RRG-Proxmark3/doc/jtag_notes.md
wh201906 af11b98f09
Misc work about flashing firmware by JTAG
Add config file for CMSIS-DAP
Highlight the note for unlocking the JTAG ports
2024-02-16 14:57:41 +08:00


# Notes on JTAG

Some notes on how to reflash a bricked Proxmark3 over JTAG.

## Linux and OpenOCD

### Using RDV4 scripts

The RDV4 repository contains helper scripts for JTAG flashing.

- Get OpenOCD, e.g.: `apt-get install openocd`
- Create `tools/jtag_openocd/openocd_configuration` by copying `tools/jtag_openocd/openocd_configuration.sample`
- Tune it to fit your JTAG tool: adapt `CONFIG_IF` to refer to your JTAG tool. `openocd_configuration.sample` contains several examples and is set up by default to work with the J-Link.
- Wire the Proxmark3 to the JTAG tool. How to do it depends on the tool; see below for examples. Warning: don't plug the Proxmark3 into USB if the tool already supplies power to the Proxmark3, which is most probably the case.
- Then just run

```sh
cd tools/jtag_openocd/
./openocd_flash_recovery.sh
```

In some rare situations, flashing the full image over JTAG may fail even though the bootloader was fixed. If that is the case, you can flash the image without JTAG by booting into your fresh bootloader (possibly forced by pressing the Proxmark3 button).

For advanced usage there are also `openocd_flash_dump.sh` for dumping the content of the Proxmark3 and `openocd_interactive.sh` for an OpenOCD console.

### RDV4 pinout

The RDV4 JTAG header is much smaller than on other Proxmark3 platforms.
If you're using a J-Link, there is a convenient adapter made by Proxgrind.
You can also make your own with some 1.27mm headers (look for "1.27mm header" on Aliexpress) or Pogo pins, or buy a ready-made clip, e.g. search "dykb clamp" on Aliexpress and take a 1.27mm single-row 6P version.

### J-Link pinout

J-Link pinout:

Pin cut-out on a J-Link 20 pin connector:

```
                ^^
  --------------  ---------
 |19 17 15 13 11  9 7 5 3 1|
 |20 18 16 14 12 10 8 6 4 2|
  -------------------------
```

Map of pins between PM3 / J-Link:

PM3 | JLink
--- | -----
TMS |  7
TDI |  5
TDO | 13
TCK |  9
GND |  6
3.3 |  2

### Raspberry Pi pinout

RPi pinout:

PM3 | RPi
--- | ---
TMS | 22
TDI | 19
TDO | 21
TCK | 23
GND |  6
3.3 |  1

### Notes for enabling JTAG port

If you can communicate with the Proxmark3 via OpenOCD, you don't need to care about this note, as the JTAG port is enabled by default. However, if you see the following output when running OpenOCD, it indicates that the MCU was found but the JTAG port is disabled (locked).

```
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : TAP auto0.tap does not have valid IDCODE (idcode=0x0)
......
Error: double-check your JTAG setup (interface, speed, ...)
......
Info : Halt timed out, wake up GDB.
Error: timed out while waiting for target halted
```

To resolve this, you need to erase the chip by following the instructions in this Stack Overflow thread: https://stackoverflow.com/questions/48794076/error-halt-timed-out-wake-up-gdb/64291913#64291913
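As an added example (not code from the Proxmark3 repository), a small POSIX shell classifier that turns the diagnostic above into a repeatable check: it distinguishes the locked-port output quoted above from a healthy session and from a scan chain with no TAP at all, so the chip-erase step is only reached when the MCU is actually seen but cannot be halted. The sample logs are constructed, and the marker strings are assumed to match OpenOCD's messages.

```shell
#!/bin/sh
# Added example, not part of the Proxmark3 repository: classify saved OpenOCD
# output into "ok", "locked" (MCU found but JTAG port disabled, the case the
# notes above describe) or "no_tap" (nothing answers on the scan chain, i.e.
# a wiring, power or interface problem rather than a locked port).

# ARM7TDMI core IDCODE as it appears in the OpenOCD output quoted above.
PM3_IDCODE="0x3f0f0f0f"

# classify_openocd_log: reads a complete OpenOCD log on stdin, prints one word.
classify_openocd_log() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -qF -- "$1"; }
    if ! has "sam7x.cpu tap/device found: $PM3_IDCODE"; then
        echo no_tap          # check wiring/power before touching the chip
    elif has "does not have valid IDCODE (idcode=0x0)" \
      || has "timed out while waiting for target halted"; then
        echo locked          # core seen but cannot be halted: JTAG is locked
    else
        echo ok              # a normal session; no special handling needed
    fi
}

# Constructed sample logs (not real captures) covering the three outcomes.
LOCKED_LOG=$(cat <<'EOF'
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : TAP auto0.tap does not have valid IDCODE (idcode=0x0)
Error: double-check your JTAG setup (interface, speed, ...)
Info : Halt timed out, wake up GDB.
Error: timed out while waiting for target halted
EOF
)
OK_LOG=$(cat <<'EOF'
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : target halted in ARM state due to debug-request, current mode: Supervisor
EOF
)
NOTAP_LOG=$(cat <<'EOF'
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
EOF
)

# Stand-alone usage; on a real run pipe OpenOCD's output: openocd ... 2>&1 | classify_openocd_log
printf '%s\n' "$LOCKED_LOG" | classify_openocd_log    # prints: locked
printf '%s\n' "$OK_LOG"     | classify_openocd_log    # prints: ok
printf '%s\n' "$NOTAP_LOG"  | classify_openocd_log    # prints: no_tap
```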

## Where to find more information?

There have been lots of articles and blog posts about recovering, debricking and JTAG-flashing your Proxmark3; below is an assortment of resources that will be of help.

### Third party notes on using a BusPirate

### Third party notes on using a Raspberry Pi

### Old original docs

Describes the SEGGER J-Link JTAG process, but be warned: this document is old. https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/original_proxmark3/Compiling%20Proxmark%20source%20and%20firmware%20upgrading%20v1.pdf