Difference between revisions of "Proxmark3: Debricking"

From Embedded Lab Vienna for IoT & Security
Revision as of 20:21, 19 September 2020

Summary

This tutorial will show how to reset a Proxmark3 RDV2 via the JTAG interface.

This is useful when the Proxmark3 RDV2 is bricked and won't connect to the computer. This will solve any software failures like a corrupt firmware or bootloader.

1. Debricking process via Raspberry Pi 3+ (version 2, 3 and 4 work exactly the same)
2. Debricking process via Bus Pirate 3.6

Note: The method with the Bus Pirate did not work for me. Maybe you have better luck.

Requirements

  • Proxmark3
  • Raspberry Pi 2, 3, or 4
  • Bus Pirate v3 (or higher)
  • Linux: Debian

Raspberry Pi

[Image: Proxmark raspi.jpg]
This tutorial is based on
http://www.lucasoldi.com/2017/01/17/unbrick-proxmark3-with-a-raspberry-pi-and-openocd/
https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle
http://openocd.org/doc/html/OpenOCD-Project-Setup.html

Compile Proxmark

See Proxmark: Installation or the official website.

Compile OpenOCD

sudo apt-get update
sudo apt-get install -y autoconf libtool libftdi-dev texinfo pkg-config pkgconf git
git clone https://git.code.sf.net/p/openocd/code openocd
cd openocd
./bootstrap
./configure --enable-sysfsgpio --enable-bcm2835gpio
make
sudo make install
sudo cp -r tcl/ /usr/share/openocd

make will take about 15 minutes.

-> Note: bootstrap, configure and make must all complete without errors (if they do not, check that all the necessary libraries are installed).

-> Note: also make sure that the Proxmark repository compiled without any errors (if it did not, check that all the necessary libraries are installed).

Connect physically

Connect the following pins from the Raspberry Pi to the Proxmark3

Proxmark3   Raspberry Pi pin   Cable colour
TMS         22                 yellow
TDI         19                 blue
TDO         21                 green
TCK         23                 orange
GND         6                  grey
3.3V        1                  purple

For the pin layout of the Raspberry Pi see link.

[Image: Proxmark raspi pin.jpg]

The pin configuration can be changed in: /usr/share/openocd/interface/raspberrypi2-native.cfg. (Not necessary for this tutorial)


Connect via OpenOCD

Note: Power the Proxmark separately from the Raspberry Pi

1. Start OpenOCD
switch to the Proxmark folder
cd proxmark3
Note: the Proxmark source code should already be compiled.
2. Create OpenOCD configuration
nano tools/raspi.cfg
Paste the following configuration into the file:
# Ports
telnet_port 4444
gdb_port 3333

# Interface
adapter_khz 1000
source [find interface/raspberrypi2-native.cfg]

# use combined on interfaces or targets that can't set TRST/SRST separately
reset_config srst_only srst_pulls_trst

jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf

target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu 

sam7x.cpu configure -event reset-init { 
    soft_reset_halt
    mww 0xfffffd00 0xa5000004   # RSTC_CR: Reset peripherals
    mww 0xfffffd44 0x00008000   # WDT_MR: disable watchdog
    mww 0xfffffd08 0xa5000001   # RSTC_MR enable user reset
    mww 0xfffffc20 0x00005001   # CKGR_MOR : enable the main oscillator
    sleep 10
    mww 0xfffffc2c 0x000b1c02   # CKGR_PLLR: 16MHz * 12/2 = 96MHz
    sleep 10
    mww 0xfffffc30 0x00000007   # PMC_MCKR : MCK = PLL / 2 = 48 MHz
    sleep 10
    mww 0xffffff60 0x00480100   # MC_FMR: flash mode (FWS=1,FMCN=72)
    sleep 100

}

gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm

sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
3. Start OpenOCD with the configuration file just created
sudo openocd -f tools/raspi.cfg
An OpenOCD session is now running. Do not close it.
~/git/proxmark3 $ sudo openocd -f tools/raspi.cfg
Open On-Chip Debugger 0.10.0+dev-01404-g393448342-dirty (2020-09-17-17:59)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 1001 kHz
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Info : starting gdb server for sam7x.cpu on 3333
Info : Listening on port 3333 for gdb connections
Info : accepting 'telnet' connection on tcp/4444
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x000000d3 pc: 0x00122a74

Note: If the output does not look like that and rather looks like this:

~/git/proxmark3 $ sudo openocd -f tools/raspi.cfg
Open On-Chip Debugger 0.10.0+dev-01404-g393448342-dirty (2020-09-17-17:59)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 1001 kHz
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : TAP auto0.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto1.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto2.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto3.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto4.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto5.tap does not have valid IDCODE (idcode=0x0)

then erase the chip manually and enable the JTAG interface by connecting the pin of the AT91SAM7S512 to 3.3V (see http://www.proxmark.org/forum/viewtopic.php?id=6159).

4. Connect to OpenOCD session
Open a new terminal window and telnet to the port that was specified in the .cfg file
telnet localhost 4444
5. Flash via JTAG
6. Halt the Proxmark3
halt
7. Erase the flash content
flash erase_sector 0 0 15
flash erase_sector 1 0 15
8. Flash the new firmware
flash write_image ./armsrc/obj/fullimage.elf
flash write_image ./bootrom/obj/bootrom.elf
$ telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x000000d3 pc: 0x00122a74
> flash erase_sector 0 0 15
erased sectors 0 through 15 on flash bank 0 in 0.032174s

> flash erase_sector 1 0 15
erased sectors 0 through 15 on flash bank 1 in 0.031851s

> flash write_image ./armsrc/obj/fullimage.elf
wrote 257448 bytes from file ./armsrc/obj/fullimage.elf in 21.204687s (11.857 KiB/s)

> flash write_image ./bootrom/obj/bootrom.elf
wrote 3888 bytes from file ./bootrom/obj/bootrom.elf in 0.352596s (10.768 KiB/s)

Done!
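The session above is driven by hand, and the only signs of trouble are in OpenOCD's replies: the start-up log either shows the sam7x.cpu TAP followed by "Embedded ICE", or the run of auto-detected TAPs with idcode=0x0 that the note warns about, and every erase and write prints a confirmation line. The script below is an added example for this page (not code from the wiki, the Proxmark3 project or OpenOCD); it checks a saved start-up log for the broken-chain signature before anything is erased, and replays steps 4 to 8 over the telnet port while verifying each reply, so a failed erase or write is noticed before the Pi is disconnected. It assumes the host, port, sector range and image paths from tools/raspi.cfg, and the same sequence applies to the Bus Pirate section below (OpenOCD's default telnet port is also 4444 there). The sample log lines are constructed from the page's own transcripts.

```python
"""Check and drive an OpenOCD debricking session for the Proxmark3 (AT91SAM7S512).

Added example for this wiki page; not part of the page, the Proxmark3 project
or OpenOCD.  Host, port, sector range and image paths follow tools/raspi.cfg.
"""
import os
import re
import socket

OPENOCD_HOST = "localhost"
OPENOCD_TELNET_PORT = 4444          # telnet_port in tools/raspi.cfg (OpenOCD default)
IMAGES = ("./armsrc/obj/fullimage.elf", "./bootrom/obj/bootrom.elf")
SECTORS_PER_BANK = 16               # the page erases sectors 0..15 on banks 0 and 1

TAP_FOUND = re.compile(r"JTAG tap: sam7x\.cpu tap/device found: 0x3f0f0f0f")
ICE_FOUND = re.compile(r"Embedded ICE version \d+")
AUTO_TAP = re.compile(r"TAP auto\d+\.tap does not have valid IDCODE \(idcode=0x0\)")
ERASED = re.compile(r"erased sectors (\d+) through (\d+) on flash bank (\d+)")
WROTE = re.compile(r"wrote (\d+) bytes from file (\S+)")


def classify_startup_log(log):
    """'ok' = healthy chain; 'no-valid-idcode' = the failure case from the page's
    note (erase the chip and enable JTAG via 3.3V); 'no-tap' = nothing found."""
    if AUTO_TAP.search(log):
        return "no-valid-idcode"
    if TAP_FOUND.search(log) and ICE_FOUND.search(log):
        return "ok"
    return "no-tap"


def check_erase_reply(reply, bank):
    """True only if OpenOCD confirmed erasing every sector of the given bank."""
    m = ERASED.search(reply)
    return bool(m) and (int(m.group(1)), int(m.group(2)), int(m.group(3))) == (
        0, SECTORS_PER_BANK - 1, bank)


def parse_write_reply(reply):
    """Return (file, bytes_written) from a 'wrote N bytes from file F' line, else None."""
    m = WROTE.search(reply)
    return (m.group(2), int(m.group(1))) if m else None


def _command(sock, cmd, timeout=120.0):
    """Send one command (None = only read the banner) and return everything
    OpenOCD prints up to its next '> ' prompt."""
    if cmd is not None:
        sock.sendall((cmd + "\n").encode())
    sock.settimeout(timeout)
    buf = b""
    while not buf.rstrip().endswith(b">"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("OpenOCD closed the telnet connection")
        buf += chunk
    return buf.decode(errors="replace")   # telnet negotiation bytes become U+FFFD


def flash_via_jtag(images=IMAGES, host=OPENOCD_HOST, port=OPENOCD_TELNET_PORT):
    """Steps 4-8 of the page over the telnet port; raises on any reply that does
    not confirm the step.  Returns {image: bytes written}."""
    for image in images:
        if not os.path.isfile(image):
            raise FileNotFoundError(f"{image}: build the Proxmark3 tree first")
    with socket.create_connection((host, port), timeout=10) as sock:
        _command(sock, None)                      # banner and first prompt
        reply = _command(sock, "halt")            # empty reply = target already halted
        if "error" in reply.lower():
            raise RuntimeError("halt failed:\n" + reply)
        for bank in (0, 1):
            reply = _command(sock, f"flash erase_sector {bank} 0 {SECTORS_PER_BANK - 1}")
            if not check_erase_reply(reply, bank):
                raise RuntimeError(f"erase of bank {bank} not confirmed:\n" + reply)
        written = {}
        for image in images:
            # fullimage.elf takes ~20 s via the Pi and ~6 min via the Bus Pirate.
            parsed = parse_write_reply(_command(sock, f"flash write_image {image}", 600))
            if parsed is None or parsed[0] != image or parsed[1] == 0:
                raise RuntimeError(f"write of {image} not confirmed")
            written[image] = parsed[1]
    return written


# Constructed (abridged) from the two start-up transcripts on the page.
GOOD_LOG = """Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
"""
BAD_LOG = """Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : TAP auto0.tap does not have valid IDCODE (idcode=0x0)
Info : TAP auto1.tap does not have valid IDCODE (idcode=0x0)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--flash":
        print(flash_via_jtag())       # needs a running 'sudo openocd -f tools/raspi.cfg'
    elif len(sys.argv) > 1:
        with open(sys.argv[1]) as f:  # a saved copy of the OpenOCD start-up output
            print(classify_startup_log(f.read()))
    else:
        print("good sample:", classify_startup_log(GOOD_LOG))
        print("bad sample: ", classify_startup_log(BAD_LOG))
```

Save the OpenOCD start-up output with `sudo openocd -f tools/raspi.cfg 2>&1 | tee openocd.log`, run the script on openocd.log, and only proceed with `--flash` when it reports `ok`; the byte counts it returns should match the "wrote ... bytes" lines in the transcript above.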

Disconnect the Raspberry Pi from the Proxmark

Now you should be able to connect to the Proxmark as usual:

./client/proxmark3 /dev/ttyACM0

For useful commands visit: Proxmark3: Useful commands

Bus Pirate

Note: Here the Bus Pirate 3.6 will be used

Note: This did not work for me, maybe it was faulty hardware or faulty firmware

This tutorial is based on https://scund00r.com/all/rfid/2018/05/18/debrick-proxmark.html

Update the Bus Pirate
You can use the following guide: Bus Pirate: First steps
Get the latest Proxmark3 repository & build
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
Install the needed components:
sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
make clean && make all
Install proxmark3 driver:
sudo cp -rf driver/77-mm-usb-device-blacklist.rules /etc/udev/rules.d/77-mm-usb-device-blacklist.rules
sudo udevadm control --reload-rules
Add user
sudo adduser $USER dialout
Now log out and log in again.
Install OpenOCD
sudo apt-get install openocd
Connect the Proxmark3 to the Bus Pirate
Use this pin configuration:
Proxmark3   Bus Pirate
TMS         CS
TDI         MOSI
TDO         MISO
TCK         CLK
GND         GND
3.3V        3.3V
Flashing
Check which port the Bus Pirate is connected to:
ls /dev/tty*
or run dmesg -wH, then unplug and reconnect the Bus Pirate.
Set OpenOCD config
nano tools/at91sam7s512-buspirate.cfg
# Interface
interface buspirate
buspirate_port /dev/ttyUSB0
adapter_khz 1000
Start OpenOCD
Launch OpenOCD
sudo openocd -f tools/at91sam7s512-buspirate.cfg
:~/git/proxmark3$ sudo openocd -f tools/at91sam7s512-buspirate.cfg
[sudo] password for j:
Open On-Chip Debugger 0.10.0-rc1-dev-gc404ff5d-dirty (2019-11-11-15:43)
Licensed under GNU GPL v2
For bug reports, read
   http://openocd.org/doc/doxygen/bugs.html
Warn : Adapter driver 'buspirate' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 1000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : Buspirate Interface ready!
Info : This adapter doesn't support configurable speed
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Info : accepting 'telnet' connection on tcp/4444
Open a new terminal window and type:
telnet localhost 4444
j@laptop:~/git/proxmark3$ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> 
Halt the Proxmark3
halt
Erase the flash content:
flash erase_sector 0 0 15
flash erase_sector 1 0 15
Flash the new firmware:
flash write_image ./armsrc/obj/fullimage.elf
This will take a while (about 6 minutes)
flash write_image ./bootrom/obj/bootrom.elf

Used Hardware

  • Proxmark3 RDV2 Kit
  • Bus Pirate v3.6 Universal serial interface

References