<!DOCTYPE html>
<html lang="en"><head>
<title>GoatPr0n.farm</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="format-detection" content="telephone=no" />
<meta name="theme-color" content="#000084" />
<link rel="icon" href="https://goatpr0n.farm//favicon.ico">
<link rel="canonical" href="https://goatpr0n.farm/">
<link rel="stylesheet" href="/css/bootstrap.css">
<link rel="stylesheet" href="/css/bootstrap-responsive.css">
<link rel="stylesheet" href="/css/style.css">
</head><body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"></button>
<a class="brand" href="https://goatpr0n.farm/">GoatPr0n.farm</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li>
<a href="/posts/">
<span>All posts</span>
</a>
</li>
</ul>
</div>
</div>
</div>
</nav><div id="content" class="container">
<div class="row-fluid navmargin">
<div class="page-header">
<h1>Initial flashing/debricking the Proxmark V3 EASY (w/ Bus Pirate) - Wed, Sep 25, 2019</h1>
</div>
<p class="lead"></p>
<p>TL;DR; Short the ERASE pin with VDDCORE, if ERASE == PIN_55 &amp;&amp; VDDCORE == PIN_54</p>
<p>According to complaints on the internet, users report bricking their Proxmark3 EASY when they try to flash the latest firmware with the &lsquo;flasher&rsquo; software tool.</p>
<p>Sometimes the firmware flashing process goes wrong, but the device can often be recovered with a JTAG programmer or a similar tool.</p>
<p>I will not talk about setting up the environment to build and flash the firmware, but I will tell you what you might be missing and why it might not be working.</p>
<p>If you do not know where to start with flashing your Proxmark3, then have a look <a href="https://github.com/Proxmark/proxmark3/wiki/flashing">here</a>, <a href="https://github.com/Proxmark/proxmark3/wiki/Debricking-Proxmark3-with-buspirate">here</a>, <a href="https://github.com/Proxmark/proxmark3/wiki/De-Bricking-Segger">here</a> or <a href="https://joanbono.github.io/PoC/Flashing_Proxmark3.html">here</a>. The first link describes the standard way of upgrading your firmware, which can fail if you are unlucky. The other three links describe ways to recover your Proxmark3.</p>
<p>Why can upgrading the firmware fail? There are quite a few reasons it can go wrong.</p>
<ul>
<li>bad firmware image</li>
<li>wrong parameters</li>
<li>power loss</li>
<li>chip security measures</li>
</ul>
<p>With the Proxmark3 EASY it seems that some devices have the <em>Security Bit</em> of the AT91SAM7S512 processor set. The <a href="http://ww1.microchip.com/downloads/en/DeviceDoc/doc6175.pdf">datasheet</a> (see page 113, paragraph 19.2.4.5) says: &ldquo;The goal of the security bit is to prevent external access to the internal bus system. [&hellip;] JTAG, Fast Flash Programming and Flash Serial Test Interface features are disabled. Once set, this bit can be reset only by an external hardware ERASE request to the chip. [&hellip;]&rdquo;.</p>
<p>To unlock the chip again, we can find interesting information in <a href="http://www.equinox-tech.com/downloads/equinox/ApplicationNotes/AN122%20Atmel%20AT91SAM7%20ISP%20Programming_V1-13_250110.pdf">this document</a> on page 20 in paragraph 2.5, which describes unlocking the chip by applying <em>Vcc</em> to the <em>ERASE</em> pin. Applying voltage to the pin will wipe the security bit, but also all contents of the flash!</p>
<p>Unfortunately the ERASE pin, which is pin number 55 on the AT91SAM7S512, has no connection. The first idea was to solder a jumper wire to <em>Vcc</em>. On second thought, looking at the datasheets again reveals that pin 54 is <em>VDDCORE</em>, which supplies 1.65V to 1.95V (1.8V typical) to the CPU for operation.</p>
<p>To erase and reset the Proxmark, I shorted pin 54 and pin 55 with the tip of a multimeter and applied power via USB to the Proxmark3. After &gt;300ms the flash and security bit are erased and the device can be powered off.</p>
<p>The JTAG interface is now enabled again. Next I flashed the bootloader and the fullimage using the Bus Pirate v4, as described in one of the first links mentioned above.</p>
<p>#hackinghackertools</p>
<h4><a href="https://goatpr0n.farm/">Back to Home</a></h4>
</div>
</div><footer class="container">
<hr class="soften">
<p>
&copy;
Julian Knauer
<span id="thisyear">2020</span>
</p>
<p class="text-center">
</p>
</footer>
<script src="/js/jquery.js"></script>
<script src="/js/bootstrap-386.js"></script>
<script src="/js/bootstrap-transition.js"></script>
<script src="/js/bootstrap-alert.js"></script>
<script src="/js/bootstrap-modal.js"></script>
<script src="/js/bootstrap-dropdown.js"></script>
<script src="/js/bootstrap-scrollspy.js"></script>
<script src="/js/bootstrap-tab.js"></script>
<script src="/js/bootstrap-tooltip.js"></script>
<script src="/js/bootstrap-popover.js"></script>
<script src="/js/bootstrap-button.js"></script>
<script src="/js/bootstrap-collapse.js"></script>
<script src="/js/bootstrap-carousel.js"></script>
<script src="/js/bootstrap-typeahead.js"></script>
<script src="/js/bootstrap-affix.js"></script>
<script>
_386 = {
fastLoad: false ,
onePass: false ,
speedFactor: 1
};
function ThisYear() {
document.getElementById('thisyear').innerHTML = new Date().getFullYear();
};
</script></body>
</html>