Unbricking Proxmark3 RDV4 with a Shikra

Yesterday I unboxed my shiny new Proxmark and proceeded to immediately brick it trying to update the firmware. I saw a couple of guides for de-bricking it using the BusPirate, but I only have a Shikra. I thought surely this is a thing, did some Googling and pretended I knew what I was doing until, to my surprise, it worked!

Things you’ll need:

Files for openocd Shikra config

shikra.cfg

telnet_port 4444
#shikra.cfg
interface ftdi
transport select jtag
ftdi_vid_pid 0x0403 0x6014

ftdi_layout_init 0x0c08 0x0f1b
adapter_khz 2000
#end shikra.cfg

prox.cfg

## Chipset configuration section
# use combined on interfaces or targets that can't set TRST/SRST separately
reset_config srst_only srst_pulls_trst

jtag newtap sam7x cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x3f0f0f0f

target create sam7x.cpu arm7tdmi -endian little -chain-position sam7x.cpu

sam7x.cpu configure -event reset-init {
	soft_reset_halt
	mww 0xfffffd00 0xa5000004	# RSTC_CR: Reset peripherals
	mww 0xfffffd44 0x00008000	# WDT_MR: disable watchdog
	mww 0xfffffd08 0xa5000001	# RSTC_MR enable user reset
	mww 0xfffffc20 0x00005001	# CKGR_MOR : enable the main oscillator
	sleep 10
	mww 0xfffffc2c 0x000b1c02	# CKGR_PLLR: 16MHz * 12/2 = 96MHz
	sleep 10
	mww 0xfffffc30 0x00000007	# PMC_MCKR : MCK = PLL / 2 = 48 MHz
	sleep 10
	mww 0xffffff60 0x00480100	# MC_FMR: flash mode (FWS=1,FMCN=72)
	sleep 100

}

gdb_memory_map enable
#gdb_breakpoint_override hard
#armv4_5 core_state arm

sam7x.cpu configure -work-area-virt 0 -work-area-phys 0x00200000 -work-area-size 0x10000 -work-area-backup 0
flash bank sam7x512.flash.0 at91sam7 0 0 0 0 sam7x.cpu 0 0 0 0 0 0 0 18432
flash bank sam7x512.flash.1 at91sam7 0 0 0 0 sam7x.cpu 1 0 0 0 0 0 0 18432

Pinout from Proxmark to Shikra

  • TCK - 1
  • TDI - 2
  • TDO - 3
  • TMS - 4
  • GND - 18

Running the magic

Make sure you have openocd installed and that you have compiled the Proxmark3 firmware. With the config files shown above, openocd listens on port 4444; telnet to that port to run the commands needed to de-brick your Proxmark.


UPDATE

The .cfg files have been added to the RfidResearchGroup fork (best fork) of Proxmark3. No need to use the files shown above; instead, run the following openocd command from the root of the proxmark3 directory. Thanks iceman!

OpenOCD

openocd -f tools/jtag_openocd/interface-shikra.cfg -f tools/jtag_openocd/chip-at91sam7s.cfg

Telnet

telnet 127.0.0.1 4444

Once you have your telnet session, you need to halt the CPU, erase both flash banks, then write the recovery image to the device.

halt
flash erase_sector 0 0 15
flash erase_sector 1 0 15
flash write_image ./recovery/proxmark3_recovery.bin 0x100000

Now power cycle the Proxmark3, and hopefully you are good to go.
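The telnet step above can be scripted so that each OpenOCD reply is checked before the next command is sent. This is an added example, not code from the post or from the Proxmark3 project; it talks to the same port 4444 and runs the same four commands, and the FakeOpenOCD class is a constructed stand-in so the flow can be exercised with no Proxmark attached.

```python
"""Added example, not from the post: drive OpenOCD's telnet port 4444 through the
halt / erase / write_image sequence above, stopping at the first 'Error:' reply.
FakeOpenOCD is a constructed stand-in so the flow can run with no Proxmark attached."""
import socket  # real use: recover(socket.create_connection(("127.0.0.1", 4444)))
PROMPT = b"> "          # OpenOCD's telnet prompt
FLASH_BASE = 0x100000   # AT91SAM7S512 flash start, as in the post

def recovery_commands(image="./recovery/proxmark3_recovery.bin"):
    # Same sequence as the post: halt, erase both banks, write the recovery image
    return ["halt", "flash erase_sector 0 0 15", "flash erase_sector 1 0 15",
            f"flash write_image {image} {FLASH_BASE:#x}"]

def read_until_prompt(conn):
    # Collect output until the next prompt (also used to eat the connect banner)
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("OpenOCD closed the connection")
        buf += chunk
    return buf[:-len(PROMPT)].decode(errors="replace")

def run_command(conn, cmd):
    conn.sendall(cmd.encode() + b"\n")
    reply = read_until_prompt(conn)
    if "error" in reply.lower():   # OpenOCD reports failures as 'Error: ...'
        raise RuntimeError(f"{cmd!r} failed: {reply.strip()}")
    return reply

def recover(conn, image="./recovery/proxmark3_recovery.bin"):
    read_until_prompt(conn)        # swallow the banner before the first command
    replies = [run_command(conn, c) for c in recovery_commands(image)]
    if "wrote" not in replies[-1]: # write_image confirms with 'wrote N bytes ...'
        raise RuntimeError("flash write_image did not confirm the write")
    return replies

class FakeOpenOCD:
    """Constructed responder: banner, then a plausible reply for each command."""
    def __init__(self, fail_cmd=None):
        self.fail_cmd, self.sent = fail_cmd, []
        self.out = b"Open On-Chip Debugger\n" + PROMPT
    def sendall(self, data):
        cmd = data.decode().strip()
        self.sent.append(cmd)
        reply = ("Error: timed out while waiting for target halted" if cmd == self.fail_cmd
                 else "wrote 262144 bytes from file" if cmd.startswith("flash write") else "")
        self.out += reply.encode() + b"\n" + PROMPT
    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk
```

Against a real board, start openocd as described above, then call recover() on a socket connected to 127.0.0.1:4444; if the erase or write fails, the exception carries OpenOCD's own error line so you can see which step to retry.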

References:

If for whatever reason this doesn't work, check these boys.