Proxmark3 RDV4 Blueshark issues with Mac OS

Hey Folks,
I’ve decided to install the blueshark module on my pm3rdv4. I use mac os ventura 13.5.1.
So for the last two days I have been trying to solve this and I am really really pissed off.
What is the issue? When I connect the blueshark to the mac os for the first time, pairing goes fine and the client connects to the tty, but then at a random interval the connection drops and bt gets disconnected. Afterwards the pm3 cannot connect to the client any more, despite the connection to the bt being established. Initially my client, bootloader and pm os image were done from the latest stable release of iceman 4.16717. I also tried to roll back to 4.16191 and 4.15864. No luck. I was reading the github instructions and I saw that people mention that random disconnects may occur, and that I should clean NVRAM/PRAM and also remove /Library/Preferences/com.apple.bluetooth.plist. I did this multiple times but nothing came of it. I also did an SMC reset - same story.
Afterwards, I’ve decided to pinpoint if I have a faulty blueshark or my mac bt serial driver is crap.
I built the same client and fw on a raspberry pi4 (latest in master of proxmark repo). Connected the proxmark to the raspberry, and surprise surprise, everything worked like a charm, no disconnects, no issues, reconnecting just fine after manual disconnect.
My question here is, does anyone have a workaround for fixing this issue with the mac bt serial driver?

here is some more info

build from

git show 
commit eaef707fb0732f5211f998a464c1e37854ba1144 (HEAD -> master, origin/master, origin/HEAD)
Merge: aa0bd3ea1 96eededb8
Author: iceman1001 <iceman@iuse.se>
Date:   Thu Aug 24 20:49:30 2023 +0200

    Merge pull request #2094 from kormax/master
    
    Remove duplicate MFP definitions. Update AIDlist

this is from the mac

./pm3 -p /dev/tty.PM3_RDV40              
[=] Session log /Users/******/.proxmark3/logs/log_20230825092241.txt
[+] loaded from JSON file `/Users/******/.proxmark3/preferences.json`
[=] Using UART port /dev/tty.PM3_RDV40
[=] Communicating with PM3 over FPC UART
[=] PM3 UART serial baudrate: 115200



  8888888b.  888b     d888  .d8888b.   
  888   Y88b 8888b   d8888 d88P  Y88b  
  888    888 88888b.d88888      .d88P  
  888   d88P 888Y88888P888     8888"  
  8888888P"  888 Y888P 888      "Y8b.  
  888        888  Y8P  888 888    888  
  888        888   "   888 Y88b  d88P 
  888        888       888  "Y8888P"    [ ☕ ]


  [ Proxmark3 RFID instrument ]

    MCU....... AT91SAM7S512 Rev B
    Memory.... 512 KB ( 67% used )

    Client.... Iceman/master/v4.16717-378-geaef707fb 2023-08-25 10:34:29
    Bootrom... Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:33:40 
    OS........ Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:34:01 
    Target.... RDV4



[fpc] pm3 --> hw status                       
[#] Memory
[#]   BigBuf_size............. 38540
[#]   Available memory........ 38280
[#] Tracing
[#]   tracing ................ 0
[#]   traceLen ............... 200
[#] Current FPGA image
[#]   mode.................... fpga_pm3_felica.ncd image 2s30vq100 2023-07-12 16:12:34
[#] Flash memory
[#]   Baudrate................ 24 MHz
[#]   Init.................... OK
[#]   Memory size............. 2 mbits / 256 kb
[#]   Unique ID (be).......... 0x25999F97307C69D5
[#] Smart card module (ISO 7816)
[#]   version................. v4.13
[#] LF Sampling config
[#]   [q] divisor............. 95 ( 125.00 kHz )
[#]   [b] bits per sample..... 8
[#]   [d] decimation.......... 1
[#]   [a] averaging........... yes
[#]   [t] trigger threshold... 0
[#]   [s] samples to skip..... 0 
[#] 
[#] LF T55XX config
[#]            [r]               [a]   [b]   [c]   [d]   [e]   [f]   [g]
[#]            mode            |start|write|write|write| read|write|write
[#]                            | gap | gap |  0  |  1  | gap |  2  |  3
[#] ---------------------------+-----+-----+-----+-----+-----+-----+------
[#] fixed bit length (default) |  29 |  17 |  15 |  47 |  15 | N/A | N/A | 
[#]     long leading reference |  29 |  17 |  18 |  50 |  15 | N/A | N/A | 
[#]               leading zero |  29 |  17 |  18 |  40 |  15 | N/A | N/A | 
[#]    1 of 4 coding reference |  29 |  17 |  15 |  31 |  15 |  47 |  63 | 
[#] 
[#] HF 14a config
[#]   [a] Anticol override.... std    ( follow standard )
[#]   [b] BCC override........ std    ( follow standard )
[#]   [2] CL2 override........ std    ( follow standard )
[#]   [3] CL3 override........ std    ( follow standard )
[#]   [r] RATS override....... std    ( follow standard )
[#] Transfer Speed
[#]   Sending packets to client...
[#]   Time elapsed................... 505ms
[#]   Bytes transferred.............. 5632
[#]   Transfer Speed PM3 -> Client... 11152 bytes/s
[#] Various
[#]   Max stack usage......... 4088 / 8480 bytes
[#]   Debug log level......... 1 ( error )
[#]   ToSendMax............... 6
[#]   ToSend BUFFERSIZE....... 2308
[#]   Slow clock.............. 31071 Hz
[#] Installed StandAlone Mode
[#]   LF HID26 standalone - aka SamyRun (Samy Kamkar)
[#] Flash memory dictionary loaded
[#]   Mifare.................. 1092 / 2047 keys
[#]   T55x7................... 123 / 1023 keys
[#]   iClass.................. 28 / 511 keys
[#] 

[fpc] pm3 --> hw version 

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:34:29 0171633e7
  compiled with............. Clang/LLVM Apple LLVM 14.0.3 (clang-1403.0.22.14.1)
  platform.................. OSX / x86_64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... absent
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... present

 [ ARM ]
  bootrom: Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:33:40 0171633e7
       os: Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:34:01 0171633e7
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  fpga_pm3_lf.ncd image 2s30vq100 2023-07-12 16:12:04
  fpga_pm3_hf.ncd image 2s30vq100 2023-07-12 16:12:14
  fpga_pm3_felica.ncd image 2s30vq100 2023-07-12 16:12:34
  fpga_pm3_hf_15.ncd image 2s30vq100 2023-07-12 16:12:24

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 67% used )


here is the only diff in the clients / this is the rasp linux

[fpc] pm3 --> hw version

 [ Proxmark3 RFID instrument ]

 [ CLIENT ]
  Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 11:24:20 0171633e7
  compiled with............. GCC 12.2.0
  platform.................. Linux / aarch64
  Readline support.......... present
  QT GUI support............ present
  native BT support......... present
  Python script support..... present
  Lua SWIG support.......... present
  Python SWIG support....... present

 [ PROXMARK3 ]
  device.................... RDV4
  firmware.................. RDV4
  external flash............ present
  smartcard reader.......... present
  FPC USART for BT add-on... present

 [ ARM ]
  bootrom: Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:33:40 0171633e7
       os: Iceman/master/v4.16717-378-geaef707fb-suspect 2023-08-25 10:34:01 0171633e7
  compiled with GCC 10.2.1 20201103 (release)

 [ FPGA ] 
  fpga_pm3_lf.ncd image 2s30vq100 2023-07-12 16:12:04
  fpga_pm3_hf.ncd image 2s30vq100 2023-07-12 16:12:14
  fpga_pm3_felica.ncd image 2s30vq100 2023-07-12 16:12:34
  fpga_pm3_hf_15.ncd image 2s30vq100 2023-07-12 16:12:24

 [ Hardware ]
  --= uC: AT91SAM7S512 Rev B
  --= Embedded Processor: ARM7TDMI
  --= Internal SRAM size: 64K bytes
  --= Architecture identifier: AT91SAM7Sxx Series
  --= Embedded flash memory 512K bytes ( 67% used )

Native bt support is present in linux and absent in mac os (but I guess this is expected).
Any suggestions how to address this will be very welcome :slight_smile:

1 Like

Mood of the day
jurassic_shit
I continued doing my research today trying to figure this out, and it seems I discovered a lil bubu.
So it seems our apple friends decided to rework the bt driver in mac os 12 and it’s still having the same issue to this day (current mac os build is 13.5.1). Good jaab apple! Well done!

To explain a lil bit more:
When the device is paired with the machine for the first time, it creates /dev/tty.PM3_RDV40.
Afterwards the comm goes via this uart port as expected.
During this time the led of the blueshark blinks with 1hz frequency, like the device is not connected. When the pm3 client is started and connected to the uart, the led turns solid blue. This lasts until something goes fubar: the device led starts blinking again and the pm3 client indicates a comm timeout with the hw.
If the blueshark module is still powered on, it may be possible to reconnect by hw connect or by restarting the client altogether. When the blueshark is powered off and powered on, that’s the end of the story. Trying to connect via the mac system settings bt interface succeeds, and the led on the BS turns blue (not expected behaviour), but no communication occurs between client and the proxmark. I tried setting diff baud rates, it did not help.
Next I’ve decided to compare if there is a diff between the first and the second reconnect - when it works and when it doesn’t. Going to system information I’ve found the following:

Connected:
PM3_RDV4.0:
Address: 00:21:08:35:24:CB
RSSI: -74
Services: 0x800000 < ACL >

Connected:
PM3_RDV4.0:
Address: 00:21:08:35:24:CB
RSSI: -74
Services: 0x802000 < Braille ACL >

I have no damn idea what Braille ACL is, bluetoothd logs look relatively fine. I’ve decided to take a look around and see if other people share the same pain, and here comes the surprise. Various folks on reddit are commenting that a bunch of hw, like bt mice, kbds, speakers etc., are mishandled by the bt driver and are also discovered as the same service.
The cherry on top is that since mac os is maintained by apple and it’s a closed system, they may fix this mess next decade or never.
I do have an el capitan mac, and I might try with it. In theory it should work since it doesn’t have the new improved driver, but that’s not what I am trying to achieve here. Another workaround would be to scrap apple os completely, dualboot a linux and f em.

3 Likes
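
The comparison described in the post above (same device address, different `Services` value between the working and non-working connection) can be automated. This is an added example, not part of either post or of the Proxmark3 project; it assumes the snapshots are saved as text in the layout the post pasted, and the names `parse_devices` and `diff_services` are hypothetical.

```python
import re

# Constructed from the two System Information snapshots quoted in the post
# (first: working pairing; second: after the add-on was power-cycled).
TEMPLATE = "Connected:\nPM3_RDV4.0:\nAddress: 00:21:08:35:24:CB\nRSSI: -74\nServices: {}\n"
SNAPSHOT_WORKING = TEMPLATE.format("0x800000 < ACL >")
SNAPSHOT_BROKEN = TEMPLATE.format("0x802000 < Braille ACL >")

ADDRESS_RE = re.compile(r"Address:\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
SERVICES_RE = re.compile(r"Services:\s*(0x[0-9A-Fa-f]+)\s*<([^>]*)>")


def parse_devices(text):
    """Return {address: (service_mask, set_of_labels)} for each device block."""
    devices, address = {}, None
    for line in text.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            address = m.group(1).upper()
            continue
        m = SERVICES_RE.match(line.strip())
        if m and address:
            # Pair the Services line with the most recent Address line.
            devices[address] = (int(m.group(1), 16), set(m.group(2).split()))
            address = None
    return devices


def diff_services(before_text, after_text):
    """Report, per address seen in both snapshots, which service bits changed."""
    before, after = parse_devices(before_text), parse_devices(after_text)
    changes = {}
    for addr in sorted(before.keys() & after.keys()):
        (mask_a, labels_a), (mask_b, labels_b) = before[addr], after[addr]
        if mask_a != mask_b or labels_a != labels_b:
            changes[addr] = {
                "bits_added": mask_b & ~mask_a,
                "bits_removed": mask_a & ~mask_b,
                "labels_added": sorted(labels_b - labels_a),
                "labels_removed": sorted(labels_a - labels_b),
            }
    return changes


if __name__ == "__main__":
    for addr, c in diff_services(SNAPSHOT_WORKING, SNAPSHOT_BROKEN).items():
        print(addr, hex(c["bits_added"]), c["labels_added"])
```

Run against a snapshot taken right after first pairing and another taken after each reconnect, it shows whether the extra service bit appears every time the link stops carrying data.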