Debricking Proxmark3 with a BusPirate
User @joanbono wrote a blog post on using the BusPirate on OSX.
Below is the guideline from the Umeå hackerspace blog.
Source
Preparation
- You need a BusPirate that supports firmware v5.9+
- Download and install OpenOCD. Note: OpenOCD is available in many Linux distributions. Within these packages, OpenOCD will often ship with a number of sample configurations compatible with devices like the Segger J-Link (and compatible clones) and other JTAG interfaces.
The configuration below is annotated into "General", "Interface", and "Chipset" sections. It should be noted that while the BusPirate is used in these directions, the directions have been proven to work with other interfaces as well.
Using OpenOCD with BusPirate support allows us to interact very cheaply with the AT91SAM chipset that is the Proxmark's main microcontroller.
Once you have a BusPirate with the right firmware and OpenOCD compiled, navigate into the Proxmark source code directory containing the compiled firmware images.
Download the following configuration file for OpenOCD; **don't forget to change the buspirate_port** to one that matches your system:
at91sam7s512-buspirate.cfg
```tcl
# Ports
telnet_port 4444
gdb_port 3333
# Interface
interface buspirate
buspirate_port /dev/ttyUSB0
adapter_khz 1000
# Communication speed
buspirate_speed normal # or fast
# Voltage regulator: enabled = 1 or disabled = 0
buspirate_vreg 1
# Pin mode: normal or open-drain
buspirate_mode normal
# Pull-up state: enabled = 1 or disabled = 0
buspirate_pullup 1
# use combined on interfaces or targets that can't set TRST/SRST separately
reset_config srst_only srst_pulls_trst
jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0f
target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu
sam7x.cpu configure -event reset-init {
    soft_reset_halt
    mww 0xfffffd00 0xa5000004 # RSTC_CR: Reset peripherals
    mww 0xfffffd44 0x00008000 # WDT_MR: disable watchdog
    mww 0xfffffd08 0xa5000001 # RSTC_MR: enable user reset
    mww 0xfffffc20 0x00005001 # CKGR_MOR: enable the main oscillator
    sleep 10
    mww 0xfffffc2c 0x000b1c02 # CKGR_PLLR: 16MHz * 12/2 = 96MHz
    sleep 10
    mww 0xfffffc30 0x00000007 # PMC_MCKR: MCK = PLL / 2 = 48 MHz
    sleep 10
    mww 0xffffff60 0x00480100 # MC_FMR: flash mode (FWS=1,FMCN=72)
    sleep 100
}
gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm
sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
```
Connecting the BusPirate to the Proxmark3
Wire up the BusPirate to the Proxmark as follows (assuming the Sparkfun cable):
Color | Pin # | Function |
---|---|---|
Black | Pin 20 | GND |
Brown | Pin 13 | MISO/TDO |
Yellow | Pin 9 | CLK |
Red | Pin 7 | TMS |
Orange | Pin 5 | MOSI/TDI |
Pin locations
- Pin 1 = top-leftmost pin
- Pin 2 = top-rightmost pin (close to the button)
- Pin 20 = bottom-rightmost pin
Time To Play in the JTAG State-Machine
Execute OpenOCD (the binary name is lowercase):
openocd -f at91sam7s512-buspirate.cfg
then
telnet localhost 4444
and you will get the OpenOCD prompt.
Halting the proxmark
halt
Working with flash memory
Erase flash contents
Note: On some chips, there is no "Bank 1".
flash erase_sector 0 0 15
flash erase_sector 1 0 15
Write the new firmware
Assuming you're in the root of the Proxmark source code repository and have already compiled the firmware by issuing the make command.
You can do it from the recovery binary:
> flash write_image ./recovery/proxmark3_recovery.bin 0x100000
or you can do it this way:
> flash write_image ./armsrc/obj/fullimage.elf
> flash write_image ./bootrom/obj/bootrom.elf
Troubleshooting
I can't overwrite my flash and get the error "Lock Error Bit Detected":
> flash erase_sector 0 0 15
status register: 0x1048b205
Lock Error Bit Detected, Operation Abort
failed erasing sectors 0 to 15
In this case you need to clear the protection on that bank (or banks). This can be done as follows:
flash protect 0 0 15 off
flash protect 1 0 15 off
When successful, you should see a message as follows:
> flash protect 0 0 15 off
cleared protection for sectors 0 through 15 on flash bank 0
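The same telnet session, driven from a script instead of by hand. This is an added example and not code from the wiki page or the Proxmark3 project; it assumes OpenOCD is already running with the configuration above (telnet on localhost:4444), and it takes the bank numbers, sector range and recovery image path from the commands above. The lock-bit reply it reacts to is a constructed copy of the troubleshooting output.

```python
import socket

# Constructed sample of OpenOCD's reply to a refused erase (copied from the troubleshooting section).
LOCK_ERROR_SAMPLE = (
    "status register: 0x1048b205\r\n"
    "Lock Error Bit Detected, Operation Abort\r\n"
    "failed erasing sectors 0 to 15\r\n"
)

def needs_unprotect(reply):
    """True when OpenOCD refused an erase because the bank's lock bits are set."""
    return "Lock Error Bit Detected" in reply

class OpenOCDTelnet:
    """Minimal client for OpenOCD's telnet server (telnet_port 4444 in the cfg above)."""
    PROMPT = b"> "
    def __init__(self, host="localhost", port=4444, timeout=60):
        self.sock = socket.create_connection((host, port), timeout)
        self._read_until_prompt()  # discard the banner and the first prompt

    def _read_until_prompt(self):
        buf = b""
        while not buf.endswith(self.PROMPT):
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("OpenOCD closed the telnet session")
            buf += chunk
        return buf.decode(errors="replace")

    def run(self, cmd):
        self.sock.sendall(cmd.encode() + b"\n")
        return self._read_until_prompt()

def reflash(run, image="./recovery/proxmark3_recovery.bin", banks=(0, 1)):
    """Halt, erase each bank (clearing the lock bits only when the erase is refused),
    then write the recovery image. `run` sends one OpenOCD command and returns its reply."""
    executed = []
    def do(cmd):
        executed.append(cmd)
        return run(cmd)
    do("halt")
    for bank in banks:
        if needs_unprotect(do(f"flash erase_sector {bank} 0 15")):
            do(f"flash protect {bank} 0 15 off")
            if needs_unprotect(do(f"flash erase_sector {bank} 0 15")):
                raise RuntimeError(f"bank {bank} still locked after flash protect off")
    do(f"flash write_image {image} 0x100000")
    return executed  # the command log, handy for a recovery report

if __name__ == "__main__":
    print("\n".join(reflash(OpenOCDTelnet().run)))
```

On a chip without a "Bank 1" (see the note above), pass `banks=(0,)`.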