Debricking Proxmark3 with buspirate

Iceman edited this page Oct 30, 2017 · 1 revision

Debricking Proxmark3 with a BusPirate

User @joanbono wrote a blog post on using the BusPirate on OSX.

Below is the guideline from the Umeå hackerspace blog.



  • You need a BusPirate that supports firmware v5.9+
  • Download and install OpenOCD.

Note: OpenOCD is available in many Linux distributions. Within these packages, OpenOCD will often ship with a number of sample configurations compatible with devices like the Segger J-Link (and compatible clones) and other JTAG interfaces.

The configuration below is annotated into "General", "Interface", and "Chipset" sections. It should be noted that while the BusPirate is used in these directions, the directions have been proven to work with other interfaces as well.

Using OpenOCD with BusPirate support lets us interact very cheaply with the AT91SAM chipset, the Proxmark's main microcontroller.

Once you have a BusPirate with the right firmware and OpenOCD compiled, navigate to the Proxmark source code directory containing the compiled firmware images.

Download the following configuration file for OpenOCD, and don't forget to change buspirate_port to one that matches your system:


## General OpenOCD configuration
# Ports
telnet_port 4444
gdb_port 3333

## Interface configuration section
# Interface
interface buspirate
buspirate_port /dev/ttyUSB0
adapter_khz 1000

# Communication speed
buspirate_speed normal ;# or fast

# Voltage regulator: enabled = 1 or disabled = 0
buspirate_vreg 1

# Pin mode: normal or open-drain
buspirate_mode normal

# Pull-up state: enabled = 1 or disabled = 0
buspirate_pullup 1

## Chipset configuration section
# use combined on interfaces or targets that can't set TRST/SRST separately
reset_config srst_only srst_pulls_trst

jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0f 

target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu -variant arm7tdmi

sam7x.cpu configure -event reset-init {
	mww 0xfffffd00 0xa5000004	;# RSTC_CR: Reset peripherals
	mww 0xfffffd44 0x00008000	;# WDT_MR: disable watchdog
	mww 0xfffffd08 0xa5000001	;# RSTC_MR enable user reset
	mww 0xfffffc20 0x00005001	;# CKGR_MOR : enable the main oscillator
	sleep 10
	mww 0xfffffc2c 0x000b1c02	;# CKGR_PLLR: 16MHz * 12/2 = 96MHz
	sleep 10
	mww 0xfffffc30 0x00000007	;# PMC_MCKR : MCK = PLL / 2 = 48 MHz
	sleep 10
	mww 0xffffff60 0x00480100	;# MC_FMR: flash mode (FWS=1,FMCN=72)
	sleep 100
}


gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm

sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432

Connecting the BusPirate to the Proxmark3

Wire up the BusPirate to the Proxmark as follows (assuming the SparkFun cable):

Color     Pin #     Function
Black     Pin 20    GND
Brown     Pin 13    MISO/TDO
Yellow    Pin 9     CLK
Red       Pin 7     TMS
Orange    Pin 5     MOSI/TDI

Pin locations

  • Pin 1 = top-leftmost pin,
  • Pin 2 = top-rightmost pin (close to the button)
  • Pin 20 = bottom-rightmost pin

Time To Play in the JTAG State-Machine

Start OpenOCD with openocd -f at91sam7s512-buspirate.cfg, then run telnet localhost 4444 to get the OpenOCD prompt.

Halting the proxmark


Working with flash memory

Erase flash contents

Note: On some chips, there is no "Bank 1".

  • flash erase_sector 0 0 15
  • flash erase_sector 1 0 15

Write the new firmware

This assumes you're in the root of the Proxmark source code repository and have already compiled the firmware by issuing the make command.

You can flash the recovery binary:

> flash write_image ./recovery/proxmark3_recovery.bin 0x100000

or you can do it this way

> flash write_image ./armsrc/obj/fullimage.elf
> flash write_image ./bootrom/obj/bootrom.elf


I can't overwrite my flash and get the error "Lock Error Bit Detected":

> flash erase_sector 0 0 15
status register: 0x1048b205
Lock Error Bit Detected, Operation Abort
failed erasing sectors 0 to 15

In this case you need to clear the protection on that bank (or banks). This can be done as follows:

flash protect 0 0 15 off
flash protect 1 0 15 off

When successful, you should see a message as follows:

> flash protect 0 0 15 off
cleared protection for sectors 0 through 15 on flash bank 0
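
An added example (not from the original page or the Proxmark project) that decodes the status register from the failed erase above and emits the unlock-then-retry commands the page gives. The bit layout (flags in bits 0-4, lock-region bits in 16-31) is assumed from the AT91SAM7 MC_FSR register description, and the function names are hypothetical.

```python
import re

# MC_FSR bit positions, assumed from the AT91SAM7 datasheet (not given on the page).
STATUS_FLAGS = {0: "FRDY", 2: "LOCKE", 3: "PROGE", 4: "SECURITY"}
LOCK_SHIFT, LOCK_REGIONS = 16, 16  # LOCKS0..LOCKS15 occupy bits 16-31

ERASE_RE = re.compile(r"^>?\s*flash erase_sector (\d+) (\d+) (\d+)\s*$")
STATUS_RE = re.compile(r"^status register: (0x[0-9a-fA-F]+)\s*$")

# Constructed sample: the failed erase quoted on the page.
SAMPLE = """\
> flash erase_sector 0 0 15
status register: 0x1048b205
Lock Error Bit Detected, Operation Abort
failed erasing sectors 0 to 15
"""

def decode_status(value):
    """Split a status word into flag names and the list of locked regions."""
    flags = [name for bit, name in sorted(STATUS_FLAGS.items()) if (value >> bit) & 1]
    locked = [n for n in range(LOCK_REGIONS) if (value >> (LOCK_SHIFT + n)) & 1]
    return flags, locked

def recovery_commands(transcript):
    """Return the page's unlock-then-retry commands for each lock-error erase."""
    commands, pending = [], None
    for line in transcript.splitlines():
        erase = ERASE_RE.match(line)
        if erase:
            pending = erase.groups()  # (bank, first, last) of the last erase seen
            continue
        status = STATUS_RE.match(line)
        if status and pending:
            flags, _ = decode_status(int(status.group(1), 16))
            if "LOCKE" in flags:
                bank, first, last = pending
                commands.append(f"flash protect {bank} {first} {last} off")
                commands.append(f"flash erase_sector {bank} {first} {last}")
            pending = None
    return commands

if __name__ == "__main__":
    flags, locked = decode_status(0x1048B205)
    print("flags:", flags, "locked regions:", locked)
    print("\n".join(recovery_commands(SAMPLE)))
```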