search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix overwriting return value in one case
[RRG-proxmark3.git] / doc / ext_flash_notes.md
blob96b968bc7d2c429aec92d1046f50c125e6d8a2eb
1 # External flash
2 <a id="Top"></a>
3
4 External 256kbytes flash is a unique feature of the RDV4 edition.
5
6 # Table of Contents
7 - [External flash](#external-flash)
8 - [Table of Contents](#table-of-contents)
9   - [Addresses](#addresses)
10   - [Layout](#layout)
11   - [Page3 Layout](#page3-layout)
12   - [RSA signature](#rsa-signature)
13 - [backup first!](#backup-first)
14
15
16
17 ## Addresses
18 ^[Top](#top)
19
20 Flash memory is
21
22 * 256KB (0x40000= 262144)
23 * divided into 4 pages of 64KB (0x10000 = 65536)
24 * 4 pages divided into 16 sectors of 4KB (0x1000 = 4096), so last sector is at 0x3F000
25
26 Therefore a flash address can be interpreted as such:
27 ```
28 0xPSxxx       e.g. 0x3FF7F
29   ^ page             ^ page 3
30    ^ sector           ^ sector 0xF
31     ^^^ offset         ^^^ offset 0xF7F
32 ```
33
34 ## Layout
35 ^[Top](#top)
36
37 Page 0:
38 * available for user data
39 * to dump it: `mem dump f page0_dump o 0 l 65536`
40 * to erase it: `mem wipe p 0`
41
42 Page 1:
43 * available for user data
44 * to dump it: `mem dump f page1_dump o 65536 l 65536`
45 * to erase it: `mem wipe p 1`
46
47 Page 2:
48 * available for user data
49 * to dump it: `mem dump f page2_dump o 131072 l 65536`
50 * to erase it: `mem wipe p 2`
51
52 Page 3:
53 * used by Proxmark3 RDV4 specific functions: flash signature and keys dictionaries, see below for details
54 * to dump it: `mem dump f page3_dump o 196608 l 65536`
55 * to erase it:
56   * **Beware** it will erase your flash signature so better to back it up first as you won't be able to regenerate it by yourself!
57   * edit the source code to enable Page 3 as a valid input in the `mem wipe` command.
58   * Updating keys dictionaries doesn't require to erase page 3.
59
60 ## Page3 Layout
61 ^[Top](#top)
62
63 Page3 is used as follows by the Proxmark3 RDV4 firmware:
64
65 * **MF_KEYS**
66   * offset: page 3 sector  9 (0x9) @ 3*0x10000+9*0x1000=0x39000
67   * length: 2 sectors
68
69 * **ICLASS_KEYS**
70   * offset: page 3 sector 11 (0xB) @ 3*0x10000+11*0x1000=0x3B000
71   * length: 1 sector
72
73 * **T55XX_KEYS**
74   * offset: page 3 sector 12 (0xC) @ 3*0x10000+12*0x1000=0x3C000
75   * length: 1 sector
76
77 * **T55XX_CONFIG**
78   * offset: page 3 sector 13 (0xD) @ 3*0x10000+13*0x1000=0x3D000
79   * length: 1 sector (actually only a few bytes are used to store `t55xx_config` structure)
80
81 * **RSA SIGNATURE**, see below for details
82   * offset: page 3 sector 15 (0xF) offset 0xF7F @ 3*0x10000+15*0x1000+0xF7F=0x3FF7F  (decimal 262015)
83   * length: 128 bytes
84   * offset should have been 0x3FF80 but historically it's one byte off and therefore the last byte of the flash is unused
85
86 ## RSA signature
87 ^[Top](#top)
88
89 To ensure your Proxmark3 RDV4 is not a counterfeit product, its external flash contains a RSA signature of the flash unique ID.
90 You can verify it with: `mem info`
91
92
93 Here below is a sample output of a RDV4 device.
94 ```
95 [usb] pm3 --> mem info                                                
96                                                                       
97 [=] --- Flash memory Information ---------                            
98 [=] ID................... 25AD99A782A867D5                            
99 [=] SHA1................. 67C3B9BA2FA90AD4B283926B70017066C082C156    
100 [+] Signature............ ( ok )                                      
101                                                                       
102 [=] --- RDV4 RSA signature ---------------                            
103 [=]  C7C7DF7FA3A2391A2B36E97D227C746ED8BB475E8766F54A13BAA9AAB29299BE 
104 [=]  37546AACCC29157ABF8AFBF3A1CFB24275442D565F7E996C6B08090528ADE25E 
105 [=]  ED1498E3089C72C68348D83CBD13F1247327BDBC9D75B09ECE3E051E19FE19BB 
106 [=]  98CB038757F2EDFD2DC5060D05C3296BC19A6F768290D555DFD50407E0E13A70 
107                                                                       
108 [=] --- RDV4 RSA Public key --------------                            
109 [=] Len.................. 128                                         
110 [=] Exponent............. 010001                                      
111 [=] Public key modulus N                                              
112 [=]  E28D809BF323171D11D1ACA4C32A5B7E0A8974FD171E75AD120D60E9B76968FF 
113 [=]  4B0A6364AE50583F9555B8EE1A725F279E949246DF0EFCE4C02B9F3ACDCC623F 
114 [=]  9337F21C0C066FFB703D8BFCB5067F309E056772096642C2B1A8F50305D5EC33 
115 [=]  DB7FB5A3C8AC42EB635AE3C148C910750ABAA280CE82DC2F180F49F30A1393B5 
116                                                                       
117 [+] RSA public key validation.... ( ok )                              
118 [+] RSA private key validation... ( ok )                              
119 [+] RSA verification..... ( ok )                                      
120 [+] Genuine Proxmark3 RDV4 signature detected                         
121 ```
122
123 # backup first!
124 ^[Top](#top)
125
126 To make a backup of the signature to file:
127
128 `mem dump -f flash_signature_dump -o 262015 -l 128`
129
Proxmark3 - the RFID research Swiss army knife. Iceman firmware