proxmark3/doc/ext_flash_notes.md
2019-07-17 21:11:34 +02:00

External flash

The external 256 kbytes flash is a feature unique to the RDV4 edition.

Addresses

The flash memory is:

  • 256kb (0x40000 = 262144 bytes)
  • divided into 4 pages of 64kb (0x10000 = 65536 bytes)
  • each page is divided into 16 sectors of 4kb (0x1000 = 4096 bytes), so the last sector is at 0x3F000

Therefore a flash address can be interpreted as such:

0xPSxxx       e.g. 0x3FF7F
  ^ page             ^ page 3
   ^ sector           ^ sector 0xF
    ^^^ offset         ^^^ offset 0xF7F

Layout

Page 0:

  • available for user data
  • to dump it: mem dump f page0_dump o 0 l 65536
  • to erase it: mem wipe p 0

Page 1:

  • available for user data
  • to dump it: mem dump f page1_dump o 65536 l 65536
  • to erase it: mem wipe p 1

Page 2:

  • available for user data
  • to dump it: mem dump f page2_dump o 131072 l 65536
  • to erase it: mem wipe p 2

Page 3:

  • used by Proxmark3 RDV4 specific functions: flash signature and keys dictionaries, see below for details
  • to dump it: mem dump f page3_dump o 196608 l 65536
  • to erase it:
    • Beware: erasing it will erase your flash signature (see below), so back it up first, as you won't be able to regenerate it yourself!
    • It's possible to erase page 3 completely by erasing the entire flash memory with the voluntarily undocumented command mem wipe i.
    • Updating the keys dictionaries doesn't require erasing page 3.

Page3 Layout

Page3 is used as follows by the Proxmark3 RDV4 firmware:

  • MF_KEYS

    • offset: page 3 sector 9 (0x9) @ 3*0x10000+9*0x1000=0x39000
    • length: 2 sectors
  • ICLASS_KEYS

    • offset: page 3 sector 11 (0xB) @ 3*0x10000+11*0x1000=0x3B000
    • length: 1 sector
  • T55XX_KEYS

    • offset: page 3 sector 12 (0xC) @ 3*0x10000+12*0x1000=0x3C000
    • length: 1 sector
  • T55XX_CONFIG

    • offset: page 3 sector 13 (0xD) @ 3*0x10000+13*0x1000=0x3D000
    • length: 1 sector (actually only a few bytes are used to store the t55xx_config structure)
  • RSA SIGNATURE, see below for details

    • offset: page 3 sector 15 (0xF) offset 0xF7F @ 3*0x10000+15*0x1000+0xF7F=0x3FF7F
    • length: 128 bytes
    • offset should have been 0x3FF80 but historically it's one byte off and therefore the last byte of the flash is unused

RSA signature

To ensure your Proxmark3 RDV4 is not a counterfeit product, its external flash contains an RSA signature of the flash unique ID. You can verify it with: mem info

[usb] pm3 --> mem info
          
[=] --- Flash memory Information ---------
          
[=] -------------------------------------------------------------          
[=] ID            | xx xx xx xx xx xx xx xx           
[=] SHA1          | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx           
[=] RSA SIGNATURE |          
[00] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 
[01] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 
[02] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 
[03] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx 
[=] KEY length   | 128          
[+] RSA key validation ok          
[+] RSA Verification ok          

For a backup of the signature: mem dump p f flash_signature_dump o 262015 l 128
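
Added example, not part of the Proxmark3 documentation or code: a Python check that a signature backup taken with the command above matches the signature bytes in a page 3 dump, to run before page 3 is erased. It assumes both dumps are raw binary files read into bytes, that the page 3 dump starts at flash address 0x30000, and that erased flash reads as 0xFF; all function and constant names are chosen for this example.

```python
# Layout constants from the notes above; names are this example's own.
PAGE_SIZE = 0x10000     # 64 KiB per page
SECTOR_SIZE = 0x1000    # 4 KiB per sector
FLASH_SIZE = 0x40000    # 4 pages

# name -> (absolute offset, length in bytes), from the "Page3 Layout" list
PAGE3_REGIONS = {
    "MF_KEYS":       (0x39000, 2 * SECTOR_SIZE),
    "ICLASS_KEYS":   (0x3B000, SECTOR_SIZE),
    "T55XX_KEYS":    (0x3C000, SECTOR_SIZE),
    "T55XX_CONFIG":  (0x3D000, SECTOR_SIZE),
    "RSA_SIGNATURE": (0x3FF7F, 128),
}


def split_address(addr):
    """Decode a flash address 0xPSxxx into (page, sector, offset)."""
    if not 0 <= addr < FLASH_SIZE:
        raise ValueError(f"address {addr:#x} is outside the 256 KiB flash")
    return addr >> 16, (addr >> 12) & 0xF, addr & 0xFFF


def region_from_dump(dump, name, dump_base=0x30000):
    """Slice a named region out of a dump that starts at flash address dump_base."""
    start, length = PAGE3_REGIONS[name]
    lo = start - dump_base
    if lo < 0 or lo + length > len(dump):
        raise ValueError(f"dump does not cover {name}")
    return dump[lo:lo + length]


def check_signature_backup(page3_dump, signature_dump):
    """Return a list of problems; empty means the backup looks usable (assumes raw dumps)."""
    problems = []
    if len(signature_dump) != 128:
        problems.append("signature backup is not 128 bytes")
    if all(b == 0xFF for b in signature_dump):
        problems.append("signature backup is blank (erased flash reads 0xFF)")
    if region_from_dump(page3_dump, "RSA_SIGNATURE") != signature_dump:
        problems.append("backup differs from the signature bytes in the page 3 dump")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not a real device dump.
    sig = bytes(range(128))
    page3 = bytearray(b"\xff" * PAGE_SIZE)
    page3[0xFF7F:0xFF7F + 128] = sig
    print(split_address(0x3FF7F), check_signature_backup(bytes(page3), sig))
```

An empty result only shows that the two dumps agree and are not blank; whether the signature itself is valid is what mem info reports.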