Proxmark3 RDV 4

So… I got a Proxmark3 RDV 4 for Christmas.  It’s great.  It’s tiny, svelte, and… had a bunch of errors right out of the box.  Naturally that means it’s time to reflash it, but as it turns out the default wiki instructions for Kali Linux aren’t quite right for the RDV 4 now.  Let’s fix that, shall we?

To start off, I’m using the DEFCON 26 Hardware Hacking Village (HHV) base version of Kali Linux, modified to use the rolling repos.  In other words, I’m basically using a current version of Kali.  Everything is patched and current as of today (December 25, 2018).

Adding Dependencies

This part actually starts the same as the default instructions:

apt-get install git build-essential libreadline5 libreadline-dev gcc-arm-none-eabi libusb-0.1-4 libusb-dev libqt4-dev ncurses-dev perl pkg-config

But then we have to fix something that gets all bolloxed up because Kali includes modemmanager by default, which makes updating the firmware… painful.

apt-get remove modemmanager

Ah, that’s better now. If you don’t kill the evil modemmanager your device will never quite enumerate. You’ll just get caught in a fun loop where you see “new full-speed USB device number {NUMBER} using xhci_hcd” every 5 to 20 seconds over and over again.
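
To tell that loop apart from a one-off reconnect, here is a small check over kernel log text. It is an added example, not part of the original post or the Proxmark3 project; the function names, the thresholds (3 attempts, 30 seconds) and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the USB re-enumeration loop in kernel log text.

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG='[  101.10] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  109.42] usb 1-2: new full-speed USB device number 6 using xhci_hcd
[  121.87] usb 1-2: new full-speed USB device number 7 using xhci_hcd
[  130.05] usb 1-3: new full-speed USB device number 8 using xhci_hcd'

# Read kernel log text on stdin and print "port count" for every USB port
# that re-enumerated at least $1 times in a row (default 3) with no more
# than $2 seconds between attempts (default 30).
enum_loop_ports() {
    awk -v min="${1:-3}" -v gap="${2:-30}" '
        /new full-speed USB device number [0-9]+ using xhci_hcd/ {
            if (!match($0, /\[ *[0-9]+\.[0-9]+\]/)) next
            ts = substr($0, RSTART + 1, RLENGTH - 2) + 0
            if (!match($0, /usb [0-9]+-[0-9.]+:/)) next
            port = substr($0, RSTART + 4, RLENGTH - 5)
            if ((port in last) && ts - last[port] <= gap) run[port]++
            else run[port] = 1
            last[port] = ts
            if (run[port] > best[port]) best[port] = run[port]
        }
        END { for (p in best) if (best[p] >= min) print p, best[p] }'
}

# Return 0 if the modemmanager package is installed (Debian/Kali).
modemmanager_installed() {
    dpkg-query -W -f='${Status}' modemmanager 2>/dev/null |
        grep -q 'install ok installed'
}

# Demo on the constructed sample; on a live system use: dmesg | enum_loop_ports
printf '%s\n' "$SAMPLE_LOG" | enum_loop_ports    # prints: 1-2 3
```

If a port shows up here and `modemmanager_installed` succeeds, remove the package as above before trying to flash.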

Okay, moving on. We’ll need the GitHub repo, but let’s use the dedicated repository for the RDV 4. The below is specific to my customizations, so just choose a location that works for you:

cd /hwhack/gitclones
git clone https://github.com/RfidResearchGroup/proxmark3.git
cd proxmark3
git pull

Building Everything

Next up, it’s time to build the firmware and client. We can do this quickly from the cloned Git repository:

cd /hwhack/gitclones/proxmark3
make clean
make all
cd /hwhack/gitclones/proxmark3/client
make

Updating Firmware

Now for the fun part. Type the following into your terminal but DO NOT PRESS ENTER AFTER THE FINAL COMMAND. Got it? Do NOT press enter. Just leave it hanging like a 2000 ballot chad in Florida.

cd /hwhack/gitclones/proxmark3/client
./flasher /dev/ttyACM0 -b ../bootrom/obj/bootrom.elf

Now, time to ignore what all of those bits of advice tell you. You’re not going to just hold the button in while it boots. You’re going to hold the button in continuously until you see success. This may take a minute or two, so if you feel the need for a good finger flexing and relaxation session… now’s the time.

Okay, digits all limber? Hold in the button, then connect the Proxmark to the computer via USB, and WHILE STILL HOLDING THE BUTTON DOWN press the enter key on that last command. Now wait until you see something like the following complete:

Loading ELF file ../bootrom/obj/bootrom.elf
Loading usable ELF segments:
0: V 0x00100000 P 0x00100000 (0x00000200->0x00000200) [R X] @0x94
1: V 0x00200000 P 0x00100200 (0x00000d48->0x00000d48) [R X] @0x298

[+] Waiting for Proxmark to appear on /dev/ttyACM0           
...........[=] UART Setting serial baudrate 460800
.Found 
Entering bootloader... 
(Press and release the button only to abort)
[+] Waiting for Proxmark to appear on /dev/ttyACM0           
......................[=] UART Setting serial baudrate 460800
. Found 

Flashing... 
Writing segments for file: ../bootrom/obj/bootrom.elf
 0x00100000..0x001001ff [0x200 / 1 blocks].OK 
 0x00100200..0x00100f47 [0xd48 / 7 blocks].......OK 

Resetting hardware... 
All done. 

Have a nice day!

Halfway there! Now prep the next command, and let’s all say it together… DON’T PRESS ENTER ON THE SECOND COMMAND.

cd /hwhack/gitclones/proxmark3/client
./flasher /dev/ttyACM0 ../armsrc/obj/fullimage.elf

Unplug the Proxmark and repeat the pattern of holding the button, plugging it in, hitting the enter key, and waiting until you see something like the following:

Loading ELF file ../armsrc/obj/fullimage.elf
Loading usable ELF segments:
0: V 0x00102000 P 0x00102000 (0x00037920->0x00037920) [R X] @0x94
1: V 0x00200000 P 0x00139920 (0x000012d8->0x000012d8) [RW ] @0x379b4
Note: Extending previous segment from 0x37920 to 0x38bf8 bytes

[+] Waiting for Proxmark to appear on /dev/ttyACM0           
[=] UART Setting serial baudrate 460800
.Found 

Flashing... 
Writing segments for file: ../armsrc/obj/fullimage.elf
 0x00102000..0x0013abf7 [0x38bf8 / 454 blocks]......................................................................................................................................................................................................................................................................................................................................................................................................................................................................OK 

Resetting hardware... 
All done. 

Have a nice day!

Of course, if you’re proper posh you should be able to do all this by just not letting go of the button at all, but I haven’t tested that myself.

Testing the Proxmark

At this point it’s just verifying that everything works (if you got errors, just try again). To do so we use the proxmark client and run some built-in checks:

cd /hwhack/gitclones/proxmark3/client
./proxmark3 /dev/ttyACM0 


██████╗ ███╗   ███╗ ████╗     ...iceman fork
██╔══██╗████╗ ████║   ══█║      ...dedicated to RDV40
██████╔╝██╔████╔██║ ████╔╝
██╔═══╝ ██║╚██╔╝██║   ══█║    iceman@icesql.net
██║     ██║ ╚═╝ ██║ ████╔╝  https://github.com/iceman1001/proxmark3
╚═╝     ╚═╝     ╚═╝ ╚═══╝ pre v4.0

Keep iceman fork alive with a donation!           https://paypal.me/iceman1001/
MONERO: 43mNJLpgBVaTvyZmX9ajcohpvVkaRy1kbZPm8tqAb7itZgfuYecgkRF36rXrKFUkwEGeZedPsASRxgv4HPBHvJwyJdyvQuP


[=] UART Setting serial baudrate 460800

Proxmark3 RFID instrument
          

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/ab9048f7 2018-12-26 01:07:24
      os: iceman/master/ab9048f7 2018-12-26 01:07:26

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 240632 bytes (46%) Free: 283656 bytes (54%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory          

          
pm3 --> hw status
#db# Memory          
#db#   BIGBUF_SIZE.............40000          
#db#   Available memory........40000          
#db# Tracing          
#db#   tracing ................1          
#db#   traceLen ...............0          
#db# Currently loaded FPGA image          
#db#   mode.................... HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          
#db# Flash memory          
#db#   Baudrate................24MHz          
#db#   Init....................OK          
#db#   Memory size.............2 mbits / 256kb          
#db#   Unique ID...............0xffffffffffffffff          
#db# Smart card module (ISO 7816)          
#db#   version.................v2.06          
#db# LF Sampling config          
#db#   [q] divisor.............95 (125 KHz)          
#db#   [b] bps.................8          
#db#   [d] decimation..........1          
#db#   [a] averaging...........Yes          
#db#   [t] trigger threshold...0          
#db# LF T55XX config          
#db#   [a] startgap............29*8 (232)          
#db#   [b] writegap............17*8 (136)          
#db#   [c] write_0.............15*8 (120)          
#db#   [d] write_1.............47*8 (376)          
#db#   [e] readgap.............15*8 (120)          
#db# USB Speed          
#db#   Sending USB packets to client...          
Status command failed. USB Speed Test timed out          
#db#   Time elapsed............1500ms          
#db#   Bytes transferred.......815616          
#db#   USB Transfer Speed PM3 -> Client = 543744 Bytes/s          
#db# Various          
#db#   MF_DBGLEVEL.............1          
#db#   ToSendMax...............-1          
#db#   ToSendBit...............0          
#db#   ToSend BUFFERSIZE.......2308          
#db# Installed StandAlone Mode          
#db#    LF HID26 standalone - aka SamyRun (Samy Kamkar)          
pm3 --> hw version

Proxmark3 RFID instrument
          

 [ CLIENT ]          
 client: iceman build for RDV40 with flashmem; smartcard;  
          
 [ ARM ]
 bootrom: iceman/master/ab9048f7 2018-12-26 01:07:24
      os: iceman/master/ab9048f7 2018-12-26 01:07:26

 [ FPGA ]
 LF image built for 2s30vq100 on 2018/ 9/ 8 at 13:57:51
 HF image built for 2s30vq100 on 2018/ 9/ 3 at 21:40:23          

 [ Hardware ]           
  --= uC: AT91SAM7S512 Rev B          
  --= Embedded Processor: ARM7TDMI          
  --= Nonvolatile Program Memory Size: 512K bytes, Used: 240632 bytes (46%) Free: 283656 bytes (54%)          
  --= Second Nonvolatile Program Memory Size: None          
  --= Internal SRAM Size: 64K bytes          
  --= Architecture Identifier: AT91SAM7Sxx Series          
  --= Nonvolatile Program Memory Type: Embedded Flash Memory          

          
pm3 --> hw tune
          
[=] measuring antenna characteristics, please wait...
          
....
          
[+] LF antenna: 72.94 V - 125.00 kHz          
[+] LF antenna: 39.23 V - 134.00 kHz          
[+] LF optimal: 72.94 V - 125.00 kHz          
[+] LF antenna is OK  
          
[+] HF antenna: 44.89 V - 13.56 MHz          
[+] HF antenna is OK           
          
[+] Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
          
pm3 --> quit
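
Because the bootrom and the full image are flashed in two separate passes, it is worth confirming that both [ ARM ] lines of `hw version` report the same build. The check below is an added example, not part of the original post or the Proxmark3 project; the function names and the half-flashed sample are made up for illustration, and it assumes the last part of the version string (ab9048f7 above) is the abbreviated git commit the image was built from.

```shell
#!/bin/sh
# Added example: check `hw version` output after the two-pass flash.

# The [ ARM ] lines as printed in the session above.
SAMPLE_HW_VERSION=' [ ARM ]
 bootrom: iceman/master/ab9048f7 2018-12-26 01:07:24
      os: iceman/master/ab9048f7 2018-12-26 01:07:26'

# Constructed sample: bootrom pass succeeded, full-image pass did not.
HALF_FLASHED=' [ ARM ]
 bootrom: iceman/master/ab9048f7 2018-12-26 01:07:24
      os: iceman/master/0123abcd 2018-11-02 10:00:00'

# Print the build id (last "/"-separated part of the version string) for
# image $1 ("bootrom" or "os"), reading `hw version` output on stdin.
# Assumption: that last part is the abbreviated git commit.
image_build_id() {
    awk -v img="$1:" '$1 == img { n = split($2, part, "/"); print part[n]; exit }'
}

# Return 0 only if bootrom and os carry the same build id and, when $2 is
# given, that id equals $2. $1 is the captured `hw version` text.
flash_is_consistent() {
    boot=$(printf '%s\n' "$1" | image_build_id bootrom)
    os=$(printf '%s\n' "$1" | image_build_id os)
    [ -n "$boot" ] && [ "$boot" = "$os" ] || return 1
    [ -z "$2" ] || [ "$boot" = "$2" ]
}

# Demo on the samples. On a live system, pass the captured client output and
# "$(git -C /hwhack/gitclones/proxmark3 rev-parse --short=8 HEAD)".
if flash_is_consistent "$SAMPLE_HW_VERSION" ab9048f7; then
    echo "bootrom and os both report ab9048f7"
fi
if ! flash_is_consistent "$HALF_FLASHED"; then
    echo "bootrom and os differ: repeat the fullimage.elf flash"
fi
```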

And with that, you’re ready to go. Good hunting. 🙂
