25 Aug

Unbricking a Proxmark III with JTAG

Oops

I recently tried to upgrade my Proxmark III to the latest CDC firmware to try out some of the new features. In the process I somehow managed to brick it into a boot loop in which it would hardware reset every 2-3 seconds.

There are other instructions around the net (see references below) on how to do this using a Bus Pirate, and some of the instructions on the Proxmark website explain how to flash the s19 files. I found that the s19 firmware files didn't work for me, but when I followed the Bus Pirate instructions using the Olimex OpenOCD JTAG adapter instead, everything worked nicely.

Process

First of all I had to get OpenOCD working with my Olimex ARM USB TINY H JTAG interface. There are some instructions on the proxmark forum on doing this with the older ARM-USB-OCD device.

Aug 22 22:19:34 kali kernel: [ 3037.150412] usb 1-1: new high-speed USB device number 2 using ehci_hcd
Aug 22 22:19:34 kali kernel: [ 3037.343464] usb 1-1: New USB device found, idVendor=15ba, idProduct=002a
Aug 22 22:19:34 kali kernel: [ 3037.343468] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Aug 22 22:19:34 kali kernel: [ 3037.343470] usb 1-1: Product: Olimex OpenOCD JTAG ARM-USB-TINY-H
Aug 22 22:19:34 kali kernel: [ 3037.343471] usb 1-1: Manufacturer: Olimex

Create a new openocd.cfg:

source [find interface/olimex-arm-usb-tiny-h.cfg]
source [find target/at91sam7x256.cfg]
adapter_khz 6000
telnet_port 4444

Then, as root, run:

# openocd -f openocd.cfg

From another terminal window telnet to localhost port 4444 and perform the following commands:

Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Abort
cpsr: 0x000000d7 pc: 0x00000068
> flash erase_sector 0 0 15
erased sectors 0 through 15 on flash bank 0 in 0.052437s
> flash erase_sector 1 0 15
flash bank 1 does not exist
in procedure 'flash'
> flash write_image fullimage.elf
Padding image section 0 with 15172 bytes
Padding image section 1 with 4 bytes
wrote 144792 bytes from file fullimage.elf in 17.143480s (8.248 KiB/s)
> flash write_image bootroom.elf
couldn't open bootroom.elf
in procedure 'flash'
> flash write_image bootrom.elf
wrote 3424 bytes from file bootrom.elf in 0.476685s (7.015 KiB/s)

When you plug in the Proxmark III now, you should get the following syslog entries:

Aug 22 23:04:56 kali kernel: [ 5758.467778] usb 2-2.2: new full-speed USB device number 19 using uhci_hcd
Aug 22 23:04:57 kali kernel: [ 5759.097989] usb 2-2.2: New USB device found, idVendor=2d2d, idProduct=504d
Aug 22 23:04:57 kali kernel: [ 5759.097993] usb 2-2.2: New USB device strings: Mfr=1, Product=0, SerialNumber=0
Aug 22 23:04:57 kali kernel: [ 5759.098013] usb 2-2.2: Manufacturer: proxmark.org
Aug 22 23:04:57 kali kernel: [ 5759.367773] cdc_acm 2-2.2:1.0: ttyACM0: USB ACM device
Aug 22 23:04:57 kali mtp-probe: checking bus 2, device 19: "/sys/devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-2/2-2.2"
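
The check above can be scripted. The following is an added example, not part of the original post: it reads kernel log text and reports which ttyACM node the reflashed device received, using the 2d2d:504d IDs from the syslog entries above. The function name pm3_tty and its exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check kernel log text for the
# reflashed Proxmark and report which ttyACM node cdc_acm bound to it.
# 2d2d:504d is the VID:PID shown in the syslog excerpt above.

# Log lines copied from the post, used here as sample input.
PM3_SAMPLE='Aug 22 23:04:57 kali kernel: [ 5759.097989] usb 2-2.2: New USB device found, idVendor=2d2d, idProduct=504d
Aug 22 23:04:57 kali kernel: [ 5759.098013] usb 2-2.2: Manufacturer: proxmark.org
Aug 22 23:04:57 kali kernel: [ 5759.367773] cdc_acm 2-2.2:1.0: ttyACM0: USB ACM device'

# pm3_tty: read kernel log lines on stdin and print the ttyACM name bound to
# the most recent 2d2d:504d enumeration.
# Exit 1: device never enumerated. Exit 2: enumerated, but no cdc_acm binding.
pm3_tty() {
    awk '
        /New USB device found, idVendor=2d2d, idProduct=504d/ {
            for (i = 1; i < NF; i++)
                if ($i == "usb") { path = $(i + 1); sub(/:$/, "", path); break }
            seen = 1; tty = ""   # a re-enumeration invalidates older bindings
            next
        }
        seen && /cdc_acm/ && /USB ACM device/ {
            for (i = 1; i < NF - 1; i++)
                if ($i == "cdc_acm") {
                    iface = $(i + 1)               # e.g. 2-2.2:1.0:
                    sub(/:[0-9.]+:$/, "", iface)   # drop config.interface
                    if (iface == path) { tty = $(i + 2); sub(/:$/, "", tty) }
                    break
                }
        }
        END {
            if (!seen) exit 1
            if (tty == "") exit 2
            print tty
        }
    '
}

printf '%s\n' "$PM3_SAMPLE" | pm3_tty   # demo run on the sample lines
```

On a live system, pipe dmesg output into pm3_tty instead of the sample lines. Exit code 2 means the board enumerated but did not come up as a CDC serial device.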

References