Proxmark3: Debricking

From Embedded Lab Vienna for IoT & Security

Summary

This tutorial will show how to reset a Proxmark3 RDV2 via the JTAG interface.

This is useful when the Proxmark3 RDV2 is bricked and won't connect to the computer. The procedure recovers from software failures such as a corrupt firmware or bootloader.

Two methods are described:

1. Debricking via a Raspberry Pi 3+ (versions 2, 3 and 4 work exactly the same)
2. Debricking via a Bus Pirate 3.6

Note: The method with the Bus Pirate did not work for me. Maybe you have better luck.

Requirements

  • Proxmark3
  • Raspberry Pi 2, 3, or 4
  • Bus Pirate v3 (or higher)
  • Linux: Debian

Raspberry Pi

[Image: Proxmark raspi.jpg]

This tutorial is based on:
  • http://www.lucasoldi.com/2017/01/17/unbrick-proxmark3-with-a-raspberry-pi-and-openocd/
  • https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle
  • http://openocd.org/doc/html/OpenOCD-Project-Setup.html

Compile Proxmark

See Proxmark: Installation or the official website.

Compile OpenOCD

sudo apt-get update
sudo apt-get install -y autoconf libtool libftdi-dev texinfo pkg-config pkgconf git
git clone https://git.code.sf.net/p/openocd/code openocd
cd openocd
./bootstrap
./configure --enable-sysfsgpio --enable-bcm2835gpio
make
sudo make install
sudo cp -r tcl/ /usr/share/openocd

make will take about 15 minutes.

Connect physically

Connect the following pins of the Raspberry Pi to the Proxmark3:

Proxmark3   Raspberry Pi header pin   Cable colour
TMS         22                        yellow
TDI         19                        blue
TDO         21                        green
TCK         23                        orange
GND         6                         purple
3.3V        1                         grey

For the pin layout of the Raspberry Pi header, see link.

[Image: Proxmark raspi pin.jpg]

The pin configuration can be changed in /usr/share/openocd/interface/raspberrypi2-native.cfg; its bcm2835gpio_jtag_nums line lists TCK, TMS, TDI and TDO as BCM GPIO numbers, not header pin numbers. (Not necessary for this tutorial.)


Connect via OpenOCD

Note: Power the Proxmark separately from the Raspberry Pi

1. Switch to the Proxmark3 folder
cd proxmark3
Note: the Proxmark source code should already be compiled (see above).
2. Create the OpenOCD configuration
nano tools/raspi.cfg
Paste the following into the file:
# Ports
telnet_port 4444
gdb_port 3333

# Interface
adapter_khz 1000
source [find interface/raspberrypi2-native.cfg]

# use combined on interfaces or targets that can't set TRST/SRST separately
reset_config srst_only srst_pulls_trst

jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf

target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu

sam7x.cpu configure -event reset-init {
    soft_reset_halt
    mww 0xfffffd00 0xa5000004   # RSTC_CR: Reset peripherals
    mww 0xfffffd44 0x00008000   # WDT_MR: disable watchdog
    mww 0xfffffd08 0xa5000001   # RSTC_MR enable user reset
    mww 0xfffffc20 0x00005001   # CKGR_MOR : enable the main oscillator
    sleep 10
    mww 0xfffffc2c 0x000b1c02   # CKGR_PLLR: 16MHz * 12/2 = 96MHz
    sleep 10
    mww 0xfffffc30 0x00000007   # PMC_MCKR : MCK = PLL / 2 = 48 MHz
    sleep 10
    mww 0xffffff60 0x00480100   # MC_FMR: flash mode (FWS=1,FMCN=72)
    sleep 100

}

gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm

sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
3. Start OpenOCD with the configuration file just created
sudo openocd -f tools/raspi.cfg
An OpenOCD session is now running. Do not close it.
4. Connect to the OpenOCD session
Open a new terminal window and telnet to the port specified in the .cfg file:
telnet localhost 4444
5. Flash via JTAG
The session shows the OpenOCD prompt:
j@laptop:~/git/proxmark3$ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> 
6. Halt the Proxmark3
halt
7. Erase the flash content
flash erase_sector 0 0 15
flash erase_sector 1 0 15
8. Flash the new firmware
flash write_image ./armsrc/obj/fullimage.elf
flash write_image ./bootrom/obj/bootrom.elf

Done!

Disconnect the Raspberry Pi from the Proxmark

Now you should be able to connect to the Proxmark as usual:

./client/proxmark3 /dev/ttyACM0

For useful commands visit: Proxmark3: Useful commands

Bus Pirate

Note: The Bus Pirate v3.6 is used here.

Note: This did not work for me; maybe it was faulty hardware or faulty firmware.

This tutorial is based on https://scund00r.com/all/rfid/2018/05/18/debrick-proxmark.html

Update the Bus Pirate
You can use the following guide: Bus Pirate: First steps
Get the latest Proxmark3 repository and build it
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
Install the needed components:
sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
make clean && make all
Install the proxmark3 driver (udev rule):
sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
sudo udevadm control --reload-rules
Add your user to the dialout group
sudo adduser $USER dialout
Now log out and log in again.
Install OpenOCD
sudo apt-get install openocd
Connect the Proxmark3 to the Bus Pirate
Use this pin configuration:
Proxmark3   Bus Pirate
TMS         CS
TDI         MOSI
TDO         MISO
TCK         CLK
GND         GND
3.3V        3.3V
Flashing
Check which port the Bus Pirate is connected to:
ls /dev/tty*
or run dmesg -wH, then unplug and reconnect the Bus Pirate.
Set the OpenOCD config
nano tools/at91sam7s512-buspirate.cfg
# Interface
interface buspirate
buspirate_port /dev/ttyUSB0
adapter_khz 1000
Start OpenOCD
sudo openocd -f tools/at91sam7s512-buspirate.cfg
:~/git/proxmark3$ sudo openocd -f tools/at91sam7s512-buspirate.cfg
[sudo] password for j:
Open On-Chip Debugger 0.10.0-rc1-dev-gc404ff5d-dirty (2019-11-11-15:43)
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
Warn : Adapter driver 'buspirate' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 1000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : Buspirate Interface ready!
Info : This adapter doesn't support configurable speed
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444
Open a new terminal window and type:
telnet localhost 4444
j@laptop:~/git/proxmark3$ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> 
Halt the Proxmark3
halt
Erase the flash content:
flash erase_sector 0 0 15
flash erase_sector 1 0 15
Flash the new firmware:
flash write_image ./armsrc/obj/fullimage.elf
This will take a while (about 6 minutes)
flash write_image ./bootrom/obj/bootrom.elf
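The telnet steps in both procedures (halt, erase both flash banks, write fullimage.elf and bootrom.elf) can also be run unattended by handing the same commands to OpenOCD through its -c option, so nothing has to be typed into a live session. The script below is an added example, not part of this wiki page or of the Proxmark3 project. It works with the Raspberry Pi configuration (tools/raspi.cfg) or the Bus Pirate configuration (tools/at91sam7s512-buspirate.cfg) depending on CFG, and before it erases anything it checks that each image really is a 32-bit little-endian ARM ELF, which catches a host-side or truncated build before the old firmware is gone. The --flash argument, the CFG/FULLIMAGE/BOOTROM variables and the function names are my own choices; the image paths and the OpenOCD commands are the ones used in the tutorial.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the Proxmark3 project.
# Replays the tutorial's telnet session (halt, erase both flash banks, write
# fullimage.elf and bootrom.elf) non-interactively through OpenOCD's -c option.
# CFG selects the adapter: tools/raspi.cfg (Raspberry Pi) or
# tools/at91sam7s512-buspirate.cfg (Bus Pirate), both from the tutorial.
set -eu

CFG="${CFG:-tools/raspi.cfg}"                       # assumed default
FULLIMAGE="${FULLIMAGE:-armsrc/obj/fullimage.elf}"  # path from the tutorial
BOOTROM="${BOOTROM:-bootrom/obj/bootrom.elf}"       # path from the tutorial

# Succeeds if the file starts with the ELF magic bytes 7f 45 4c 46 ("\x7fELF").
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

# Succeeds if the file is a 32-bit little-endian ARM ELF: EI_CLASS=1 and
# EI_DATA=1 at offsets 4-5, and e_machine=0x28 (EM_ARM) stored little-endian
# at offset 18. That is the only kind of image the AT91SAM7 on the Proxmark3
# can run, so anything else (a host-side build, a truncated file, a stray
# .bin) is rejected before the flash is erased.
is_arm32_elf() {
    is_elf "$1" || return 1
    elf_class_data=$(od -An -tx1 -j4 -N2 "$1" | tr -d ' \n')
    elf_machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    [ "$elf_class_data" = "0101" ] && [ "$elf_machine" = "2800" ]
}

# Builds the OpenOCD command string: the same commands typed at the telnet
# prompt in the tutorial, followed by a reset and a clean exit.
openocd_commands() {
    printf 'init; halt; flash erase_sector 0 0 15; flash erase_sector 1 0 15; flash write_image %s; flash write_image %s; reset run; shutdown' "$1" "$2"
}

main() {
    for img in "$FULLIMAGE" "$BOOTROM"; do
        if ! is_arm32_elf "$img"; then
            echo "refusing to flash $img: not a 32-bit little-endian ARM ELF" >&2
            exit 1
        fi
    done
    # OpenOCD needs the same privileges as in the tutorial (sudo).
    sudo openocd -f "$CFG" -c "$(openocd_commands "$FULLIMAGE" "$BOOTROM")"
}

# Only flash when explicitly asked, e.g.: sh flash_proxmark.sh --flash
if [ "${1:-}" = "--flash" ]; then
    main
fi
```

Run it from the proxmark3 directory as sh flash_proxmark.sh --flash (with CFG=tools/at91sam7s512-buspirate.cfg for the Bus Pirate); without the argument it only defines the functions. The header check reads the e_ident and e_machine fields directly with od, which is enough to tell a Proxmark3 image apart from anything built for the host and needs no extra tooling.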

Used Hardware

  • Proxmark3 RDV2 Kit
  • Bus Pirate v3.6 Universal serial interface
