mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2025-01-07 08:38:35 +08:00
95 lines
3.3 KiB
Markdown
# External flash

The external 256kbytes flash is a unique feature of the RDV4 edition.

## Addresses

Flash memory is

* 256kb (0x40000 = 262144)
* divided into 4 pages of 64kb (0x10000 = 65536)
* each page divided into 16 sectors of 4kb (0x1000 = 4096), so the last sector is at 0x3F000

A flash address can therefore be interpreted as follows:

```
0xPSxxx       e.g. 0x3FF7F
  ^ page             ^ page 3
   ^ sector           ^ sector 0xF
    ^^^ offset         ^^^ offset 0xF7F
```

## Layout

Page 0:

* available for user data
* to dump it: `mem dump f page0_dump o 0 l 65536`
* to erase it: `mem wipe p 0`

Page 1:

* available for user data
* to dump it: `mem dump f page1_dump o 65536 l 65536`
* to erase it: `mem wipe p 1`

Page 2:

* available for user data
* to dump it: `mem dump f page2_dump o 131072 l 65536`
* to erase it: `mem wipe p 2`

Page 3:

* used by Proxmark3 RDV4 specific functions: flash signature and keys dictionaries, see below for details
* to dump it: `mem dump f page3_dump o 196608 l 65536`
* to erase it:
  * **Beware**: erasing it will erase your flash signature (see below), so back it up first, as you won't be able to regenerate it yourself!
  * It's possible to completely erase page 3 by erasing the entire flash memory with the deliberately undocumented command `mem wipe i`.
  * Updating keys dictionaries doesn't require erasing page 3.

## Page3 Layout

Page3 is used as follows by the Proxmark3 RDV4 firmware:

* **MF_KEYS**
  * offset: page 3 sector 9 (0x9) @ 3*0x10000+9*0x1000=0x39000
  * length: 2 sectors

* **ICLASS_KEYS**
  * offset: page 3 sector 11 (0xB) @ 3*0x10000+11*0x1000=0x3B000
  * length: 1 sector

* **T55XX_KEYS**
  * offset: page 3 sector 12 (0xC) @ 3*0x10000+12*0x1000=0x3C000
  * length: 1 sector

* **T55XX_CONFIG**
  * offset: page 3 sector 13 (0xD) @ 3*0x10000+13*0x1000=0x3D000
  * length: 1 sector (actually only a few bytes are used to store `t55xx_config` structure)

* **RSA SIGNATURE**, see below for details
  * offset: page 3 sector 15 (0xF) offset 0xF7F @ 3*0x10000+15*0x1000+0xF7F=0x3FF7F
  * length: 128 bytes
  * offset should have been 0x3FF80 but historically it's one byte off and therefore the last byte of the flash is unused

## RSA signature

To ensure your Proxmark3 RDV4 is not a counterfeit product, its external flash contains an RSA signature of the flash unique ID.
You can verify it with: `mem info`

```
[usb] pm3 --> mem info

[=] --- Flash memory Information ---------

[=] -------------------------------------------------------------
[=] ID            | xx xx xx xx xx xx xx xx
[=] SHA1          | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[=] RSA SIGNATURE |
[00] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[01] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[02] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[03] | xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
[=] KEY length    | 128
[+] RSA key validation ok
[+] RSA Verification ok
```

To back up the signature: `mem dump p f flash_signature_dump o 262015 l 128`

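
The address scheme and page 3 layout above, as an added Python example (not Proxmark3 project code): it decodes an address into page/sector/offset, reports which page 3 regions a range overlaps before you erase or overwrite it, and extracts the signature bytes from a whole-flash dump. The function names, the file name argument and the assumption that erased flash reads back as 0xFF are this example's own.

```python
# Added example (not Proxmark3 project code): address arithmetic for the
# RDV4 external flash, using only the sizes and offsets listed on this page.
FLASH_SIZE = 0x40000   # whole flash
PAGE_SIZE = 0x10000    # 4 pages
SECTOR_SIZE = 0x1000   # 16 sectors per page

# (name, start address, length in bytes) from the "Page3 Layout" section.
PAGE3_REGIONS = [
    ("MF_KEYS", 0x39000, 2 * SECTOR_SIZE),
    ("ICLASS_KEYS", 0x3B000, SECTOR_SIZE),
    ("T55XX_KEYS", 0x3C000, SECTOR_SIZE),
    ("T55XX_CONFIG", 0x3D000, SECTOR_SIZE),
    ("RSA SIGNATURE", 0x3FF7F, 128),
]


def decode(addr):
    """Split a flash address 0xPSxxx into (page, sector, offset)."""
    if not 0 <= addr < FLASH_SIZE:
        raise ValueError(f"address {addr:#x} is outside the flash")
    return addr // PAGE_SIZE, (addr % PAGE_SIZE) // SECTOR_SIZE, addr % SECTOR_SIZE


def regions_touched(start, length):
    """Names of page 3 regions that overlap [start, start + length)."""
    end = start + length
    if length <= 0 or start < 0 or end > FLASH_SIZE:
        raise ValueError("range is empty or outside the flash")
    return [name for name, s, n in PAGE3_REGIONS if start < s + n and s < end]


def dump_command(filename, start, length):
    """Build a `mem dump` line in the syntax this page uses (decimal o and l)."""
    regions_touched(start, length)  # reuse the bounds check
    return f"mem dump f {filename} o {start} l {length}"


def signature_from_dump(full_dump):
    """Return the 128 signature bytes of a whole-flash dump, or None if erased."""
    if len(full_dump) != FLASH_SIZE:
        raise ValueError("expected a dump of the entire flash")
    _, start, length = PAGE3_REGIONS[-1]
    sig = bytes(full_dump[start:start + length])
    # Assumption: an erased flash region reads back as all 0xFF bytes.
    return None if sig == b"\xff" * length else sig


if __name__ == "__main__":
    print(decode(0x3FF7F), regions_touched(3 * PAGE_SIZE, PAGE_SIZE))
```

`regions_touched(0x3FFFF, 1)` returns an empty list, which reflects the unused last byte noted in the layout.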