GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → denandz → Lpc_sniffer_tpm

denandz / Lpc_sniffer_tpm

Licence: gpl-3.0
A low pin count sniffer for ICEStick - targeting TPM chips

Labels

verilog

Projects that are alternatives of or similar to Lpc sniffer tpm

Symbiflow Examples
Example designs showing different ways to use SymbiFlow toolchains.
Stars: ✭ 71 (-21.98%)
Mutual labels:  verilog
Toooba
RISC-V Core; superscalar, out-of-order, multi-core capable; based on RISCY-OOO from MIT
Stars: ✭ 79 (-13.19%)
Mutual labels:  verilog
Xilinx Serial Miner
Bitcoin miner for Xilinx FPGAs
Stars: ✭ 83 (-8.79%)
Mutual labels:  verilog
Vt52 Fpga
Stars: ✭ 75 (-17.58%)
Mutual labels:  verilog
Minimig Aga mister
Stars: ✭ 77 (-15.38%)
Mutual labels:  verilog
Homotopy
Homotopy theory in Coq.
Stars: ✭ 79 (-13.19%)
Mutual labels:  verilog
J1sc
A reimplementation of a tiny stack CPU
Stars: ✭ 64 (-29.67%)
Mutual labels:  verilog
Oldland Cpu
Oldland CPU - a 32-bit RISC FPGA CPU including RTL + tools
Stars: ✭ 90 (-1.1%)
Mutual labels:  verilog
Ustc Rvsoc
FPGA-based RISC-V CPU+SoC.
Stars: ✭ 77 (-15.38%)
Mutual labels:  verilog
Vsdflow
VSDFLOW is an automated solution to programmers, hobbyists and small scale semiconductor technology entrepreneurs who can craft their ideas in RTL language, and convert the design to hardware using VSD (RTL-to-GDS) FLOW. VSDFLOW is completely build using OPHW tools, where the user gives input RTL in verilog. From here on the VSDFLOW takes control, RTL is synthesized (using Yosys). The synthesized netlist is given to PNR tool (Qflow) and finally Sign-off is done with STA tool (using Opentimer). The output of the flow is GDSII layout and performance & area metrics of your design. VSDFLOW also provide hooks at all stages for users working at different levels of design flow. It is tested for 30k instance count design like ARM Cortex-M0, and can be further tested for multi-million instance count using hierarchical or glue logic.
Stars: ✭ 82 (-9.89%)
Mutual labels:  verilog
Computerarchitecturelab
This repository is used to release the Labs of Computer Architecture Course from USTC
Stars: ✭ 75 (-17.58%)
Mutual labels:  verilog
Antikernel
The Antikernel operating system project
Stars: ✭ 75 (-17.58%)
Mutual labels:  verilog
Cpu
A very primitive but hopefully self-educational CPU in Verilog
Stars: ✭ 80 (-12.09%)
Mutual labels:  verilog
Cpus Caddr
FPGA based MIT CADR lisp machine - rewritten in modern verilog - boots and runs
Stars: ✭ 72 (-20.88%)
Mutual labels:  verilog
Wujian100 open
IC design and development should be faster,simpler and more reliable
Stars: ✭ 1,252 (+1275.82%)
Mutual labels:  verilog
Jt gng
CAPCOM arcade hardware accurately replicated on MiST and MiSTer FPGA platforms. It covers Ghosts'n Goblins, 1942, 1943, Commando, F1-Dream, GunSmoke, Tiger Road, Black Tiger, Bionic Commando, Higemaru, Street Fighter and Vulgus.
Stars: ✭ 65 (-28.57%)
Mutual labels:  verilog
C65gs
FPGA-based C64 Accelerator / C65 like computer
Stars: ✭ 79 (-13.19%)
Mutual labels:  verilog
Ivtest
Regression test suite for Icarus Verilog.
Stars: ✭ 90 (-1.1%)
Mutual labels:  verilog
Hoodlum
A nicer HDL.
Stars: ✭ 88 (-3.3%)
Mutual labels:  verilog
Ponylink
A single-wire bi-directional chip-to-chip interface for FPGAs
Stars: ✭ 80 (-12.09%)
Mutual labels:  verilog
View All Similar Projects ➔

TPM Specific lpc sniffer (low pin count) for ice40 stick

Turn the ice40 stick into a LPC sniffer, only logging TPM specific messages. This repository is a duplicate of https://github.com/lynxis/lpc_sniffer/, with modifications made to only log messages with start field 0101 and address between 24 and 27.

This project was used to extract BitLocker VMK keys by sniffing the LPC bus when BitLocker was enabled in it's default configuration. More information is available in this post.

features

  • i/o read + writes
  • memory read + writes
  • sync errors

How to use

  1. modify EEPROM of the FTDI and enable OPTO mode on Channel B
  2. program lpc_sniffer.bin into your ice40 by iceprog lpc_sniffer.bin
  3. note: previous command can be replace by make install
  4. connect the LPC bus
  5. extract LPC data: python3 ./parse/read_serial.py /dev/ttyUSB1 | tee outlog
  6. extract key from data: cut -f 2 -d' outlog | grep '2...00$' | perl -pe 's/.{8}(..)..\n/$1/' | grep -Po "2c0000000100000003200000(..){32}"

what connectors are used on the IceStick?

  • J1 connector
	VCC 3.3|NC 1
	GND        2
	lpc_clock  3
	lpc_ad[0]  4
	lpc_ad[1]  5
	lpc_ad[2]  6
	lpc_ad[3]  7
	lpc_frame  8
	lpc_reset  9
  • uart output over the ftdi

LEDs

	For orientation: the usb port points south:
	green in the middle: overflow_led

overflow_led when internal buffer is full. No more LPC frames are decoded

Uart protocol

The LPC sniffer will write out frames onto the second uart of FTDI with 921600 baud.

format

  • 4 byte: address
  • 1 byte: data
  • 1 byte: 0-3bits: direction+type, 4-7: errorcode
  • 2 byte: '\r\n'

error codes

An error code is decoded in 4 bits

  • 0001 - sync timeout.

Internal documentation

A LPC frame will:

  1. decoded by the LPC decoder
  2. saved into the internal memory
  3. padded by \r\n
  4. written onto uart

in memory layout

The internal memory is used as 48bit addressable memory. 48 bit is exact one lpc frame

  • 4 byte: address
  • 1 byte: data
  • 1 byte: direction/type + error code

internal buffer

The LPC sniffer is using an internal buffer. When the internal buffer is full, new frames will be discarded. The green LED in the middle will turn on. The internal buffer can save up to 2**10 lpc frames (1024).

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].