Setting up the Blueshark PM3 module.
The Blueshark module is an add-on for the Proxmark3. It is pretty basic to install and very nice hardware: it features a rechargeable battery and Bluetooth, so the PM3 can be used without a cable.
So, start by turning on the PM3 and its Bluetooth. The LED should blink a slow blue. If it does, we're ready.
Start by checking whether Bluetooth is enabled on your Linux host. We do that with
systemctl status bluetooth
If it's turned off, your output will look like this. Note the inactive (dead) status in the output below.
root@xeon:/opt/proxmark3/client# systemctl status bluetooth
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:bluetoothd(8)
jan 06 18:30:14 xeon bluetoothd[8181]: Endpoint registered: sender=:1.30 path=/MediaEndpoint/A2DPSink/sbc
jan 06 18:30:14 xeon bluetoothd[8181]: Endpoint registered: sender=:1.30 path=/MediaEndpoint/A2DPSource/sbc
jan 06 18:45:14 xeon bluetoothd[8181]: Terminating
jan 06 18:45:14 xeon bluetoothd[8181]: Endpoint unregistered: sender=:1.30 path=/MediaEndpoint/A2DPSink/sbc
jan 06 18:45:14 xeon systemd[1]: Stopping Bluetooth service...
jan 06 18:45:14 xeon bluetoothd[8181]: Endpoint unregistered: sender=:1.30 path=/MediaEndpoint/A2DPSource/sbc
jan 06 18:45:14 xeon bluetoothd[8181]: Stopping SDP server
jan 06 18:45:14 xeon bluetoothd[8181]: Exit
jan 06 18:45:14 xeon systemd[1]: bluetooth.service: Succeeded.
jan 06 18:45:14 xeon systemd[1]: Stopped Bluetooth service.
Turn it on with
service bluetooth start
If it's okay, your output of systemctl status bluetooth should look like this.
root@xeon:/opt/proxmark3/client# systemctl status bluetooth
● bluetooth.service - Bluetooth service
Loaded: loaded (/lib/systemd/system/bluetooth.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2020-01-06 19:13:30 CET; 1s ago
Docs: man:bluetoothd(8)
Main PID: 9403 (bluetoothd)
Status: "Running"
Tasks: 1 (limit: 23867)
Memory: 1.2M
CGroup: /system.slice/bluetooth.service
└─9403 /usr/lib/bluetooth/bluetoothd
jan 06 19:13:30 xeon systemd[1]: Starting Bluetooth service...
jan 06 19:13:30 xeon bluetoothd[9403]: Bluetooth daemon 5.50
jan 06 19:13:30 xeon systemd[1]: Started Bluetooth service.
jan 06 19:13:30 xeon bluetoothd[9403]: Starting SDP server
jan 06 19:13:30 xeon bluetoothd[9403]: Bluetooth management interface 1.14 initialized
jan 06 19:13:30 xeon bluetoothd[9403]: Sap driver initialization failed.
jan 06 19:13:30 xeon bluetoothd[9403]: sap-server: Operation not permitted (1)
jan 06 19:13:30 xeon bluetoothd[9403]: Endpoint registered: sender=:1.30 path=/MediaEndpoint/A2DPSink/sbc
jan 06 19:13:30 xeon bluetoothd[9403]: Endpoint registered: sender=:1.30 path=/MediaEndpoint/A2DPSource/sbc
Let's move on to the Bluetooth and rfcomm setup. First we need to set up pairing, and for that we need to find the PM3. We can do that with
root@xeon:/opt/proxmark3/client# bluetoothctl
Agent registered
[bluetooth]#
Next, let's see which commands we need in order to pair. Try help
[bluetooth]# help
Menu main:
Available commands:
-------------------
advertise Advertise Options Submenu
scan Scan Options Submenu
gatt Generic Attribute Submenu
list List available controllers
show [ctrl] Controller information
select <ctrl> Select default controller
devices List available devices
paired-devices List paired devices
system-alias <name> Set controller alias
reset-alias Reset controller alias
power <on/off> Set controller power
pairable <on/off> Set controller pairable mode
discoverable <on/off> Set controller discoverable mode
agent <on/off/capability> Enable/disable agent with given capability
default-agent Set agent as the default one
advertise <on/off/type> Enable/disable advertising with given type
set-alias <alias> Set device alias
scan <on/off> Scan for devices
info [dev] Device information
pair [dev] Pair with device
trust [dev] Trust device
untrust [dev] Untrust device
block [dev] Block device
unblock [dev] Unblock device
remove <dev> Remove device
connect <dev> Connect device
disconnect [dev] Disconnect device
menu <name> Select submenu
version Display version
quit Quit program
exit Quit program
help Display help about this program
export Print evironment variables
[bluetooth]#
So, according to the help output, we can use scan. Let's try that, and see if we can find a PM3.
[bluetooth]# scan on
Discovery started
[CHG] Controller 00:15:83:4A:4E:C6 Discovering: yes
[NEW] Device 20:19:05:06:16:38 PM3_RDV4.0
[bluetooth]# scan off
[CHG] Device 20:19:05:06:16:38 RSSI is nil
[CHG] Controller 00:15:83:4A:4E:C6 Discovering: no
Discovery stopped
[bluetooth]#
We could. Note that the output lists a device called PM3_RDV4.0 with the Bluetooth address 20:19:05:06:16:38.
Let's hurry up and pair with it.
[bluetooth]# pair 20:19:05:06:16:38
Attempting to pair with 20:19:05:06:16:38
[CHG] Device 20:19:05:06:16:38 Connected: yes
Request PIN code
[agent] Enter PIN code: 1234
[CHG] Device 20:19:05:06:16:38 UUIDs: 00001101-0000-1000-8000-00805f9b34fb
[CHG] Device 20:19:05:06:16:38 ServicesResolved: yes
[CHG] Device 20:19:05:06:16:38 Paired: yes
Pairing successful
[CHG] Device 20:19:05:06:16:38 ServicesResolved: no
[CHG] Device 20:19:05:06:16:38 Connected: no
[bluetooth]#
Next, we need to set up a serial port with rfcomm. Let's see what the help output has to say about that.
root@xeon:/opt/proxmark3/client# rfcomm -help
RFCOMM configuration utility ver 5.50
Usage:
rfcomm [options] <command> <dev>
Options:
-i, --device [hciX|bdaddr] Local HCI device or BD Address
-h, --help Display help
-r, --raw Switch TTY into raw mode
-A, --auth Enable authentication
-E, --encrypt Enable encryption
-S, --secure Secure connection
-M, --master Become the master of a piconet
-L, --linger [seconds] Set linger timeout
-a Show all devices (default)
Commands:
bind <dev> <bdaddr> [channel] Bind device
release <dev> Release device
show <dev> Show device
connect <dev> <bdaddr> [channel] Connect device
listen <dev> [channel [cmd]] Listen
watch <dev> [channel [cmd]] Watch
So, it seems we can bind it to a serial device using rfcomm bind rfcomm0 <bluetooth address>. Let's try it.
root@xeon:/opt/proxmark3/client# rfcomm bind rfcomm0 20:19:05:06:16:38
root@xeon:/opt/proxmark3/client#
root@xeon:/opt/proxmark3/client# rfcomm
rfcomm0: 20:19:05:06:16:38 channel 1 clean
We check whether it worked by calling rfcomm without parameters. Here it did work: rfcomm0 is bound to the PM3's address on channel 1. So, the last step is connecting to it with
./proxmark3 /dev/rfcomm0
And you should see the output below.
[ Proxmark3 RFID instrument ]
[ CLIENT ]
client: RRG/Iceman
compiled with GCC 9.2.1 20191102 OS:Linux ARCH:x86_64
[ PROXMARK3 RDV4 ]
external flash: present
smartcard reader: present
[ PROXMARK3 RDV4 Extras ]
FPC USART for BT add-on support: present
[ ARM ]
bootrom: RRG/Iceman/master/release (git)
os: RRG/Iceman/master/release (git)
compiled with GCC 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
[ FPGA ]
LF image built for 2s30vq100 on 2019-07-31 at 15:57:16
HF image built for 2s30vq100 on 2018-09-03 at 21:40:23
[ Hardware ]
--= uC: AT91SAM7S512 Rev A
--= Embedded Processor: ARM7TDMI
--= Nonvolatile Program Memory Size: 512K bytes, Used: 276818 bytes (53%) Free: 247470 bytes (47%)
--= Second Nonvolatile Program Memory Size: None
--= Internal SRAM Size: 64K bytes
--= Architecture Identifier: AT91SAM7Sxx Series
--= Nonvolatile Program Memory Type: Embedded Flash Memory
[fpc] pm3 -->
If you do, congrats, it's working :)
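As an added example (not the post's own code), here is a small POSIX shell script that checks each of the steps above (service running, PM3 found in the scan, rfcomm0 bound) against constructed copies of the post's terminal output, plus a live mode that assumes the same bluez tools and bluetoothctl's --timeout option.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the steps above,
# fed with constructed copies of the post's own terminal output (SAMPLE_*)
# so they can be tried before touching a real host.
SAMPLE_STATUS_ON='   Active: active (running) since Mon 2020-01-06 19:13:30 CET; 1s ago'
SAMPLE_STATUS_OFF='   Active: inactive (dead)'
SAMPLE_SCAN='[CHG] Controller 00:15:83:4A:4E:C6 Discovering: yes
[NEW] Device 20:19:05:06:16:38 PM3_RDV4.0
[CHG] Device 20:19:05:06:16:38 RSSI is nil'
SAMPLE_RFCOMM='rfcomm0: 20:19:05:06:16:38 channel 1 clean'

# Does `systemctl status bluetooth` output on stdin report a running service?
bluetooth_active() {
    grep -q '^ *Active: active (running)'
}

# Print the address of the first device named PM3_* in bluetoothctl scan
# output on stdin (fields are scanned, so colour codes around [NEW] do not matter).
pm3_address() {
    awk '/\[NEW\]/ { for (i = 1; i < NF - 1; i++)
        if ($i == "Device" && $(i + 2) ~ /^PM3_/) { print $(i + 1); exit } }'
}

# Exit 0 if device $1 (e.g. rfcomm0) is bound to address $2 in a bare
# `rfcomm` listing on stdin, such as "rfcomm0: 20:19:05:06:16:38 channel 1 clean".
rfcomm_bound() {
    awk -v dev="$1:" -v addr="$2" \
        '$1 == dev && $2 == addr { found = 1 } END { exit (found ? 0 : 1) }'
}

# Run the checks against the sample output; returns 0 when all behave as expected.
self_check() {
    printf '%s\n' "$SAMPLE_STATUS_ON" | bluetooth_active || return 1
    printf '%s\n' "$SAMPLE_STATUS_OFF" | bluetooth_active && return 1
    [ "$(printf '%s\n' "$SAMPLE_SCAN" | pm3_address)" = "20:19:05:06:16:38" ] || return 1
    printf '%s\n' "$SAMPLE_RFCOMM" | rfcomm_bound rfcomm0 20:19:05:06:16:38 || return 1
    return 0
}

# On a real host, `sh blueshark_check.sh live` walks the same steps with live
# output (assumes bluez 5.50's bluetoothctl --timeout and the tools used in the post).
live_check() {
    systemctl status bluetooth | bluetooth_active || { echo "bluetooth service not running"; return 1; }
    addr=$(bluetoothctl --timeout 10 scan on | pm3_address)
    [ -n "$addr" ] || { echo "no PM3_* device seen in scan"; return 1; }
    rfcomm | rfcomm_bound rfcomm0 "$addr" || rfcomm bind rfcomm0 "$addr"
    rfcomm | rfcomm_bound rfcomm0 "$addr" && echo "rfcomm0 bound to $addr; run ./proxmark3 /dev/rfcomm0"
}
if [ "${1:-}" = "live" ]; then live_check; fi
```

Running the script without arguments only defines the functions; call self_check to exercise them against the samples, and pass live to run the real commands as root on the host.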