Another brick in the wall

Hazard Course

I used the descriptions below:

Proxmark3 Easy Inbound

I bought this bricked Proxmark3 Easy second-hand online in bad condition—it was completely dead. When I connected it to the computer, there was no response at all. When I plugged it into the USB port, only the power LED lit up. Following the tutorial "How to unbrick a PM3 easy!", I shorted pins 54 (VDDCORE) and 55 (ERASE). After doing this, all the LEDs lit up. I used a Raspberry Pi 3B as a JTAG interface and flashed the bootloader, followed by the full image. Unfortunately, it still isn’t recognized by Windows or Linux (on the Raspberry Pi). I used the image compiled with Proxmark using the “Generic” option. I also tried the latest image from https://www.proxmarkbuilds.org/latest/rrg_other.php. OpenOCD correctly recognizes the MCU (I think—at least it doesn’t throw any errors). When connecting via Telnet, I can clear memory sectors and flash new bin images.

Anomalous Materials

Here are the results of playing around with OpenOCD and JTAG.

./openocd_flash_recovery.sh does not work:

Open On-Chip Debugger 0.12.0+dev-snapshot (2026-02-16-16:07)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
WARNING: interface/raspberrypi2-native.cfg is deprecated.
WARNING: Please use interface/raspberrypi-native.cfg for all Raspberry Pi models.
Warn : TMS/SWDIO moved to GPIO 8 (pin 24). Check the wiring please!
DEPRECATED! use 'adapter gpio srst' not 'bcm2835gpio_srst_num'
srst_only separate srst_gates_jtag srst_push_pull connect_deassert_srst
Warn : DEPRECATED: auto-selecting transport "jtag". Use 'transport select jtag' to suppress this message.
DEPRECATED! use 'gdb memory_map', not 'gdb_memory_map'
Warn : Transport "jtag" was already selected
DEPRECATED! use 'adapter speed' not 'adapter_khz'
adapter speed: 1000 kHz
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 1000 kHz
Error: JTAG scan chain interrogation failed: all zeroes
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: sam7x.cpu: IR capture error; saw 0x00 not 0x01
Warn : Bypassing JTAG setup events due to errors
Info : Embedded ICE version 0
Error: unknown EmbeddedICE version (comms ctrl: 0x00000000)
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Info : [sam7x.cpu] Examination succeed
Info : [sam7x.cpu] starting gdb server on 3333
Info : Listening on port 3333 for gdb connections
Warn : target was in unknown state when halt was requested
Info : Halt timed out, wake up GDB.
Error: timed out while waiting for target halted

Warn : Flash driver of sam7x.flash.0 does not support free_driver_priv()
Warn : Flash driver of sam7x.flash.1 does not support free_driver_priv()

… but

openocd -f /usr/share/openocd/proxmark.cfg

works well,

Open On-Chip Debugger 0.12.0+dev-snapshot (2026-02-16-16:07)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
DEPRECATED! use 'adapter driver' not 'interface'
DEPRECATED! use 'bcm2835gpio peripheral_base' not 'bcm2835gpio_peripheral_base'
DEPRECATED! use 'bcm2835gpio speed_coeffs' not 'bcm2835gpio_speed_coeffs'
DEPRECATED! use 'adapter gpio tck; adapter gpio tms; adapter gpio tdi; adapter gpio tdo' not 'bcm2835gpio_jtag_nums'
DEPRECATED! use 'adapter gpio swclk; adapter gpio swdio' not 'bcm2835gpio_swd_nums'
DEPRECATED! use 'adapter gpio trst' not 'bcm2835gpio_trst_num'
DEPRECATED! use 'adapter speed' not 'adapter_khz'
Warn : DEPRECATED: auto-selecting transport "jtag". Use 'transport select jtag' to suppress this message.
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 200 kHz
Info : JTAG tap: sam7x.cpu tap/device found: 0x3f0f0f0f (mfg: 0x787 (Shenzhen South Electron Co Ltd), part: 0xf0f0, ver: 0x3)
Info : Embedded ICE version 1
Info : sam7x.cpu: hardware has 2 breakpoint/watchpoint units
Info : [sam7x.cpu] Examination succeed
Info : [sam7x.cpu] starting gdb server on 3333
Info : Listening on port 3333 for gdb connections

I use telnet:

telnet 127.0.0.1 4444
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target halted in Thumb state due to debug-request, current mode: Supervisor
cpsr: 0x200000f3 pc: 0x002009f6
> flash erase_sector 0 0 15
erased sectors 0 through 15 on flash bank 0 in 0.045542s
> flash erase_sector 1 0 15
erased sectors 0 through 15 on flash bank 1 in 0.057147s
> flash write_image /root/proxmark3/recovery/fullimage.bin 0x102000
wrote 415388 bytes from file /root/proxmark3/recovery/fullimage.bin in 57.129536s (7.101 KiB/s)
> flash write_image /root/proxmark3/recovery/bootrom.bin 0x100000
wrote 8192 bytes from file /root/proxmark3/recovery/bootrom.bin in 1.216594s (6.576 KiB/s)
>

Power Up

USB device descriptor failed

After flashing bootrom.bin and fullimage.bin, the device appears in Device Manager (tested on two different computers and with several different cables) as unrecognized—“A request for the USB device descriptor failed.” As for Linux—tested with a Raspberry Pi that I used as a JTAG—the SBC shows no response.

LEDs

When power is connected, all LEDs light up briefly, then the red LED lights up and goes out. Pressing the button can trigger different lighting sequences, for example:

  • A - on, B - blink, C - off, D - off
  • A - blink and off, B - off, C - off, D - off

It is possible—I think—to enable DFU mode. If you hold down the buttons while turning on the power, the following sequence lights up:

  • A - on, B - off, C - on, D - off

Conclusion

In my opinion, the changes in the LED states when the button is pressed indicate that the firmware has been flashed correctly.
Some code is running there and responding to external stimuli.
The problem is UART communication (I might be wrong here; I’m new to this sort of thing). I’m not familiar with OpenOCD—maybe you know how to verify what’s programmed into the MCU and the bin file. Maybe there’s something wrong with the addresses I’m using.
I’m wondering how to use proxmark3_recovery.bin. What address should I use for 0x100000?

Questionable Ethics

Yes, it’s ninety-nine percent a cheap Chinese clone. Sorry :(

Endgame

I would appreciate any help

Yes, I’m a huge fan of Half-Life

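One way to check the question raised in the post, whether flash really holds the .bin files at the addresses used (0x100000 and 0x102000), as an added example that is not part of the original post. It assumes a raw dump of flash starting at 0x100000 has been saved to a file (for instance with OpenOCD's `dump_image` command); the images and dumps in `sample()` are constructed stand-ins, not the real firmware.

```python
"""Compare a raw flash dump with the images that were written to it."""
from dataclasses import dataclass

FLASH_BASE = 0x100000  # assumed start address of the dump

@dataclass
class Region:
    name: str
    addr: int      # address passed to 'flash write_image'
    data: bytes    # contents of the .bin file

def find_overlaps(regions):
    """Names of adjacent regions whose address ranges collide."""
    ordered = sorted(regions, key=lambda r: r.addr)
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:])
            if a.addr + len(a.data) > b.addr]

def verify(dump, regions, base=FLASH_BASE):
    """Map region name -> None if it matches, else first differing address."""
    report = {}
    for r in regions:
        off = r.addr - base
        if off < 0:
            raise ValueError(f"{r.name} starts below the dump base")
        chunk = dump[off:off + len(r.data)]
        bad = next((i for i, (x, y) in enumerate(zip(chunk, r.data)) if x != y), None)
        if bad is None and len(chunk) < len(r.data):
            bad = len(chunk)          # dump ends before the image does
        report[r.name] = None if bad is None else r.addr + bad
    return report

def sample():
    """Constructed stand-ins for bootrom.bin / fullimage.bin and two dumps."""
    bootrom = Region("bootrom.bin", 0x100000, bytes(range(256)) * 32)   # 8192 bytes
    fullimage = Region("fullimage.bin", 0x102000, b"\xA5\x5A" * 2048)   # 4096 bytes
    good = bootrom.data + fullimage.data + b"\xFF" * 64
    bad = bytearray(good)
    bad[0x2010] ^= 0xFF     # flip one byte at address 0x102010
    return [bootrom, fullimage], good, bytes(bad)

if __name__ == "__main__":
    regions, good, bad = sample()
    print("overlaps:", find_overlaps(regions))
    for label, dump in (("good", good), ("bad", bad)):
        for name, addr in verify(dump, regions).items():
            print(label, name, "OK" if addr is None else f"differs at {addr:#x}")
```

With real files, build the `Region` list from the bytes of bootrom.bin and fullimage.bin and pass the bytes of the dump file to `verify`.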