2 # GoodFET Client Library
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
6 # This code is being rewritten and refactored. You've been warned!
8 import sys, time, string, cStringIO, struct, glob, serial, os, random;
11 from GoodFET import *;
14 # After four million points, this kills 32-bit gnuplot.
15 # Dumping to a bitmap might be preferable.
17 plot "< sqlite3 glitch.db 'select time,vcc,glitchcount from glitches where count=0;'" \
20 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0;'" \
23 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0 and lock>0;'" \
27 script_timevccrange="""
28 plot "< sqlite3 glitch.db 'select time,vcc,glitchcount from glitches where count=0;'" \
31 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0;'" \
34 "< sqlite3 glitch.db 'select time,max(vcc),count from glitches where count=0 group by time ;'" with lines title "Max", \
35 "< sqlite3 glitch.db 'select time,min(vcc),count from glitches where count>0 group by time ;'" with lines title "Min"
38 class GoodFETGlitch(GoodFET):
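def __init__(self, *args, **kargs):
    """Open (or create) the local ``glitch.db`` training database.

    Args:
        *args, **kargs: accepted for signature compatibility with callers;
            they are not used in the visible constructor body.
            NOTE(review): the parent GoodFET.__init__ is not invoked here —
            confirm whether that is intentional.

    Side effects:
        Creates ``glitch.db`` in the current working directory with the
        ``glitches`` (training) and ``exploits`` tables plus indices on
        their ``vcc`` and ``time`` columns.  Column meanings are fixed by
        the inserts in scanat(), not here.
    """
    print "Initializing GoodFET Glitcher."
    # Database connection with a 30 second busy timeout.  The second
    # positional argument of sqlite3.connect() is ``timeout`` in *seconds*;
    # the previous value of 30000 was roughly 8.3 hours, not the 30 s the
    # original comment claimed.
    self.db = sqlite3.connect("glitch.db", timeout=30)

    # Training table: one row per scanned (time, vcc) point.
    self.db.execute("create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count,lock);")
    self.db.execute("create index if not exists glitchvcc on glitches(vcc);")
    self.db.execute("create index if not exists glitchtime on glitches(time);")

    # Exploitation record, to be built from the training table.
    self.db.execute("create table if not exists exploits(time,vcc,gnd,trials,count);")
    self.db.execute("create index if not exists exploitvcc on exploits(vcc);")
    self.db.execute("create index if not exists exploittime on exploits(time);")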
def setup(self, arch="avr"):
    """Create the architecture-specific client and open its serial link.

    Args:
        arch: target architecture name handed to getClient(); defaults
            to "avr".  The resulting client is stored on ``self.client``.
    """
    client = getClient(arch)
    self.client = client
    client.serInit()
def glitchvoltages(self,time):
    """Returns list of voltages to train at.

    For the given glitch ``time`` this looks up, in the ``glitches`` table,
    the lowest VCC that produced a glitch (count=1) and the highest VCC
    that produced none (count=0), and returns ``range(min, max, 1)`` —
    every DAC step between the two.  If either bound is missing (NULL,
    i.e. no rows for that time yet) an empty list is returned; the range is
    also empty whenever the glitch floor is not below the no-glitch ceiling.

    NOTE(review): the parameter ``time`` shadows the ``time`` module imported
    at the top of the file, and the locals ``min``/``max`` shadow the
    builtins — harmless here, but easy to trip over when editing.
    """
    (select min(vcc) from glitches where time=? and count=1),
    (select max(vcc) from glitches where time=? and count=0);""",
    # Either aggregate is NULL when no row matches on that side; presumably
    # min/max are bound from the fetched row (not visible here) — TODO confirm.
    if(min==None or max==None): return [];
    return range(min,max,1);
    #If we get here, there are no points. Return empty set.
80 import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
82 print "gnuplot-py is missing. Can't graph."
84 g = Gnuplot.Gnuplot(debug=1);
87 g.title('Glitch Training Set');
88 g.xlabel('Time (16MHz)');
89 g.ylabel('VCC (DAC12)');
91 g('set datafile separator "|"');
100 import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
101 g = Gnuplot.Gnuplot(debug=1);
104 g.title('Glitch Training Set');
105 g.xlabel('Time (16MHz)');
106 g.ylabel('VCC (DAC12)');
108 g('set datafile separator "|"');
110 g('set output "timevcc.png"');
def explore(self,tstart=0,tstop=-1, trials=5):
    """Exploration phase. Uses thresholds to find exploitable points.

    Args:
        tstart: first glitch time to try.
        tstop: end of the time range (exclusive); -1 presumably means
            "use client.glitchstarttime()", but the guard that keys on
            -1 is not visible in this excerpt — TODO confirm.
        trials: glitch attempts per point, forwarded to scanat().

    For each time the candidate voltages come from glitchvoltages(), i.e.
    the band between the lowest glitching and the highest non-glitching VCC
    recorded during learning, and scanat() is run with lock=1 on each.
    """
    self.scansetup(1); #Lock the chip, place key in eeprom.
    tstop=self.client.glitchstarttime();
    times=range(tstart,tstop);
    # Shuffled in place; presumably so an interrupted run still samples the
    # whole time range rather than only its start.
    random.shuffle(times);
    voltages=self.glitchvoltages(t);
    print "Exploring %04i points in t=%04i." % (len(voltages),t);
    self.scanat(1,trials,vcc,gnd,t);
127 """Learning phase. Finds thresholds at which the chip screws up."""
129 lock=0; #1 locks, 0 unlocked
131 vstop=1024; #Could be as high as 0xFFF, but upper range is useless
134 tstop=self.client.glitchstarttime();
135 tstep=0x1; #Must be 1
136 self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
137 print "Learning phase complete, beginning to expore.";
def scansetup(self,lock):
    """Prepare the target for a scan: plant the secret, then (optionally) lock.

    Args:
        lock: presumably nonzero to lock the chip after the secret is
            written (see the trailing comment); the locking code itself is
            not visible in this excerpt — TODO confirm.

    The secret is written to EEPROM addresses 0 and 1 and the write is
    repeated until reading address 0 back yields ``self.secret``.
    """
    # Loop until the read-back matches so a scan never starts against a
    # chip whose secret was not actually programmed.
    while(client.eeprompeek(0)!=self.secret):
        print "-- Setting secret";
        #Flash the secret to the first two bytes of CODE memory.
        # NOTE(review): the comment above says CODE memory, but the two
        # calls below are eeprompoke() — one of the two is stale.
        client.eeprompoke(0,self.secret);
        client.eeprompoke(1,self.secret);
    #Lock chip to unlock it later.
def scan(self,lock,trials,voltages,times):
    """Scan many voltages and times.

    Args:
        lock: lock flag passed through to scansetup() and scanat().
        trials: glitch attempts per (vcc, time) point.
        voltages: VCC DAC values to sweep; shuffled IN PLACE, so the
            caller's list is reordered as a side effect.
        times: glitch times to try at each voltage.
    """
    self.scansetup(lock);
    random.shuffle(voltages);
    #random.shuffle(times);
    # NOTE(review): ``lock`` is described elsewhere in this file as 0 or 1
    # ("1 locks, 0 unlocked"), so ``lock<0`` can never be true and this
    # branch is never taken — every voltage presumably falls through to the
    # "already explored" message below.  Confirm whether
    # ``lock<0 or not self.vccexplored(vcc)`` was intended.
    if lock<0 and not self.vccexplored(vcc):
        print "Exploring vcc=%i" % vcc;
        self.scanat(lock,trials,vcc,gnd,time)
    print "Voltage %i already explored." % vcc;
def vccexplored(self,vcc):
    """Report whether any ``glitches`` row already exists for this VCC.

    Only the query is visible here; presumably the method returns a truthy
    value when the ``limit 1`` lookup yields a row — TODO confirm.

    The lookup uses a ``?`` placeholder with a bound parameter.  The inserts
    in scanat() instead build their SQL with ``%i`` formatting; that is not
    injectable (``%i`` only accepts integers), but the placeholder form used
    here is the idiom to prefer for any value that is not an int.
    """
    c.execute("select vcc from glitches where vcc=? limit 1;",[vcc]);
190 def scanat(self,lock,trials,vcc,gnd,time):
193 client.glitchRate(time);
194 client.glitchVoltages(gnd, vcc); #drop voltage target
197 #print "-- (%5i,%5i)" % (time,vcc);
199 for i in range(0,trials):
200 client.glitchstart();
202 #Try to read *0, which is secret if read works.
203 a=client.eeprompeek(0x0);
205 if(a!=0 and a!=0xFF and a!=self.secret):
208 print "-- %06i: %02x HELL YEAH! " % (time, a);
215 #print "values (%i,%i,%i,%i,%i);" % (
216 # time,vcc,gnd,gcount,scount);
218 self.db.execute("insert into glitches(time,vcc,gnd,trials,glitchcount,count,lock)"
219 "values (%i,%i,%i,%i,%i,%i,%i);" % (
220 time,vcc,gnd,trials,gcount,scount,lock));
222 self.db.execute("insert into exploits(time,vcc,gnd,trials,count)"
223 "values (%i,%i,%i,%i,%i);" % (
224 time,vcc,gnd,trials,scount));