Alex Dib

Information Security Enthusiast

Debricking Proxmark 3 using the Bus Pirate

18 May 2018 » all, rfid

Overview

So you bricked your $300 Proxmark... F!@#. Hope is not lost: the Bus Pirate to the rescue! This post outlines how to debrick / reflash your Proxmark 3 using the Bus Pirate 3.6 on the Kali operating system.

Preparation

You will need a Bus Pirate that supports firmware v5.9+ and OpenOCD. To make things easier, I soldered a 6-pin header to the Proxmark 3 and used jumper wires to connect to the Bus Pirate. The latest Bus Pirate firmware can be found here.

Get the latest Proxmark 3 repository

git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all

Install OpenOCD

apt-get install openocd

Connect the Proxmark 3 to the Bus Pirate

The MOSI/MISO pins are switched depending on which version of the Proxmark you have, so pay attention to the tables below.

Screenshot proxmark bus pirate connection

Proxmark 3 RDV2

Screenshot pm3rdv2

Proxmark 3    Bus Pirate    Jumper Colour
TMS           CS            Purple
TDI           MOSI          Green
TDO           MISO          Blue
TCK           CLK           Yellow
GND           GND           Black
+3.3          +3.3          White


Proxmark 3 Easy (RDV3)

Screenshot pm3rdv3

Proxmark 3    Bus Pirate    Jumper Colour
TMS           CS            Purple
TDI           MISO          Blue
TDO           MOSI          Green
TCK           CLK           Yellow
GND           GND           Black
+3.3          +3.3          White

Flashing

1. Connect the Bus Pirate USB to the host machine with the Proxmark 3 attached.

2. Identify the Bus Pirate port on the host machine (/dev/ttyUSB0 by default).

ls /dev/tty*

3. Adjust buspirate_port in the at91sam7s512-buspirate.cfg file located in the Proxmark 3 tools folder with the port found in the previous step.

# Interface
interface buspirate
buspirate_port /dev/ttyUSB0
adapter_khz 1000

4. Launch OpenOCD with the config file found in the Proxmark 3 tools directory.

openocd -f tools/at91sam7s512-buspirate.cfg

Screenshot openocd

5. In another terminal window, telnet to the OpenOCD session that is driving the Bus Pirate.

telnet localhost 4444

Screenshot telnet

6. Halt the target and erase the flash contents.

halt
flash erase_sector 0 0 15
flash erase_sector 1 0 15

Screenshot halt erase

7. Write the new firmware. This process can take a few minutes, so be patient.

flash write_image ./armsrc/obj/fullimage.elf
flash write_image ./bootrom/obj/bootrom.elf

Screenshot write firmware

8. Quit and disconnect the Proxmark 3 and Bus Pirate. Your Proxmark 3 should be back to normal. Enjoy!

Screenshot Proxmark 3

Troubleshooting

“Halt timed out, wake up GDB”: Switch the MOSI/MISO pins.

# Error
> halt
Halt timed out, wake up GDB.
timed out while waiting for target halted

“Lock Error Bit Detected”: Clear protection on the bank(s).

# Error
> flash erase_sector 0 0 15
status register: 0x1048b205
Lock Error Bit Detected, Operation Abort
failed erasing sectors 0 to 15

# Resolution
flash protect 0 0 15 off
flash protect 1 0 15 off
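
The flashing steps and the lock-bit resolution above, combined into one script as an added example (not part of the original post): it checks that both firmware images are ELF files and that the configured port exists before anything is erased, because an erase followed by a failed write leaves the board with empty flash. Function names are hypothetical; the config path, image paths and OpenOCD commands are the ones used above, and clearing protection before every erase is an assumption that doing so is harmless when no lock bits are set.

```shell
#!/bin/sh
# Added example (not from the original post): check everything the write needs
# BEFORE erasing flash, then run the post's commands in one OpenOCD invocation.
# Function names are hypothetical; paths and OpenOCD commands are the post's.
# Run from the proxmark3 directory:  sh reflash.sh --flash

CFG=tools/at91sam7s512-buspirate.cfg
IMAGES="armsrc/obj/fullimage.elf bootrom/obj/bootrom.elf"

# True if the file exists and starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print the serial port configured in an OpenOCD config file.
cfg_port() {
    awk '$1 == "buspirate_port" { print $2; exit }' "$1"
}

# Build the command string: halt, unprotect and erase both banks, write, exit.
flash_cmds() {
    cmds="init; halt"
    for bank in 0 1; do
        cmds="$cmds; flash protect $bank 0 15 off; flash erase_sector $bank 0 15"
    done
    for img in $IMAGES; do
        cmds="$cmds; flash write_image ./$img"
    done
    echo "$cmds; shutdown"
}

# Refuse to touch flash unless both images and the adapter port are present.
preflight() {
    for img in $IMAGES; do
        is_elf "$img" || { echo "missing or non-ELF image: $img" >&2; return 1; }
    done
    port=$(cfg_port "$CFG")
    [ -c "$port" ] || { echo "no serial device at '$port'" >&2; return 1; }
}

reflash() {
    preflight || return 1
    openocd -f "$CFG" -c "$(flash_cmds)"
}

if [ "${1:-}" = "--flash" ]; then reflash; fi
```

Without the --flash argument the script only defines its functions, so preflight can be run on its own to confirm the build output and port before committing to an erase.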
