Proxmark
Upgrading ELECHOUSE Proxmark3 Easy V3 to 512k
(de)soldering
The popular Proxmark3 Easy has an at91sam7s256 with only 256k and e.g. it's already about 83% full with the current iceman firmware.
So I decided to attempt an upgrade.
at91sam7s512 is about 15€ on Farnell.
The steps I followed to desolder and solder the new chip are basically the same as seen on this youtube video:
- heating the chip with my desoldering station
- removing the chip with a small suction pen
- putting flux on the pads
- cleaning the pads with desoldering wire
- putting the new chip and soldering some pins to lock it in place (look for aligning the small dot on the correct corner)
- putting flux on the pins
- putting solder on the pins, don't be afraid of bridges...
- removing extra solder with desoldering wire
- checking carefully for residual solder bridges
And voila.
Note that it's maybe easier to solder the new chip not by using flux+solder+iron but solder flux paste and heating with air gun, as shown in this video...
JTAG programming
Then wire your JTAG programmer to the board. Mine is a Segger J-Link.
To make it easier, solder a breakable single-row male curved header.
Choose a curved one so you can leave it in place later and still stack the PM3 daughterboard.
Then using Dupont wires male-female, wire it to the JTAG programmer.
For the J-Link, the pinout is:
--------- --------- |1917151311 9 7 5 3 1| |201816141210 8 6 4 2| -------------------- PM3 JLink --- ----- TMS 7 TDI 5 TDO 13 TCK 9 GND 6 3.3 not connected
I didn't connect the 3v3 because J-Link Vref is 5v so I prefered to power the PM3 over USB while reprogramming it.
To use the J-Link on Debian:
$ apt-get install openocd
There is some doc installed locally: file:///usr/share/doc/openocd/openocd.html/index.html
Create /etc/udev/rules.d/60-jlink.rules with
ATTRS{idVendor}=="1366", ATTRS{idProduct}=="0101", MODE="664", GROUP="plugdev"
I created a config file by reusing most of tools/at91sam7s512-buspirate.cfg, but specific to J-Link instead of buspirate:
telnet_port 4444 gdb_port 3333 interface jlink transport select jtag adapter_khz 1000 reset_config srst_only srst_pulls_trst jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0f target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu sam7x.cpu configure -event reset-init { soft_reset_halt mww 0xfffffd00 0xa5000004 # RSTC_CR: Reset peripherals mww 0xfffffd44 0x00008000 # WDT_MR: disable watchdog mww 0xfffffd08 0xa5000001 # RSTC_MR enable user reset mww 0xfffffc20 0x00005001 # CKGR_MOR : enable the main oscillator sleep 10 mww 0xfffffc2c 0x000b1c02 # CKGR_PLLR: 16MHz * 12/2 = 96MHz sleep 10 mww 0xfffffc30 0x00000007 # PMC_MCKR : MCK = PLL / 2 = 48 MHz sleep 10 mww 0xffffff60 0x00480100 # MC_FMR: flash mode (FWS=1,FMCN=72) sleep 100 } gdb_memory_map enable sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0 flash bank sam7x.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432 flash bank sam7x.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432
Launching OpenOCD:
$ openocd -f at91sam7s512-jlink.cfg Open On-Chip Debugger 0.9.0 (2017-03-07-13:28) Licensed under GNU GPL v2 For bug reports, read http://openocd.org/doc/doxygen/bugs.html adapter speed: 1000 kHz srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst Info : J-Link ARM V8 compiled Dec 1 2009 11:42:48 Info : J-Link caps 0xb9ff7bbf Info : J-Link hw version 80000 Info : J-Link hw type J-Link Info : J-Link max mem block 9576 Info : J-Link configuration Info : USB-Address: 0x0 Info : Kickstart power on JTAG-pin 19: 0xffffffff Info : Vref = 3.332 TCK = 1 TDI = 0 TDO = 0 TMS = 0 SRST = 1 TRST = 1 Info : J-Link JTAG Interface ready Info : clock speed 1000 kHz Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787, part: 0xf0f0, ver: 0x3) Info : Embedded ICE version 1 Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Launching a telnet:
telnet localhost 4444 Connected to localhost. Escape character is '^]'. Open On-Chip Debugger > halt target state: halted target halted in ARM state due to debug-request, current mode: Supervisor cpsr: 0xf00000d3 pc: 0x001c9c60 > flash erase_sector 0 0 15 erased sectors 0 through 15 on flash bank 0 in 0.033260s > flash write_image /tmp/bootrom.s19 0x100000 wrote 3624 bytes from file /tmp/bootrom.s19 in 0.392169s (9.024 KiB/s)
The chip was new but in case you need to backup the chip content first, this should be possible with sth like "dump_image original.bin 0x100000 0x80000"
Flashing full image
I also tried to flash the fullimage via JTAG but it failed working afterwards, so once the bootloader is installed, I used the usual recovery procedure:
- Press button and keep it pressed during the whole procedure
- Plug PM3 to USB
- ./flasher /dev/ttyACM0 fullimage.elf
- Release button and re-plug the PM3
Done
$ ./proxmark3 /dev/ttyACM0 Proxmark3 RFID instrument bootrom: iceman/iceman/v2.1.0-1547-gb0df293d 2017-05-03 20:44:34 os: iceman/iceman/v2.1.0-1547-gb0df293d 2017-05-03 20:44:39 LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04 HF FPGA image built for 2s30vq100 on 2015/11/ 2 at 9: 8: 8 uC: AT91SAM7S512 Rev B Embedded Processor: ARM7TDMI Nonvolatile Program Memory Size: 512K bytes. Used: 217204 bytes (41%). Free: 307084 bytes (59%). Second Nonvolatile Program Memory Size: None Internal SRAM Size: 64K bytes Architecture Identifier: AT91SAM7Sxx Series Nonvolatile Program Memory Type: Embedded Flash Memory