Initial flashing/debricking the Proxmark V3 EASY (w/ Bus Pirate)
TL;DR; Short the ERASE pin with VDDCORE, if ERASE == PIN_55 && VDDCORE == PIN_54
According to complains in the internet, users report bricking their Proxmark3 EASY, when they try to flash the latest firmware with the ‘flasher’ software tool.
Sometimes flashing process of firmware can go wrong, but it can often be recovered with JTAG programmers, or similar programmers.
I will not talk about setting up the environment to build, and flashing the firmware, but I will tell you what you might be missing out and why it might be not working.
If you do not know where to start with flashing your Proxmark3, than have a look here, here, here or here. The first link describes the standard way of upgrading your firmware, which can fail, if you are unlucky. The other three links describe ways to recover your Proxmark3.
Why can upgrading the firmware fail? There are quite some reasons it can go wrong.
- bad firmware image
- wrong parameters
- power loss
- chip security measurements
With the Proxmark3 EASY it seems, that some devices have the Security Bit of the AT91SAM7S512 processor set. The datasheet (see page 113, paragraph 19.2.4.5) says: “The goal of the security bit is to prevent external access to the internal bus system. […] JTAG, Fast Flash Programming and Flash Serial Test Interface features are disabled. Once set,this bit can be reset only by an external hardware ERASE request to the chip. […]”.
To unlock the chip again we can find interesting information in this document on page 20 in paragraph 2.5. Which describes the unlocking the chip by applying Vcc to the ERASE pin. Applying voltage to the pin will wipe the security bit, but also all contents of the flash!
Unfortunately the ERASE pin, which is pin number 55 on the AT91SAM7S512, has no connection. The first idea was to solder a jumper wire to Vcc. On second guess and looking at the datasheets again, reveals pin 54 is VDDCORE, which applies 1.65V to 1.95V (1.8V typical) to the CPU for operation.
To erase and reset the Proxmark, I shortened pin 54 and pin 55 with the tip of a multimeter, applied power via USB to the Proxmark3. After >300ms the flash and security bit is erased and the device can be powered off.
The JTAG interface is now enabled again. Next I flashed the bootloader, and the fullimage using the Bus Pirate v4 using as described in one of the first links mentioned above.
Btw, if you are interested in an alternative to the stock firmware, go and checkout RRG / Iceman - Proxmark3 on GitHub. Have fun.
#hackinghackertools