Proxmark3 community
Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
- Logged in as ikarus
- Last visit: Today 11:22:42
- Topics: Posted | New | Active | Unanswered
Announcement
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
#1 2009-03-14 13:27:08
problem when jumping from boot code to main code
Hi, everyone
I am new here. I have 2 PM3(made by myself, not buying from proxmark3.com).
It took me a long time to know how to program the pm3......
But now I have some srange problem. To describe my problem clearly, let me define the four LCDs, A (yellow) B (green) C (red) D(red led away from the others), just the same as in CHAHGES.txt.
1. When I use the older version code(before 2008.12.11), I can only let the pm3 boot by clicking the "Reset&Run" button in armpgm. If I only plug in usb, it will do nothing and Windows can not recognize it. After clicking the "Reset&Run" button, the LED boot sequence is A, B, then only D (2~3 seconds later). And the pm3 will stay in such state. If I use prox.exe(prox bootrom, load, gui and so on), it will execute when B lights, and programming ".s19" file can execute smoothly, but "gui" command can not. It's just the same as eldiabl0 decribed in "http://www.proxmark.org/forum/topic/76/ … -your-fix/"(No.25), "the gui seems to see the board for a split second and then closes and tells me that it lost communications."
2.When I use the newer code (after 2008.12.11), I can program the board by holding down the button(red and yellow LEDs are lit). But after programming, it can not work either. I can only see the four leds are lit, then A B C are lit, after more than ten seconds the four are lit again, then the three..... When the four are lit, if I hold down the button, the gui can open, the windows can recognize the pm3, but it will lose connection soon.
I am try to solve the problem, and I read the bootrom code, and find something:
for the first problem:
LED_A_ON();
// Configure the flash that we are running out of.
MC_FLASH_MODE = MC_FLASH_MODE_FLASH_WAIT_STATES(0) |
MC_FLASH_MODE_MASTER_CLK_IN_MHZ(48);
// Careful, a lot of peripherals can't be configured until the PLL clock
// comes up; you write to the registers but it doesn't stick.
ConfigClocks();
LED_B_ON();
UsbStart();So, we can see, after the A and B light, there's a "UsbStart()"fuction, that's why we can use the "prox XXX" command at this time.
if((SWORD)(now - start) > 30000) {
USB_D_PLUS_PULLUP_OFF();
LED_A_OFF();
LED_B_OFF();
LED_D_ON();
asm("mov r3, #1\n");
asm("lsl r3, r3, #13\n");
asm("mov r4, #1\n");
asm("orr r3, r4\n");
asm("bx r3\n");We can see, just as I discribed above, the A&B off, D on! Then the boot ends, and jumping to the main code. It seems that my pm3 stays here, can not jump to the main code. But I add some LED actions at the beginning of the main code(appmain.c), the LED are lit as my design. So it seems it jumped to the main code, but after jumping, it did nothing. What can make this happen?
In the same way, I find when I use the newer codes, I encounter the same problem!
Anyone has any idea?
Thanks in advance?
(hope my poor English didn't trouble you........)
Last edited by RFlD (2009-03-14 13:29:59)
#2 2009-03-15 15:41:34
- rule
- Member
- Registered: 2008-05-21
- Posts: 417
Re: problem when jumping from boot code to main code
I have no clue what can be going wrong here. Are you sure the FPGA flashing (by booting the ARM) goes well? This is done during the (isolated) red-light blinking at the end of the boot process. Or do you not even get to this stage?
There is some more information about the leds in the manual:
https://www.lafargue.name/proxmark3/running.html
Let me know if it helps, cheers,
Roel
#3 2009-03-16 12:20:18
Re: problem when jumping from boot code to main code
You haven't said what flavour ARM you're using. Find out the silicon version, I remember in the past people have had weirdness with program execution that came down to the number of waitstates programed when accessing the FLASH.
IIRC it was SummoningDark who came up with the solution.
Last edited by d18c7db (2009-03-16 12:23:11)
#4 2009-03-19 21:21:49
Re: problem when jumping from boot code to main code
I found somethink interesting in disasm of osimage.s19 :
osimage.elf: file format elf32-littlearm
Disassembly of section .text:
00010000 <____divsi3_from_thumb>:
10000: 4778 bx pc
10002: 46c0 nop (mov r8, r8)
10004: ea00189c b 1627c <__aeabi_idiv>00010008 <Vector>:
10008: b500 push {lr}
1000a: f000 f927 bl 1025c <AppMain>
1000e: bc01 pop {r0}
10010: 4700 bx r0
10012: 46c0 nop (mov r8, r8)
So Vector() is located at 0x10008 insted of 0x10000.
Jump with
asm("ldr r3, = 0x10009");
asm("bx r3");
in BootROM() works.
Last edited by BizonGod (2009-03-19 21:22:03)
#5 2009-03-20 03:17:23
Re: problem when jumping from boot code to main code
BisonGod that's good finding but I'm not sure what version code you're looking at as the posts in this thread are very light on specific details. I've checked the precompiled osimage.elf and .s19 in 20090301_proxmark_doob.zip and they both disassemble to the following which looks correct to me (from IDA pro). The source code also looks correct. We need to find out if this is a bug that needs fixing or is it a compile environment (or user) issue. I'm still running 20081211 myself and it's running fine.
.text:00010000 ; ===========================================================================
.text:00010000
.text:00010000 ; Segment type: Pure code
.text:00010000 AREA .text, CODE, READWRITE
.text:00010000 ; ORG 0x10000
.text:00010000 CODE16
.text:00010000
.text:00010000 EXPORT Vector
.text:00010000 Vector ; DATA XREF: SimulateTagLowFrequency+28o
.text:00010000 ; __divsi3:loc_17354o
.text:00010000 PUSH {LR}
.text:00010002 BL AppMain
.text:00010006 ; ---------------------------------------------------------------------------
.text:00010006 POP {R0}
.text:00010008 BX R0
.text:00010008 ; ---------------------------------------------------------------------------
.text:0001000A ALIGN 4
.text:0001000C
.text:0001000C loc_1000C ; CODE XREF: CodeIso14443bAsReader+Ap
.text:0001000C ; SimulateIso14443Tag+1Ep ...
.text:0001000C LDR R2, =ToSendMax
.text:0001000E MOVS R3, #1
.text:00010010 NEGS R3, R3
.text:00010012 STR R3, [R2]
.text:00010014 LDR R2, =unk_200000
.text:00010016 MOVS R3, #8
.text:00010018 STR R3, [R2]
.text:0001001A BX LR#6 2009-03-20 15:04:57
Re: problem when jumping from boot code to main code
Thanks, BizonGod.
I modified the code as you suggested, but it doesn't work, either.(but it‘s different from the code which isn't modified)
I'll try to locate the problem.
if I had any progress, I would post it here!
,
#7 2009-03-20 17:04:23
Re: problem when jumping from boot code to main code
I have my modified firmware for my specific hardware. I have compiled it with GNUARM (gcc 4.3.2).
So jump to main code works (but with addinational offset caused by this stub (i can't move it now).
But again USB don't work. Previously it was caused by my big mistake in ld script in bootrom.
I will try to track this in mainapp.
#8 2009-03-22 23:15:18
Re: problem when jumping from boot code to main code
After few hours of debugging i noticed that most of errors are data-abort exceptions.
Errors occurs independly of code (it was ok in asm). So i started thinking about dirty
reads from flash. I started reading about flash controller, and i found in datasheet:
page 115
FMCN: Flash Microsecond Cycle Number
Before writing Non Volatile Memory bits (Lock bits, General Purpose NVM bit and Security bits), this field must be set to the
number of Master Clock cycles in one microsecond.
When writing the rest of the Flash, this field defines the number of Master Clock cycles in 1.5 microseconds. This number
must be rounded up.
So it looks, that FMCN should be set 72, instead 48. (48 MHz MCLK * 1.5us = 72)
page 576
FWS - Read Operations - Maximum Operating Frequency (MHz)
0 - 1 cycle - 30
1 - 2 cycles - 55
2 - 3 cycles - 55
3 - 4 cycles - 55
So it also looks it should be set 1 instead of 0.
In BootROM() should looks like
// if 512K FLASH part - TODO make some defines
if ((DBGU_CIDR | 0xf00) == 0xa00) {
MC_FLASH_MODE0 = MC_FLASH_MODE_FLASH_WAIT_STATES(1) |
MC_FLASH_MODE_MASTER_CLK_IN_MHZ(0x48);
MC_FLASH_MODE1 = MC_FLASH_MODE_FLASH_WAIT_STATES(1) |
MC_FLASH_MODE_MASTER_CLK_IN_MHZ(0x48);
} else {
MC_FLASH_MODE0 = MC_FLASH_MODE_FLASH_WAIT_STATES(1) | // 1 instead of 0
MC_FLASH_MODE_MASTER_CLK_IN_MHZ(72); // 72 instead of 48
}
Can anyone confirm?
#11 2009-03-23 21:42:52
Re: problem when jumping from boot code to main code
BizonGod as I said in the third post in this thread, I had a feeling it might have been something like that and SummoningDark had come across the same issue with his ARM (512K version). It's possible that different ARM chip variants have different access speeds on the FLASH which is why some, like mine for example, work OK with the faster settings while others like RFID's and yours crash.
It will probably pay to err on the side of caution and set the timing values for the slowest case.
Last edited by d18c7db (2009-03-23 21:45:38)
#12 2009-03-24 16:10:58
Re: problem when jumping from boot code to main code
BizonGod
Thanks, the way which you mentioned to modify the code helps me, but I have new problem now.
It seems that the fpga in my board doesn't work!
Could anyone give me a way to locate the problem in fpga?
#13 2009-04-24 12:41:39
Re: problem when jumping from boot code to main code
hello, BizonGod,
i confirm that your solution is right.
my ARM is AT91SAM7S256 ,witch buy form JR(proxmar3.com).
exept the firmware come with the board , all other firmware act as what RFID described.
so somebody can check if the code should be amend in the svn dir.
thx!
#14 2009-04-25 08:24:37
Re: problem when jumping from boot code to main code
so somebody can check if the code should be amend in the svn dir.
thx!
-> BizonGod / others : just contact me to be added as contributors to SVN.
As a sidenote, my PM3 bought from proxmark3.com works fine on all current versions...
Last edited by edo512 (2009-04-25 08:24:49)
#15 2009-04-25 10:14:57
Re: problem when jumping from boot code to main code
reuse wrote:so somebody can check if the code should be amend in the svn dir.
thx!-> BizonGod / others : just contact me to be added as contributors to SVN.
As a sidenote, my PM3 bought from proxmark3.com works fine on all current versions...
hi,edo512, today i tried all the version again. all works. so strange!! but yestday it not work if not change.
wait more people's feedback.