Proxmark3 community

#1 2018-04-17 17:19:14

homer2320776
Contributor
Registered: 2018-01-30
Posts: 7

Dead Proxmark3 Easy

Hey guys!

I currently have 2 of the Proxmark3 Easys from Elechouse, and one started acting up about a month ago. Both are running the latest firmware and software from Iceman's fork, but it started acting up before the flashing.

Proxmark3 RFID instrument

 [ ARM ]
 bootrom: iceman/master/ice_v3.1.0-790-ga968ea8c 2018-04-17 13:30:43
      os: iceman/master/ice_v3.1.0-790-ga968ea8c 2018-04-17 13:30:48
 [ FPGA ]
 LF image built for 2s30vq100 on 2017/10/25 at 19:50:50
 HF image built for 2s30vq100 on 2017/11/10 at 19:24:16

 [ Hardware ]
  --= uC: AT91SAM7S256 Rev D
  --= Embedded Processor: ARM7TDMI
  --= Nonvolatile Program Memory Size: 256K bytes, Used: 237702 bytes (91%) Free: 24442 bytes ( 9%)
  --= Second Nonvolatile Program Memory Size: None
  --= Internal SRAM Size: 64K bytes
  --= Architecture Identifier: AT91SAM7Sxx Series
  --= Nonvolatile Program Memory Type: Embedded Flash Memory

The issue is when I try to read anything, LF or HF, all I get back are empty responses:

pm3 --> lf read
#db# LF Sampling config:
#db#   [q] divisor.............95 (125 KHz)
#db#   [b] bps.................8
#db#   [d] decimation..........1
#db#   [a] averaging...........Yes
#db#   [t] trigger threshold...0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff ff ff ...
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
pm3 --> lf search
NOTE: some demods output possible binary
  if it finds something that looks like a tag

False Positives ARE possible

Checking for known tags:

Signal looks just like noise. Looking for Hitag signal now.
Waiting for a response from the proxmark...
You can cancel this operation by pressing the pm3 button
command execution time out

pm3 --> hf search

timeout while waiting for reply.
no known/supported 13.56 MHz tags found

The hardware information just in case it is needed:

pm3 --> hw tune

measuring antenna characteristics, please wait...
...
LF antenna: 23.65 V - 125.00 kHz
LF antenna: 17.00 V - 134.00 kHz
LF optimal: 25.35 V - 121.21 kHz
[+] LF antenna is OK

HF antenna: 25.78 V - 13.56 MHz
[+] HF antenna is OK

[+]  Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.

pm3 --> hw status
#db# Memory
#db#   BIGBUF_SIZE.............40000
#db#   Available memory........40000
#db# Tracing
#db#   tracing ................0
#db#   traceLen ...............162
#db# Fpga
#db#   mode....................HF
#db# Flash memory
#db#   init....................FAIL
#db# Smart card module (ISO 7816)
#db#   init....................OK
#db# LF Sampling config:
#db#   [q] divisor.............95 (125 KHz)
#db#   [b] bps.................8
#db#   [d] decimation..........1
#db#   [a] averaging...........Yes
#db#   [t] trigger threshold...0
#db# USB Speed:
#db#   Sending USB packets to client...
#db#   Time elapsed............1500ms
#db#   Bytes transferred.......761856
#db#   USB Transfer Speed PM3 -> Client = 507904 Bytes/s
#db# Various
#db#   MF_DBGLEVEL.............1
#db#   ToSendMax...............24
#db#   ToSendBit...............8
#db#   ToSend BUFFERSIZE.......2308
#db# Installed StandAlone Mods
#db#    LF HID26 standalone - aka SamyRun (Samy Kamkar)

Any help would be greatly appreciated!


#2 2018-04-17 18:15:37

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537

Re: Dead Proxmark3 Easy

Try the latest source from the official pm3 repo. It will give an indication if it's the device or firmware.


#3 2018-04-17 18:59:15

homer2320776
Contributor
Registered: 2018-01-30
Posts: 7

Re: Dead Proxmark3 Easy

Seems to do the same thing

proxmark3> hw ver
[[[ Cached information ]]]

Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:28
os: master/v3.0.1-361-ge069547-suspect 2018-04-03 11:12:31
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/10/27 at 08:30:59

uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 256K bytes. Used: 199639 bytes (76%). Free: 62505 bytes (24%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory

proxmark3> hw tune

Measuring antenna characteristics, please wait.........
# LF antenna: 21.04 V @   125.00 kHz
# LF antenna: 18.84 V @   134.00 kHz
# LF optimal: 21.04 V @   125.00 kHz
# HF antenna: 25.17 V @    13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.



proxmark3> hw status
#db# Memory
#db#   BIGBUF_SIZE.............40000
#db#   Available memory........40000
#db# Tracing
#db#   tracing ................1
#db#   traceLen ...............224
#db# Fgpa
#db#   mode....................HF
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# USB Speed:
#db#   Sending USB packets to client...
#db#   Time elapsed:      1500ms
#db#   Bytes transferred: 795136
#db#   USB Transfer Speed PM3 -> Client = 530090 Bytes/s
#db# Various
#db#   MF_DBGLEVEL......2
#db#   ToSendMax........13
#db#   ToSendBit........8
proxmark3> lf read
#db# LF Sampling config:
#db#   [q] divisor:           95
#db#   [b] bps:               8
#db#   [d] decimation:        1
#db#   [a] averaging:         1
#db#   [t] trigger threshold: 0
#db# Done, saved 40000 out of 40000 seen samples at 8 bits/sample
#db# buffer samples: ff ff ff ff ff ff ff ff ...
Reading 39999 bytes from device memory

Data fetched
Samples @ 8 bits/smpl, decimation 1:1
proxmark3> hf search


no known/supported 13.56 MHz tags found

A while back, when I first noticed this issue, I got frustrated and 'dropped' the device onto my desk. The percussive maintenance seemed to fix it for a short while, but I was never able to get it working again.

The newer device works flawlessly but I would like to get this one working as a backup, just in case.


#4 2018-08-26 19:37:14

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Dead Proxmark3 Easy

Strangely, I have a pm3-easy that has just begun showing a VERY similar problem. hw tune shows LF unusable at 0.42 V sometimes. Give it a few bashes on my hand and back to normal.

I'm thinking the oscillator maybe?


#5 2018-08-31 23:40:22

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Dead Proxmark3 Easy

Don't rule out the possibility of an antenna connector issue quite yet. Since it's tied to the screws on the pm3-easy, it's quite possible we're dealing with oxidation or corrosion, especially if we're dealing with dissimilar metals between the pads, the screws, and the spacers. It might be worth looking at the connection pads to see if they're discolored. If I do recall, plated connectors can be cleaned with something as simple as the pink eraser head from a #2 pencil.


#6 2018-09-01 02:53:09

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Dead Proxmark3 Easy

Potentially in some cases. But in my case I have cut the PCB in half and attached SMA connectors soldered to the board.


#7 2018-09-01 03:40:59

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Dead Proxmark3 Easy

All right. That does indeed rule out the screws or antenna pads.

My first thoughts are to check the connection points directly. If one of the soldered connections lifted from the trace, if the SMA connector was damaged, or if you have a cold solder joint, you could get some strange results like this.

Next, are you using the antenna that came with it (modified), or have you constructed your own? If the latter, have you verified that the antenna is the proper impedance to match the circuit? Something I haven't seen mentioned here or in the Proxmark3 specs (but is typically important in RF transmission) is SWR. If you had an antenna that is sufficiently mismatched, it could have damaged the output amplifier. Assuming that the PM3 Easy uses the exact same hardware as the PM3 open source schematic, that would be the ACT244 (IC9, IC10) or (hopefully only) one or more of the series resistors connected between it and the antenna coil.

If the connectors are solid and you have an alternative LF antenna you could test out, it might be worth seeing how it responds to that. I'd almost be tempted to carefully peel the adhesive backing from an old clamshell card, cut out the chip, and attach a pigtail to the coil leads for grins, failing anything else. I'm not sure how the impedance of the cut card's antenna would match up, but it would probably at least work in the short term to test and see if it's your antenna that's faulty.


#8 2018-09-11 03:05:32

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Dead Proxmark3 Easy

OK, so...

1. Entire board has been reflowed and still same issue - no loose connection anywhere...

2. I have about 50-60 different coils, as making custom coils is part of what I do for Dangerous Things / users of implantable RFID tech. They are all tuned to exact frequencies / measured inductances and all work on my RDV2 and RDV4 hardware... I also have original coils, yes, and it's the same problem with them.

3. I am 90% sure it's the crystal, as I can get the board to work by bashing it with the back of a screwdriver lol.


#9 2018-09-11 03:07:02

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Dead Proxmark3 Easy

4. Taking an antenna from a card / key-fob and trying to make it into a reader antenna WILL NOT WORK as the inductance will be way off. They usually use a LOT thinner gauge wire, and I think that you'd possibly burn out the coil with the output from your pm3.


#10 2018-09-11 04:22:52

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Dead Proxmark3 Easy

#3: Interesting. I suppose it is indeed possible, but I'd also have expected a similar impact on HF, were that the case. I suppose I should look more in depth at the oscillator and the FPGA tuning, as well as the bandwidth of the stock antennas. After all, if you've ruled out the other options, then what little remains has to be it.

#2, 4: All right. As mentioned, I haven't had a chance to run tests on the coils from a card. I figured it was probably a long shot as far as a viable long-term antenna goes, but I was hopeful that it was tuned well enough to work for a short duration if there weren't other options. Besides, I wasn't aware of your level of experience with antenna design. Good on you, BTW. I've been waiting on the time to develop a good, reliable antenna before getting mine implanted.


#11 2018-09-11 12:36:30

Tom5ive
Contributor
Registered: 2017-09-18
Posts: 53

Re: Dead Proxmark3 Easy

It's very interesting! Hoping to make some interesting things :)

Also a note about destroying the driver circuitry with the wrong antenna. If you read into some datasheets from original pm3 hardware and then try to find some newer ICs capable of similar functions that a hardware designer might likely use on something like the pm3-easy, you quickly come across statements in them like:

These devices are essentially immune to any form of
upset, except direct overvoltage or over-dissipation.
They cannot be latched under any conditions within
their power and voltage ratings. These parts are not
subject to damage or improper operation when up to
5V of ground bounce is present on their ground
terminals. They can accept, without damage or logic
upset, more than 1A inductive current of either polarity
being forced back into their outputs. In addition, all
terminals are fully protected against up to 4 kV of
electrostatic discharge.

Pm3 is a pretty sturdy piece of hardware my friend :)


#12 2018-09-11 12:51:56

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Dead Proxmark3 Easy

Well then, assuming the statements from the manufacturers are indeed true and the PM3 Easy is using a properly designed part, we can eliminate damaged drivers from the list as well. You're right. I don't see anywhere else we could look for a simple failure mode but the oscillator. Have you been able to measure the oscillator's frequency as confirmation of the issue?
