A low pin count sniffer for ICEStick - targeting TPM chips
Latest commit 6ad062f Mar 12, 2019

TPM Specific lpc sniffer (low pin count) for ice40 stick

Turn the ice40 stick into an LPC sniffer that logs only TPM-specific messages. This repository is a duplicate of https://github.com/lynxis/lpc_sniffer/, modified to log only messages with start field 0101 and address 24.

This project was used to extract BitLocker VMK keys by sniffing the LPC bus when BitLocker was enabled in its default configuration. More information is available in this post.

features

  • i/o read + writes
  • memory read + writes
  • sync errors

How to use

  1. modify EEPROM of the FTDI and enable OPTO mode on Channel B
  2. program top.bin into your ice40 by iceprog lpc_sniffer.bin
  3. connect the LPC bus
  4. python3 ./parse/read_serial.py /dev/ttyUSB1

what connectors are used on the IceStick?

  • J1 connector
	VCC 3.3|NC 1
	GND        2
	lpc_clock  3
	lpc_ad[0]  4
	lpc_ad[1]  5
	lpc_ad[2]  6
	lpc_ad[3]  7
	lpc_frame  8
	lpc_reset  9
  • uart output over the ftdi

LEDs

	For orientation: the usb port points south:
	green in the middle: overflow_led

overflow_led lights when the internal buffer is full. No more LPC frames are decoded.

Uart protocol

The LPC sniffer writes frames to the second UART of the FTDI at 921600 baud.

format

  • 4 byte: address
  • 1 byte: data
  • 1 byte: bits 0-3: direction+type, bits 4-7: error code
  • 2 byte: '\r\n'

error codes

An error code is encoded in 4 bits.

  • 0001 - sync timeout.
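
A host-side decoder for the frame format above, as an added example that is not part of this repository's parse/ scripts. It assumes the address is sent big-endian and that "bits 0-3" means the low nibble of the flags byte (the README states neither); the sample bytes are constructed.

```python
import struct
from typing import NamedTuple

FRAME_LEN = 8            # 4 address + 1 data + 1 flags + "\r\n"
ERR_SYNC_TIMEOUT = 0x1   # error code 0001 listed in the README

class Frame(NamedTuple):
    address: int
    data: int
    dir_type: int   # assumed: low nibble of the flags byte
    error: int      # assumed: high nibble of the flags byte

def parse_frames(buf: bytes):
    """Decode fixed-length frames; return (frames, skipped, leftover).

    The terminator is checked at a fixed offset instead of splitting on
    "\\r\\n", because the data byte itself may be 0x0d or 0x0a. On a
    mismatch one byte is dropped and counted so the caller can see that
    bytes were lost on the serial link. The resync is heuristic.
    """
    frames, skipped, i = [], 0, 0
    while i + FRAME_LEN <= len(buf):
        if buf[i + 6:i + 8] != b"\r\n":
            i += 1
            skipped += 1
            continue
        # Assumption: address is sent most significant byte first.
        address, data, flags = struct.unpack(">IBB", buf[i:i + 6])
        frames.append(Frame(address, data, flags & 0x0F, flags >> 4))
        i += FRAME_LEN
    return frames, skipped, buf[i:]  # leftover: prepend to the next read

# Constructed sample stream (not captured from hardware).
SAMPLE = (
    bytes.fromhex("000000240d00") + b"\r\n"    # data byte equals '\r'
    + bytes.fromhex("000000240a10") + b"\r\n"  # data '\n', error 0001
    + b"\xff"                                  # stray byte: forces resync
    + bytes.fromhex("000000242c00") + b"\r\n"
    + bytes.fromhex("000000")                  # truncated trailing frame
)

if __name__ == "__main__":
    frames, skipped, leftover = parse_frames(SAMPLE)
    for f in frames:
        note = " sync timeout" if f.error == ERR_SYNC_TIMEOUT else ""
        print(f"addr={f.address:#010x} data={f.data:#04x} "
              f"type={f.dir_type:#x} err={f.error:#x}{note}")
    print(f"skipped={skipped} leftover={leftover.hex()}")
```

A non-zero skipped count means the stream lost alignment at some point, so frames next to the gap should be treated as suspect.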

Internal documentation

An LPC frame will be:

  1. decoded by the LPC decoder
  2. saved into the internal memory
  3. padded by \r\n
  4. written onto uart

in memory layout

The internal memory is used as 48-bit addressable memory; 48 bits is exactly one LPC frame.

  • 4 byte: address
  • 1 byte: data
  • 1 byte: direction/type + error code

internal buffer

The LPC sniffer uses an internal buffer. When the buffer is full, new frames are discarded and the green LED in the middle turns on. The buffer can hold up to 2**10 (1024) LPC frames.