From 99f1c6d13131623455f66d07d52b3251f62eb708 Mon Sep 17 00:00:00 2001 From: travisutk Date: Sun, 27 Jun 2010 22:02:30 +0000 Subject: [PATCH] Better glitching exploration. git-svn-id: https://svn.code.sf.net/p/goodfet/code/trunk@646 12e2690d-a6be-4b82-a7b7-67c4a43b65c8 --- client/GoodFETGlitch.py | 31 ++++++++++++++++++++----------- client/goodfet.glitch | 12 ++++++++---- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/client/GoodFETGlitch.py b/client/GoodFETGlitch.py index 0e0a1aa..0d16ba4 100644 --- a/client/GoodFETGlitch.py +++ b/client/GoodFETGlitch.py @@ -90,19 +90,21 @@ class GoodFETGlitch(GoodFET): mins={}; c=self.db.cursor(); - c.execute("select time,vcc,count from glitches;"); #Limit 10000 for testing. + c.execute("select time,vcc,glitchcount,count from glitches;"); #Limit 10000 for testing. progress=0; for r in c: progress=progress+1; if progress % 1000000==0: print "%09i rows crunched." % progress; t=r[0]; v=r[1]; - count=r[2]; - if count==0: + glitchcount=r[2]; + count=r[3]; + # FIXME: Threse thresholds suck. + if count<2: try: oldmax=maxes[t]; except: oldmax=-1; if v>oldmax: maxes[t]=v; - elif count==1: + elif glitchcount<2: try: oldmin=mins[t]; except: oldmin=0x10000; if v0;"); + c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;"); print "time vcc gnd glitchcount count"; for r in c: print "%i %i %i %i %i" % r; - def npoints(self): + def rpoints(self): c=self.db.cursor(); c.execute("select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;"); print "time vcc gnd glitchcount count"; 
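Review bot: The new cut-offs in crunch(), `if count<2:` and `elif glitchcount<2:`, are absolute hit counts, so what they select depends on how many trials were recorded per (time, vcc) row, which this hunk does not show. The added FIXME concedes the problem (and contains a typo, "Threse"). Because the second test is an `elif`, a row with `count<2` only ever updates `maxes[t]` and is never considered for `mins[t]`, even when its `glitchcount` is also below 2; if that is intended it deserves a comment. I would name the two limits and record the assumption beside them, for example `HITLIMIT=2; # threshold on raw hit counts; assumes <N> trials per row`, where `<N>` is a placeholder for the real trial count. The tail of this hunk is truncated on this page after `if v`, so the `mins` update could not be checked.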
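Review bot: After this change `points()` and the renamed `rpoints()` run the same query on the lines visible here, `select time,vcc,gnd,glitchcount,count from glitches where lock=0 and glitchcount>0;`, so the `rangepoints` command would print exactly what `points` prints. If rpoints() is meant to list a different set of rows its WHERE clause has to differ; otherwise one method can simply call the other. The header of this hunk and the removed line of points() are partly lost on this page, and the body of rpoints() continues outside the hunk, so this should be confirmed against the file.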
@@ -161,13 +163,14 @@ class GoodFETGlitch(GoodFET): #GnuPlot sucks for large sets. Switch to viewpoints soon. # sqlite3 glitch.db "select time,vcc,count from glitches where count=0" | vp -l -d "|" -I - def explore(self,tstart=0,tstop=-1, trials=1): + def explore(self,times=None, trials=10): """Exploration phase. Uses thresholds to find exploitable points.""" gnd=0; self.scansetup(1); #Lock the chip, place key in eeprom. - if tstop<0: + if times==None: + tstart=0; tstop=self.client.glitchstarttime(); - times=range(tstart,tstop); + times=range(tstart,tstop); random.shuffle(times); #self.crunch(); count=0.0; @@ -178,10 +181,16 @@ class GoodFETGlitch(GoodFET): rows=c.fetchall(); c.close(); random.shuffle(rows); + print "Exploring %i times." % len(times); + mins={}; + maxes={}; for r in rows: t=r[0]; - min=r[1]; - max=r[2]; + mins[t]=r[1]; + maxes[t]=r[2]; + for t in times: + min=mins[t]; + max=maxes[t]; voltages=range(min,max,1); count=count+1.0; print "%02.02f Exploring %04i points in t=%04i." % (count/total,len(voltages),t); diff --git a/client/goodfet.glitch b/client/goodfet.glitch index 512b04b..6750c8f 100755 --- a/client/goodfet.glitch +++ b/client/goodfet.glitch @@ -28,7 +28,7 @@ sequence for a new chip is as follows. On a sample chip for the same model as the target, 1) Run 'goodfet $chip learn' in order to learn the glitching voltages. 2) Run 'goodfet $chip crunch' in order to precompute glitching ranges. -3) Run 'goodfet $chip explore' to find a time at which to glitch. +3) Run 'goodfet $chip explore [tstart tstop]' to find a time at which to glitch. Then on a chip to be extracted, 3) Run 'goodfet $chip exploit' to exploit a chip and recover its firmware.""" @@ -45,8 +45,8 @@ if(sys.argv[2]=="graph"): if(sys.argv[2]=="points"): glitcher.points(); exit(); -if(sys.argv[2]=="npoints"): - glitcher.npoints(); +if(sys.argv[2]=="rangepoints"): + glitcher.rpoints(); exit(); if(sys.argv[2]=="crunch"): 
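Review bot: Changing the signature from `explore(self,tstart=0,tstop=-1, trials=1)` to `explore(self,times=None, trials=10)` silently reinterprets positional arguments: an older call such as `explore(0,500)` now binds 0 to `times` and 500 to `trials`, and fails only later at `random.shuffle(times)`. The same shuffle reorders a caller-supplied list in place, so copying first with `times=list(times);` avoids surprising the caller. `if times==None:` is better written `if times is None:`. The docstring still describes only the phase; it should state that `times` is an optional sequence of glitch times to visit (defaulting to every time from 0 up to `self.client.glitchstarttime()`) and that `trials` is the number of attempts per point. The indentation of the added `times=range(tstart,tstop);` is not recoverable on this page; it has to sit inside the `if`, since `tstart` and `tstop` are defined only there.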
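Review bot: `min=mins[t]; max=maxes[t];` raises KeyError for any `t` in `times` that has no entry in `rows`, which is now reachable because `times` can come from the caller (the command line passes an arbitrary `tstart tstop` range). Skipping unknown times keeps a long run alive: `if t not in mins: print "No learned range for t=%04i, skipping." % t; continue;`. `random.shuffle(rows)` no longer influences the visiting order, since the rows only fill the two dicts. The progress figure `count/total` may be off if `total` was derived from the row count, which is computed outside this hunk. The loop body continues past the end of the hunk.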
@@ -58,7 +58,11 @@ glitcher.setup(sys.argv[1]); if(sys.argv[2]=="learn"): glitcher.learn(); if(sys.argv[2]=="explore"): - glitcher.explore(); + times=None; + if(len(sys.argv)>=4): + times=range(int(sys.argv[3]), + int(sys.argv[4])); + glitcher.explore(times); if(sys.argv[2]=="exploit"): print "Coming soon."; -- 2.20.1
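Review bot: The guard `if(len(sys.argv)>=4):` is one short: with a single extra argument (`goodfet.glitch $chip explore 100`) it passes and `sys.argv[4]` raises IndexError. Both bounds are required by the `range()` call, so the test should be `if(len(sys.argv)>=5):`. `int()` on a non-numeric argument also raises an unhandled ValueError, and a reversed pair yields an empty range that makes explore() do nothing without saying so. A short usage message for those cases would match the `[tstart tstop]` wording added to the help text.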