Ebay Proxmark3 Easy - Antennas Unusable

I bought a 512k Proxmark3 Easy from ebay instead of DT (I know, I know… The cost savings was absolutely NOT worth it… Lesson learned.)
That’s out of the way. If this post doesn’t belong in the support topic, delete away.

TL;DR:
512k Proxmark 3 Easy from an ebay seller. I’ve tried 3 different USB cables. My USB cable is plugged into the short side, not the power port by the button. I’ve tightened the screws and standoffs. I’ve compiled and re-compiled the Iceman firmware from fresh git clones (and I did remember to update Makefile.platform). Every time I run “hw tune” in the pm3 client, I get “LF antenna is UNUSABLE” “HF antenna is UNUSABLE” and it won’t read any tags.

Long story here:
The first thing I did was flash the Iceman firmware. I’m on Linux, so I pulled the latest GitHub code (2023-04-22 was when I first tried), edited Makefile.platform to include PLATFORM=PM3GENERIC, and compiled it; pm3-flash-all threw an error about the bootloader not supporting some command.
Read the error, it says flash them individually. Okay, ./pm3-flash-bootloader seems to have worked fine, and the subsequent ./pm3-flash-fullimage didn’t throw any errors.
Inside the ./pm3 client, “hw tune” shows both (LF and HF) antenna is UNUSABLE.
I’ve been hammering at this for a few days, with no luck. I’ve tightened all of the screws and brass stand-offs, the arrows on the LF antenna are pointing to the arrows on the middle board, I’ve tried “make clean” then “make build -j” then ./pm3-flash-bootrom then ./pm3-flash-fullimage and nothing is changing. I’ve tried various combinations of holding the button, flashing, unplugging, releasing the button, but since I’m not getting an error I suspect that was wasted effort.

I tried contacting the seller through ebay. The seller told me “It will only work with our firmware.” … Then ebay suspended my account and will not reactivate it (my own fault). So I don’t have access to working firmware (but I would love to get it working on Iceman instead of whatever it shipped with, anyway).

I’m hoping that I don’t need to JTAG de-brick it, but that’s the only thing I think I haven’t tried yet.

Just now, I’ve wiped out my git clone of RRG iceman fork, cloned it again, edited Makefile.platform, compiled everything, and the results are the same.

Short of buying a known working unit from DT and tossing this one in the trash, what’s the right course of action here?

Thank you for any suggestions.

Flash Bootrom

[ proxmark3 ] $ ./pm3-flash-bootrom
[=] Session log /home/5y6j8jlm35xo/.proxmark3/logs/log_20230425.txt
[+] loaded from JSON file /home/5y6j8jlm35xo/.proxmark3/preferences.json
[+] About to use the following file:
[+] /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/bootrom/obj/bootrom.elf
[+] Loading ELF file /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/bootrom/obj/bootrom.elf
[+] ELF file version Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21 4dd8876b1

[+] Waiting for Proxmark3 to appear on /dev/ttyACM1
:clock2: 59 found
[+] Entering bootloader…
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/ttyACM1
:clock2: 49 found
[=] Available memory on this board: 512K bytes

[=] Permitted flash range: 0x00100000-0x00180000
[+] Loading usable ELF segments:
[+] 0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
[+] 1: V 0x00200000 P 0x00100200 (0x00000d18->0x00000d18) [R X] @0x298

[+] Flashing…
[+] Writing segments for file: /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/bootrom/obj/bootrom.elf
[+] 0x00100000…0x001001ff [0x200 / 1 blocks]
. ok
[+] 0x00100200…0x00100f17 [0xd18 / 7 blocks]
… ok

[+] All done

[=] Have a nice day!

[ proxmark3 ] $

Flash Fullimage

[ proxmark3 ] $ ./pm3-flash-fullimage
[=] Session log /home/5y6j8jlm35xo/.proxmark3/logs/log_20230425.txt
[+] loaded from JSON file /home/5y6j8jlm35xo/.proxmark3/preferences.json
[+] About to use the following file:
[+] /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/armsrc/obj/fullimage.elf
[+] Loading ELF file /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/armsrc/obj/fullimage.elf
[+] ELF file version Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21 4dd8876b1

[+] Waiting for Proxmark3 to appear on /dev/ttyACM1
:clock2: 59 found
[+] Entering bootloader…
[+] (Press and release the button only to abort)
[+] Waiting for Proxmark3 to appear on /dev/ttyACM1
:clock2: 49 found
[=] Available memory on this board: 512K bytes

[=] Permitted flash range: 0x00102000-0x00180000
[+] Loading usable ELF segments:
[+] 1: V 0x00102000 P 0x00102000 (0x0004950c->0x0004950c) [R X] @0xb8
[+] 2: V 0x00200000 P 0x0014b50c (0x00001b3b->0x00001b3b) [R X] @0x495c8
[=] Note: Extending previous segment from 0x4950c to 0x4b047 bytes

[+] Flashing…
[+] Writing segments for file: /home/5y6j8jlm35xo/Downloads/git/proxmark3/client/…/armsrc/obj/fullimage.elf
[+] 0x00102000…0x0014d046 [0x4b047 / 601 blocks]

@@@ @@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@ @@@ @@@
@@! !@@ @@! @@! @@! @@! @@! @@@ @@!@!@@@
!!@ !@! @!!!:! @!! !!@ @!@ @!@!@!@! @!@@!!@!
!!: :!! !!: !!: !!: !!: !!! !!: !!!
: :: :: : : :: ::: : : : : : :: :
. … … . . … … . . . . . … .


… ok

[+] All done

[=] Have a nice day!

[ proxmark3 ] $

pm3 hw status, hw version, hw tune

[ proxmark3 ] $ ./pm3
[=] Session log /home/5y6j8jlm35xo/.proxmark3/logs/log_20230425.txt
[+] loaded from JSON file /home/5y6j8jlm35xo/.proxmark3/preferences.json
[=] Using UART port /dev/ttyACM1
[=] Communicating with PM3 over USB-CDC

8888888b. 888b d888 .d8888b.
888 Y88b 8888b d8888 d88P Y88b
888 888 88888b.d88888 .d88P
888 d88P 888Y88888P888 8888"
8888888P" 888 Y888P 888 "Y8b.
888 888 Y8P 888 888 888
888 888 " 888 Y88b d88P
888 888 888 “Y8888P” [ :coffee: ]

[ Proxmark3 RFID instrument ]

MCU....... AT91SAM7S512 Rev B
Memory.... 512 KB ( 60% used )

Client.... Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:23:00
Bootrom... Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21
OS........ Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21
Target.... PM3 GENERIC

[usb] pm3 → hw status
[#] Memory
[#] BigBuf_size… 42608
[#] Available memory… 42608
[#] Tracing
[#] tracing … 1
[#] traceLen … 0
[#] Current FPGA image
[#] mode… HF image 2s30vq100 2022-03-23 17:21:16
[#] LF Sampling config
[#] [q] divisor… 95 ( 125.00 kHz )
[#] [b] bits per sample… 8
[#] [d] decimation… 1
[#] [a] averaging… yes
[#] [t] trigger threshold… 0
[#] [s] samples to skip… 0
[#]
[#] LF T55XX config
[#] [r] [a] [b] [c] [d] [e] [f] [g]
[#] mode |start|write|write|write| read|write|write
[#] | gap | gap | 0 | 1 | gap | 2 | 3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] long leading reference | 31 | 20 | 18 | 50 | 15 | N/A | N/A |
[#] leading zero | 31 | 20 | 18 | 40 | 15 | N/A | N/A |
[#] 1 of 4 coding reference | 31 | 20 | 18 | 34 | 15 | 50 | 66 |
[#]
[#] HF 14a config
[#] [a] Anticol override… std ( follow standard )
[#] [b] BCC override… std ( follow standard )
[#] [2] CL2 override… std ( follow standard )
[#] [3] CL3 override… std ( follow standard )
[#] [r] RATS override… std ( follow standard )
[#] Transfer Speed
[#] Sending packets to client…
[#] Time elapsed… 500ms
[#] Bytes transferred… 290816
[#] Transfer Speed PM3 → Client… 581632 bytes/s
[#] Various
[#] Max stack usage… 4088 / 8480 bytes
[#] Debug log level… 1 ( error )
[#] ToSendMax… -1
[#] ToSend BUFFERSIZE… 2308
[#] Slow clock… 31269 Hz
[#] Installed StandAlone Mode
[#] LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#]
[usb] pm3 → hw version

[ Proxmark3 RFID instrument ]

[ CLIENT ]
Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:23:00 4dd8876b1
compiled with… GCC 12.2.1 20221121 (Red Hat 12.2.1-4)
platform… Linux / x86_64
Readline support… present
QT GUI support… present
native BT support… present
Python script support… present
Lua SWIG support… present
Python SWIG support… present

[ PROXMARK3 ]
firmware… PM3 GENERIC

[ ARM ]
bootrom: Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21 4dd8876b1
os: Iceman/master/v4.16191-312-ge25266886 2023-04-25 16:28:21 4dd8876b1
compiled with GCC 12.2.0

[ FPGA ]
LF image 2s30vq100 2022-03-23 17:21:05
HF image 2s30vq100 2022-03-23 17:21:16
HF FeliCa image 2s30vq100 2022-03-23 17:21:27
HF 15 image 2s30vq100 2022-03-23 17:21:38

[ Hardware ]
–= uC: AT91SAM7S512 Rev B
–= Embedded Processor: ARM7TDMI
–= Internal SRAM size: 64K bytes
–= Architecture identifier: AT91SAM7Sxx Series
–= Embedded flash memory 512K bytes ( 60% used )

[usb] pm3 → hw tune
[=] ---------- Reminder ------------------------
[=] hw tune doesn’t actively tune your antennas,
[=] it’s only informative.
[=] Measuring antenna characteristics, please wait…
:clock12: 9
[=] ---------- LF Antenna ----------
[!] :warning: LF antenna is UNUSABLE
[=] ---------- HF Antenna ----------
[!] :warning: HF antenna is UNUSABLE

(*) Q factor must be measured without tag on the antenna

[-] :no_entry: Not showing LF tuning graph since all values is zero.

[usb] pm3

Bottom line, the problem might be that the hardware is just not usable… some factories allow pretty bad part tolerances because those parts are cheaper, and sometimes the tolerances line up at opposite ends and you’re way way out of spec… for example, if they used tuning capacitors with a 15% tolerance and they expect a wide tolerance for their inductors, particularly the LF antenna, then you could just randomly end up with hardware that is not usable.
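
The tolerance stack-up described above, worked through as an added example that is not part of the original post: it treats the antenna as a simple LC resonator designed for the 125 kHz LF carrier and shows where resonance lands at each tolerance corner. The 15% capacitor tolerance and the carrier come from the thread; the 10% inductor tolerance and the Q of 20 are assumed figures for illustration.

```python
import itertools
import math

CARRIER_HZ = 125_000.0  # LF carrier shown by `hw status` in the thread


def resonant_shift(cap_tol, ind_tol):
    """Ratio f_res / f_design when C and L are off by the given fractions.

    From f = 1 / (2*pi*sqrt(L*C)), the nominal L and C cancel out.
    """
    return 1.0 / math.sqrt((1.0 + cap_tol) * (1.0 + ind_tol))


def relative_response(f_res, q, f_drive=CARRIER_HZ):
    """Amplitude at the drive frequency relative to a perfectly tuned circuit."""
    x = f_drive / f_res - f_res / f_drive
    return 1.0 / math.sqrt(1.0 + (q * x) ** 2)


def tolerance_corners(cap_tol, ind_tol, q):
    """Resonant frequency and relative response for every tolerance corner."""
    rows = []
    for dc, dl in itertools.product((-cap_tol, 0.0, cap_tol),
                                    (-ind_tol, 0.0, ind_tol)):
        f_res = CARRIER_HZ * resonant_shift(dc, dl)
        rows.append((dc, dl, f_res, relative_response(f_res, q)))
    return rows


if __name__ == "__main__":
    # Assumed values: 10% inductor tolerance and Q = 20 are illustrative only.
    for dc, dl, f_res, resp in tolerance_corners(0.15, 0.10, q=20):
        print(f"C {dc:+.0%}  L {dl:+.0%}  f_res {f_res / 1000:7.1f} kHz"
              f"  response {resp:5.1%}")
```

When both parts err in the same direction the resonance moves more than 10% away from the carrier, and with the assumed Q the circuit delivers roughly a fifth of its tuned amplitude.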

I returned the ebay unit, bought a unit from DT, upgraded the firmware, and everything is working! Thanks again.
Sadly, my tags were written by a White Cloner. Currently bruteforcing the password (none of the passwords I found so far worked). And that cloner is going in the trash :grin:

1 Like

There is a place for it (other than the rubbish)
I would use it for something like this

But there are still other better options
:flipperzero_white:

Did you check out this thread? (that command syntax may be a previous iteration, but if you step through the PM3 commands one by one following the same principle you should be able to work it out)
Reply here if you get stuck, or in that thread with the new syntax to help others out

Good luck

I bought the DT one and it’s magnificent. I rarely recommend a product, but this one is perfect!

1 Like

Thread locked, couldn’t reply there. :eyes:

Current syntax (2023-04-28):
lf t55xx write -b 0 -d 00148041 -p AA55BBBB (and optional -t for test mode)

Passwords I tried to unlock a t5577 locked by White Cloner:
000D8787
00434343
12345678
19920427
44B44CAE
51243648
88661858
AA55BBBB
00012323

Also, +1 for :flipperzero_white:

1 Like

I hadn’t seen the lightsaber thread! Funnily enough, that’s what started this journey.
My boss has some of the crystals, 2 of the custom built light sabers, and both styles of holocron. Writing tags with the white cloner, the holocrons respond as expected, but the light sabers respond as though they aren’t reading any tag. (oh, you have to depress a button in the top of the lightsaber crystal chamber to activate the reader, we jammed a 34mm length of stick in there to hold it down and try the tags out)
I tried reading the tags (which were locked by White Cloner) and the crystals (also locked by White Cloner) on my :flipperzero_white: but I couldn’t see any difference that would make them not work. Since my tags are t5577, I was hoping the Proxmark would show something on another page that I could copy to make it work… But they’re locked. :sweat_smile:

I read 34 years to fully brute force? I’m going to try scanning a write from the White Cloner, see if I can read the password that way. Also try writing a new non-locked t5577 with the em4100 code stuff, see if I can fool it that way. Good weekend project.

1 Like

Running lf sniff on the Proxmark while programming a tag on the White Cloner didn’t show anything. Back to the drawing board.

WOW there is way more info in that Galaxy’s Edge Google Doc than I realized! There are tabs for RFID Reader/Writer Hardware (don’t use Blue Cloner, don’t use White Cloner :sweat: and some passwords to try), and a very in-depth tab on RFID Writer Signal Analysis (which includes standard and iceman firmware commands, and how to set up your proxmark to read the signals and decode the password used on t5577 and em4305 writes!)

I was re-reading the Google Doc link that I just added to your light saber thread, and it has a password I hadn’t tried! And it worked for me!
lf t55xx write -b 0 -d 00148041 -p 00012323

2 Likes
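
What the block 0 value in the write commands above configures, as an added example that is not part of the thread: a decoder for the T5577 configuration word passed with -d. The function and field names are illustrative, and the bit positions assume the T5577 basic-mode block 0 layout (extended-mode encodings are not handled).

```python
# Field tables for T5577 block 0 in basic mode (assumed layout, see lead-in).
BITRATES = ["RF/8", "RF/16", "RF/32", "RF/40", "RF/50", "RF/64", "RF/100", "RF/128"]
MODULATIONS = {
    0x00: "direct", 0x01: "PSK1", 0x02: "PSK2", 0x03: "PSK3",
    0x04: "FSK1", 0x05: "FSK2", 0x06: "FSK1a", 0x07: "FSK2a",
    0x08: "Manchester", 0x10: "Biphase",
}


def decode_block0(word_hex):
    """Split a 32-bit T5577 block 0 word (hex string) into its config fields."""
    word = int(word_hex, 16)
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("block 0 must be a 32-bit value")
    mod = (word >> 12) & 0x1F
    return {
        "master_key": (word >> 28) & 0xF,
        "extended_mode": bool((word >> 17) & 1),
        "bitrate": BITRATES[(word >> 18) & 0x7],
        "modulation": MODULATIONS.get(mod, f"other (0x{mod:02X})"),
        "psk_carrier": (word >> 10) & 0x3,
        "answer_on_request": bool((word >> 9) & 1),
        "max_block": (word >> 5) & 0x7,
        "password_enabled": bool((word >> 4) & 1),
        "sequence_terminator": bool((word >> 3) & 1),
        "por_delay": bool(word & 1),
    }


def data_arg(command):
    """Return the value following -d in an `lf t55xx write` command line."""
    args = command.split()
    return args[args.index("-d") + 1]


if __name__ == "__main__":
    cmd = "lf t55xx write -b 0 -d 00148041 -p 00012323"  # command from the thread
    for name, value in decode_block0(data_arg(cmd)).items():
        print(f"{name:20} {value}")
    # Constructed comparison value: the same word with only the PWD bit set.
    print("PWD bit in 00148051:", decode_block0("00148051")["password_enabled"])
```

Decoded this way, 00148041 selects RF/64 Manchester with two data blocks and leaves the password bit clear, so the tag no longer requires a password once the write succeeds.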