From 89029e6edf48e5f1385f9b25d7cdbed2a4780140 Mon Sep 17 00:00:00 2001 From: travisutk Date: Fri, 25 Jun 2010 16:32:41 +0000 Subject: [PATCH] Better glitching code, more portable than the old. I might have broken AVR glitching support. git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@642 12e2690d-a6be-4b82-a7b7-67c4a43b65c8 --- client/GoodFET.py | 7 +++++-- client/GoodFETCC.py | 22 ++++++++++++++++++++++ client/GoodFETGlitch.py | 17 +++++++++++------ client/goodfet.glitch | 3 +-- 4 files changed, 39 insertions(+), 10 deletions(-) diff --git a/client/GoodFET.py b/client/GoodFET.py index 154bd38..c3ab99e 100755 --- a/client/GoodFET.py +++ b/client/GoodFET.py @@ -288,7 +288,7 @@ class GoodFET: except TypeError: if self.connected: print "Error: waiting for serial read timed out (most likely)."; - print "This shouldn't happen after syncing. Exiting for safety."; + print "This shouldn't happen after syncing. Exiting for safety."; sys.exit(-1) return self.data; #Glitching stuff. @@ -313,8 +313,11 @@ class GoodFET: """Time the execution of a verb.""" if data==None: data=[]; self.data=[app&0xff, verb&0xFF]+data; + print "Timing app %02x verb %02x." % (app,verb); self.writecmd(self.GLITCHAPP,0x82,len(self.data),self.data); - return ord(self.data[0])+(ord(self.data[1])<<8); + time=ord(self.data[0])+(ord(self.data[1])<<8); + print "Timed to be %i." % time; + return time; def glitchVoltages(self,low=0x0880, high=0x0fff): """Set glitching voltages. (0x0fff is max.)""" self.data=[low&0xff, (low>>8)&0xff, diff --git a/client/GoodFETCC.py b/client/GoodFETCC.py index b4ce51f..344d9a5 100644 --- a/client/GoodFETCC.py +++ b/client/GoodFETCC.py @@ -271,6 +271,7 @@ class GoodFETCC(GoodFET): def erase(self): """Erase all of the target's memory.""" self.CCchiperase(); + self.start(); def CCstatus(self): """Check the status.""" 
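Review bot: The new local `time` in glitchTime holds the 16-bit count read back from `self.data`, and that name shadows the stdlib `time` module if this file imports it (the imports are outside the hunk); a name like `ticks` avoids the collision, e.g. `ticks=ord(self.data[0])+(ord(self.data[1])<<8);`. The two added print statements are unconditional, while elsewhere in this patch GoodFETGlitch.scansetup sets `client.verbose=0` — if that attribute lives on GoodFET, these prints should be gated on `self.verbose` like the rest of the chatter. The `data==None` test on the context line is better written `data is None`. The docstring "Time the execution of a verb." could also state that the return value is the little-endian 16-bit count taken from the first two reply bytes; the hunk does not show its unit, so that would need confirming before documenting.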
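Review bot: `self.start()` is added after `self.CCchiperase()` in GoodFETCC.erase without a comment saying why a restart is needed, so a reader cannot tell whether the chip erase drops the debug session or this merely leaves the target in a known state. A one-line comment such as `#Re-enter debug mode after the chip erase.` would make the intent explicit, adjusted to the actual reason, which the hunk does not show. If the restart is only required by the glitcher's erase/setsecret loop, doing it there rather than in every erase() call would keep erase() minimal.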
@@ -334,6 +335,27 @@ class GoodFETCC(GoodFET): (adr>>24)&0xFF]; print "Flashing buffer to 0x%06x" % adr; self.writecmd(self.APP,0x95,4,data); + + def setsecret(self,value): + """Set a secret word for later retreival. Used by glitcher.""" + page = 0x0000; + pagelen = self.CCpagesize(); #Varies by chip. + print "page=%04x, pagelen=%04x" % (page,pagelen); + + self.CCeraseflashbuffer(); + print "Setting secret to %x" % value; + self.CCpokedatabyte(0xF000,value); + self.CCpokedatabyte(0xF800,value); + print "Setting secret to %x==%x" % (value, + self.CCpeekdatabyte(0xf000)); + self.CCflashpage(0); + print "code[0]=%x" % self.CCpeekcodebyte(0); + def getsecret(self): + """Get a secret word. Used by glitcher.""" + secret=self.CCpeekcodebyte(0); + #print "Got secret %02x" % secret; + return secret; + def dump(self,file,start=0,stop=0xffff): """Dump an intel hex file from code memory.""" print "Dumping code from %04x to %04x as %s." % (start,stop,file); diff --git a/client/GoodFETGlitch.py b/client/GoodFETGlitch.py index 0d49ac3..ce82d0d 100644 --- a/client/GoodFETGlitch.py +++ b/client/GoodFETGlitch.py @@ -55,7 +55,7 @@ class GoodFETGlitch(GoodFET): self.client=0; def setup(self,arch="avr"): self.client=getClient(arch); - self.client.serInit(); + self.client.serInit(); #No timeout def glitchvoltages(self,time): """Returns list of voltages to train at.""" @@ -70,7 +70,7 @@ class GoodFETGlitch(GoodFET): min=r[0]; max=r[1]; if(min==None or max==None): return []; - + spread=max-min; return range(min,max,1); #If we get here, there are no points. Return empty set. 
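Review bot: In setsecret the locals `page` and `pagelen` are computed and printed but never used: `self.CCflashpage(0)` hard-codes the page instead of `self.CCflashpage(page)`, and `pagelen` only feeds the debug print, so either use them or drop them. `value` is passed straight to `CCpokedatabyte` and getsecret reads back a single code byte, so if the poke helper takes a byte the secret should be masked, `self.CCpokedatabyte(0xF000,value&0xFF);`, and both docstrings should say "byte" rather than "word" (also "retreival" should read "retrieval"). The read-back print only checks 0xf000 although the value is also poked to 0xF800; if the second poke matters, it deserves a comment saying why two locations are written.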
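Review bot: `spread=max-min;` added in glitchvoltages is never read — the next line returns `range(min,max,1)` — so it is dead code and should be dropped or used. The locals `min` and `max` shadow the builtins of the same name; `lo`/`hi` would be clearer. The `#If we get here, there are no points.` comment sits after the return and is unreachable. glitchvoltages starts before this hunk.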
@@ -199,15 +199,19 @@ class GoodFETGlitch(GoodFET): tstop=self.client.glitchstarttime(); tstep=0x1; #Must be 1 self.scan(lock,trials,range(vstart,vstop),range(tstart,tstop)); - print "Learning phase complete, beginning to expore."; + print "Learning phase complete, beginning to crunch."; + self.crunch(); + print "Crunch phase complete, beginning to explore."; self.explore(); def scansetup(self,lock): client=self.client; + client.verbose=0; client.start(); client.erase(); + print "Scanning %s" % client.infostring(); - self.secret=0x69; + self.secret=0x49; while(client.getsecret()!=self.secret): print "-- Setting secret"; @@ -215,9 +219,10 @@ class GoodFETGlitch(GoodFET): #Flash the secret to the first two bytes of CODE memory. client.erase(); + print "-- Secret was %02x" % client.getsecret(); client.setsecret(self.secret); sys.stdout.flush() - + #Lock chip to unlock it later. if lock>0: client.lock(); @@ -232,7 +237,7 @@ class GoodFETGlitch(GoodFET): #random.shuffle(times); for vcc in voltages: - if lock<0 and not self.vccexplored(vcc): + if not self.vccexplored(vcc): print "Exploring vcc=%i" % vcc; sys.stdout.flush(); for time in times: diff --git a/client/goodfet.glitch b/client/goodfet.glitch index 1d301a9..512b04b 100755 --- a/client/goodfet.glitch +++ b/client/goodfet.glitch @@ -11,8 +11,6 @@ from intelhex import IntelHex16bit, IntelHex; import sqlite3; -glitcher=GoodFETGlitch(); - if(len(sys.argv)==1): print "Usage: %s chip verb [objects]\n" % sys.argv[0]; print "%s avr learn" % sys.argv[0]; @@ -36,6 +34,7 @@ Then on a chip to be extracted, 3) Run 'goodfet $chip exploit' to exploit a chip and recover its firmware.""" sys.exit(); +glitcher=GoodFETGlitch(); if(sys.argv[2]=="graphx11"): glitcher.graphx11(); -- 2.20.1
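Review bot: `client.verbose=0;` in scansetup silences the shared client for the rest of the run and is never restored, so the crunch and explore phases that follow inherit it; either save and restore it around the setup, `saved=client.verbose; client.verbose=0; ... client.verbose=saved;`, or document the intent with `#Quiet the client for the learn/scan loop.`. The `while(client.getsecret()!=self.secret):` retry loop that the hunk feeds has no iteration bound, so a target that cannot be flashed makes the learning phase spin forever; a retry counter with a clear error message would be safer. The new constant `self.secret=0x49;` deserves a comment on why that value was chosen. scansetup continues into the next hunk.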
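Review bot: Dropping `lock<0 and` from the condition in the explore loop may leave the `lock` parameter unread in this function; if nothing else in it uses the parameter, it should be removed from the signature or documented as unused, but the rest of the function is outside the hunk so this needs checking. The loop variable `time` on the context line shadows the stdlib `time` module if it is imported in this file.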