“The Proxmark is Here”
On Monday the Proxmark3 RDV4 I ordered arrived. It’s a beauty of a device, even comes in a sleek plastic case.
Setting it up wasn’t easy, just like the proxmark3 repository warns:
It should be pointed out quite early that the proxmark3 is not really for beginners. If you are not already fairly familiar with electronics, embedded programming, some RF design and ISO standards, this device will probably bring you more frustration than anything else ! Users that do not understand the basic principles behind RFID may have difficulty using the device.
While I’m not specifically familiar with RF designs and ISO standards, I’m savvy and persistent, which I hope will do the trick.
I chose to use the Iceman fork (from the RfidResearchGroup GitHub organization, also called the RRG repo) of the Proxmark3 software, since it’s designed specifically for the RDV4 version of the Proxmark3 device (the latest hardware release, smaller and more powerful). Since the Proxmark3 is open source, there are many forks of its software. I use macOS and Homebrew, so the first step was to follow these instructions. The brew install proxmark3 command gave me an error saying there wasn’t an installable stable version, so I had to use brew install --HEAD proxmark3, which successfully installed the most up-to-date version, which is perhaps unstable.
It really is important to flash the latest software to the board; mine wouldn’t successfully connect to my computer without the latest software:
██████╗ ███╗ ███╗ ████╗ ...iceman fork
██╔══██╗████╗ ████║ ══█║ ...dedicated to RDV40
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ══█║ iceman@icesql.net
██║ ██║ ╚═╝ ██║ ████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝ ╚═══╝ pre-release v4.0
Support iceman on patreon - https://www.patreon.com/iceman1001/
on paypal - https://www.paypal.me/iceman1001
[=] Using UART port /dev/tty.usbmodemiceman1
[!!] ERROR: cannot communicate with the Proxmark
[+] About to use the following files:
[+] /usr/local/Cellar/proxmark3/HEAD-960d8c4/bin/../share/proxmark3/firmware/bootrom.elf
[+] /usr/local/Cellar/proxmark3/HEAD-960d8c4/bin/../share/proxmark3/firmware/fullimage.elf
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
Found
[+] Entering bootloader...
[+] (Press and release the button only to abort )
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
Found
[!!] ====================== OBS ! ===========================================
[!!] Note: Your bootloader does not understand the new CMD_BL_VERSION command
[!!] It is recommended that you first update your bootloader alone,
[!!] reboot the Proxmark3 then only update the main firmware
[=] Available memory on this board: UNKNOWN
[!!] ====================== OBS ! ======================================
[!!] Note: Your bootloader does not understand the new CHIP_INFO command
[!!] It is recommended that you first update your bootloader alone,
[!!] reboot the Proxmark3 then only update the main firmware
[=] Permitted flash range: 0x00100000-0x00140000
[+] Loading ELF file /usr/local/Cellar/proxmark3/HEAD-960d8c4/bin/../share/proxmark3/firmware/bootrom.elf
[+] Loading usable ELF segments:
[+] 0 : V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+] 1 : V 0x00200000 P 0x00100200 (0x00000e30->0x00000e30) [R X] @0x298
[+] Loading ELF file /usr/local/Cellar/proxmark3/HEAD-960d8c4/bin/../share/proxmark3/firmware/fullimage.elf
[+] Loading usable ELF segments:
[+] 0 : V 0x00102000 P 0x00102000 (0x00040068->0x00040068) [R X] @0x94
[!!] Error: PHDR is not contained in Flash
[+] All done.
Have a nice day!
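To see what the flasher is checking when it stops with "PHDR is not contained in Flash", here is an added Python example (my own code, not the RRG flasher and not from the post): it builds a tiny ELF32 image with the segment addresses and sizes printed in the two flash logs, parses the program headers the way any flasher must, and tests each loadable segment against the permitted flash range. Against the 0x00100000-0x00140000 range the old bootloader reported while memory was UNKNOWN, the fullimage segment at 0x00102000 with 0x40068 bytes ends at 0x00142068, past the limit; against the 0x00180000 range reported after the bootloader upgrade it fits. The ELF contents are constructed from the log numbers, not read from a real firmware file, and the merging step mirrors the "Extending previous segment" note in the second log.

```python
"""Does an ELF32 firmware image fit the flash range the bootloader reports?
Added example built from the numbers in the flash logs; not the RRG flasher."""
import struct

PT_LOAD = 1                       # program header type for loadable segments
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # segment permission flags

# Segment geometry copied from the flasher output: (vaddr, paddr, size, flags).
# Flash ranges are also from the logs: 0x140000 while the old bootloader could
# not answer CHIP_INFO (memory UNKNOWN), 0x180000 after it was upgraded.
BOOTROM_SEGMENTS = [(0x00100000, 0x00100000, 0x200, PF_R | PF_X),
                    (0x00200000, 0x00100200, 0xE30, PF_R | PF_X)]
FULLIMAGE_SEGMENTS = [(0x00102000, 0x00102000, 0x40068, PF_R | PF_X),
                      (0x00200000, 0x00142068, 0x1540, PF_R | PF_W)]
FLASH_START = 0x00100000
FLASH_END_256K = 0x00140000   # reported with "Available memory: UNKNOWN"
FLASH_END_512K = 0x00180000   # reported once the bootloader was updated


def build_elf32(segments):
    """Construct a minimal little-endian ELF32 (ARM) image whose PT_LOAD
    program headers describe `segments`.  Payload bytes are zero-filled;
    this is constructed test input, not a real Proxmark3 firmware file."""
    ehsize, phentsize = 52, 32
    phoff = ehsize
    data_off = phoff + phentsize * len(segments)
    phdrs, payload = b"", b""
    for vaddr, paddr, size, flags in segments:
        phdrs += struct.pack("<8I", PT_LOAD, data_off + len(payload),
                             vaddr, paddr, size, size, flags, 4)
        payload += b"\x00" * size
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELF32, LE, v1
    header = e_ident + struct.pack("<HHIIIIIHHHHHH",
                                   2, 40, 1, segments[0][0],  # EXEC, ARM, entry
                                   phoff, 0, 0, ehsize, phentsize,
                                   len(segments), 0, 0, 0)
    return header + phdrs + payload


def parse_load_segments(data):
    """Return the PT_LOAD segments that carry file content, the same
    information the flasher prints as 'V ... P ... (filesz->memsz)'."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    segs = []
    for i in range(e_phnum):
        (p_type, _offset, p_vaddr, p_paddr, p_filesz,
         _memsz, p_flags, _align) = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or p_filesz == 0:
            continue
        segs.append({"vaddr": p_vaddr, "paddr": p_paddr,
                     "size": p_filesz, "flags": p_flags})
    return segs


def merge_contiguous(segs):
    """Coalesce segments that sit back to back in physical flash, which is
    what the 'Extending previous segment' note in the second log records."""
    merged = []
    for seg in sorted(segs, key=lambda s: s["paddr"]):
        if merged and merged[-1]["paddr"] + merged[-1]["size"] == seg["paddr"]:
            merged[-1] = dict(merged[-1], size=merged[-1]["size"] + seg["size"])
        else:
            merged.append(dict(seg))
    return merged


def segments_outside_flash(segs, flash_start, flash_end):
    """Return (paddr, end) for every segment not wholly inside
    [flash_start, flash_end); an empty list means the image can be written."""
    bad = []
    for seg in segs:
        end = seg["paddr"] + seg["size"]
        if seg["paddr"] < flash_start or end > flash_end:
            bad.append((seg["paddr"], end))
    return bad


def image_fits(data, flash_start, flash_end):
    """True when every loadable segment of the ELF image lies in flash."""
    return not segments_outside_flash(parse_load_segments(data),
                                      flash_start, flash_end)


if __name__ == "__main__":
    img = build_elf32(FULLIMAGE_SEGMENTS)
    for end in (FLASH_END_256K, FLASH_END_512K):
        verdict = "fits" if image_fits(img, FLASH_START, end) else "does not fit"
        print(f"fullimage vs {FLASH_START:#x}-{end:#x}: {verdict}")
```

The practical lesson is the one the flasher itself printed: a bootloader that cannot report its chip size is treated as a 256K part, so upgrade the bootloader first, reboot, and only then flash the full image.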
I followed the instructions from the main proxmark3 repo Wiki to upgrade the bootloader. I ended up having to do the Upgrading Proxmark3 from HID to CDC step, and there was some trouble finding where the client and proxmark3 directories were (maybe because of the Homebrew installation?). Now, as I’m writing this, I figure out what the issue was. I think the things I needed ended up being in usr/local/something (in retrospect probably /usr/local/Cellar/proxmark3/HEAD-960d8c4/share/proxmark3/firmware/bootrom.elf and fullimage.elf, like the pm3 software told me. Or maybe just /usr/local/share/proxmark3? There’s some weird symlinking stuff going on that I don’t understand.) Anyway, once I found the right files and flashed everything it worked great, and went really fast:
██████╗ ███╗ ███╗ ████╗ ...iceman fork
██╔══██╗████╗ ████║ ══█║ ...dedicated to RDV40
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ══█║ iceman@icesql.net
██║ ██║ ╚═╝ ██║ ████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝ ╚═══╝ pre-release v4.0
Support iceman on patreon - https://www.patreon.com/iceman1001/
on paypal - https://www.paypal.me/iceman1001
[=] Using UART port /dev/tty.usbmodemiceman1
[+] About to use the following files:
[+] /usr/local/share/proxmark3/firmware/bootrom.elf
[+] /usr/local/share/proxmark3/firmware/fullimage.elf
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
Found
[+] Entering bootloader...
[+] (Press and release the button only to abort )
[+] Waiting for Proxmark3 to appear on /dev/tty.usbmodemiceman1
Found
[=] Available memory on this board: 512K bytes
[=] Permitted flash range: 0x00100000-0x00180000
[+] Loading ELF file /usr/local/share/proxmark3/firmware/bootrom.elf
[+] Loading usable ELF segments:
[+] 0 : V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+] 1 : V 0x00200000 P 0x00100200 (0x00000e30->0x00000e30) [R X] @0x298
[+] Loading ELF file /usr/local/share/proxmark3/firmware/fullimage.elf
[+] Loading usable ELF segments:
[+] 0 : V 0x00102000 P 0x00102000 (0x00040068->0x00040068) [R X] @0x94
[+] 1 : V 0x00200000 P 0x00142068 (0x00001540->0x00001540) [RW ] @0x400fc
[=] Note: Extending previous segment from 0x40068 to 0x415a8 bytes
[+] Flashing...
[+] Writing segments for file: /usr/local/share/proxmark3/firmware/bootrom.elf
[+] 0x00100000..0x001001ff [0x200 / 1 blocks]
OK
[+] 0x00100200..0x0010102f [0xe30 / 8 blocks]
OK
[+] Writing segments for file: /usr/local/share/proxmark3/firmware/fullimage.elf
[+] 0x00102000..0x001435a7 [0x415a8 / 523 blocks]
OK
[+] All done.
Have a nice day!
Then I could plug in the Proxmark3, fire up my terminal and type pm3, and it would be auto-detected and connect. Here’s what that looked like:
██████╗ ███╗ ███╗ ████╗ ...iceman fork
██╔══██╗████╗ ████║ ══█║ ...dedicated to RDV40
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║ ══█║ iceman@icesql.net
██║ ██║ ╚═╝ ██║ ████╔╝ https://github.com/rfidresearchgroup/proxmark3/
╚═╝ ╚═╝ ╚═╝ ╚═══╝ pre-release v4.0
Support iceman on patreon - https://www.patreon.com/iceman1001/
on paypal - https://www.paypal.me/iceman1001
[=] Using UART port /dev/tty.usbmodemiceman1
[=] Communicating with PM3 over USB-CDC
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with Clang/LLVM 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.46.4) OS:OSX ARCH:x86_64
[ PROXMARK RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK RDV4 Extras ]
FPC USART for BT add-on support: absent
[ ARM ]
bootrom: RRG/Iceman/master/960d8c4 2019-09-15 00:42:55
os: RRG/Iceman/master/960d8c4 2019-09-15 00:43:06
compiled with GCC 5.4.1 20160919 (release) [ARM/embedded-5-branch revision 240496]
[ FPGA ]
LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 275878 bytes (53%) Free: 248410 bytes (47%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[usb] pm3 -->
Hooray! I now ran through the suggested setup steps found on the RRG wiki.
Now I had a functional Proxmark3 RDV4 which I could put to use snooping, reading, and cloning tags.
Logistical Note: The Proxmark3 RDV4 was USD$310. I don’t feel that the one thing I need the proxmark for justifies the entire purchase of the device, and I’d love to see how I can share its value with the community. (Once this whole ordeal is over) direct message me if you’re in the US and need access to a Proxmark3 and maybe we can figure out a way to ship it around and share the value.
Next time: Testing the Proxmark3 on known tags.
Then: Troubles writing to the xEM and a T5577 card
Next steps → figure out how to write to the T5577 card included with the pm3, build cylindrical antenna out of xEM Access Controller while waiting for DT xEM antennae to be released