1 #!/usr/bin/env python
2 # GoodFET Client Library
3
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
5 #
6 # This code is being rewritten and refactored.  You've been warned!
7
8 import sys, time, string, cStringIO, struct, glob, serial, os, random;
9 import sqlite3;
10
11 from GoodFET import *;
12
# Gnuplot "plot" command shared by the graphing methods.
#
# Each data source is a `"< command"` pipe, so gnuplot itself launches the
# sqlite3 command-line tool against glitch.db.  That means the `sqlite3`
# binary is resolved through PATH and glitch.db through the current working
# directory of whoever runs the plot; the command text is a fixed literal and
# takes no caller input.
#
# Series: "Scanned" (count=0, plotting glitchcount), "Success" (count>0) and
# "Exploited" (count>0 and lock>0).  The whole plot command is one logical
# line, bracketed by a leading and a trailing newline.
script_timevcc = (
    '\n'
    'plot "< sqlite3 glitch.db \'select time,vcc,glitchcount from glitches where count=0;\'" '
    'with dots '
    'title "Scanned", '
    '"< sqlite3 glitch.db \'select time,vcc,count from glitches where count>0;\'" '
    'with dots '
    'title "Success", '
    '"< sqlite3 glitch.db \'select time,vcc,count from glitches where count>0 and lock>0;\'" '
    'with dots '
    'title "Exploited"\n'
)
24
25 class GoodFETGlitch(GoodFET):
26     
    def __init__(self, *args, **kargs):
        """Open (or create) glitch.db and make sure its schema exists.

        The positional and keyword arguments are accepted but not used here.
        NOTE(review): the GoodFET base initializer is not invoked from this
        method -- confirm the base class needs no setup of its own.
        """
        print("Initializing GoodFET Glitcher.")
        # glitch.db is opened relative to the current working directory.
        # sqlite3.connect() takes its timeout in *seconds*, so 30000 is a
        # busy-wait of roughly 8.3 hours, not 30 seconds.
        # NOTE(review): looks like milliseconds were intended -- confirm
        # before changing, since a concurrent plotter may rely on the long wait.
        self.db = sqlite3.connect("glitch.db", 30000)
        schema = (
            "create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count,lock)",
            "create index if not exists glitchvcc on glitches(vcc);",
            "create index if not exists glitchtime on glitches(time);",
        )
        for statement in schema:
            self.db.execute(statement)
        # Placeholder until setup() installs a real client object.
        self.client = 0
    def setup(self, arch="avr"):
        """Store the client returned by getClient(arch) on self.client.

        getClient comes from the GoodFET star-import; presumably it maps an
        architecture name to a target-specific client -- verify there.
        """
        chosen = getClient(arch)
        self.client = chosen
    def graphx11(self):
        """Plot the glitch database interactively and refresh it forever.

        Prints a message and returns if gnuplot-py cannot be imported.
        Otherwise this method never returns: it issues 'replot' every
        30 seconds until the process is interrupted.
        """
        try:
            import Gnuplot
            import Gnuplot.PlotItems
            import Gnuplot.funcutils
        except ImportError:
            print("gnuplot-py is missing.  Can't graph.")
            return

        plot = Gnuplot.Gnuplot(debug=1)
        plot.clear()

        plot.title('Glitch Training Set')
        plot.xlabel('Time (16MHz)')
        plot.ylabel('VCC (DAC12)')

        # The sqlite3 command-line tool separates columns with "|" by default.
        plot('set datafile separator "|"')

        plot(script_timevcc)

        # Re-run the piped queries periodically so new rows show up.
        while True:
            time.sleep(30)
            plot('replot')
56
57         
    def graph(self):
        """Render the glitch database once to timevcc.png.

        The output file is written relative to the current working
        directory.  Unlike graphx11(), a missing gnuplot-py is not caught
        here, so the ImportError propagates to the caller.
        """
        import Gnuplot
        import Gnuplot.PlotItems
        import Gnuplot.funcutils

        plot = Gnuplot.Gnuplot(debug=1)

        # The PNG terminal is selected here and again just before the output
        # file is named; both commands are sent.
        plot('\nset term png')
        plot.title('Glitch Training Set')
        plot.xlabel('Time (16MHz)')
        plot.ylabel('VCC (DAC12)')

        # The sqlite3 command-line tool separates columns with "|" by default.
        plot('set datafile separator "|"')
        plot('set term png')
        plot('set output "timevcc.png"')
        plot(script_timevcc)
75         
    def learn(self):
        """Run the learning phase: one unlocked, full-range scan.

        Voltage and time step sizes are not configurable from here; scan()
        always steps both ranges by 1.
        """
        sweep = (
            0,      # lock: 1 locks, 0 unlocked
            1,      # trials per (time, vcc) point
            0,      # vstart
            0xfff,  # vstop (used as an exclusive range bound by scan)
            0,      # tstart
            -1,     # tstop: <0 defaults to full range
        )
        self.scan(*sweep)
87
    def scan(self, lock, trials=1, vstart=0, vstop=0xfff, tstart=0, tstop=-1):
        """Sweep the (vcc, time) grid and record results for unexplored voltages.

        lock    -- >0 locks the target after the marker byte is written.
        trials  -- attempts per grid point, passed through to scanat().
        vstart, vstop -- voltage range, stepped by 1; vstop is exclusive.
        tstart, tstop -- time range, stepped by 1; tstop is exclusive, and a
                         negative tstop is replaced by client.glitchstarttime().

        The target is erased before the marker is written, so anything it
        held is presumably lost -- run this only against a device under test.
        Voltages are visited in random order; a voltage that already has a
        row in the database is skipped.  Rows are committed once per voltage,
        after its whole time sweep.
        """
        target = self.client
        self.lock = lock
        target.serInit()

        if tstop < 0:
            # Really long; only use for initial investigation.
            tstop = target.glitchstarttime()
            print("-- Start takes %04i cycles." % tstop)

        target.start()
        target.erase()

        # Marker byte that scanat() looks for when reading address 0.
        self.secret = 0x69

        # Keep rewriting until the marker reads back; this loops for as long
        # as the read at address 0 disagrees.
        while target.eeprompeek(0) != self.secret:
            print("-- Setting secret")
            target.start()

            # Write the marker to addresses 0 and 1 via eeprompoke.
            target.erase()
            target.eeprompoke(0, self.secret)
            target.eeprompoke(1, self.secret)
            sys.stdout.flush()

        # Lock chip to unlock it later.
        if lock > 0:
            target.lock()

        voltages = range(vstart, vstop, 1)
        times = range(tstart, tstop, 1)

        gnd = 0  # TODO, glitch GND.
        # Only the voltage order is randomised; times stay ascending.
        random.shuffle(voltages)

        for vcc in voltages:
            if self.vccexplored(vcc):
                print("Voltage %i already explored." % vcc)
                sys.stdout.flush()
                continue

            print("Exploring vcc=%i" % vcc)
            sys.stdout.flush()
            for offset in times:
                self.scanat(trials, vcc, gnd, offset)
                sys.stdout.flush()
            self.db.commit()
    def vccexplored(self, vcc):
        """Return True if the glitches table already holds a row for vcc."""
        cursor = self.db.cursor()
        # vcc is passed as a bound parameter, never spliced into the SQL text.
        cursor.execute("select vcc from glitches where vcc=? limit 1;", [vcc])
        return len(cursor.fetchall()) > 0
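    def scanat(self, trials, vcc, gnd, time):
        """Run `trials` attempts at one (time, vcc) point and record the tallies.

        trials -- number of attempts at this point.
        vcc, gnd -- values handed to client.glitchVoltages(gnd, vcc).
        time   -- value handed to client.glitchRate(); note that this
                  parameter shadows the `time` module inside the method.

        After each attempt address 0 is read back.  A read equal to
        self.secret counts as a success.  Any other read counts as a glitch,
        except that on a locked target (self.lock > 0) reads of 0 and 0xFF
        are ignored.  One row is inserted per call; it is not committed
        here -- the caller is expected to commit.
        """
        client = self.client
        client.glitchRate(time)
        client.glitchVoltages(gnd, vcc)  # drop voltage target
        gcount = 0
        scount = 0

        for _ in range(trials):
            client.glitchstart()

            # Try to read *0, which is secret if read works.
            a = client.eeprompeek(0x0)
            if a == self.secret:
                if self.lock > 0:
                    print("-- %04x: %02x HELL YEAH! " % (time, a))
                scount += 1
            elif self.lock > 0:
                # Locked: 0 and 0xFF are not counted as glitches.
                if a != 0 and a != 0xFF:
                    gcount += 1
            else:
                gcount += 1

        # Bound parameters keep the SQL text constant and match the style
        # vccexplored() already uses; the values are no longer formatted
        # into the statement with "%i".
        self.db.execute(
            "insert into glitches(time,vcc,gnd,trials,glitchcount,count,lock)"
            " values (?,?,?,?,?,?,?);",
            (time, vcc, gnd, trials, gcount, scount, self.lock))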