Your original ARM AT91SAM7S512 was OK, you just need to re-enable JTAG/recover the device via the pin 55 (ERASE).
You can follow the instructions in this note, under 4.9.3;
NOTE
Thanks, you saved my day. I bricked my device after a couple of hours.
I got the same problem as described in this thread
My JTAG on the Proxmark Easy was locked, and when I did a USB ELF update it broke the bootloader.
After I did the pin 55 (ERASE), everything went back to normal.
Your original ARM AT91SAM7S512 was OK, you just need to re-enable JTAG/recover the device via the pin 55 (ERASE).
Interesting thought. I hadn't reviewed this particular chip in enough depth to find that little nugget. It certainly would be a step worth trying the next time we run into a corrupted and unresponsive device.
You can follow the instructions in this note, under 4.9.3;
NOTE
Unfortunately it wasn't the root cause; in fact I continued to receive a flat TDO signal from the ARM.
After checking that all the surrounding resistors and capacitors are ok, I finally decided to replace the ARM CPU with a brand new AT91SAM7S512 bought from RS component (to be sure to not receive a counterfeit one).
I removed the old ARM with SRA Fast Chip, which should be equivalent to ChipQuik SMD1NL. It's a low-temperature solder + flux that allows you to desolder chips with hundreds of pins with only a soldering iron. In 2 minutes I had safely removed the CPU without damaging the chip or the PCB.
In this image you can also see the traces under the chip.
After cleaning the pads, removing all this alloy (important step!), I have soldered the new ARM:
and..... tadaaaaaaaa.... TDO (green signal) is live!!!
So I disconnected the scope-meter, and used J-Link to flash first the recovery image and then the bootload and firmware.
SEGGER J-Link Commander V4.50l ('?' for help)
Compiled Jul 9 2012 15:03:06
DLL version V4.50l, compiled Jul 9 2012 15:02:49
Firmware: J-Link ARM V8 compiled Nov 28 2014 13:44:46
Hardware: V8.00
S/N: 87461523
Feature(s): RDI, FlashBP, FlashDL, JFlash, GDBFull
VTarget = 3.313V
Info: TotalIRLen = 4, IRPrint = 0x01
Found 1 JTAG device, Total IRLen = 4:
#0 Id: 0x3F0F0F0F, IRLen: 04, IRPrint: 0x1, ARM7TDMI Core
Found ARM with core Id 0x3F0F0F0F (ARM7)
JTAG speed: 100 kHz
Opening data file [D:\official-64-20180917-82258709f6c66a06c4f09dc902128c2d1eb41389\firmware_win\JTAG Only\proxmark3_recovery.bin] ...
- Data file opened successfully (192492 bytes, 1 range, CRC = 0x252DF2E5)
Connecting ...
- Connecting via USB to J-Link device 0
- J-Link firmware: V1.20 (J-Link ARM V8 compiled Nov 28 2014 13:44:46)
- JTAG speed: 5 kHz (Fixed)
- Initializing CPU core (Init sequence) ...
- Initialized successfully
- JTAG speed: 6000 kHz (Auto)
- CPU clock frequency: 32 kHz (Auto detected)
- J-Link found 1 JTAG device. Core ID: 0x3F0F0F0F (ARM7)
- Connected successfully
Auto programming target (192492 bytes, 1 range) ...
- Program (0x0 - 0x2EFEB) does not fit into selected flash sectors.
- Program relocated for programming by 0x100000 bytes
- Programming target (192492 bytes, 1 range) ...
- Target programmed successfully
- Verifying CRC of affected sectors ...
- CRC of affected sectors verified successfully (CRC = 0xBA8BE661)
- De-initializing CPU core (Exit sequence) ...
- De-initialized successfully
- Target erased, programmed and verified successfully - Completed after 11.131 sec
Opening data file [D:\official-64-20180917-82258709f6c66a06c4f09dc902128c2d1eb41389\firmware_win\JTAG Only\bootrom.bin] ...
- Data file opened successfully (8192 bytes, 1 range, CRC = 0xC8467158)
Auto programming target (8192 bytes, 1 range) ...
- Programming target (8192 bytes, 1 range) ...
- Target programmed successfully
- Verifying CRC of affected sectors ...
- CRC of affected sectors verified successfully (CRC = 0x443C732F)
- De-initializing CPU core (Exit sequence) ...
- De-initialized successfully
- Target erased, programmed and verified successfully - Completed after 0.532 sec
Opening data file [D:\official-64-20180917-82258709f6c66a06c4f09dc902128c2d1eb41389\firmware_win\JTAG Only\fullimage.bin] ...
- Data file opened successfully (184300 bytes, 1 range, CRC = 0xB14E1945)
Auto programming target (184300 bytes, 1 range) ...
- Programming target (184300 bytes, 1 range) ...
- Target programmed successfully
- Verifying CRC of affected sectors ...
- CRC of affected sectors verified successfully (CRC = 0x401BCE51)
- De-initializing CPU core (Exit sequence) ...
- De-initialized successfully
- Target erased, programmed and verified successfully - Completed after 5.751 sec
Tried the proxmark client and ...IT WORKS!!!
proxmark3> hw version
Prox/RFID mark3 RFID instrument
bootrom: master/v3.0.1-405-g8225870-suspect 2018-09-17 12:14:57
os: master/v3.0.1-405-g8225870-suspect 2018-09-17 12:14:59
fpga_lf.bit built for 2s30vq100 on 2015/03/06 at 07:38:04
fpga_hf.bit built for 2s30vq100 on 2018/09/12 at 15:18:46
uC: AT91SAM7S512 Rev B
Embedded Processor: ARM7TDMI
Nonvolatile Program Memory Size: 512K bytes. Used: 192490 bytes (37%). Free: 331798 bytes (63%).
Second Nonvolatile Program Memory Size: None
Internal SRAM Size: 64K bytes
Architecture Identifier: AT91SAM7Sxx Series
Nonvolatile Program Memory Type: Embedded Flash Memory
-----------
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 32.59 V @ 125.00 kHz
# LF antenna: 25.02 V @ 134.00 kHz
# LF optimal: 32.86 V @ 123.71 kHz
# HF antenna: 26.98 V @ 13.56 MHz
Displaying LF tuning graph. Divisor 89 is 134khz, 95 is 125khz.
-----------
proxmark3> hf 14a info
UID : 1a 1c 6a 0b
ATQA : 00 04
SAK : 08 [2]
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
proprietary non iso14443-4 card found, RATS not supported
Chinese magic backdoor commands (GEN 1a) detected
Prng detection: WEAK
OK OK OK!!!! I'm very happy now!!!
Thanks grauerfuchs and all you that gave me interesting suggestions.
Finally, I can say that in my case the problem was a defective ARM AT91SAM7S512.
I hope that this post, thanks to your suggestions, can become a troubleshooting guide for those with similar problems.
If you're not seeing oscillations on the crystal pins 1 and 3, then that means one of the following three things has happened:
1. The ARM chip is not providing enough power to the crystal for it to oscillate.
2. One or both of the capacitors has failed.
3. The crystal has failed.
Both of them are 4 pin (3.2x2.5mm).
After following their traces and looking at some datasheets, I have understood that they are different, despite the external appearance being identical: the 13.56MHz should be an Oscillator (VDD, GND, output and tri-state?), whilst the 16 MHz should be a Crystal Unit (2 GND in diagonal). Isn't it?
A crystal unit should be:
whilst an oscillator should be:
Don't blame me if I'm wrong, I'm only trying to understand.
On the 13.56MHz I have 3.28 VDC on the first diagonal and the 13.56MHz wave on the second diagonal.
On the 16MHz I have seen that the first diagonal is all GND and I measure nothing on the second diagonal, or between GND and the pins of that diagonal.
My Proxmark:
I don't know how they work (I'm going to study something about them), but what do they need to oscillate? If the 16MHz doesn't oscillate, is it sure it's broken, or could it be missing something from the ARM to do its job? In other words, at this point, can we definitely say that the crystal is to be replaced for the Proxmark to work again?
Thanks!
root@kali:~/proxmark3# dmesg | grep -i usb
[ 4574.912751] usb 1-1: new full-speed USB device number 13 using xhci_hcd
[ 4591.536411] usb 1-1: new full-speed USB device number 14 using xhci_hcd
[ 4608.160539] usb 1-1: new full-speed USB device number 15 using xhci_hcd
[ 4624.784211] usb 1-1: new full-speed USB device number 16 using xhci_hcd
[ 4641.408312] usb 1-1: new full-speed USB device number 17 using xhci_hcd
[ 4658.032210] usb 1-1: new full-speed USB device number 18 using xhci_hcd
[ 4674.659886] usb 1-1: new full-speed USB device number 19 using xhci_hcd
[ 4691.275856] usb 1-1: new full-speed USB device number 20 using xhci_hcd
[ 4707.899875] usb 1-1: new full-speed USB device number 21 using xhci_hcd
[ 4726.147757] usb 1-1: new full-speed USB device number 22 using xhci_hcd
[ 4742.763382] usb 1-1: new full-speed USB device number 23 using xhci_hcd
[ 4759.375537] usb 1-1: new full-speed USB device number 24 using xhci_hcd
[ 4775.999307] usb 1-1: new full-speed USB device number 25 using xhci_hcd
[ 4792.619320] usb 1-1: new full-speed USB device number 26 using xhci_hcd
[ 4809.239210] usb 1-1: new full-speed USB device number 27 using xhci_hcd
[ 4825.859097] usb 1-1: new full-speed USB device number 28 using xhci_hcd
[ 4842.478990] usb 1-1: new full-speed USB device number 29 using xhci_hcd
[ 4859.098661] usb 1-1: new full-speed USB device number 30 using xhci_hcd
[ 4875.718686] usb 1-1: new full-speed USB device number 31 using xhci_hcd
[ 4892.338439] usb 1-1: new full-speed USB device number 32 using xhci_hcd
[ 4908.958549] usb 1-1: new full-speed USB device number 33 using xhci_hcd
[ 4925.574184] usb 1-1: new full-speed USB device number 34 using xhci_hcd
[ 4942.194330] usb 1-1: new full-speed USB device number 35 using xhci_hcd
[ 4958.814213] usb 1-1: new full-speed USB device number 36 using xhci_hcd
...and so on
I have still not tried to ground the NRST pin, but after I read your latest post, my priority is to check again the 16MHz oscillator. It could be the real root cause!
Now I'm going for a walk with my dogs. When I get home, I will go immediately to check the oscillator again!
Thanks!
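The dmesg output in the post above shows port 1-1 starting a new enumeration about every 16.6 seconds, with no "New USB device found" line in between. As an added example (not part of the original post), this Python sketch flags that pattern in saved dmesg text; the thresholds and the two lines for a healthy device on port 1-2 are assumptions constructed for illustration.

```python
import re
from statistics import mean, pstdev

# Logged each time a hub port starts enumerating a device.
ATTACH = re.compile(r"\[\s*(\d+\.\d+)\] usb (\S+): new \S+-speed USB device number \d+")
# Logged only after the device descriptors were read successfully.
FOUND = re.compile(r"\[\s*\d+\.\d+\] usb (\S+): New USB device found")

def find_enumeration_loops(dmesg_text, min_attempts=5, max_jitter_s=2.0):
    """Return {port: stats} for ports that re-enumerate on a timer without success.

    min_attempts and max_jitter_s are assumed thresholds, not values from the thread.
    """
    events = {}  # port -> list of [timestamp, enumeration_completed]
    for line in dmesg_text.splitlines():
        if m := ATTACH.search(line):
            events.setdefault(m.group(2), []).append([float(m.group(1)), False])
        elif (m := FOUND.search(line)) and events.get(m.group(1)):
            events[m.group(1)][-1][1] = True
    loops = {}
    for port, evs in events.items():
        run, best = [], []
        for t, completed in evs:
            run = [] if completed else run + [t]  # a success breaks the run
            if len(run) > len(best):
                best = run
        if len(best) < max(min_attempts, 2):
            continue
        gaps = [b - a for a, b in zip(best, best[1:])]
        # A device stuck in reset retries at a near-constant interval.
        if pstdev(gaps) <= max_jitter_s:
            loops[port] = {"attempts": len(best), "mean_gap_s": round(mean(gaps), 2)}
    return loops

# First six lines are from the post above; the 1-2 lines are constructed.
SAMPLE = """\
[ 4574.912751] usb 1-1: new full-speed USB device number 13 using xhci_hcd
[ 4580.100000] usb 1-2: new high-speed USB device number 40 using xhci_hcd
[ 4580.250000] usb 1-2: New USB device found, idVendor=0000, idProduct=0000
[ 4591.536411] usb 1-1: new full-speed USB device number 14 using xhci_hcd
[ 4608.160539] usb 1-1: new full-speed USB device number 15 using xhci_hcd
[ 4624.784211] usb 1-1: new full-speed USB device number 16 using xhci_hcd
[ 4641.408312] usb 1-1: new full-speed USB device number 17 using xhci_hcd
[ 4658.032210] usb 1-1: new full-speed USB device number 18 using xhci_hcd
"""

if __name__ == "__main__":
    print(find_enumeration_loops(SAMPLE))
```

A port reported here never finished enumerating, which points at the device side (clock, reset, bootloader) rather than at host drivers.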
If Windows doesn't recognize it reliably regardless of button press, that makes it more likely that Windows is an issue. Drivers and reliability have often been problematic with Windows.
I recommend following the instructions provided in the official source code wiki https://github.com/Proxmark/proxmark3/wiki/Kali-Linux. They have instructions specifically for Kali. Thankfully, configuration of the environment for the PM3 is quite easy.
If you do want to try directly grounding the NRST pin, I recommend using a 1k resistor between the pin and ground. A 1k resistor is enough to ensure you're not overdriving the circuit if something is holding the pin high, and they're also fairly common, cheap, and easy to acquire.