except TypeError:
if self.connected:
print "Error: waiting for serial read timed out (most likely).";
- print "This shouldn't happen after syncing. Exiting for safety.";
+ print "This shouldn't happen after syncing. Exiting for safety.";
sys.exit(-1)
return self.data;
#Glitching stuff.
"""Time the execution of a verb."""
if data==None: data=[];
self.data=[app&0xff, verb&0xFF]+data;
+ print "Timing app %02x verb %02x." % (app,verb);
self.writecmd(self.GLITCHAPP,0x82,len(self.data),self.data);
- return ord(self.data[0])+(ord(self.data[1])<<8);
+ time=ord(self.data[0])+(ord(self.data[1])<<8);
+ print "Timed to be %i." % time;
+ return time;
def glitchVoltages(self,low=0x0880, high=0x0fff):
"""Set glitching voltages. (0x0fff is max.)"""
self.data=[low&0xff, (low>>8)&0xff,
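Review bot: The two added `print` statements in the timing method fire on every call, including from inside the scan loop, and bypass the `verbose` flag that `scansetup` later zeroes on the client (`client.verbose=0`); if this class carries that flag, gate them, e.g. `if self.verbose: print "Timed to be %i." % time;`. The new local `time` also shadows the stdlib `time` module should this file import it, so a name like `cycles` would be safer. The method's `def` line is above the hunk, so its parameter list and any `verbose` attribute could not be checked here.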
def erase(self):
"""Erase all of the target's memory."""
self.CCchiperase();
+ self.start();
def CCstatus(self):
"""Check the status."""
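Review bot: `erase()` now calls `self.start()` after the chip erase, but its docstring still says only that it erases memory; the glitcher calls `client.erase()` and then `client.setsecret(...)` in a retry loop, so the restart is load-bearing for callers and should be documented, e.g. `"""Erase all of the target's memory, then restart the debug session."""`. What `start()` does is not visible in this diff, so confirm the wording against its definition.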
(adr>>24)&0xFF];
print "Flashing buffer to 0x%06x" % adr;
self.writecmd(self.APP,0x95,4,data);
+
+ def setsecret(self,value):
+ """Set a secret word for later retreival. Used by glitcher."""
+ page = 0x0000;
+ pagelen = self.CCpagesize(); #Varies by chip.
+ print "page=%04x, pagelen=%04x" % (page,pagelen);
+
+ self.CCeraseflashbuffer();
+ print "Setting secret to %x" % value;
+ self.CCpokedatabyte(0xF000,value);
+ self.CCpokedatabyte(0xF800,value);
+ print "Setting secret to %x==%x" % (value,
+ self.CCpeekdatabyte(0xf000));
+ self.CCflashpage(0);
+ print "code[0]=%x" % self.CCpeekcodebyte(0);
+ def getsecret(self):
+ """Get a secret word. Used by glitcher."""
+ secret=self.CCpeekcodebyte(0);
+ #print "Got secret %02x" % secret;
+ return secret;
+
def dump(self,file,start=0,stop=0xffff):
"""Dump an intel hex file from code memory."""
print "Dumping code from %04x to %04x as %s." % (start,stop,file);
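Review bot: In `setsecret`, `page` and `pagelen` are computed and printed but never used — `self.CCflashpage(0)` hard-codes the page, so if `page` is ever changed the flash write silently goes elsewhere; use `self.CCflashpage(page);` and either use or drop `pagelen`. `value` is stored with `CCpokedatabyte`, i.e. truncated to one byte, while the docstring says "secret word" and `getsecret` reads only code byte 0; mask it explicitly (`self.CCpokedatabyte(0xF000,value&0xFF);`) and fix the docstring typo `retreival` → `retrieval`, stating that a single byte is stored. The read-back from 0xf000 is only printed, never compared, so a failed poke still results in the page being flashed; returning False or raising on mismatch would let the caller stop instead of relying solely on `getsecret()` to notice.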
self.client=0;
def setup(self,arch="avr"):
self.client=getClient(arch);
- self.client.serInit();
+ self.client.serInit(); #No timeout
def glitchvoltages(self,time):
"""Returns list of voltages to train at."""
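Review bot: The new `#No timeout` comment on `serInit()` records a decision but not the reason, and a serial read with no timeout will block the whole scan if a glitched target wedges; elsewhere in this commit the client's read path does `sys.exit(-1)` on what it treats as a timeout, so the two choices should be reconciled or the difference explained. If `serInit` accepts a timeout argument, say why it is left out here, e.g. `self.client.serInit(); # No timeout: a glitched target may stall arbitrarily long before answering`.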
min=r[0];
max=r[1];
if(min==None or max==None): return [];
-
+
spread=max-min;
return range(min,max,1);
#If we get here, there are no points. Return empty set.
tstop=self.client.glitchstarttime();
tstep=0x1; #Must be 1
self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
- print "Learning phase complete, beginning to expore.";
+ print "Learning phase complete, beginning to crunch.";
+ self.crunch();
+ print "Crunch phase complete, beginning to explore.";
self.explore();
def scansetup(self,lock):
client=self.client;
+ client.verbose=0;
client.start();
client.erase();
+ print "Scanning %s" % client.infostring();
- self.secret=0x69;
+ self.secret=0x49;
while(client.getsecret()!=self.secret):
print "-- Setting secret";
#Flash the secret to the first two bytes of CODE memory.
client.erase();
+ print "-- Secret was %02x" % client.getsecret();
client.setsecret(self.secret);
sys.stdout.flush()
-
+
#Lock chip to unlock it later.
if lock>0:
client.lock();
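Review bot: The `while(client.getsecret()!=self.secret)` loop in `scansetup` is unbounded — if `setsecret` never takes (locked part, worn flash, bad wiring) the added `-- Secret was %02x` print just repeats forever; cap it, e.g. `for attempt in range(10):` with a `break` on match and `sys.exit(1)` after the loop if the secret still mismatches. The change from `0x69` to `0x49` is unexplained; since erased flash typically reads back 0xFF and a failed read may yield 0x00, a comment stating that the secret must differ from both values (and why 0x49 was chosen) would stop it being changed back blindly. `client.verbose=0` is set before the new `print "Scanning %s" % client.infostring()`, which is fine as long as `infostring()` does not itself gate on `verbose` — worth confirming.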
#random.shuffle(times);
for vcc in voltages:
- if lock<0 and not self.vccexplored(vcc):
+ if not self.vccexplored(vcc):
print "Exploring vcc=%i" % vcc;
sys.stdout.flush();
for time in times:
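Review bot: Dropping `lock<0` from the skip condition means `self.vccexplored(vcc)` now short-circuits the voltage in every lock mode, but `vccexplored` takes only the voltage, so unless it consults the lock state internally a run with `lock>0` will skip voltages an earlier unlocked run already covered; confirm that is intended, and if not, key the explored check on both lock mode and vcc. A one-line comment saying why lock mode no longer matters here would prevent the condition being reintroduced. The enclosing function starts above the hunk, so how `lock` and `voltages` are derived could not be checked.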
import sqlite3;
-glitcher=GoodFETGlitch();
-
if(len(sys.argv)==1):
print "Usage: %s chip verb [objects]\n" % sys.argv[0];
print "%s avr learn" % sys.argv[0];
3) Run 'goodfet $chip exploit' to exploit a chip and recover its firmware."""
sys.exit();
+glitcher=GoodFETGlitch();
if(sys.argv[2]=="graphx11"):
glitcher.graphx11();