import logging
import random
import sys
import time

import numpy as np
import serial
from tqdm import tnrange, tqdm

from pulsegen import PicoPulseGen
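# Open serial interface
# I'm using this to detect when the glitch was successful
#
# Module logger. The script emits INFO/DEBUG records but never configured
# logging (and `logger` was never defined), so they would have been dropped;
# configure the root logger at DEBUG so every record below is visible.
logging.basicConfig(level=logging.DEBUG, format='%(asctime)s %(levelname)s %(message)s')
logger = logging.getLogger(__name__)

try:
    ser = serial.Serial('/dev/ttyUSB0', 115200)
except Exception as e:
    # Keep the user-facing message, but also record the underlying error and
    # exit non-zero so a calling shell/CI can tell the run failed.
    print('Could not open /dev/ttyUSB0')
    logger.error('Serial open failed: %s', e)
    sys.exit(1)

# Connect to modchip
try:
    glitcher = PicoPulseGen('/dev/ttyACM0')
    logger.info('Connected to modchip')
    # You have to figure out the trig_edges parameter
    # You have to figure out ranges for the pulse_offset and pulse_width parameters
    glitcher.trig_edges = 0
    glitcher.pulse_offset = 0
    glitcher.pulse_width = 0
    glitcher.set_gpio(0)
except Exception as e:
    print('Could not connect to modchip')
    logger.error('Modchip connect failed: %s', e)
    # The serial port was opened successfully above; release it before leaving.
    ser.close()
    sys.exit(1)

input("Press enter to start.")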
def generator():
    """Yield ``None`` forever.

    Serves as an endless iterable so ``tqdm`` can display a running attempt
    counter without a known total; the consuming loop decides when to stop.
    """
    while 1:
        yield None
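# Timing values hoisted from the inline literals so they are named in one place.
TRIG_TIMEOUT_S = 5            # modchip disarms itself if no trigger arrives within this time
SECOND_STAGE_DELAY_S = 0.55   # have to wait for the second stage to start to see serial output
COOLDOWN_S = 0.1              # pause after disabling the regulator before the next attempt
SUCCESS_MARKER = b'LENNERT'   # my BL2 has been modified to print LENNERT on success

# NOTE(review): the source indentation was lost; the arm/read sequence is taken
# to run on every attempt while the pulse parameters are re-drawn every 10
# attempts. Confirm against the original layout.
success = False
idx = 0
glitch_width = glitch_offset = None
data = b''
try:
    # `enumerate` replaces the hand-maintained counter: idx is the index of the
    # current attempt, so on `break` it still names the successful attempt.
    for idx, _ in enumerate(tqdm(generator())):
        if idx % 10 == 0:
            # Pulse width and offset are expressed in number of cycles of the PIO state machine operating frequency (default in the provided fw is 250MHz).
            glitch_width = random.randint(A, B)  # You have to figure out good ranges here
            glitch_offset = random.randint(C, D)
            glitcher.pulse_offset = glitch_offset
            glitcher.pulse_width = glitch_width

        ser.reset_input_buffer()
        glitcher.arm()  # Arm the modchip, it will try to power up the UT and will wait for the number of set trigger pulses to occur before inserting a glitch
        glitcher.wait_trig(timeout=TRIG_TIMEOUT_S)  # Waits for the modchip to signal it has triggered. The modchip will be disarmed if no glitch has occurred within the timeout.
        time.sleep(SECOND_STAGE_DELAY_S)
        data = ser.read(ser.in_waiting)
        if SUCCESS_MARKER in data:  # a check to determine if the glitch was successful
            success = True
            break
        glitcher.set_gpio(0)  # Disables the core voltage regulator. The modchip firmware will re-enable the regulator automatically on the next glitch attempt.
        time.sleep(COOLDOWN_S)
finally:
    # The loop only ends via `break` or an exception (typically KeyboardInterrupt
    # during a long campaign); release both devices on every exit path instead of
    # only after a successful run.
    ser.close()
    glitcher.close()

if success:
    print('Glitch successful!')
    # Lazy %-args: the logger formats only if DEBUG is enabled.
    logger.debug('%d, %d, %d', idx, glitch_width, glitch_offset)
    logger.debug(data.decode('utf-8', 'ignore'))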