setup:
i am using cw-lite, cw308 and an empty cw308t.
my goal is to glitch an android bootloader.
to do so, i have to send “fastboot oem unlock” commands via usb to the actual target and afterwards either glitch via vcc_in or via clock. there is no other interface available. thus i want to connect the actual target to the cw308t, which itself is then connected to the cw308.
i would like to know, if there is a possibility to “route” the usb commands from the cw-lite over the cw308/308t directly to the actual target?
after a short research i was not able to find anything regarding this issue but i guess that i am not the only one who want to do sth. similar.
i am really new into this so it would be great if someone might provide me with additional information on how to reach my goal.
Hi,
Can you better describe the composition of your glitching setup? E.g. the USB commands that you want to send to the target: where do they originate? How does CW-lite talk to your target? What are you triggering on?
Also, check out the PhyWhisperer-USB project that we’ll be rolling out soon. It may make things easier for you .
i am not at home until beginning of next week, so i can sadly not provide you with some detailled photography.
anyhow, i tried to create a small diagram that should represent my current situation.
i want to send fastboot commands to dut and while the dut is executing these commands do some glitching. then finally i want observe if there is some “interesting” behaviour observable.
i have currently no idea, how i could connect my dut to the cw308 so that the dut receives commands on its usb interface and responds to these again on the usb interface. (like in the attached diagram)
i have read in some other post that you need some additional hardware (like greatFET) to realize this in general.
i found this just after creating my post.
but yeah anyhow, maybe someone can think of an other scenario, in which i d not necessarily have to buy new hardware again.
the phywhisperer-usb looks pretty cool! this should make things way easier…
definitely will have a closer look when someday in near future i am not a poor student anymore
Hi,
So unfortunately the CW-lite wasn’t built for what you have in mind; it was designed to talk to its target using a slow serial link. It cannot “talk” USB beyond its host interface. USB links can’t be routed over arbitrary I/O lines, they need to be driven by what’s called a PHY. The cw-lite has one that it uses to communicate with the host. It would need a second one to forward USB traffic to your target.
That’s the bad news. The good news is that the PhyWhisperer-USB is exactly what you need!
PhyWhisperer passively eavesdrops on the USB traffic between the host machine and the target; it can be programmed to issue a trigger when it sees a pre-determined message (e.g. your fastbook oem unlock message). That trigger can then be used by your existing CW-lite to issue a Vcc or clock glitch.
.
