[RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

oSPANNERo · 2018-08-15 17:51:02

Good morning all,

So like any good n00b I think I have managed to put my RDV40 into an odd mode that I want to confirm requires a BusPirate or J-Link.

The short version is I was using the RDV40 specific fork from iceman's repo (https://github.com/iceman1001/proxmark3-1) and everything went well till I tried to flash the firmware and it hung on the 3rd operation. This resulted in the A and C light to be bright solid red but occasionally a quick flash to B and D. I tried a couple times to re-flash from this fork but the best I could get (holding the button when plugging in) was to get it to hang about the same place.

I then figured I would try to revert to the main repo firmware (https://github.com/Proxmark/proxmark3) and now A, B, C, and D are all a dim solid red and can't get it to be recognized at all. (The recognition may be my limited Linux skills.)

So... I am simply looking for confirmation that:
1) The current indicator lights imply that I am in a "bricked" state
2) my next step should be to proceed to recovery using the JTAG header
3) these instructions are the proper ones for the RDV40 (as they haven't been updated since Oct 30, 2017):
https://github.com/Proxmark/proxmark3/wiki/Debricking-Proxmark3-with-buspirate
https://github.com/Proxmark/proxmark3/wiki/De-Bricking-Segger
4) I should be using the firmware that comes with the main firmware

I *DO* have resources that can help me with any further analysis on my side if it would be helpful in any way, just not sure what I would engage them on at this point.

Thanks in advance!

Last edited by oSPANNERo (2018-08-15 22:37:56)

oSPANNERo · 2018-08-15 21:42:41

So it appears that the Iceman repo I was working with yesterday/this-morning is now gone... so going to speculate that I probably shouldn't have been using it in the first place. When I was playing with this in Vegas the RRG repo I was using is now gone also. So the remaining repos I can select from seem to be:

https://github.com/Proxmark/proxmark3
https://github.com/iceman1001/proxmark3
https://github.com/RfidResearchGroup/proxmark3

It appears (according to the GIT pages) the RRG one the "go to" for the RDV40 optimized code, correct? If so, should I use the unbricking procedure from the Proxmark Wiki page but the software/firmware from RRG repo or is there a new/different RDV40 specific unbricking procedure? (This is a slight change from #3 and #4 in my original post.)

Last edited by oSPANNERo (2018-08-16 12:37:01)

0xFFFF · 2018-08-16 08:04:18

n00b or not, it happens

This...
https://github.com/RfidResearchGroup/proxmark3
...is a fork of a fork specifically for the PM3RDV40. Unless you know what you're doing and you have a specific use case, I would advise using the RRG repo.

Your assumption is correct. The un-bricking procedure using a BusPirate or Segger J-Link remains the same.

Since you are a self proclaimed n00b I feel obligated to point out that you must use the same client and firmware versions.

oSPANNERo · 2018-08-16 12:40:12

Thank you very much for the confirmation and guidance @0xFFFF! I will move forward with recovering using the RRG Proxmark3 repo recovery files combined with the instructions from the Proxmark Proxmark3 repo.

Now as far as the leds, if all four red leds being dimly lit indicates its bricked... what did A and C being lit brightly mean? Was it in some partially recoverable mode? If I get to that same mode in the future, how does one address that state properly without going all the way down the BusPirate/J-Link path?

Last edited by oSPANNERo (2018-08-16 12:40:45)

0xFFFF · 2018-08-16 13:19:17

No probs.
I can't say for sure about A and C without more information and testing. If you can re-create the situation, that could help.

iceman · 2018-08-16 13:58:17

don't think dimly lit leds indicate anything. First thing I would say not enough power to the device.

For debugging purposes,
which OS are you on? MacOS ppl are having many issues with getting the usb enumeration. I have no clue to why.

Sorry, I had to drop the pm3rdv40 repo since it didn't get the commit history with it when I created it. (My bad git skills)
Now the repo is named: proxmark3 and the homebrew also works.

oSPANNERo · 2018-08-16 15:16:04

@0xFFFF:
Thanks for follow up. Basically the A and C lights were resulting from running the flasher from within the iceman/proxmark3-1 fork (now deprecated). According to my logs the flash succeeded for writing the segments for the bootrom.elf but then hung/failed writing the first segment of fullimage.elf. (https://ybin.me/p/674b250ae013abbf#7JvVWIRZtiU3h4eB8wNLQtWYeoJSBh+dvpuxh7UV8Ns=)

Then all four leds being dimly lit was a result of attempting to flash from proxmark/proxmark3 repo and it failing while writing the second segment of the bootrom.elf. (https://ybin.me/p/6c17d3bcdc31e265#9kkHA7nNgybWIunZTHZJkJ3PXiYaJEjucZnHHSxVwms=)

@iceman:
I have tried the RDV40 on two different computers across 6 different USB ports and all of them result in the dim leds. (One of the computers was able to write to my xEM implant prior to the apparent firmware flash failure.) I will try it with a straight 2.4a usb charger later to verify power availability is unrelated. As far as OS I was using during "the bricking" was an updated kali-rolling box. I have recently built a fresh Ubuntu Bionic Beaver that I will be attempting the recovery on.

##UPDATE## Once we successfully recovered the firmware, the dim LEDs went away so it did not appear to be a problem with insufficient power.

Last edited by oSPANNERo (2018-08-16 17:57:51)

iceman · 2018-08-16 15:43:52

aha, yup, MacOS and Kali users seem to have issues.

For some easyness of setting up the dev-env, the following scripts exists.

install.sh
update.sh
proxmark3.sh

they find the first proxmark enumeration and use it for operations. No need to look in dmesg log for clues.

There has been plenty of posts on how to jtag, or reading the wiki. Under tools/ you find some settings files for different devices.

iceman · 2018-08-16 15:45:25

Somewhere (don't remember where) on the forum or GH issue was about Kali settings that needed to be modified... hm..

oSPANNERo · 2018-08-16 15:53:26

Thanks @iceman. We are beating on the RDV40 with a buspirate right now (Firmware 6.1) using the Unbricking instructions from proxmark/proxmark3 wiki. Unfortunately it fails out when trying to use the at91sam7s512-buspirate.cfg. We are using OpenOCD 0.10 (installed using apt from the default 18.04 repos) It puking on line 30 stating the option "Varient" is an unknown. (Line 21 detects it.) We googled it and the only place the error message seems to show up is this post which doesn't appear to have ever had a documented resolution: http://www.proxmark.org/forum/viewtopic … 409#p27409

We are bashing on our side but if you have any insight we would be happy for it. Our initial thought is that we may need to compile it ourselves with buspirate support explicitly enabled.

Last edited by oSPANNERo (2018-08-16 16:07:22)

oSPANNERo · 2018-08-16 16:35:21

Just confirmed that the "variant" option was removed from the version in the RRG repo and the file allows OpenOCD to run but are now struggling with some timeouts and errors when doing the erases and writes.

Last edited by oSPANNERo (2018-08-16 16:40:23)

oSPANNERo · 2018-08-16 17:56:26

OK... back up and running after addressing some physical connection issues! (Those JTAG holes are very close together!)

Of note, at least for us, that attempting to flash the recovery bin (> flash write_image ./recovery/proxmark3_recovery.bin 0x100000) would consistently fail but doing the two elf files instead worked fine.

Perhaps this and the "variant" option called out in the BusPirate Unbricking wiki entry should be considered for removal if there is ever a new RDV40 specific un-bricking section?

Please let me know if I can provide any more information. It feels like "early adopter tax" combined with "n00b tax" is the RCA but I appreciate the assistance.

Proxmark3 community

Announcement

#1 2018-08-15 17:51:02

[RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#2 2018-08-15 21:42:41

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#3 2018-08-16 08:04:18

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#4 2018-08-16 12:40:12

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#5 2018-08-16 13:19:17

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#6 2018-08-16 13:58:17

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#7 2018-08-16 15:16:04

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#8 2018-08-16 15:43:52

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#9 2018-08-16 15:45:25

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#10 2018-08-16 15:53:26

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#11 2018-08-16 16:35:21

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

#12 2018-08-16 17:56:26

Re: [RDV4]Picked up a PM3RDV40 at DEFCON and possibly bricked it

Board footer