Better glitching code, more portable than the old.
authortravisutk <travisutk@12e2690d-a6be-4b82-a7b7-67c4a43b65c8>
Fri, 25 Jun 2010 16:32:41 +0000 (16:32 +0000)
committertravisutk <travisutk@12e2690d-a6be-4b82-a7b7-67c4a43b65c8>
Fri, 25 Jun 2010 16:32:41 +0000 (16:32 +0000)
I might have broken AVR glitching support.

git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@642 12e2690d-a6be-4b82-a7b7-67c4a43b65c8

client/GoodFET.py
client/GoodFETCC.py
client/GoodFETGlitch.py
client/goodfet.glitch

index 154bd38..c3ab99e 100755 (executable)
@@ -288,7 +288,7 @@ class GoodFET:
             except TypeError:
                 if self.connected:
                     print "Error: waiting for serial read timed out (most likely).";
             except TypeError:
                 if self.connected:
                     print "Error: waiting for serial read timed out (most likely).";
-                    print "This shouldn't happen after syncing.  Exiting for safety.";
+                    print "This shouldn't happen after syncing.  Exiting for safety.";                    
                     sys.exit(-1)
                 return self.data;
     #Glitching stuff.
                     sys.exit(-1)
                 return self.data;
     #Glitching stuff.
@@ -313,8 +313,11 @@ class GoodFET:
         """Time the execution of a verb."""
         if data==None: data=[];
         self.data=[app&0xff, verb&0xFF]+data;
         """Time the execution of a verb."""
         if data==None: data=[];
         self.data=[app&0xff, verb&0xFF]+data;
+        print "Timing app %02x verb %02x." % (app,verb);
         self.writecmd(self.GLITCHAPP,0x82,len(self.data),self.data);
         self.writecmd(self.GLITCHAPP,0x82,len(self.data),self.data);
-        return ord(self.data[0])+(ord(self.data[1])<<8);
+        time=ord(self.data[0])+(ord(self.data[1])<<8);
+        print "Timed to be %i." % time;
+        return time;
     def glitchVoltages(self,low=0x0880, high=0x0fff):
         """Set glitching voltages. (0x0fff is max.)"""
         self.data=[low&0xff, (low>>8)&0xff,
     def glitchVoltages(self,low=0x0880, high=0x0fff):
         """Set glitching voltages. (0x0fff is max.)"""
         self.data=[low&0xff, (low>>8)&0xff,
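Review bot: The two `print` statements added to glitchTime (`print "Timing app %02x verb %02x." % (app,verb);` and `print "Timed to be %i." % time;`) run unconditionally on every call, while the same commit has the glitcher assign `client.verbose=0` in scansetup; if GoodFET carries that flag they presumably belong behind it, e.g. `if self.verbose: print "Timed to be %i." % time;`. The new local named `time` also shadows the stdlib `time` module wherever this file imports it; a name such as `elapsed` avoids the collision. glitchTime's signature lies above the start of the hunk.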
index b4ce51f..344d9a5 100644 (file)
@@ -271,6 +271,7 @@ class GoodFETCC(GoodFET):
     def erase(self):
         """Erase all of the target's memory."""
         self.CCchiperase();
     def erase(self):
         """Erase all of the target's memory."""
         self.CCchiperase();
+        self.start();
     
     def CCstatus(self):
         """Check the status."""
     
     def CCstatus(self):
         """Check the status."""
@@ -334,6 +335,27 @@ class GoodFETCC(GoodFET):
               (adr>>24)&0xFF];
         print "Flashing buffer to 0x%06x" % adr;
         self.writecmd(self.APP,0x95,4,data);
               (adr>>24)&0xFF];
         print "Flashing buffer to 0x%06x" % adr;
         self.writecmd(self.APP,0x95,4,data);
+    
+    def setsecret(self,value):
+        """Set a secret word for later retreival.  Used by glitcher."""
+        page = 0x0000;
+        pagelen = self.CCpagesize(); #Varies by chip.
+        print "page=%04x, pagelen=%04x" % (page,pagelen);
+        
+        self.CCeraseflashbuffer();
+        print "Setting secret to %x" % value;
+        self.CCpokedatabyte(0xF000,value);
+        self.CCpokedatabyte(0xF800,value);
+        print "Setting secret to %x==%x" % (value,
+                                            self.CCpeekdatabyte(0xf000));
+        self.CCflashpage(0);
+        print "code[0]=%x" % self.CCpeekcodebyte(0);
+    def getsecret(self):
+        """Get a secret word.  Used by glitcher."""
+        secret=self.CCpeekcodebyte(0);
+        #print "Got secret %02x" % secret;
+        return secret;
+    
     def dump(self,file,start=0,stop=0xffff):
         """Dump an intel hex file from code memory."""
         print "Dumping code from %04x to %04x as %s." % (start,stop,file);
     def dump(self,file,start=0,stop=0xffff):
         """Dump an intel hex file from code memory."""
         print "Dumping code from %04x to %04x as %s." % (start,stop,file);
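Review bot: setsecret writes `value` unmasked with `self.CCpokedatabyte(0xF000,value);` and `self.CCpokedatabyte(0xF800,value);`, yet getsecret reads back a single byte via `self.CCpeekcodebyte(0)`, so the glitcher's `getsecret()!=secret` convergence check can only succeed for values in 0..0xff; either mask with `value&0xff` at the top of setsecret or state the byte width in the docstring, which also misspells "retrieval". `page` is computed and printed but `self.CCflashpage(0);` hard-codes the same value; `self.CCflashpage(page);` keeps the two from drifting apart. The commented-out `#print "Got secret %02x" % secret;` in getsecret should be dropped or gated on the verbose flag rather than left as dead code.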
index 0d49ac3..ce82d0d 100644 (file)
@@ -55,7 +55,7 @@ class GoodFETGlitch(GoodFET):
         self.client=0;
     def setup(self,arch="avr"):
         self.client=getClient(arch);
         self.client=0;
     def setup(self,arch="avr"):
         self.client=getClient(arch);
-        self.client.serInit();
+        self.client.serInit(); #No timeout
 
     def glitchvoltages(self,time):
         """Returns list of voltages to train at."""
 
     def glitchvoltages(self,time):
         """Returns list of voltages to train at."""
@@ -70,7 +70,7 @@ class GoodFETGlitch(GoodFET):
             min=r[0];
             max=r[1];
             if(min==None or max==None): return [];
             min=r[0];
             max=r[1];
             if(min==None or max==None): return [];
-
+            
             spread=max-min;
             return range(min,max,1);
         #If we get here, there are no points.  Return empty set.
             spread=max-min;
             return range(min,max,1);
         #If we get here, there are no points.  Return empty set.
@@ -199,15 +199,19 @@ class GoodFETGlitch(GoodFET):
         tstop=self.client.glitchstarttime();
         tstep=0x1; #Must be 1
         self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
         tstop=self.client.glitchstarttime();
         tstep=0x1; #Must be 1
         self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop));
-        print "Learning phase complete, beginning to expore.";
+        print "Learning phase complete, beginning to crunch.";
+        self.crunch();
+        print "Crunch phase complete, beginning to explore.";
         self.explore();
         
     def scansetup(self,lock):
         client=self.client;
         self.explore();
         
     def scansetup(self,lock):
         client=self.client;
+        client.verbose=0;
         client.start();
         client.erase();
         client.start();
         client.erase();
+        print "Scanning %s" % client.infostring();
         
         
-        self.secret=0x69;
+        self.secret=0x49;
         
         while(client.getsecret()!=self.secret):
             print "-- Setting secret";
         
         while(client.getsecret()!=self.secret):
             print "-- Setting secret";
@@ -215,9 +219,10 @@ class GoodFETGlitch(GoodFET):
             
             #Flash the secret to the first two bytes of CODE memory.
             client.erase();
             
             #Flash the secret to the first two bytes of CODE memory.
             client.erase();
+            print "-- Secret was %02x" % client.getsecret();
             client.setsecret(self.secret);
             sys.stdout.flush()
             client.setsecret(self.secret);
             sys.stdout.flush()
-
+            
         #Lock chip to unlock it later.
         if lock>0:
             client.lock();
         #Lock chip to unlock it later.
         if lock>0:
             client.lock();
@@ -232,7 +237,7 @@ class GoodFETGlitch(GoodFET):
         #random.shuffle(times);
         
         for vcc in voltages:
         #random.shuffle(times);
         
         for vcc in voltages:
-            if lock<0 and not self.vccexplored(vcc):
+            if not self.vccexplored(vcc):
                 print "Exploring vcc=%i" % vcc;
                 sys.stdout.flush();
                 for time in times:
                 print "Exploring vcc=%i" % vcc;
                 sys.stdout.flush();
                 for time in times:
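Review bot: The `while(client.getsecret()!=self.secret):` loop in scansetup has no upper bound, and the `print "-- Secret was %02x" % client.getsecret();` this commit adds inside it only makes a non-converging flash visible rather than ending it, so the scan can hang before the first trial runs. Count the attempts and abort instead: `tries=0;` before the loop, then `tries+=1;` and `if tries>10: sys.exit("-- Secret did not take after %i tries." % tries);` inside it (sys is already used in this function). scansetup continues past the end of its hunk. Separately, dropping `lock<0` from explore's `if not self.vccexplored(vcc):` means that loop no longer consults `lock` at all, which is worth confirming as intended rather than a debugging leftover.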
index 1d301a9..512b04b 100755 (executable)
@@ -11,8 +11,6 @@ from intelhex import IntelHex16bit, IntelHex;
 import sqlite3;
 
 
 import sqlite3;
 
 
-glitcher=GoodFETGlitch();
-
 if(len(sys.argv)==1):
     print "Usage: %s chip verb [objects]\n" % sys.argv[0];
     print "%s avr learn" % sys.argv[0];
 if(len(sys.argv)==1):
     print "Usage: %s chip verb [objects]\n" % sys.argv[0];
     print "%s avr learn" % sys.argv[0];
@@ -36,6 +34,7 @@ Then on a chip to be extracted,
 3) Run 'goodfet $chip exploit' to exploit a chip and recover its firmware."""
     sys.exit();
 
 3) Run 'goodfet $chip exploit' to exploit a chip and recover its firmware."""
     sys.exit();
 
+glitcher=GoodFETGlitch();
 
 if(sys.argv[2]=="graphx11"):
     glitcher.graphx11();
 
 if(sys.argv[2]=="graphx11"):
     glitcher.graphx11();
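Review bot: With `glitcher=GoodFETGlitch();` moved below the usage block, that block is now the only guard before `sys.argv[2]` is read at `if(sys.argv[2]=="graphx11"):`, but it fires only for `len(sys.argv)==1`, so invoking the script with a single argument still dies with an IndexError instead of printing usage; `if(len(sys.argv)<3):` covers both cases. The script body continues past the end of this hunk.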