Difference between revisions of "Proxmark"

From YobiWiki
Revision as of 09:35, 4 May 2017

Upgrading ELECHOUSE Proxmark3 Easy V3 to 512k

(de)soldering

The popular Proxmark3 Easy (https://www.aliexpress.com/popular/proxmark3-kit.html) has an at91sam7s256 with only 256k of flash, and it's already about 83% full with the current iceman firmware.
So I decided to attempt an upgrade.

An at91sam7s512 is about 15€ on Farnell (http://fr.farnell.com/atmel/at91sam7s512b-au/micro-32-bits-arm7-512k-flash/dp/1972051).

The steps I followed to desolder and solder the new chip are basically the same as those shown in this YouTube video:

  • heating the chip with my desoldering station
  • removing the chip with a small suction pen
  • putting flux on the pads
  • cleaning the pads with desoldering wire
  • placing the new chip and soldering a few pins to lock it in place (make sure the small dot sits on the correct corner)
  • putting flux on the pins
  • putting solder on the pins, don't be afraid of bridges...
  • removing extra solder with desoldering wire
  • checking carefully for residual solder bridges

And voila.

Note that it may be easier to solder the new chip not with flux+solder+iron but with solder flux paste (https://www.aliexpress.com/wholesale?SearchText=mechanic+solder+flux) and a hot-air gun, as shown in this video (https://www.youtube.com/watch?v=2Z7nCAxS2Rg&t=9m30s)...

JTAG programming

Then wire your JTAG programmer to the board. Mine is a Segger J-Link.
To make it easier, solder a breakable single-row male curved header (https://www.aliexpress.com/wholesale?SearchText=breakable+single+row+male+curved+header+2.54).
Choose a curved one so you can leave it in place later and still stack the PM3 daughterboard.

Then wire it to the JTAG programmer with male-female Dupont wires.

For the J-Link, the pinout is:

  --------------  -------------
 |19 17 15 13 11  9  7  5  3  1|
 |20 18 16 14 12 10  8  6  4  2|
  -----------------------------

PM3  JLink
---  -----
TMS   7
TDI   5
TDO  13
TCK   9
GND   6
3.3  not connected

I didn't connect the 3v3 because J-Link Vref is 5v, so I preferred to power the PM3 over USB while reprogramming it.

To use the J-Link on Debian:

$ apt-get install openocd

There is some doc installed locally: file:///usr/share/doc/openocd/openocd.html/index.html

Create /etc/udev/rules.d/60-jlink.rules with

ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0101", MODE="664", GROUP="plugdev"

I created a config file by reusing most of tools/at91sam7s512-buspirate.cfg (https://github.com/Proxmark/proxmark3/blob/master/tools/at91sam7s512-buspirate.cfg), but specific to J-Link instead of buspirate:

telnet_port 4444
gdb_port 3333
interface jlink
transport select jtag
adapter_khz 1000
reset_config srst_only srst_pulls_trst
jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0f
target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu
sam7x.cpu configure -event reset-init {
	soft_reset_halt
	mww 0xfffffd00 0xa5000004	# RSTC_CR: Reset peripherals
	mww 0xfffffd44 0x00008000	# WDT_MR: disable watchdog
	mww 0xfffffd08 0xa5000001	# RSTC_MR enable user reset
	mww 0xfffffc20 0x00005001	# CKGR_MOR : enable the main oscillator
	sleep 10
	mww 0xfffffc2c 0x000b1c02	# CKGR_PLLR: 16MHz * 12/2 = 96MHz
	sleep 10
	mww 0xfffffc30 0x00000007	# PMC_MCKR : MCK = PLL / 2 = 48 MHz
	sleep 10
	mww 0xffffff60 0x00480100	# MC_FMR: flash mode (FWS=1,FMCN=72)
	sleep 100
}
gdb_memory_map enable
sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
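The reset-init handler above programs the clock tree and the flash timing with raw register writes, and the comments claim what those values mean. The following decoder is an added example (not from the wiki page, nor from the Proxmark3 or OpenOCD projects) that unpacks CKGR_PLLR, PMC_MCKR and MC_FMR using the bit-field layout of the Atmel AT91SAM7S datasheet, so the comments can be checked rather than trusted. The 16 MHz main oscillator comes from the config comment; the 32 kHz slow clock used for CSS=0 is an assumption from the datasheet and is not exercised by the values on this page.

```python
"""Decode the clock and flash-timing registers written by the OpenOCD
reset-init handler and derive the resulting PLL, MCK and FMCN timing.
Added example; bit-field positions follow the AT91SAM7S datasheet."""

MAIN_OSC_HZ = 16_000_000   # Proxmark3 main crystal, as stated in the config comment
SLOW_CLOCK_HZ = 32_768     # assumption: internal RC slow clock, only used when CSS == 0


def bits(value, lo, hi):
    """Extract the inclusive bit range [lo..hi] from a 32-bit register value."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def decode_ckgr_pllr(value, main_hz=MAIN_OSC_HZ):
    """CKGR_PLLR: DIV[7:0], PLLCOUNT[13:8], OUT[15:14], MUL[26:16], USBDIV[29:28].
    PLL output = main * (MUL + 1) / DIV; MUL == 0 or DIV == 0 leaves the PLL off."""
    div = bits(value, 0, 7)
    pllcount = bits(value, 8, 13)
    mul = bits(value, 16, 26)
    usbdiv = bits(value, 28, 29)
    pll_hz = main_hz * (mul + 1) // div if (div and mul) else 0
    return {"DIV": div, "PLLCOUNT": pllcount, "MUL": mul, "USBDIV": usbdiv, "pll_hz": pll_hz}


def decode_pmc_mckr(value, pll_hz, main_hz=MAIN_OSC_HZ):
    """PMC_MCKR: CSS[1:0] selects the source (0 slow clock, 1 main clock, 3 PLL),
    PRES[4:2] divides it by 2**PRES."""
    css = bits(value, 0, 1)
    pres = bits(value, 2, 4)
    source_hz = {0: SLOW_CLOCK_HZ, 1: main_hz, 3: pll_hz}.get(css, 0)  # 2 is reserved
    return {"CSS": css, "PRES": pres, "mck_hz": source_hz >> pres}


def decode_mc_fmr(value, mck_hz):
    """MC_FMR: FWS[9:8] flash wait states, FMCN[23:16] flash microsecond cycle number.
    FMCN counts MCK cycles, so FMCN / MCK is the time interval it encodes."""
    fws = bits(value, 8, 9)
    fmcn = bits(value, 16, 23)
    return {"FWS": fws, "FMCN": fmcn, "fmcn_us": fmcn * 1e6 / mck_hz if mck_hz else None}


def check_reset_init(pllr=0x000b1c02, mckr=0x00000007, fmr=0x00480100):
    """Decode the three values used in the config above and return one summary dict."""
    pll = decode_ckgr_pllr(pllr)
    mck = decode_pmc_mckr(mckr, pll["pll_hz"])
    fmr_d = decode_mc_fmr(fmr, mck["mck_hz"])
    return {**pll, **mck, **fmr_d}


if __name__ == "__main__":
    r = check_reset_init()
    print(f"PLL = {r['pll_hz'] / 1e6:.0f} MHz  (MUL={r['MUL']}, DIV={r['DIV']})")
    print(f"MCK = {r['mck_hz'] / 1e6:.0f} MHz  (CSS={r['CSS']}, PRES=/{1 << r['PRES']})")
    print(f"FWS = {r['FWS']}, FMCN = {r['FMCN']} MCK cycles = {r['fmcn_us']:.1f} us")
```

Run against the page's values it reproduces the comments: 0x000b1c02 gives MUL=11 and DIV=2 (16 MHz * 12 / 2 = 96 MHz), 0x00000007 selects the PLL with a /2 prescaler (48 MHz), and 0x00480100 sets FWS=1 with FMCN=72, which at 48 MHz is 1.5 µs. If you adapt the config for another board with a different crystal, change MAIN_OSC_HZ and re-run before editing the FMCN field, since flash programming timing depends on it.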

Launching OpenOCD:

$ openocd -f at91sam7s512-jlink.cfg
Open On-Chip Debugger 0.9.0 (2017-03-07-13:28)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 1000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : J-Link ARM V8 compiled Dec  1 2009 11:42:48
Info : J-Link caps 0xb9ff7bbf
Info : J-Link hw version 80000
Info : J-Link hw type J-Link
Info : J-Link max mem block 9576
Info : J-Link configuration
Info : USB-Address: 0x0
Info : Kickstart power on JTAG-pin 19: 0xffffffff
Info : Vref = 3.332 TCK = 1 TDI = 0 TDO = 0 TMS = 0 SRST = 1 TRST = 1
Info : J-Link JTAG Interface ready
Info : clock speed 1000 kHz
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787, part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units

Launching a telnet:

telnet localhost 4444
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0xf00000d3 pc: 0x001c9c60
> flash erase_sector 0 0 15
erased sectors 0 through 15 on flash bank 0 in 0.033260s
> flash write_image /tmp/bootrom.s19 0x100000  
wrote 3624 bytes from file /tmp/bootrom.s19 in 0.392169s (9.024 KiB/s)

The chip was new, but if you need to back up the chip contents first, this should be possible with something like "dump_image original.bin 0x100000 0x80000".
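Before issuing "flash write_image /tmp/bootrom.s19 0x100000" it is worth knowing where the image will actually land: OpenOCD adds the given offset to every address in the file, and the erase above only cleared sectors 0 to 15 of bank 0. The script below is an added example (not the wiki page's, OpenOCD's or the Proxmark3 project's code) that parses a Motorola S-record file, verifies every record checksum and byte count, and reports the address range after the offset against the 0x100000..0x180000 window used by the dump_image command. The sample records are constructed for illustration and are 0-based; the assumption that bank 0 is the lower 256 KiB of the 512 KiB device is labelled in the code, and nothing here inspects the real bootrom.s19.

```python
"""Sanity-check a Motorola S-record image before 'flash write_image <file> <offset>'.
Added example; the S19 records below are constructed, not a real Proxmark3 image."""

FLASH_BASE = 0x100000          # flash window used by dump_image on the page
FLASH_SIZE = 0x80000           # 512 KiB on the at91sam7s512
BANK_SIZE = FLASH_SIZE // 2    # assumption: OpenOCD banks 0 and 1 are the two 256 KiB halves

# Constructed 0-based image: S0 header, two 8-byte S3 data records, S7 termination.
SAMPLE_S19 = [
    "S0060000504D3329",                  # S0 header carrying the text "PM3"
    "S30D00000000004020000900100079",    # S3: 8 bytes at 0x00000000
    "S30D0000000818F09FE518F09FE5D2",    # S3: 8 bytes at 0x00000008
    "S70500000000FA",                    # S7: entry address 0x00000000
]
# Same image with the last checksum altered (D2 -> D3), to show the check firing.
CORRUPT_S19 = SAMPLE_S19[:2] + ["S30D0000000818F09FE518F09FE5D3"] + SAMPLE_S19[3:]

_ADDR_LEN = {"1": 2, "2": 3, "3": 4, "7": 4, "8": 3, "9": 2}   # address bytes per record type


def parse_srec(lines):
    """Return ([(address, data_bytes), ...], entry_address_or_None).

    A record is S<type><count><address><data><checksum>: count covers the
    address, data and checksum bytes; the checksum is the one's complement of
    the low byte of the sum of the count, address and data bytes."""
    records, entry = [], None
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        if line[0] != "S" or line[1] not in "0123456789":
            raise ValueError(f"line {lineno}: not an S-record")
        body = bytes.fromhex(line[2:])             # count, address, data, checksum
        count = body[0]
        if count != len(body) - 1:
            raise ValueError(f"line {lineno}: count {count} != {len(body) - 1} bytes present")
        if (~sum(body[:-1])) & 0xFF != body[-1]:
            raise ValueError(f"line {lineno}: bad checksum {body[-1]:02X}")
        rtype = line[1]
        if rtype in "056":                          # header and record-count records: no data
            continue
        alen = _ADDR_LEN[rtype]
        address = int.from_bytes(body[1:1 + alen], "big")
        if rtype in "789":
            entry = address
        else:
            records.append((address, body[1 + alen:-1]))
    return records, entry


def check_image(lines, offset=0x100000, flash_base=FLASH_BASE, flash_size=FLASH_SIZE):
    """Apply the write_image offset and report where the image would be written."""
    records, entry = parse_srec(lines)
    if not records:
        raise ValueError("image contains no data records")
    first = min(a for a, _ in records) + offset
    end = max(a + len(d) for a, d in records) + offset          # exclusive end
    spans = sorted((a, a + len(d)) for a, d in records)
    overlap = any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))
    return {
        "first": first,
        "end": end,
        "bytes": sum(len(d) for _, d in records),
        "entry": None if entry is None else entry + offset,
        "in_flash": flash_base <= first and end <= flash_base + flash_size,
        "fits_bank0": flash_base <= first and end <= flash_base + BANK_SIZE,
        "overlap": overlap,
    }


if __name__ == "__main__":
    r = check_image(SAMPLE_S19)
    print(f"image 0x{r['first']:08X}-0x{r['end'] - 1:08X} ({r['bytes']} bytes), "
          f"entry {r['entry']:#x}, in flash: {r['in_flash']}, bank 0 only: {r['fits_bank0']}")
    try:
        check_image(CORRUPT_S19)
    except ValueError as err:
        print("rejected:", err)
```

Run it on the real file with the offset you intend to pass to write_image: if "in_flash" comes back False, the addresses inside the S19 are already absolute and the offset must be dropped (or vice versa); if "fits_bank0" is False, the image spills past the sectors erased above and a wider erase is needed first. A checksum failure means the file was damaged in transfer and should not be flashed at all.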

Flashing full image

I also tried to flash the fullimage via JTAG, but it failed to work afterwards, so once the bootloader is installed I used the usual recovery procedure:

  • Press button and keep it pressed during the whole procedure
  • Plug PM3 to USB
  • ./flasher /dev/ttyACM0 fullimage.elf
  • Release button and re-plug the PM3

Done

$ ./proxmark3 /dev/ttyACM0
Proxmark3 RFID instrument
bootrom: iceman/iceman/v2.1.0-1547-gb0df293d 2017-05-03 20:44:34
os: iceman/iceman/v2.1.0-1547-gb0df293d 2017-05-03 20:44:39
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2015/11/ 2 at  9: 8: 8

uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 217204 bytes (41%).
Free: 307084 bytes (59%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory