dandri/proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2026-03-29 04:09:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
proxmark3/doc/ext_flash_notes.md
iceman1001 03f4f06a3c text
2025-09-25 21:29:50 +02:00

5.4 KiB
Raw Permalink Blame History

External flash

External 256kbytes flash is a unique feature of the RDV4 edition.

Table of Contents

Addresses

^Top

Flash memory is

  • 256KB (0x40000 = 262144)
  • divided into 4 pages of 64KB (0x10000 = 65536)
  • 4 pages divided into 16 sectors of 4KB (0x1000 = 4096), so last sector is at 0x3F000

Therefore a flash address can be interpreted as such:

0xPSxxx       e.g. 0x3FF7F
  ^ page             ^ page 3
   ^ sector           ^ sector 0xF
    ^^^ offset         ^^^ offset 0xF7F

Please note that for other flash memory sizes than 256KB a "Page 3" will be the last page of the memory, and address offsets would be dependant on the memory size.

Layout

^Top

Page 0:

  • available for user data
  • to dump it: mem dump -f page0_dump -o 0 -l 65536
  • to erase it: mem wipe -p 0

Page 1:

  • available for user data
  • to dump it: mem dump -f page1_dump -o 65536 -l 65536
  • to erase it: mem wipe -p 1

Page 2:

  • available for user data
  • to dump it: mem dump -f page2_dump -o 131072 -l 65536
  • to erase it: mem wipe -p 2

Page 3 (or the last page for memories other than 256KB):

  • used by Proxmark3 RDV4 specific functions: flash signature, see below for details
  • to dump it: mem dump -f page3_dump -o 196608 -l 65536
  • to erase it:
    • Beware it will erase your flash signature so better to back it up first as you won't be able to regenerate it by yourself!
    • edit the source code to enable Page 3 as a valid input in the mem wipe command.
    • Updating keys dictionaries doesn't require to erase page 3.

Page3 Layout

^Top

Page3 (or the last page for memories other than 256KB) is used as follows by the Proxmark3 RDV4 firmware:

  • RSA SIGNATURE, see below for details

    • offset: page 3 sector 15 (0xF) offset 0xF7F @ 30x10000+150x1000+0xF7F=0x3FF7F (decimal 262015)
    • length: 128 bytes
    • offset should have been 0x3FF80 but historically it's one byte off and therefore the last byte of the flash is unused

  • Reserved for future use

    • offset: page 3 sector 14 (0xE)

  • SPIFFS sectors

    • offset: page 3 sectors 13..0 (0xD..0x0)

RSA signature

^Top

To ensure your Proxmark3 RDV4 is not a counterfeit product, its external flash contains a RSA signature of the flash unique ID. You can verify it with: mem info

Here below is a sample output of a RDV4 device.

[usb] pm3 --> mem info                                                
                                                                      
[=] --- Flash memory Information ---------                            
[=] ID................... 25AD99A782A867D5                            
[=] SHA1................. 67C3B9BA2FA90AD4B283926B70017066C082C156    
[+] Signature............ ( ok )                                      
                                                                      
[=] --- RDV4 RSA signature ---------------                            
[=]  C7C7DF7FA3A2391A2B36E97D227C746ED8BB475E8766F54A13BAA9AAB29299BE 
[=]  37546AACCC29157ABF8AFBF3A1CFB24275442D565F7E996C6B08090528ADE25E 
[=]  ED1498E3089C72C68348D83CBD13F1247327BDBC9D75B09ECE3E051E19FE19BB 
[=]  98CB038757F2EDFD2DC5060D05C3296BC19A6F768290D555DFD50407E0E13A70 
                                                                      
[=] --- RDV4 RSA Public key --------------                            
[=] Len.................. 128                                         
[=] Exponent............. 010001                                      
[=] Public key modulus N                                              
[=]  E28D809BF323171D11D1ACA4C32A5B7E0A8974FD171E75AD120D60E9B76968FF 
[=]  4B0A6364AE50583F9555B8EE1A725F279E949246DF0EFCE4C02B9F3ACDCC623F 
[=]  9337F21C0C066FFB703D8BFCB5067F309E056772096642C2B1A8F50305D5EC33 
[=]  DB7FB5A3C8AC42EB635AE3C148C910750ABAA280CE82DC2F180F49F30A1393B5 
                                                                      
[+] RSA public key validation.... ( ok )                              
[+] RSA private key validation... ( ok )                              
[+] RSA verification..... ( ok )                                      
[+] Genuine Proxmark3 RDV4 signature detected

backup first!

^Top

To make a backup of the signature to file:

mem dump -f flash_signature_dump -o 262015 -l 128

generate a signature

^Top

With the latest addition of a client/resources/pm3_generic_private_key.pem file anyone with a modified Proxmark3 device with SPI eeprom now can add a self signed signature.

To verify the private key pem file

cd client/resources/
sha512sum -c pm3_generic_private_key.sha512.txt

pm3_generic_private_key.pem: OK

Looking at current SPI eeprom information, run

mem info
mem info -v

Create a signature using the new generic private key, run

mem info -s -p client/resources/pm3_generic_private_key.pem

Create a signature using the new generic private key and write it to the Proxmark3 device, run DANGEROUS This will overwrite any current signature. Make sure you backup your current signature before by following instructions: backup first!

mem info -s -p client/resources/pm3_generic_private_key.pem -w
Reference in New Issue View Git Blame Copy Permalink