THOTCON 2015 RFID Talk Resources

A big thank-you to everyone who attended my talk at THOTCON 0x6.

Here are some links to resources to help you build your own "Ghetto Proxmark":


The Black Edition

I'm pleased to introduce the latest addition to the MiniPwner family: the Black Edition. The Black is based on the TP-Link MR3040, with a few hardware modifications.


First, to allow for more flexibility during a penetration test, the internal antenna has been disconnected and an RP-SMA connector has been added. This lets you connect different types of antennas to the Black. Since the stock antenna no longer functions, the Black ships with a 3 dBi antenna.

Second, we've exposed the serial port. The goal is direct hardware access to the system when required; one major advantage is that you can recover the system through the serial port if you "brick" the device. (We are also working on a few other ideas for the serial port, so stay tuned.)

Third, the power LED has been removed. This might sound like a bad idea at first; however, the power LED cannot be controlled via software, so the only way to keep it off during operation was to remove it.

Last but not least, you will notice it has been wrapped in matte black vinyl. This helps you hide it in plain sight.


Making the Black is quite time consuming, so only a limited number will be produced. Please tweet us at @minipwner and let us know the interest level.


- Michael


Version 1 - Archive

Here is all the information related to version 1 of the MiniPwner.

RFID Projects

Kevin has been working on some RFID lock hacking projects.

Here are some links to relevant info:

Build One v2

MiniPwner Community Edition

As with the first version, here are the build instructions for version 2 of the MiniPwner.

What You'll Need

  • TP-Link MR3040
  • SanDisk 16GB USB drive (or equivalent)
  • MiniPwner Overlay - found here

Format USB Drive

  • Set up two partitions on the USB drive: one 500 MB partition for swap space and the rest of the drive for storage.
  • This can be done on a Linux system using fdisk or GParted:
    • Partition 1 = 500 MB swap
    • Partition 2 = remaining ~15.5 GB, ext4

Install OpenWrt

  1. Download the OpenWrt Barrier Breaker factory image for the MR3040 from here (check the hardware version printed on the device label; the v1 and v2 boards use different images)
  2. Boot your TP-Link MR3040 and log in to its stock web interface (default credentials are admin/admin)
  3. Select System Tools and then Firmware Upgrade
  4. Use the Choose File button to select the OpenWrt Barrier Breaker image
  5. Use the Upgrade button to apply the image
  6. Wait for the image to be applied; do not power off the device during the flash
  7. After the TP-Link reboots it will be running OpenWrt and reachable at OpenWrt's default address

The Setup

  1. Telnet to the TP-Link at OpenWrt's default address (a fresh OpenWrt install accepts unauthenticated telnet only until a root password is set)
  2. Set a root password with the passwd command (this disables telnet and enables SSH login, which the remaining steps use)
  3. NOTE: ** You will need to get the TP-Link onto the Internet to download packages **
  4. Install the following packages to enable USB support
    • kmod-scsi-core
    • kmod-usb-storage
    • block-mount
    • kmod-lib-crc16
    • kmod-crypto-hash
    • kmod-fs-ext4
  5. Plug the USB drive into the USB (3G) port and reboot the TP-Link
  6. Log into the TP-Link via ssh using the user root and the password you just set
  7. Modify the /etc/config/fstab to match the following
  8. Run the following commands to "pivot root" to the USB drive
    • mkdir -p /tmp/cproot
    • mount --bind / /tmp/cproot
    • mkdir /mnt/sda2
    • mount /dev/sda2 /mnt/sda2
    • tar -C /tmp/cproot -cvf - . | tar -C /mnt/sda2 -xf -
    • umount /tmp/cproot
  9. You now need to modify /etc/config/fstab again so the system boots off the USB drive
  10. Reboot the TP-Link (and now it becomes a MiniPwner)
  11. Verify the USB drive is mounted correctly by issuing the df command
  12. If df shows /dev/sda2 mounted as the root filesystem (as in the image above) then you're good to install any packages you would like
  13. The following packages are installed by default on the MiniPwner
    • libpcap_1.5.3-1_ar71xx
    • libstdcpp_4.8-linaro-1_ar71xx
    • libpthread_0.9.33.2-1_ar71xx
    • zlib_1.2.8-1_ar71xx
    • libopenssl_1.0.1j-1_ar71xx
    • libbz2_1.0.6-1_ar71xx
    • bzip2_1.0.6-1_ar71xx
    • terminfo_5.9-1_ar71xx
    • libnet1_1.1.6-1_ar71xx
    • libpcre_8.35-2_ar71xx
    • libltdl_2.4-1_ar71xx
    • libncurses_5.9-1_ar71xx
    • librt_0.9.33.2-1_ar71xx
    • libruby_1.9.3-p545-1_ar71xx
    • wireless-tools_29-5_ar71xx
    • hostapd-common-old_2014-06-03.1-1_ar71xx
    • kmod-madwifi_3.10.49+r3314-6_ar71xx
    • ruby_1.9.3-p545-1_ar71xx
    • uclibcxx_0.2.4-1_ar71xx
    • libnl_3.2.21-1_ar71xx
    • libcap_2.24-1_ar71xx
    • libreadline_6.2-1_ar71xx
    • libdnet_1.11-2_ar71xx
    • libdaq_1.1.1-1_ar71xx
    • libuuid_2.24.1-1_ar71xx
    • libffi_3.0.13-1_ar71xx
    • python-mini_2.7.3-2_ar71xx
    • openssl-util_1.0.1j-1_ar71xx
    • kmod-tun_3.10.49-1_ar71xx
    • liblzo_2.08-1_ar71xx
    • libevent2-core_2.0.21-1_ar71xx
    • libevent2-extra_2.0.21-1_ar71xx
    • libevent2-openssl_2.0.21-1_ar71xx
    • libevent2-pthreads_2.0.21-1_ar71xx
    • libevent2_2.0.21-1_ar71xx

    • aircrack-ng_1.1-3_ar71xx
    • elinks_0.11.7-1_ar71xx
    • ettercap_NG-0.7.3-2_ar71xx
    • karma_20060124-1_ar71xx
    • kismet-client_2010-07-R1-2_ar71xx
    • kismet-drone_2010-07-R1-2_ar71xx
    • kismet-server_2010-07-R1-2_ar71xx
    • nbtscan_1.5.1_ar71xx
    • netcat_0.7.1-2_ar71xx
    • nmap_6.46-1_ar71xx
    • openvpn-easy-rsa_2013-01-30-2_ar71xx
    • openvpn-openssl_2.3.6-1_ar71xx
    • perl_5.20.0-6_ar71xx
    • samba36-client_3.6.24-1_ar71xx
    • samba36-server_3.6.24-1_ar71xx
    • snort_2.9.2.2-3_ar71xx
    • tar_1.23-1_ar71xx
    • tcpdump_4.5.1-4_ar71xx
    • tmux_1.9a-1_ar71xx
    • yafc_1.1.1-2_ar71xx
    • wget_1.16-1_ar71xx
    • python_2.7.3-2_ar71xx
    • vim_7.3-1_ar71xx
    • unzip_6.0-1_ar71xx
  14. Upload the MiniPwner Overlay tar file to the /tmp directory
  15. Untar the file by issuing tar -xf MiniPwner-Setup_x.x.x.tar (where x.x.x is the version number)
  16. Run the setup script by issuing sh followed by the script's name
  17. Make sure the three-position switch is in the middle position (WISP) and then reboot the MiniPwner
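The shell script below is an added example, not the MiniPwner project's own setup script or anything from the original page. It scripts the partitioning, package install, root copy and fstab steps above for an OpenWrt Barrier Breaker MR3040. Assumptions, all mine: the USB drive enumerates on the router as /dev/sda with /dev/sda1 as the 500 MB swap and /dev/sda2 as the ext4 partition; the /etc/config/fstab it writes is my reconstruction of a Barrier Breaker block-mount pivot-root configuration (the page's own fstab screenshots are not reproduced here); and the partitioning step uses the util-linux 2.26+ sfdisk input syntax on a /dev/sdX-style device.

```shell
#!/bin/sh
# Added example (not the MiniPwner project's script). Scripts the v2 build
# steps for an OpenWrt Barrier Breaker MR3040. Assumed layout: /dev/sda1 =
# 500 MB swap, /dev/sda2 = ext4 (the layout from "Format USB Drive").
#   On your Linux box:    sh minipwner-usb.sh --partition /dev/sdX
#   On the router, first: sh minipwner-usb.sh --install   (then plug in USB, reboot)
#   On the router, then:  sh minipwner-usb.sh --pivot     (then reboot)
#   After the reboot:     df | sh minipwner-usb.sh --check

USB_SWAP="${USB_SWAP:-/dev/sda1}"
USB_ROOT="${USB_ROOT:-/dev/sda2}"
STAGE="${STAGE:-/mnt/sda2}"
# Step 4 package set from the instructions above.
USB_PKGS="kmod-scsi-core kmod-usb-storage block-mount kmod-lib-crc16 kmod-crypto-hash kmod-fs-ext4"

# Emit a block-mount /etc/config/fstab that pivots the root filesystem onto
# $1 and enables swap on $2 at boot. Reconstructed by me for Barrier Breaker;
# not copied from the page's screenshot.
gen_fstab() {
    cat <<EOF
config 'global'
    option  anon_swap    '0'
    option  anon_mount   '0'
    option  auto_swap    '1'
    option  auto_mount   '1'
    option  delay_root   '5'
    option  check_fs     '0'

config 'mount'
    option  target       '/'
    option  device       '$1'
    option  fstype       'ext4'
    option  options      'rw,noatime'
    option  enabled      '1'
    option  enabled_fsck '0'

config 'swap'
    option  device       '$2'
    option  enabled      '1'
EOF
}

# Step 11 check: read `df` output on stdin; succeed only if device $1 is the
# filesystem mounted on / (the header line ends in "on", so it never matches).
root_is() {
    awk -v dev="$1" '$NF == "/" && $1 == dev { found = 1 } END { exit !found }'
}

# "Format USB Drive" on the Linux workstation: 500 MB swap, the rest ext4.
partition_usb() {
    dev="$1"
    printf ',500M,S\n,,L\n' | sfdisk "$dev"
    mkswap "${dev}1"
    mkfs.ext4 "${dev}2"
}

# Step 4: the router needs Internet access for this (step 3).
install_usb_support() {
    opkg update
    opkg install $USB_PKGS
}

# Steps 7-9: copy the running root onto the USB drive, then point block-mount
# at it so the next boot pivots there.
pivot_to_usb() {
    mkdir -p /tmp/cproot "$STAGE"
    mount --bind / /tmp/cproot
    mount "$USB_ROOT" "$STAGE"
    tar -C /tmp/cproot -cf - . | tar -C "$STAGE" -xf -
    umount /tmp/cproot
    gen_fstab "$USB_ROOT" "$USB_SWAP" > /etc/config/fstab
    # The copy was taken before the fstab change; mirror it onto the new root.
    cp /etc/config/fstab "$STAGE/etc/config/fstab"
    umount "$STAGE"
    echo "fstab written; reboot, then verify with: df | $0 --check"
}

case "${1:-}" in
    --partition) partition_usb "$2" ;;
    --install)   install_usb_support ;;
    --pivot)     pivot_to_usb ;;
    --check)     root_is "$USB_ROOT" && echo "root is on $USB_ROOT" ;;
esac
```

Before the final reboot, compare what gen_fstab wrote with the output of `block detect`, which on Barrier Breaker prints a template fstab for the drives it can see; the device and fstype values should agree. If they do not (for example the drive came up as /dev/sdb), set USB_ROOT and USB_SWAP accordingly rather than editing the script, and re-run the --pivot step.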


