Months ago I bricked my Proxmark3 while I was experimenting with the creation of a new antenna for a tag. The leds blinked in a strange way at boot and my mac not recognized anymore the device.
I found only people that unbrick it with BusPirate, but why not use a Raspberry Pi (who does not have one nowadays 🙂 )??
Pinout connections
In the picture below we have the pinout of the PM3’s JTAG. Notice that the pin 20 is the closest to the center of the board.
PM3 pinout JTAG
I connect the PM3 to the Raspberry Pi (I use the first version) with female-female jumper. In the picture below there is the pinout of the Pi
RPi pinout
RPI pin – JTAG
11 J_TCLK (pin 9)
25 J_TMS (pin 7)
10 J_TDI (pin 5)
9 J_TDO (pin 13)
GND pin 20
For the VCC of the PM3 I reccomended to connect it to a external power source (the PC is one option) and not directly to the VCC of the Pi.
Compiling OPENOCD
Now we have to compile OpenOCD on the RPi
sudo apt-get install -y autoconf libtool libftdi-dev
git clone –recursive git://git.code.sf.net/p/openocd/code openocd-git && cd openocd-git
./bootstrap
./configure –enable-sysfsgpio –enable-maintainer-mode –disable-werror –enable-ft2232_libftdi –enable-ep93xx –enable-at91rm9200 –enable-usbprog –enable-presto_libftdi –enable-jlink –enable-vsllink –enablrlink –enable-arm-jtag-ew –enable-dummy –enable-buspirate –enable-ulink –enable-presto_libftdi –enable-usb_blaster_libftdi –enable-ft2232_libftdi –prefix=/usr
make
sudo make install
sudo cp -r tcl/ /usr/share/openocd
After this you have to put this configuration file in the folder /usr/share/openocd/board . I modified this file to make it work with our environment. Copy and paste the content of box below.
# Ports
telnet_port 4444
gdb_port 3333
# Interface
source [find interface/sysfsgpio-raspberrypi.cfg]
# use combined on interfaces or targets that can’t set TRST/SRST separately
reset_config srst_only srst_pulls_trst
jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf
#target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu -variant arm7tdmi
target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu
sam7x.cpu configure -event reset-init {
soft_reset_halt
mww 0xfffffd00 0xa5000004 # RSTC_CR: Reset peripherals
mww 0xfffffd44 0x00008000 # WDT_MR: disable watchdog
mww 0xfffffd08 0xa5000001 # RSTC_MR enable user reset
mww 0xfffffc20 0x00005001 # CKGR_MOR : enable the main oscillator
sleep 10
mww 0xfffffc2c 0x000b1c02 # CKGR_PLLR: 16MHz * 12/2 = 96MHz
sleep 10
mww 0xfffffc30 0x00000007 # PMC_MCKR : MCK = PLL / 2 = 48 MHz
sleep 10
mww 0xffffff60 0x00480100 # MC_FMR: flash mode (FWS=1,FMCN=72)
sleep 100
}
gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm
sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
Compiling Proxmark3 Firmware
For the compiling process based on you OS you can go on the official Wiki of Proxmark. I reccomend to build the code in you PC and copy the necessary file to the Raspberry Pi.
https://github.com/Proxmark/proxmark3/wiki/compiling
After that you have to copy this two files directly in a folder of your RPi:
- /armsrc/obj/fullimage.elf
- /bootrom/obj/bootrom.elf
Start OpenOCD
Now you need to access to RPi and power on the PM3 throw the USB cable.
openocd -f at91sam7s512-buspirate.cfg
It’s time to access to our new JTAG Programmer throw telnet in our local network, we can access to it directly in the raspberry pi in localhost too.
Do this command and you’re in 🙂
halt
flash erase_sector 0 0 15
flash erase_sector 1 0 15
flash write_image /path_where_you_copied_pm3_files/armsrc/obj/fullimage.elf
flash write_image /path_where_you_copied_pm3_files/bootrom/obj/bootrom.elf
BINGO, our PM3 it’s like new 🙂
Thank you so much for this! I was trying to flash the Iceman image to my Proxmark3 Easy and it bricked – All lights on.
Some observations:
Copying and pasting your commands for installing the programs have replaced the ‘double dashed’ parameters with a single special dash, this has to be corrected before pasting the commands.
It would have been really helpful if you specifically stated that the ‘Pi Pin’ is actually ‘Pi GPIO pin’ – I was looking at it and I knew it did not make sense but several other sites do the same thing – This page https://iosoft.blog/2019/01/28/raspberry-pi-openocd/ lists both which clarified things for me.
Finally, the biggest problem I had was that OpenOCD would not detect the Atmel chip at all – I had to initiate an ‘erase’ process which was a matter of painstakingly holding a sewing pin attached to 3.3v via a wire on Pin55 of the Atmel at power on to erase the chip. the VDDCore pin is 54 and only ~1.8v, so get it wrong and bye-bye chip….