X-Git-Url: http://git.rot13.org/?p=goodfet;a=blobdiff_plain;f=client%2Fgoodfet.cc;h=e58ec686330f9a495cce1a956592d15d15580af9;hp=e233d659ceaae5831509687000123c95effca7e6;hb=586e50d09b9c31458248b524b4618a2baf898e19;hpb=ecb9432850549952b9fe14b67fcf6798bbab0261 diff --git a/client/goodfet.cc b/client/goodfet.cc index e233d65..e58ec68 100755 --- a/client/goodfet.cc +++ b/client/goodfet.cc @@ -6,36 +6,352 @@ # This code is being rewritten and refactored. You've been warned! import sys; -import binascii; +import binascii, time; from GoodFETCC import GoodFETCC; +from GoodFETConsole import GoodFETConsole; from intelhex import IntelHex; +def printpacket(packet): + s=""; + i=0; + for foo in packet: + i=i+1; + s="%s %02x" % (s,foo); + print "# %s" %s; + +simplepacketcount=0; +def handlesimplicitipacket(packet): + s=""; + i=0; + global simplepacketcount; + simplepacketcount=simplepacketcount+1; + + len=packet[0]; + if len<12: return; + + dst=[packet[1], + packet[2], + packet[3], + packet[4]]; + src=[packet[5], + packet[6], + packet[7], + packet[8]]; + port=packet[9]; + info=packet[10]; + seq=packet[11]; + #payload begins at byte 10. + + if packet[len+2]&0x80==0: + print "# Dropped broken packet."; + elif port==0x20: + #data packet + counter=packet[11]; + button=packet[12]; + x=packet[13]; + if x>=128: x=0-(x^0xFF)-1; + y=packet[14]; + if y>=128: y=0-(y^0xFF)-1; + z=packet[15]; + if z>=128: z=0-(z^0xFF)-1; + + print "%09i %03i %4i %4i %4i" % (simplepacketcount,button,x,y,z); + sys.stdout.flush(); + elif port==0x02: + #Link request. Gotta send a proper reply to get data. + tid=packet[13]; + #14 ff ff ff ff 3c b7 e3 98 + #02 03 c9 + #01 97 + #ef be ad de 3d 00 02 + reply=[0x10, + src[0], src[1], src[2], src[3], + 0x78,0x56,0x34,0x10, #my address. + port, 0x21, seq, + 0x81, tid, #reply, tid + + 0x20,0x00,0xad,0xde, #link token + 0x00]; #no security + #printpacket(reply); + print "#FIXME FAST: repeatedly broadcasting ACK to catch LINK on the next attempt."; + for foo in range(1,50): + client.RF_txpacket(reply); + + pass; + elif port==0x03: + #print "Join request."; + #printpacket(packet); + if packet[12]!=1: + print "Not a join request. WTF?"; + return; + tid=packet[13]; + reply=[0x12, #reply is one byte shorter + src[0], src[1], src[2], src[3], + 0x78,0x56,0x34,0x10, #my address. + port, 0x21, seq, + 0x81, tid, #reply, tid + + 0xef,0xbe,0xad,0xde, #Join token + 0x00]; #no security + #printpacket(reply); + print "#FIXME FAST: repeatedly broadcasting ACK to catch JOIN on the next attempt."; + #printpacket(reply); + for foo in range(1,50): + client.RF_txpacket(reply); + + + elif port==0x04: + print "Security request."; + elif port==0x05: + print "Frequency request."; + elif port==0x06: + print "Management request."; + else: + print "Unknown Port %02x" %port; + if(len(sys.argv)==1): print "Usage: %s verb [objects]\n" % sys.argv[0]; + print "%s erase" % sys.argv[0]; + print "%s flash $foo.hex" % sys.argv[0]; print "%s test" % sys.argv[0]; + print "%s term" % sys.argv[0]; print "%s info" % sys.argv[0]; + print "%s infotest" % sys.argv[0]; + print "%s halt" % sys.argv[0]; + print "%s regs" % sys.argv[0]; print "%s dumpcode $foo.hex [0x$start 0x$stop]" % sys.argv[0]; print "%s dumpdata $foo.hex [0x$start 0x$stop]" % sys.argv[0]; - print "%s erase" % sys.argv[0]; print "%s writedata $foo.hex [0x$start 0x$stop]" % sys.argv[0]; print "%s verify $foo.hex [0x$start 0x$stop]" % sys.argv[0]; print "%s peekdata 0x$start [0x$stop]" % sys.argv[0]; print "%s pokedata 0x$adr 0x$val" % sys.argv[0]; - #print "%s peekcode 0x$start [0x$stop]" % sys.argv[0]; + print "%s peek 0x$iram" % sys.argv[0]; + print "%s poke 0x$iram 0x$val" % sys.argv[0]; + print "%s peekcode 0x$start [0x$stop]" % sys.argv[0]; + print "\n" + print "%s rssi [freq]\n\tGraphs signal strength on [freq] Hz." % sys.argv[0]; + print "%s carrier [freq]\n\tHolds a carrier on [freq] Hz." % sys.argv[0]; + print "%s reflex [freq]\n\tJams on [freq] Hz." % sys.argv[0]; + print "%s sniffsimpliciti [us|eu|lf]\n\tSniffs SimpliciTI packets." % sys.argv[0]; + print "%s sniffdash7 [lf]\n\tSniffs Dash7. (untested)" % sys.argv[0]; + print "%s snifficlicker [us]\n\tSniffs iClicker." % sys.argv[0]; + print "\n"; + print "%s simpliciti [us|eu|lf]\n\tSimpliciti access point for Chronos watch." % sys.argv[0]; + print "%s iclicker [us|eu|lf]\n\tSniffs iClicker packets as ASCII." % sys.argv[0]; + sys.exit(); #Initailize FET and set baud rate +#client=GoodFET.GoodFETCC.GoodFETCC(); client=GoodFETCC(); client.serInit() #Connect to target -client.CCsetup(); -client.CCstart(); +client.setup(); +client.start(); + + + +if(sys.argv[1]=="carrier"): + if len(sys.argv)>2: + client.RF_setfreq(eval(sys.argv[2])); + client.RF_carrier(); + while(1): + time.sleep(1); + +if(sys.argv[1]=="reflex"): + client.CC1110_crystal(); + client.RF_idle(); + + client.config_simpliciti(); + + threshold=100; + if len(sys.argv)>2: + client.RF_setfreq(eval(sys.argv[2])); + print "Listening on %f MHz." % (client.RF_getfreq()/10**6); + print "Jamming if RSSI>=%i" % threshold; + + client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode. + client.shellcodefile("reflex.ihx"); + rssi=0; + while 1: + while(0==client.ishalted()): + rssi=0; + rssi=client.peek8(0xFE00,"xdata"); + print "Activated jamming with RSSI of %i, going again for another packet." % rssi; + #client.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000 + client.resume(); + + +if(sys.argv[1]=="rssi"): + client.CC1110_crystal(); + client.RF_idle(); + + client.config_simpliciti(); + + if len(sys.argv)>2: + client.RF_setfreq(eval(sys.argv[2])); + print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6); + + #FIXME, ugly + RFST=0xDFE1 + client.CC_RFST_CAL(); + time.sleep(1); + + while 1: + client.CC_RFST_RX(); + rssi=client.RF_getrssi(); + client.CC_RFST_IDLE(); #idle + time.sleep(0.01); + string=""; + for foo in range(0,rssi>>2): + string=("%s."%string); + print "%02x %04i %s" % (rssi,rssi, string); + +if(sys.argv[1]=="sniff"): + client.CC1110_crystal(); + client.RF_idle(); + + #client.config_simpliciti(region); + + print "Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + sys.stdout.flush(); + +if(sys.argv[1]=="sniffsimpliciti"): + region="us"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_simpliciti(region); + + print "Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + sys.stdout.flush(); +if(sys.argv[1]=="sniffook"): + region="lf"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_ook(region); + + print "Listening for OOK on %f MHz" % (client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + sys.stdout.flush(); +if(sys.argv[1]=="sniffdash7"): + region="lf"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_dash7(region); + + print "Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + sys.stdout.flush(); +if(sys.argv[1]=="snifficlicker"): + region="us"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_iclicker(region); + + print "Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + sys.stdout.flush(); +if(sys.argv[1]=="iclicker"): + buttons=[0, 'A', 'j', 3, 4, 'B', + 6, 7, 8, 9, 'E', 0xB, 0xC, + 'C', 'D', 0xF]; + region="us"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_iclicker(region); + + print "Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + printpacket(packet); + button=((packet[5]&1)<<3) | (packet[6]>>5); + print "Button %c" % buttons[button]; + sys.stdout.flush(); + +if(sys.argv[1]=="simpliciti"): + region="us"; + if len(sys.argv)>2: + region=sys.argv[2]; + + client.CC1110_crystal(); + client.RF_idle(); + + client.config_simpliciti(region); + + print "# Listening as %x on %f MHz" % (client.RF_getsmac(), + client.RF_getfreq()/10.0**6); + #Now we're ready to get packets. + while 1: + packet=None; + while packet==None: + packet=client.RF_rxpacket(); + handlesimplicitipacket(packet); + sys.stdout.flush(); + + +if(sys.argv[1]=="term"): + GoodFETConsole(client).run(); if(sys.argv[1]=="test"): - client.CCtest(); + client.test(); if(sys.argv[1]=="deadtest"): for i in range(1,10): print "IDENT as %s" % client.CCidentstr(); @@ -76,11 +392,35 @@ if(sys.argv[1]=="dumpdata"): i+=1; h.write_hex_file(f); if(sys.argv[1]=="status"): - print "Status: %s" %client.CCstatusstr(); + print "Status: %s" %client.status(); +if(sys.argv[1]=="halt"): + print "Halting CPU." + client.halt(); + +if(sys.argv[1]=="infotest"): + while 1: + client.start(); + print "Ident %s" % client.CCidentstr(); +if(sys.argv[1]=="info"): + print "Ident %s" % client.CCidentstr(); + + try: + print "Freq %10.3f MHz" % (client.RF_getfreq()/10**6); + print "RSSI %02x" % client.RF_getrssi(); + except: + print "Freq, RSSI, etc unknown. Install SmartRF7."; + #print "Rate %10i kbps" % (client.RF_getrate()/1000); + #print "PacketLen %02i bytes" % client.RF_getpacketlen(); + #print "SMAC 0x%010x" % client.RF_getsmac(); + #print "TMAC 0x%010x" % client.RF_gettmac(); + +if(sys.argv[1]=="regs"): + client.CMDrs(); + if(sys.argv[1]=="erase"): - print "Status: %s" % client.CCstatusstr(); + print "Status: %s" % client.status(); client.CCchiperase(); - print "Status: %s" %client.CCstatusstr(); + print "Status: %s" %client.status(); if(sys.argv[1]=="peekinfo"): print "Select info flash." @@ -97,7 +437,28 @@ if(sys.argv[1]=="peekinfo"): while start<=stop: print "%04x: %02x" % (start,client.CCpeekcodebyte(start)); start=start+1; - +if(sys.argv[1]=="poke"): + client.CCpokeirambyte(int(sys.argv[2],16), + int(sys.argv[3],16)); +if(sys.argv[1]=="randtest"): + #Seed RNG + client.CCpokeirambyte(0xBD,0x01); #RNDH=0x01 + client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04 + client.CCpokeirambyte(0xBD,0x01); #RNDH=0x01 + client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04 + + #Dump values + for foo in range(1,10): + print "%02x" % client.CCpeekirambyte(0xBD); #RNDH + client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04 + client.CCreleasecpu(); + client.CChaltcpu(); + print "%02x" % client.CCpeekdatabyte(0xDF61); #CHIP ID +if(sys.argv[1]=="adctest"): + # ADCTest 0xDF3A 0xDF3B + print "ADC TEST %02x%02x" % ( + client.CCpeekdatabyte(0xDF3A), + client.CCpeekdatabyte(0xDF3B)); if(sys.argv[1]=="config"): print "Config is %02x" % client.CCrd_config(); @@ -110,38 +471,11 @@ if(sys.argv[1]=="flash"): if(len(sys.argv)>4): stop=int(sys.argv[4],16); - h = IntelHex(f); - page = 0x0000; - pagelen = 2048; #2kB pages in 32-bit words - bcount = 0; - - #Wipe all of flash. - client.CCchiperase(); - #Wipe the RAM buffer for the next flash page. - client.CCeraseflashbuffer(); - for i in h._buf.keys(): - while(i>page+pagelen): - if bcount>0: - client.CCflashpage(page); - client.CCeraseflashbuffer(); - bcount=0; - print "Flashed page at %06x" % page - page+=pagelen; - - #Place byte into buffer. - client.CCpokedatabyte(0xF000+i-page, - h[i]); - bcount+=1; - if(i%0x100==0): - print "%04x at %06x" % (i,page); - #last page - client.CCflashpage(page); - print "Flashed final page at %06x" % page; - + client.flash(f); if(sys.argv[1]=="lock"): - print "Status: %s" %client.CCstatusstr(); + print "Status: %s" %client.status(); client.CClockchip(); - print "Status: %s" %client.CCstatusstr(); + print "Status: %s" %client.status(); if(sys.argv[1]=="flashpage"): target=0; if(len(sys.argv)>2): @@ -181,6 +515,34 @@ if(sys.argv[1]=="peekdata"): while start<=stop: print "%04x: %02x" % (start,client.CCpeekdatabyte(start)); start=start+1; +if(sys.argv[1]=="peek"): + start=0x0000; + if(len(sys.argv)>2): + start=int(sys.argv[2],16); + stop=start; + if(len(sys.argv)>3): + stop=int(sys.argv[3],16); + print "Peeking from %04x to %04x." % (start,stop); + while start<=stop: + print "%04x: %02x" % (start,client.CCpeekirambyte(start)); + start=start+1; +if(sys.argv[1]=="verify"): + f=sys.argv[2]; + start=0; + stop=0xFFFF; + if(len(sys.argv)>3): + start=int(sys.argv[3],16); + if(len(sys.argv)>4): + stop=int(sys.argv[4],16); + + h = IntelHex(f); + for i in h._buf.keys(): + if(i>=start and i2): @@ -202,4 +564,4 @@ if(sys.argv[1]=="pokedata"): print "Poking %04x to become %02x." % (start,val); client.CCpokedatabyte(start,val); -client.CCstop(); +client.stop();