Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Hi there,
I am having troubles with a genuine Proxmark3 v2. During the flashing of the pm3 an error occurred (As i remember it stopped during the process of writing the segments during the flash process). After that the device can not get mounted through USB. I checked with dmesg and lsusb, but nothing is showing up when I try to connect it.
I tried flashing it with a Bus Pirate v3.6 (community firmware version 7.1) using the latest version, but that failed. I tried the latest release of the offical proxmark firmware as well as the latest version of the iceman repo. Still no output on dmesg.
In the past I used the proxmark successfully and flashed it a few times via the Bus Pirate, but this time I am having troubles.
Here is my OpenOcd output:
$ openocd -f tools/at91sam7s512-buspirate.cfg
Open On-Chip Debugger 0.10.0-rc1-dev-gc404ff5d-dirty (2019-11-11-15:43)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Warn : Adapter driver 'buspirate' did not declare which transports it allows; assuming legacy JTAG-only
Info : only one transport option; autoselect 'jtag'
adapter speed: 1000 kHz
srst_only srst_pulls_trst srst_gates_jtag srst_open_drain connect_deassert_srst
Info : Buspirate Interface ready!
Info : This adapter doesn't support configurable speed
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
$ telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target halted in Thumb state due to debug-request, current mode: Supervisor
cpsr: 0x600000f3 pc: 0x001120b8
> flash banks
#0 : sam7x512.flash.0 (at91sam7) at 0x00000000, size 0x00000000, buswidth 0, chipwidth 0
#1 : sam7x512.flash.1 (at91sam7) at 0x00000000, size 0x00000000, buswidth 0, chipwidth 0
> flash erase_sector 0 0 15
erased sectors 0 through 15 on flash bank 0 in 0.351501s
> flash erase_sector 1 0 15
erased sectors 0 through 15 on flash bank 1 in 0.351299s
> flash write_image ./recovery/proxmark3_recovery.bin 0x100000
wrote 210016 bytes from file ./recovery/proxmark3_recovery.bin in 304.754669s (0.673 KiB/s)
> flash banks
#0 : sam7x512.flash.0 (at91sam7) at 0x00100000, size 0x00040000, buswidth 4, chipwidth 0
#1 : sam7x512.flash.1 (at91sam7) at 0x00140000, size 0x00040000, buswidth 4, chipwidth 0
After re-connection the Proxmark there is still no sign on dmesg. Checking flash banks again it shows size 0 again.
What I tried so far:
Flashing Proxmark with latest original repo (freshly compiled)
Flashing Proxmark with latest iceman repo (freshly compiled)
Trying just to flash bootrom and pressing the pm3 button during startup
Erasing the flash using flash erase_sector
Erasing by connecting pin 55 of the yC to 3.3 volts
When the pm3 is conneted the STD led is shining green, PWR led shining blue, CHR led flickering red. When reconnecting leds A-D light up once and D a second time. After holding the button led B and A alternate 3 times, then C, D and B stay lit. Pressing the button turns of the led B for a short time. I think this behaviour is regular.
Here the register state:
Open On-Chip Debugger
> halt
target halted in Thumb state due to debug-request, current mode: Supervisor
cpsr: 0x600000f3 pc: 0x001120d2
> flash banks
#0 : sam7x512.flash.0 (at91sam7) at 0x00000000, size 0x00000000, buswidth 0, chipwidth 0
#1 : sam7x512.flash.1 (at91sam7) at 0x00000000, size 0x00000000, buswidth 0, chipwidth 0
> reg
===== ARM registers
(0) r0 (/32): 0x00000000 (dirty)
(1) r1 (/32): 0x001120BF
(2) r2 (/32): 0x00000001
(3) r3 (/32): 0xFFFFFFFF
(4) r4 (/32): 0x000003E8
(5) r5 (/32): 0x00000220
(6) r6 (/32): 0x00000000
(7) r7 (/32): 0x00000000
(8) r8 (/32): 0x00000000
(9) r9 (/32): 0x00000000
(10) r10 (/32): 0x00000000
(11) r11 (/32): 0x00004000
(12) r12 (/32): 0x0003E896
(13) sp_usr (/32)
(14) lr_usr (/32)
(15) pc (/32): 0x001120D2 (dirty)
(16) r8_fiq (/32)
(17) r9_fiq (/32)
(18) r10_fiq (/32)
(19) r11_fiq (/32)
(20) r12_fiq (/32)
(21) sp_fiq (/32)
(22) lr_fiq (/32)
(23) sp_irq (/32)
(24) lr_irq (/32)
(25) sp_svc (/32): 0x0020FD58
(26) lr_svc (/32): 0x001120BF
(27) sp_abt (/32)
(28) lr_abt (/32)
(29) sp_und (/32)
(30) lr_und (/32)
(31) cpsr (/32): 0x600000F3
(32) spsr_fiq (/32)
(33) spsr_irq (/32)
(34) spsr_svc (/32): 0x800000D3
(35) spsr_abt (/32)
(36) spsr_und (/32)
(37) sp (/32)
(38) lr (/32)
Any ideas what the problem could be?
Last edited by kelp12 (2019-12-12 20:42:25)
Offline
In case you own a Raspi, you could try this one.
Especially you could try to do the flash "by hand":
telnet IP_ADDRESS 4444
halt
flash erase_sector 0 0 15
flash erase_sector 1 0 15
flash write_image /path_where_you_copied_pm3_files/armsrc/obj/fullimage.elf
flash write_image /path_where_you_copied_pm3_files/bootrom/obj/bootrom.elf
Best of luck,
JD.
Offline
Okay I finally got around organizing a not-in-use Raspberry (since mine isn't free right now )
I tried flashing with a Raspberry 3 + OpenOCD and it finally worked! I guess my Bus Pirate is not working quite like it should ... well whatever, my Proxmark at least works now!
Thank you!
Since the the link that you provided is a bit outdated, I created a updated version:
https://wiki.elvis.science/index.php?ti … Debricking
Last edited by kelp12 (2019-12-12 20:21:57)
Offline
@kelp12:
Glad to see that the Raspi-way worked for you! Perfect work with the wiki, that should help a lot of users with similar problems.
Regards,
JD.
Offline