Luca Soldi

Unbrick Proxmark3 with a Raspberry Pi and OpenOCD

    By admin | Raspberry Pi, RFID | 4 comments | 17 January, 2017

    Months ago I bricked my Proxmark3 while I was experimenting with the creation of a new antenna for a tag. The LEDs blinked in a strange way at boot and my Mac no longer recognized the device.

    I only found people who unbricked it with a Bus Pirate, but why not use a Raspberry Pi (who does not have one nowadays 🙂)?

    Pinout connections

    The picture below shows the pinout of the PM3's JTAG header. Note that pin 20 is the one closest to the center of the board.

    PM3 pinout JTAG

    I connect the PM3 to the Raspberry Pi (I use the first version) with female-to-female jumper wires. The picture below shows the pinout of the Pi.

    RPi pinout

    RPi pin (GPIO number)    JTAG signal    PM3 JTAG pin
    11                       J_TCLK         9
    25                       J_TMS          7
    10                       J_TDI          5
    9                        J_TDO          13
    GND                      GND            20

    For the VCC of the PM3, I recommend connecting it to an external power source (the PC is one option) and not directly to the VCC of the Pi.

    Compiling OpenOCD

    Now we have to compile OpenOCD on the RPi:

    sudo apt-get update

    sudo apt-get install -y autoconf libtool libftdi-dev

    git clone --recursive git://git.code.sf.net/p/openocd/code openocd-git && cd openocd-git
    ./bootstrap

    ./configure --enable-sysfsgpio --enable-maintainer-mode --disable-werror --enable-ft2232_libftdi --enable-ep93xx --enable-at91rm9200 --enable-usbprog --enable-presto_libftdi --enable-jlink --enable-vsllink --enable-rlink --enable-arm-jtag-ew --enable-dummy --enable-buspirate --enable-ulink --enable-usb_blaster_libftdi --prefix=/usr

    make

    sudo make install

    sudo cp -r tcl/ /usr/share/openocd

    After this, put the following configuration file in the folder /usr/share/openocd/board, saved as at91sam7s512-buspirate.cfg (the name used when starting OpenOCD below). I modified this file to make it work with our environment. Copy and paste the content of the box below.

    # Ports
    telnet_port 4444
    gdb_port 3333

    # Interface
    source [find interface/sysfsgpio-raspberrypi.cfg]

    # use combined on interfaces or targets that can't set TRST/SRST separately
    reset_config srst_only srst_pulls_trst

    jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf

    #target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu -variant arm7tdmi
    target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu

    # Trailing comments use ";#" so Tcl does not pass them to mww as extra arguments
    sam7x.cpu configure -event reset-init {
        soft_reset_halt
        mww 0xfffffd00 0xa5000004   ;# RSTC_CR: Reset peripherals
        mww 0xfffffd44 0x00008000   ;# WDT_MR: disable watchdog
        mww 0xfffffd08 0xa5000001   ;# RSTC_MR enable user reset
        mww 0xfffffc20 0x00005001   ;# CKGR_MOR : enable the main oscillator
        sleep 10
        mww 0xfffffc2c 0x000b1c02   ;# CKGR_PLLR: 16MHz * 12/2 = 96MHz
        sleep 10
        mww 0xfffffc30 0x00000007   ;# PMC_MCKR : MCK = PLL / 2 = 48 MHz
        sleep 10
        mww 0xffffff60 0x00480100   ;# MC_FMR: flash mode (FWS=1,FMCN=72)
        sleep 100
    }

    gdb_memory_map enable

    #gdb_breakpoint_override hard
    #armv4_5 core_state arm

    # Work area in on-chip RAM, used by OpenOCD while programming flash
    sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0

    # The two flash banks addressed as 0 and 1 by the erase commands later on
    flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
    flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432

    Compiling Proxmark3 Firmware

    For the build steps for your OS, see the official Proxmark wiki. I recommend building the code on your PC and copying the necessary files to the Raspberry Pi.

    https://github.com/Proxmark/proxmark3/wiki/compiling

    After that, copy these two files into a folder on your RPi:

    • /armsrc/obj/fullimage.elf
    • /bootrom/obj/bootrom.elf

    Start OpenOCD

    Now log in to the RPi and power on the PM3 through the USB cable.

    cd /usr/share/openocd/board

    openocd -f at91sam7s512-buspirate.cfg

    It's time to access our new JTAG programmer through telnet over the local network; we can also connect directly on the Raspberry Pi using localhost.

    Run this command and you're in 🙂, then enter the commands that follow it at the OpenOCD prompt.

    telnet IP_ADDRESS 4444

    halt

    flash erase_sector 0 0 15

    flash erase_sector 1 0 15

    flash write_image /path_where_you_copied_pm3_files/armsrc/obj/fullimage.elf

    flash write_image /path_where_you_copied_pm3_files/bootrom/obj/bootrom.elf

    BINGO, our PM3 is like new 🙂
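    The telnet steps above can also be run as one batch, so no telnet session is needed, with a check that the images copied from the build PC arrived intact before anything is erased. This is an added example, not code from the original post; the function names, the script name and the `<image>.sha256` files (written with `sha256sum` on the build PC and copied alongside the images) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: CFG, the helper
# functions, and the "<image>.sha256" files written by sha256sum on the build PC.
CFG=/usr/share/openocd/board/at91sam7s512-buspirate.cfg

# True if the file starts with the 4-byte ELF magic 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# True if the image's SHA-256 matches the digest recorded next to it.
digest_ok() {
    [ -f "$1.sha256" ] || return 1
    want=$(cut -d' ' -f1 "$1.sha256")
    have=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Print the post's OpenOCD commands, one per line, for the images under $1.
# Braces keep a path with spaces as a single Tcl word.
flash_script() {
    printf '%s\n' "init" "halt" \
        "flash erase_sector 0 0 15" \
        "flash erase_sector 1 0 15" \
        "flash write_image {$1/armsrc/obj/fullimage.elf}" \
        "flash write_image {$1/bootrom/obj/bootrom.elf}" \
        "shutdown"
}

# Refuse to erase anything unless both images pass the checks, then run
# the command list through OpenOCD as a second -f script.
flash_pm3() {
    for f in "$1/armsrc/obj/fullimage.elf" "$1/bootrom/obj/bootrom.elf"; do
        is_elf "$f"    || { echo "not an ELF image: $f" >&2; return 1; }
        digest_ok "$f" || { echo "SHA-256 mismatch: $f" >&2; return 1; }
    done
    script=$(mktemp) || return 1
    flash_script "$1" > "$script"
    sudo openocd -f "$CFG" -f "$script"
    rc=$?
    rm -f "$script"
    return "$rc"
}

# Flash only when invoked as: sh flash_pm3.sh --flash /path/to/pm3_files
if [ "${1:-}" = "--flash" ]; then flash_pm3 "$2"; fi
```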

    4 comments

    • Andrew Reply 11 April 2019 at 6:28

      Thank you so much for this! I was trying to flash the Iceman image to my Proxmark3 Easy and it bricked – All lights on.

      Some observations:
      Copying and pasting your commands for installing the programs have replaced the ‘double dashed’ parameters with a single special dash, this has to be corrected before pasting the commands.

      It would have been really helpful if you specifically stated that the ‘Pi Pin’ is actually ‘Pi GPIO pin’ – I was looking at it and I knew it did not make sense but several other sites do the same thing – This page https://iosoft.blog/2019/01/28/raspberry-pi-openocd/ lists both which clarified things for me.

      Finally, the biggest problem I had was that OpenOCD would not detect the Atmel chip at all – I had to initiate an ‘erase’ process which was a matter of painstakingly holding a sewing pin attached to 3.3v via a wire on Pin55 of the Atmel at power on to erase the chip. The VDDCore pin is 54 and only ~1.8v, so get it wrong and bye-bye chip….

      • Michelle Reply 29 November 2019 at 22:41

        Andrew, I’m going to try this on a proxmark3 rdv2, so I’m curious if I’ll need to jumper the same pin. What OS were you using on the pi?

      • Michelle Reply 30 November 2019 at 1:58

        Hey Andrew, did all the configure options work for you? Many of them do not exist in the configure. Do you by chance have a log of all the successful steps? The raspberry pi used in this example is ancient… which did you use? btw.. the link you provided to iosoft is great. You didn’t just follow its install steps did you?

        Thanks!

    • Michelle Stoetzel Reply 30 November 2019 at 18:30

      I’ve actually been able to compile with no issues now, on the latest raspbian-buster image.

      sudo apt-get install -y autoconf libtool libftdi-dev libusb-1.0.0-dev

      git clone --recursive git://git.code.sf.net/p/openocd/code openocd-git && cd openocd-git

      ./bootstrap

      ./configure --enable-sysfsgpio --enable-maintainer-mode --disable-werror --enable-ft2232_libftdi --enable-ep93xx --enable-at91rm9200 --enable-usbprog \
      --enable-presto_libftdi --enable-jlink --enable-vsllink --enable-rlink --enable-arm-jtag-ew --enable-dummy --enable-buspirate --enable-ulink --enable-presto_libftdi \
      --enable-usb_blaster_libftdi --enable-ft2232_libftdi --prefix=/usr

      make

      sudo make install

      sudo cp -r tcl/ /usr/share/openocd

      sudo mkdir -p /usr/share/openocd/board

      cd /usr/share/openocd/board

      sudo vi at91sam7s512-buspirate.cfg

      vi /usr/share/openocd/tcl/interface/sysfsgpio-raspberrypi.cf

      Adjusting JTAG pins for 40 pin header. Not sure why we bother to set the SWD pins.

      # Each of the JTAG lines need a gpio number set: tck tms tdi tdo
      # Header pin numbers: 23 22 19 21
      ##sysfsgpio_jtag_nums 11 25 10 9
      # tck tms tdi tdo
      sysfsgpio_jtag_nums 25 24 23 22

      # Each of the SWD lines need a gpio number set: swclk swdio
      # Header pin numbers: 23 22
      sysfsgpio_swd_nums 25 24

      # Run
      cd /usr/share/openocd/board
      sudo openocd -f at91sam7s512-buspirate.cfg

      # haven’t had any success getting the proxmark to respond after connecting the jumpers.. still working on it. (any suggestions?)

      cd /home/pi/flash

      flash write_image ./armsrc/obj/fullimage.elf

      flash write_image ./bootrom/obj/bootrom.elf

    Copyright 2017 Luca Soldi | All Rights Reserved