git.rot13.org Git - goodfet/blob - client/GoodFETGlitch.py

   1 #!/usr/bin/env python
   2 # GoodFET Client Library
   3 #
   4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
   5 #
   6 # This code is being rewritten and refactored.  You've been warned!
   7
   8 import sys, time, string, cStringIO, struct, glob, serial, os, random;
   9 import sqlite3;
  10
  11 from GoodFET import *;
  12
  13 script_timevcc="""
  14 plot "< sqlite3 glitch.db 'select time,vcc,glitchcount from glitches where count=0;'" \
  15 with dots \
  16 title "Scanned", \
  17 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0;'" \
  18 with dots \
  19 title "Success", \
  20 "< sqlite3 glitch.db 'select time,vcc,count from glitches where count>0 and lock>0;'" \
  21 with dots \
  22 title "Exploited"
  23 """;
  24
  25 class GoodFETGlitch(GoodFET):
  26
  27     def __init__(self, *args, **kargs):
  28         print "Initializing GoodFET Glitcher."
  29         #Database connection and tables.
  30         self.db=sqlite3.connect("glitch.db");
  31         self.db.execute("create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count,lock)");
  32         self.client=0;
  33     def setup(self,arch="avr"):
  34         self.client=getClient(arch);
  35     def graph(self):
  36         try:
  37             import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
  38         except ImportError:
  39             print "gnuplot-py is missing.  Can't graph."
  40             return;
  41         g = Gnuplot.Gnuplot(debug=1);
  42         g.clear();
  43
  44         g.title('Glitch Training Set');
  45         g.xlabel('Time (16MHz)');
  46         g.ylabel('VCC (DAC12)');
  47
  48         g('set datafile separator "|"');
  49
  50         g(script_timevcc);
  51         while 1==1:
  52             time.sleep(30);
  53             g('replot');
  54
  55     def learn(self):
  56         #Learning phase
  57         trials=1;
  58         lock=0;  #1 locks, 0 unlocked
  59         vstart=0;
  60         vstop=1024;  #Could be as high as 0xFFF
  61         vstep=1;
  62         tstart=0;
  63         tstop=-1; #<0 defaults to full range
  64         tstep=0x1; #Must be 1
  65         self.scan(lock,trials,vstart,vstop,tstart,tstop);
  66
  67     def scan(self,lock,trials=1,vstart=0,vstop=0xfff,tstart=0,tstop=-1):
  68         client=self.client;
  69         self.lock=lock;
  70         client.serInit();
  71         if tstop<0:
  72             tstop=client.glitchstarttime();  #Really long; only use for initial investigation.
  73             print "-- Start takes %04i cycles." % tstop;
  74         client.start();
  75         client.erase();
  76
  77         self.secret=0x69;
  78
  79         while(client.eeprompeek(0)!=self.secret):
  80             print "-- Setting secret";
  81             client.start();
  82
  83             #Flash the secret to the first two bytes of CODE memory.
  84             client.erase();
  85             client.eeprompoke(0,self.secret);
  86             client.eeprompoke(1,self.secret);
  87             sys.stdout.flush()
  88
  89         #Lock chip to unlock it later.
  90         if lock>0:
  91             client.lock();
  92         voltages=range(vstart,vstop,1);
  93         times=range(tstart,tstop,1);
  94
  95         gnd=0;     #TODO, glitch GND.
  96         vcc=0xfff;
  97         random.shuffle(voltages);
  98         #random.shuffle(times);
  99
 100         count=0; #Commit counter.
 101         for vcc in voltages:
 102             for time in times:
 103                 self.scanat(trials,vcc,gnd,time)
 104                 sys.stdout.flush()
 105                 count+=trials;
 106                 if count>100:
 107                     count=0;
 108                     self.db.commit();
 109
 110
 111     def scanat(self,trials,vcc,gnd,time):
 112         client=self.client;
 113         db=self.db;
 114         client.glitchRate(time);
 115         client.glitchVoltages(gnd, vcc);  #drop voltage target
 116         gcount=0;
 117         scount=0;
 118         print "-- (%5i,%5i)" % (time,vcc);
 119         sys.stdout.flush();
 120         for i in range(0,trials):
 121             client.glitchstart();
 122
 123             #Try to read *0, which is secret if read works.
 124             a=client.eeprompeek(0x0);
 125             if self.lock>0: #locked
 126                 if(a!=0 and a!=0xFF and a!=self.secret):
 127                     gcount+=1;
 128                 if(a==self.secret):
 129                     print "-- %04x: %02x HELL YEAH! " % (time, a);
 130                     scount+=1;
 131             else: #unlocked
 132                 if(a!=self.secret):
 133                     gcount+=1;
 134                 if(a==self.secret):
 135                     scount+=1;
 136         #print "values (%i,%i,%i,%i,%i);" % (
 137         #    time,vcc,gnd,gcount,scount);
 138         self.db.execute("insert into glitches(time,vcc,gnd,trials,glitchcount,count,lock)"
 139                    "values (%i,%i,%i,%i,%i,%i,%i);" % (
 140                 time,vcc,gnd,trials,gcount,scount,self.lock));