2 # GoodFET Client Library
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
6 # This code is being rewritten and refactored. You've been warned!
8 import sys, time, string, cStringIO, struct, glob, os, random;
11 from GoodFET import *;
14 # After four million points, this kills 32-bit gnuplot.
15 # Dumping to a bitmap might be preferable.
17 plot "< sqlite3 glitch.db 'select time,vcc,glitchcount from glitches where count=0;'" \
20 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0;'" \
23 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0 and lock>0;'" \
27 script_timevccrange="""
28 plot "< sqlite3 glitch.db 'select time,vcc,glitchcount from glitches where count=0;'" \
31 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0;'" \
34 "< sqlite3 glitch.db 'select time,max(vcc),count from glitches where count=0 group by time ;'" with lines title "Max", \
35 "< sqlite3 glitch.db 'select time,min(vcc),count from glitches where count>0 group by time ;'" with lines title "Min"
38 class GoodFETGlitch(GoodFET):
def __init__(self, *args, **kargs):
    """Open glitch.db and make sure the glitch and exploit tables exist.

    Creates, when absent, the `glitches` table and the `exploits` table,
    each with one index on vcc and one on time.  *args and **kargs are
    accepted but not used by the statements shown here.
    """
    print "# Initializing GoodFET Glitcher."

    # "glitch.db" is a relative path, so the database is opened (or created)
    # in whatever directory the tool is started from.
    # The second positional argument of sqlite3.connect() is the busy timeout
    # in seconds, so 30000 waits far longer than the "30 second timeout" the
    # original comment described.  The value is kept unchanged.
    # NOTE(review): confirm whether 30 or 30000 seconds was intended.
    self.db = sqlite3.connect("glitch.db", 30000)

    schema = (
        # Per-point trial results, written by the scan code.
        "create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count,lock);",
        "create index if not exists glitchvcc on glitches(vcc);",
        "create index if not exists glitchtime on glitches(time);",
        # Exploitation record, to be built from the training table.
        "create table if not exists exploits(time,vcc,gnd,trials,count);",
        "create index if not exists exploitvcc on exploits(vcc);",
        "create index if not exists exploittime on exploits(time);",
    )
    # Statements run in the same order as before: table first, then its indexes.
    for statement in schema:
        self.db.execute(statement)
def setup(self, arch="avr"):
    """Attach the client for *arch* and initialise its serial link.

    arch is handed unchanged to getClient(); the returned client is stored
    on self.client before serInit() is called on it with no arguments.
    """
    target = getClient(arch)
    # Store the client first so self.client is set even if serInit() raises.
    self.client = target
    target.serInit()  # No timeout
60 def glitchvoltages(self,time):
61 """Returns list of voltages to train at."""
64 # (select min(vcc) from glitches where time=? and count=1),
65 # (select max(vcc) from glitches where time=? and count=0);""",
67 c.execute("select min,max from glitchrange where time=? and max-min>0;",[time]);
72 if(min==None or max==None): return [];
75 return range(min,max,1);
76 #If we get here, there are no points. Return empty set.
79 """This builds tables for glitching voltage ranges from the training set."""
80 print "Precomputing glitching ranges. This might take a long while.";
83 self.db.execute("drop table if exists glitchrange;");
84 self.db.execute("create table glitchrange(time integer primary key asc,max,min);");
86 print "Calculating ranges...";
93 c.execute("select time,vcc,glitchcount,count from glitches;"); #Limit 10000 for testing.
97 if progress % 1000000==0: print "%09i rows crunched." % progress;
102 # FIXME: These thresholds suck.
104 try: oldmax=maxes[t];
106 if v>oldmax: maxes[t]=v;
109 except: oldmin=0x10000;
110 if v<oldmin: mins[t]=v;
111 print "List complete. Inserting.";
116 self.db.execute("insert into glitchrange(time,max,min) values (?,?,?)",(t,max,min));
118 print "Done, database crunched.";
121 import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
123 print "gnuplot-py is missing. Can't graph."
125 g = Gnuplot.Gnuplot(debug=1);
128 g.title('Glitch Training Set');
129 g.xlabel('Time (16MHz)');
130 g.ylabel('VCC (DAC12)');
132 g('set datafile separator "|"');
139 import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
140 g = Gnuplot.Gnuplot(debug=1);
143 g.title('Glitch Training Set');
144 g.xlabel('Time (16MHz)');
145 g.ylabel('VCC (DAC12)');
147 g('set datafile separator "|"');
149 g('set output "timevcc.png"');
153 c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;");
154 print "time vcc gnd glitchcount count";
156 print "%i %i %i %i %i" % r;
159 c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;");
160 print "time vcc gnd glitchcount count";
162 print "%i %i %i %i %i" % r;
163 #GnuPlot sucks for large sets. Switch to viewpoints soon.
164 # sqlite3 glitch.db "select time,vcc,count from glitches where count=0" | vp -l -d "|" -I
166 def explore(self,times=None, trials=10):
167 """Exploration phase. Uses thresholds to find exploitable points."""
169 self.scansetup(1); #Lock the chip, place key in eeprom.
172 tstop=self.client.glitchstarttime();
173 times=range(tstart,tstop);
174 random.shuffle(times);
177 total=1.0*len(times);
180 c.execute("select time,min,max from glitchrange where max-min>0;");
183 random.shuffle(rows);
184 print "Exploring %i times." % len(times);
194 voltages=range(min,max,1);
196 print "%02.02f Exploring %04i points in t=%04i." % (count/total,len(voltages),t);
199 self.scanat(1,trials,vcc,gnd,t);
201 """Learning phase. Finds thresholds at which the chip screws up."""
203 lock=0; #1 locks, 0 unlocked
205 vstop=1024; #Could be as high as 0xFFF, but upper range is useless
208 tstop=self.client.glitchstarttime();
209 tstep=0x1; #Must be 1
210 self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
211 print "Learning phase complete, begin to crunch.";
213 #print "Crunch phase complete, beginning to explore.";
216 def scansetup(self,lock):
221 print "Scanning %s" % client.infostring();
228 print "-- Setting secret";
231 #Flash the secret, to try and recover it later.
233 print "-- Secret was %02x" % client.getsecret();
234 client.setsecret(self.secret);
235 print "-- Secret set to %02x" % client.getsecret();
237 if(client.getsecret()!=self.secret):
238 print "Secret failed to set. Exiting for safety.";
241 #Lock chip to unlock it later.
246 def scan(self,lock,trials,voltages,times):
247 """Scan many voltages and times."""
249 self.scansetup(lock);
251 random.shuffle(voltages);
252 #random.shuffle(times);
255 if not self.vccexplored(vcc):
256 print "Exploring vcc=%i" % vcc;
259 self.scanat(lock,trials,vcc,gnd,time)
263 print "Voltage %i already explored." % vcc;
267 def vccexplored(self,vcc):
269 c.execute("select vcc from glitches where vcc=? limit 1;",[vcc]);
275 def scanat(self,lock,trials,vcc,gnd,time):
277 client.glitchRate(time);
278 client.glitchVoltages(gnd, vcc); #drop voltage target
281 #print "-- (%5i,%5i)" % (time,vcc);
283 for i in range(0,trials):
284 client.glitchstart();
286 #Try to read *0, which is secret if read works.
287 a=client.getsecret();
289 if(a!=0 and a!=0xFF and a!=self.secret):
292 print "-- %06i: %02x HELL YEAH! " % (time, a);
299 #print "values (%i,%i,%i,%i,%i);" % (
300 # time,vcc,gnd,gcount,scount);
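# Record this point in the glitches table.  The values are bound as SQL
# parameters rather than formatted into the statement text, the same way the
# glitchrange insert in this file passes its values, so the SQL text is
# constant and no value can alter the statement.
# NOTE(review): the old "%i" formatting coerced every value to an integer;
# bound parameters are stored as passed, so callers must keep passing ints.
self.db.execute(
    "insert into glitches(time,vcc,gnd,trials,glitchcount,count,lock)"
    "values (?,?,?,?,?,?,?);",
    (time, vcc, gnd, trials, gcount, scount, lock))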
306 print "INSERTING AN EXPLOIT point, t=%i and vcc=%i" % (time,vcc);
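# Record this point in the exploits table.  The values are bound as SQL
# parameters rather than formatted into the statement text, so the SQL text
# is constant and no value can alter the statement.
# NOTE(review): the old "%i" formatting coerced every value to an integer;
# bound parameters are stored as passed, so callers must keep passing ints.
self.db.execute(
    "insert into exploits(time,vcc,gnd,trials,count)"
    "values (?,?,?,?,?);",
    (time, vcc, gnd, trials, scount))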
310 self.db.commit(); #Don't leave a lock open.