#
# This code is being rewritten and refactored. You've been warned!
-import sys, time, string, cStringIO, struct, glob, serial, os, random;
+import sys, time, string, cStringIO, struct, glob, os, random;
import sqlite3;
from GoodFET import *;
class GoodFETGlitch(GoodFET):
def __init__(self, *args, **kargs):
- print "Initializing GoodFET Glitcher."
+ print "# Initializing GoodFET Glitcher."
#Database connection w/ 30 second timeout.
self.db=sqlite3.connect("glitch.db",30000);
self.client=0;
def setup(self,arch="avr"):
self.client=getClient(arch);
- self.client.serInit();
+ self.client.serInit(); #No timeout
def glitchvoltages(self,time):
"""Returns list of voltages to train at."""
min=r[0];
max=r[1];
if(min==None or max==None): return [];
-
+
spread=max-min;
return range(min,max,1);
#If we get here, there are no points. Return empty set.
return [];
- def buildglitchvoltages(self):
+ def crunch(self):
"""This builds tables for glitching voltage ranges from the training set."""
- print "Precomputing glitching ranges. This might take a while.";
+ print "Precomputing glitching ranges. This might take a long while.";
+ print "Times...";
+ sys.stdout.flush();
+ self.db.execute("drop table if exists glitchrange;");
+ self.db.execute("create table glitchrange(time integer primary key asc,max,min);");
+ self.db.commit();
+ print "Calculating ranges...";
sys.stdout.flush();
- self.db.execute("create temporary table glitchrange(time integer primary key asc,max,min);");
- self.db.execute("insert into glitchrange(time,max,min) select distinct time, 0, 0 from glitches;");
- self.db.execute("update glitchrange set max=(select max(vcc) from glitches where glitches.time=glitchrange.time and count=0);");
- self.db.execute("update glitchrange set min=(select min(vcc) from glitches where glitches.time=glitchrange.time and count>0);");
+ maxes={};
+ mins={};
+
+ c=self.db.cursor();
+ c.execute("select time,vcc,glitchcount,count from glitches;"); #Limit 10000 for testing.
+ progress=0;
+ for r in c:
+ progress=progress+1;
+ if progress % 1000000==0: print "%09i rows crunched." % progress;
+ t=r[0];
+ v=r[1];
+ glitchcount=r[2];
+ count=r[3];
+ # FIXME: Threse thresholds suck.
+ if count<2:
+ try: oldmax=maxes[t];
+ except: oldmax=-1;
+ if v>oldmax: maxes[t]=v;
+ elif glitchcount<2:
+ try: oldmin=mins[t];
+ except: oldmin=0x10000;
+ if v<oldmin: mins[t]=v;
+ print "List complete. Inserting.";
+ for t in maxes:
+ max=maxes[t];
+ try: min=mins[t];
+ except: min=0;
+ self.db.execute("insert into glitchrange(time,max,min) values (?,?,?)",(t,max,min));
+ self.db.commit();
+ print "Done, database crunched.";
def graphx11(self):
try:
import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
print "^C to exit.";
while 1==1:
time.sleep(30);
-
-
def graph(self):
import Gnuplot, Gnuplot.PlotItems, Gnuplot.funcutils
g = Gnuplot.Gnuplot(debug=1);
g('set term png');
g('set output "timevcc.png"');
g(script_timevcc);
- def explore(self,tstart=0,tstop=-1, trials=5):
+ def points(self):
+ c=self.db.cursor();
+ c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;");
+ print "time vcc gnd glitchcount count";
+ for r in c:
+ print "%i %i %i %i %i" % r;
+ def rpoints(self):
+ c=self.db.cursor();
+ c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;");
+ print "time vcc gnd glitchcount count";
+ for r in c:
+ print "%i %i %i %i %i" % r;
+ #GnuPlot sucks for large sets. Switch to viewpoints soon.
+ # sqlite3 glitch.db "select time,vcc,count from glitches where count=0" | vp -l -d "|" -I
+
+ def explore(self,times=None, trials=10):
"""Exploration phase. Uses thresholds to find exploitable points."""
gnd=0;
self.scansetup(1); #Lock the chip, place key in eeprom.
- if tstop<0:
+ if times==None:
+ tstart=0;
tstop=self.client.glitchstarttime();
- times=range(tstart,tstop);
+ times=range(tstart,tstop);
random.shuffle(times);
- self.buildglitchvoltages();
+ #self.crunch();
count=0.0;
- total=1.0*len(t);
+ total=1.0*len(times);
+
+ c=self.db.cursor();
+ c.execute("select time,min,max from glitchrange where max-min>0;");
+ rows=c.fetchall();
+ c.close();
+ random.shuffle(rows);
+ print "Exploring %i times." % len(times);
+ mins={};
+ maxes={};
+ for r in rows:
+ t=r[0];
+ mins[t]=r[1];
+ maxes[t]=r[2];
for t in times:
- voltages=self.glitchvoltages(t);
+ min=mins[t];
+ max=maxes[t];
+ voltages=range(min,max,1);
count=count+1.0;
print "%02.02f Exploring %04i points in t=%04i." % (count/total,len(voltages),t);
sys.stdout.flush();
self.scanat(1,trials,vcc,gnd,t);
def learn(self):
"""Learning phase. Finds thresholds at which the chip screws up."""
- trials=1;
+ trials=30;
lock=0; #1 locks, 0 unlocked
vstart=0;
vstop=1024; #Could be as high as 0xFFF, but upper range is useless
tstop=self.client.glitchstarttime();
tstep=0x1; #Must be 1
self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
- print "Learning phase complete, beginning to expore.";
- self.explore();
+ print "Learning phase complete, begin to crunch.";
+ self.crunch();
+ #print "Crunch phase complete, beginning to explore.";
+ #self.explore();
def scansetup(self,lock):
client=self.client;
+ client.verbose=0;
client.start();
client.erase();
+ print "Scanning %s" % client.infostring();
- self.secret=0x69;
+ #Kind of arbitrary.
+ #16 bit minimum.
+ self.secret=0xdead;
+
+
+ print "-- Setting secret";
+ client.start();
+
+ #Flash the secret, to try and recover it later.
+ client.erase();
+ print "-- Secret was %02x" % client.getsecret();
+ client.setsecret(self.secret);
+ print "-- Secret set to %02x" % client.getsecret();
+ sys.stdout.flush()
+ if(client.getsecret()!=self.secret):
+ print "Secret failed to set. Exiting for safety.";
+ sys.exit();
- while(client.eeprompeek(0)!=self.secret):
- print "-- Setting secret";
- client.start();
-
- #Flash the secret to the first two bytes of CODE memory.
- client.erase();
- client.eeprompoke(0,self.secret);
- client.eeprompoke(1,self.secret);
- sys.stdout.flush()
-
#Lock chip to unlock it later.
if lock>0:
client.lock();
#random.shuffle(times);
for vcc in voltages:
- if lock<0 and not self.vccexplored(vcc):
+ if not self.vccexplored(vcc):
print "Exploring vcc=%i" % vcc;
sys.stdout.flush();
for time in times:
rows=c.fetchall();
for a in rows:
return True;
+ c.close();
return False;
def scanat(self,lock,trials,vcc,gnd,time):
client=self.client;
- db=self.db;
client.glitchRate(time);
client.glitchVoltages(gnd, vcc); #drop voltage target
gcount=0;
client.glitchstart();
#Try to read *0, which is secret if read works.
- a=client.eeprompeek(0x0);
+ a=client.getsecret();
if lock>0: #locked
if(a!=0 and a!=0xFF and a!=self.secret):
gcount+=1;
scount+=1;
#print "values (%i,%i,%i,%i,%i);" % (
# time,vcc,gnd,gcount,scount);
- if(lock>0):
+ if(lock==0):
self.db.execute("insert into glitches(time,vcc,gnd,trials,glitchcount,count,lock)"
"values (%i,%i,%i,%i,%i,%i,%i);" % (
time,vcc,gnd,trials,gcount,scount,lock));
- else:
+ elif scount>0:
+ print "INSERTING AN EXPLOIT point, t=%i and vcc=%i" % (time,vcc);
self.db.execute("insert into exploits(time,vcc,gnd,trials,count)"
"values (%i,%i,%i,%i,%i);" % (
time,vcc,gnd,trials,scount));
+ self.db.commit(); #Don't leave a lock open.
projects / goodfet / blobdiff