Thus by looking at the power consumption, we can determine which password character is wrong. This makes it possible to brute-force the password, since we can guess a single character of the password at a time instead of the whole password at once.
== Scripting the Complete Attack ==
The current script sets up the application, then runs the GUI normally at this line:
As a starting point, the following allows you to manually specify two characters for the password. These characters are sent to the system, and based on a simple power threshold the script decides where the password check failed. This script would be the same as your previous script, but replace the above call with:
<pre>num1 = ord('c')
num2 = ord('f')
# Send the two-character guess to the target over the serial link
ser.write(chr(num1) + chr(num2))
# Capture one power trace while the target checks the password
if cap.scope.capture(update=True, NumberPoints=None, waitingCallback=pe):
    print "Capture OK"
# A wrong byte leaves no dip below the threshold in that byte's sample window;
# the sample ranges and the -0.1 threshold come from our own experiments
if min(cap.scope.datapoints[10000:14000]) > -0.1:
    print "Byte 1 Wrong"
elif min(cap.scope.datapoints[18000:22000]) > -0.1:
    print "Byte 2 Wrong"
else:
    print "Password OK? Check response on serial"
#Disconnect before exit to save grief
</pre>
You will need to adjust the thresholds and possibly data point locations based on your own experiments. With this you should be able to make a script which brute-forces the password by breaking the first byte and then the second byte.
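The following is an added example, not part of the tutorial's own scripts, that carries the per-byte brute force through in full against a simulated target. It assumes a constructed two-character secret, a small character set, and a fake trace generator in place of the real <code>ser.write</code> plus <code>cap.scope.capture</code> calls; the sample windows and the -0.1 threshold are the ones tested above. It also goes one step beyond the page by simulating a constant-time comparison, which is the fix: with no early exit there is no per-byte dip to threshold, and the recovery cannot single out any byte.

```python
import random

# Constructed stand-in for the target in the tutorial: a two-character password
# checked byte by byte. These values are assumptions, not from the page.
SECRET = "cf"
CHARSET = "abcdefghij"
WINDOWS = [(10000, 14000), (18000, 22000)]   # sample ranges tested on the page
THRESHOLD = -0.1                              # page's "no dip below -0.1 => wrong byte"
TRACE_LEN = 25000

def simulate_trace(guess, constant_time=False):
    """Fake trace in place of cap.scope.datapoints: small noise, plus a dip
    inside window i whenever the firmware advanced past password byte i."""
    rng = random.Random(guess)                # deterministic noise per guess
    trace = [rng.uniform(-0.05, 0.05) for _ in range(TRACE_LEN)]
    if constant_time:
        advanced = len(SECRET)                # fixed-time compare: loop always runs to the end
    else:
        advanced = 0                          # early-exit compare: stop at the first mismatch
        while advanced < len(SECRET) and guess[advanced] == SECRET[advanced]:
            advanced += 1
    for start, end in WINDOWS[:advanced]:
        trace[start:end] = [-0.5] * (end - start)   # the extra loop iteration shows as a dip
    return trace

def byte_looks_correct(trace, position):
    """The page's test: a wrong byte leaves no dip in that byte's window."""
    start, end = WINDOWS[position]
    return min(trace[start:end]) <= THRESHOLD

def recover_password(capture):
    """Break one byte at a time. capture(guess) stands in for ser.write plus the
    scope capture. Returns the password, or None when the trace does not
    single out exactly one candidate for a byte (no usable leak)."""
    known = ""
    for position in range(len(WINDOWS)):
        hits = []
        for c in CHARSET:
            guess = known + c + CHARSET[0] * (len(WINDOWS) - position - 1)  # pad to full length
            if byte_looks_correct(capture(guess), position):
                hits.append(c)
        if len(hits) != 1:                    # no leak, or every guess "passes": give up
            return None
        known += hits[0]
    return known

if __name__ == "__main__":
    print("early-exit compare:", recover_password(lambda g: simulate_trace(g)))
    print("constant-time compare:", recover_password(lambda g: simulate_trace(g, constant_time=True)))
```

Against the early-exit target the loop recovers the secret with at most 20 captures instead of 100; against the constant-time target every candidate looks identical and the function returns None.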
== Conclusion ==