<!DOCTYPE html>
<html lang="en"><head>
<title>GoatPr0n.farm</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="format-detection" content="telephone=no" />
<meta name="theme-color" content="#000084" />
<link rel="icon" href="https://goatpr0n.farm//favicon.ico">
<link rel="canonical" href="https://goatpr0n.farm/">
<link rel="stylesheet" href="/css/bootstrap.css">
<link rel="stylesheet" href="/css/bootstrap-responsive.css">
<link rel="stylesheet" href="/css/style.css">
</head><body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"></button>
<a class="brand" href="https://goatpr0n.farm/">GoatPr0n.farm</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li>
<a href="/posts/">
<span>All posts</span>
</a>
</li>
</ul>
</div>
</div>
</div>
</nav><div id="content" class="container">
<div class="row-fluid navmargin">
<div class="page-header">
<h1>Initial flashing/debricking the Proxmark V3 EASY (w/ Bus Pirate) - Wed, Sep 25, 2019</h1>
</div>
<p class="lead"></p>
<p>TL;DR: Short the ERASE pin to VDDCORE, if ERASE == PIN_55 &amp;&amp; VDDCORE == PIN_54</p>
<p>According to complaints on the internet, users report bricking their Proxmark3 EASY when they try to flash the latest firmware with the ‘flasher’ software tool.</p>
<p>Sometimes the firmware flashing process goes wrong, but the device can often be recovered with a JTAG programmer or a similar programmer.</p>
<p>I will not talk about setting up the environment to build and flash the firmware, but I will tell you what you might be missing and why it might not be working.</p>
<p>If you do not know where to start with flashing your Proxmark3, then have a look <a href="https://github.com/Proxmark/proxmark3/wiki/flashing">here</a>, <a href="https://github.com/Proxmark/proxmark3/wiki/Debricking-Proxmark3-with-buspirate">here</a>, <a href="https://github.com/Proxmark/proxmark3/wiki/De-Bricking-Segger">here</a> or <a href="https://joanbono.github.io/PoC/Flashing_Proxmark3.html">here</a>. The first link describes the standard way of upgrading your firmware, which can fail if you are unlucky. The other three links describe ways to recover your Proxmark3.</p>
<p>Why can upgrading the firmware fail? There are quite a few reasons it can go wrong.</p>
<ul>
<li>bad firmware image</li>
<li>wrong parameters</li>
<li>power loss</li>
<li>chip security measures</li>
</ul>
<p>With the Proxmark3 EASY, it seems that some devices have the <em>Security Bit</em> of the AT91SAM7S512 processor set. The <a href="http://ww1.microchip.com/downloads/en/DeviceDoc/doc6175.pdf">datasheet</a> (see page 113, paragraph 19.2.4.5) says: “The goal of the security bit is to prevent external access to the internal bus system. […] JTAG, Fast Flash Programming and Flash Serial Test Interface features are disabled. Once set, this bit can be reset only by an external hardware ERASE request to the chip. […]”.</p>
<p>Information on how to unlock the chip again can be found in <a href="http://www.equinox-tech.com/downloads/equinox/ApplicationNotes/AN122%20Atmel%20AT91SAM7%20ISP%20Programming_V1-13_250110.pdf">this document</a> on page 20, paragraph 2.5, which describes unlocking the chip by applying <em>Vcc</em> to the <em>ERASE</em> pin. Applying voltage to the pin will wipe the security bit, but also all contents of the flash!</p>
<p>Unfortunately, the ERASE pin, which is pin number 55 on the AT91SAM7S512, has no connection. The first idea was to solder a jumper wire to <em>Vcc</em>. On second thought, another look at the datasheets reveals that pin 54 is <em>VDDCORE</em>, which supplies 1.65V to 1.95V (1.8V typical) to the CPU for operation.</p>
<p>To erase and reset the Proxmark, I shorted pin 54 and pin 55 with the tip of a multimeter and applied power via USB to the Proxmark3. After &gt;300ms the flash and security bit are erased and the device can be powered off.</p>
<p>The JTAG interface is now enabled again. Next I flashed the bootloader and the fullimage using the Bus Pirate v4, as described in one of the first links mentioned above.</p>
<p>#hackinghackertools</p>
<h4><a href="https://goatpr0n.farm/">Back to Home</a></h4>
</div>
</div><footer class="container">
<hr class="soften">
<p>
©
Julian Knauer
<span id="thisyear">2020</span>
</p>
<p class="text-center">
</p>
</footer>
<script src="/js/jquery.js"></script>
<script src="/js/bootstrap-386.js"></script>
<script src="/js/bootstrap-transition.js"></script>
<script src="/js/bootstrap-alert.js"></script>
<script src="/js/bootstrap-modal.js"></script>
<script src="/js/bootstrap-dropdown.js"></script>
<script src="/js/bootstrap-scrollspy.js"></script>
<script src="/js/bootstrap-tab.js"></script>
<script src="/js/bootstrap-tooltip.js"></script>
<script src="/js/bootstrap-popover.js"></script>
<script src="/js/bootstrap-button.js"></script>
<script src="/js/bootstrap-collapse.js"></script>
<script src="/js/bootstrap-carousel.js"></script>
<script src="/js/bootstrap-typeahead.js"></script>
<script src="/js/bootstrap-affix.js"></script>
<script>
_386 = {
  fastLoad: false,
  onePass: false,
  speedFactor: 1
};

function ThisYear() {
  document.getElementById('thisyear').innerHTML = new Date().getFullYear();
};
</script></body>
</html>