| blob | aaad58161cd5bd01e417b389e9f2000dab6dcd3c |
1 # Notes on JTAG
2 <a id="top"></a>
4 Some notes on how to reflash a bricked Proxmark3 over JTAG.
6 # Table of Contents
7 - [Notes on JTAG](#notes-on-jtag)
8 - [Table of Contents](#table-of-contents)
9 - [Linux and OpenOCD](#linux-and-openocd)
10 - [Using RDV4 scripts](#using-rdv4-scripts)
11 - [RDV4 pinout](#rdv4-pinout)
12 - [JLink pinout](#jlink-pinout)
13 - [Raspberry Pi pinout](#raspberry-pi-pinout)
14 - [Notes for enabling JTAG port](#notes-for-enabling-jtag-port)
15 - [Where to find more information?](#where-to-find-more-information)
16 - [Third party notes on using a BusPirate](#third-party-notes-on-using-a-buspirate)
17 - [Third party notes on using a J-Link](#third-party-notes-on-using-a-j-link)
18 - [Third party notes on using a RaspBerry Pi](#third-party-notes-on-using-a-raspberry-pi)
19 - [Third party notes on using a J-Link on Windows](#third-party-notes-on-using-a-j-link-on-windows)
20 - [Old original docs](#old-original-docs)
24 # Linux and OpenOCD
25 ^[Top](#top)
27 ## Using RDV4 scripts
28 ^[Top](#top)
30 The RDV4 repository contains helper scripts for JTAG flashing.
32 * Get OpenOCD, e.g.: `apt-get install openocd`
33 * Create `tools/jtag_openocd/openocd_configuration` by copying [`tools/jtag_openocd/openocd_configuration.sample`](/tools/jtag_openocd/openocd_configuration.sample)
34 * Tune it to fit your JTAG tool: adapt `CONFIG_IF` to refer to your JTAG tool. `openocd_configuration.sample` contains several examples and is set up by default to work with the J-Link.
35 * Wire the Proxmark3 to the JTAG tool. How to do it depends on the tool. See below for examples. **Warning:** don't plug the Proxmark3 on USB if the tool delivers already the voltage to the Proxmark3, which is most probably the case.
36 * Then just run
38 ```
39 cd tools/jtag_openocd/
40 ./openocd_flash_recovery.sh
41 ```
43 In some rare situations, flashing the full image over JTAG may fail but the bootloader could be fixed. If it's the case, you can flash the image without JTAG by booting on your fresh bootloader (possibly forced by pressing the Proxmark3 button).
45 For advanced usages there are also `openocd_flash_dump.sh` for dumping the content of the Proxmark3 and `openocd_interactive.sh` for an OpenOCD console.
47 ## RDV4 pinout
48 ^[Top](#top)
50 The RDV4 JTAG header is quite smaller compared to other Proxmark3 platforms.
51 If you're using a J-Link, there is a [convenient adapter](https://github.com/RfidResearchGroup/proxmark3/wiki/Tools#jtag-adapter) made by Proxgrind.
52 You can also make yours with some 1.27mm headers (look for `1.27mm header` on Aliexpress) or Pogo pins or buy an already made clip, e.g. search `dykb clamp` on Aliexpress and take a 1.27mm single-row 6P version.
54 ## JLink pinout
55 ^[Top](#top)
57 J-Link [pinout](https://www.segger.com/interface-description.html):
59 ```
60 Pin cut-out on a JLink 20 pin connector
62 ^^
63 -------------- ---------
64 |19 17 15 13 11 9 7 5 3 1|
65 |20 18 16 14 12 10 8 6 4 2|
66 -------------------------
67 ```
69 ```
70 Map of pins between PM3 / JLink
72 PM3 | JLink
73 --- | -----
74 TMS | 7
75 TDI | 5
76 TDO | 13
77 TCK | 9
78 GND | 6
79 3.3 | 2
80 ```
82 ## Raspberry Pi pinout
83 ^[Top](#top)
85 RPi [pinout](https://pinout.xyz/):
87 ```
88 PM3 | RPi
89 --- | ---
90 TMS | 22
91 TDI | 19
92 TDO | 21
93 TCK | 23
94 GND | 6
95 3.3 | 1
96 ```
98 # Notes for enabling JTAG port
99 ^[Top](#top)
101 If you can communicate with Proxmark3 with OpenOCD, then you don't need to care about this note, as the JTAG port is enabled by default. However, if you see the following output when running OpenOCD, it indicates that the MCU is found, but the JTAG port is disabled (locked).
102 ```
103 Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (<unknown>), part: 0xf0f0, ver: 0x3)
104 Info : TAP auto0.tap does not have valid IDCODE (idcode=0x0)
105 ......
106 Error: double-check your JTAG setup (interface, speed, ...)
107 ......
108 Info : Halt timed out, wake up GDB.
109 Error: timed out while waiting for target halted
110 ```
112 To resolve this, you need to erase the chip by following the instructions in this Stack Overflow thread.
113 https://stackoverflow.com/questions/48794076/error-halt-timed-out-wake-up-gdb/64291913#64291913
115 # Where to find more information?
116 ^[Top](#top)
118 There has been lots of articles and blogposts about recovering, debricking, JTAG your Proxmark3 and you find here below an assortiment of resources that will be of help.
120 ## Third party notes on using a BusPirate
121 ^[Top](#top)
123 * https://github.com/Proxmark/proxmark3/wiki/Debricking-Proxmark3-with-buspirate
124 * https://b4cktr4ck2.github.io/De-Brickify-Pm3-RDV2/
125 * https://scund00r.com/all/rfid/2018/05/18/debrick-proxmark.html
126 * https://joanbono.github.io/PoC/Flashing_Proxmark3.html
128 ## Third party notes on using a J-Link
129 ^[Top](#top)
131 * http://wiki.yobi.be/wiki/Proxmark
133 ## Third party notes on using a RaspBerry Pi
134 ^[Top](#top)
136 * http://www.lucasoldi.com/2017/01/17/unbrick-proxmark3-with-a-raspberry-pi-and-openocd/
137 * https://wiki.elvis.science/index.php?title=Proxmark3:_Debricking
138 * https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle
140 ## Third party notes on using a J-Link on Windows
141 ^[Top](#top)
143 * https://github.com/Proxmark/proxmark3/wiki/De-Bricking-Segger
145 ## Old original docs
146 ^[Top](#top)
148 Describes the SEGGER JLINK, JTAG process but be warned, this document is old.
149 https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/original_proxmark3/Compiling%20Proxmark%20source%20and%20firmware%20upgrading%20v1.pdf