09:02 <Wanda[cis]> hmm

09:02 <Wanda[cis]> I: g.applet.program.avr.spi: device signature: 1e 94 82 (unknown)

09:02 <Wanda[cis]> [...]

09:02 <Wanda[cis]> AttributeError: 'NoneType' object has no attribute 'erase_time'

09:03 <Wanda[cis]> okay time for a detour

09:20 <Wanda[cis]> welp. I think I added the device properly, but unfortunately the lock bits on the device are in the nekophobic configuration

09:29 <altracer[m]> How about userspace HID input proxy? Like CMSIS-DAP v1, and there will be a queue to buffer multiple transitions

09:30 <Wanda[cis]> ... HID proxy?

12:47 <altracer[m]> Wanda: I can't help you with avr other than "apply high voltage programming"

12:47 <Wanda[cis]> does this help with lock bits?

12:47 <Wanda[cis]> because I doubt that

12:48 <altracer[m]> Grazfather: do you want to just patch through some FTDI MPSSE emulation, or also spin some debugger logic on Glasgow?

12:48 <Wanda[cis]> right. speaking of JTAG on glasgow.

12:49 <Wanda[cis]> I'd be very interested in having a better JTAG remote protocol in glasgow

12:49 <Wanda[cis]> for my own purposes

12:49 <Wanda[cis]> it's going to become a blocker for prjcombine at some point in reasonably near future

12:50 <Wanda[cis]> the problem is, I have no idea what protocol to use; quite possibly the answer is "go and design one"

12:51 <Wanda[cis]> MPSSE-over-TCP could be viable I guesssss, but also fuck FTDI

12:52 <altracer[m]> Wanda: ATmega lock bits and boot lock bits were designed for readout protection, not bricking (as in stm32f4 rdp2), you can always full-chip erase, losing program contents

12:52 <Wanda[cis]> one thing that's reasonably simple at least is the xilinx virtual cable protocol

12:52 <Wanda[cis]> but ehh.

12:53 <Wanda[cis]> also not particularly inspiring

12:53 <Wanda[cis]> altracer[m]: the problem is that I am very specifically interested in reading out the firmware from the device I have on paw

12:53 <altracer[m]> Wanda: then you can try glitching (voltage fault injection)

12:55 <Wanda[cis]> yeahhh I'm considering this

12:55 <Wanda[cis]> not quite sure how to approach it though

12:56 <Wanda[cis]> at least I have multiple copies of this devboard, so not a big problem if I destroy one

12:56 <altracer[m]> outsource to chinese experienced companies or DIY?

12:57 <altracer[m]> obtain a Hextree Faultier (rp2040+crowbar mosfets), write some python, desolder filtercaps, set to bruteforce for some hours

12:58 <altracer[m]> a Glasgow may be better and more flexible for this

12:58 <Wanda[cis]> any idea how likely it is to destroy the AVR this way?

12:58 <altracer[m]> they're very robust compared to 90nm cortexm

12:59 <altracer[m]> it's not HVpp (applying 12v) but crowbar (dipping 3.3v Vdd)

13:07 <vegard_e[m]> having dealt with a few different ones, I think the ones I prefer are the ones that encode a sequence of «do n clocks with this tms level and this bit sequence on tdi, with optional tdo capture»

13:07 <vegard_e[m]> tdi sequence could probably also be optional

13:12 <Wanda[cis]> yeah, that's what I'd want as well

13:13 <Wanda[cis]> you give either a bitvec or a const value to put on tdi, another bitvec or const for tms, and a flag whether you care about tdo

13:13 <Wanda[cis]> that said

13:13 <Wanda[cis]> if I was actually designing a proper remote protocol, I'd want it to be a bit more featureful

13:14 <Wanda[cis]> at the very least: remote sleep, set/get TCK frequency

13:15 <Wanda[cis]> also GPIO get/set for some devices

13:15 <galibert[m]> is remote sleep something else that just not changing anything?

13:16 <Wanda[cis]> and if I was designing it with a larger scope than just glasgow, I'd really want the protocol to give you metadata about the device's capabilities and any board vendor/product IDs you have available

13:17 <Wanda[cis]> galibert[m]: remote sleep is specifically about ensuring that the device performs the delay after previous command and before next command; when you have a protocol that supports proper batching and have a target that needs delays for some reason, it is crucial that you use the remote sleep command, and not just `usleep()` call within client code

13:17 <galibert[m]> interesting

13:18 <galibert[m]> you meant sleep as in "wait", not "sleep state", I understand now

13:18 <Wanda[cis]> you don't want your delays to get fucked up because of TCP/IP network farts

13:18 <galibert[m]> or, well, delay

13:21 <altracer[m]> bridge/firmware delay is far more deterministic than desktop, and that's important in flash ops and resets

13:23 <Wanda[cis]> yeah that too

13:23 <Wanda[cis]> though if you also need to ensure a minimum delay somewhere, it gets more complicated, as you need to design a "corking" protocol where stuff doesn't start getting executed on the probe until the whole command batch is buffered

13:24 <Wanda[cis]> and that gets annoyingly complex because now you have to think about buffer sizes

13:26 <Wanda[cis]> Wilfried "Wonka" Klaebe: I was talking about a hypothetical remote JTAG protocol right now, not the glitching

13:26 <WilfriedWonkaKla> it's an FPGA. one could implement the complete glitching attack in risc-v code and execute it on the glasgow itself...

13:26 <WilfriedWonkaKla> or micropython

14:21 <altracer[m]> pico-glitcher is implemented in rp2040 micropython, afaik

17:09 <grazianom[m]> That's HID? How would the applet communicate with it?

17:09 <grazianom[m]> FTDI or whatever. I don't know anything. I am just proposing anything better than bit banging

17:24 <altracer[m]> I have a Huion H1060P graphical EMR tablet (possibly running on some USB FS GD32F1), and in Linux the official app creates a uinput HID device even in absence of tablet. I can't always compile, sign and insmod Digimend hid-uclogic.ko (which works fine)

17:26 <altracer[m]> I don't know the Python parts of Glasgow architecture, however if it connects to FX2LP bridge using only bulk endpoints and libusb, then implementing debugger interface could be done via a virtual device generated by said python parts (not writing a libfx2 hid firmware etc.)

17:28 <altracer[m]> Consider OpenOCD and BMDA, most their backend drivers flush some command queue (sometimes with depth of 1) through write/read methods which 90% boil down to libusb1 calls and therefore kernel syscalls (10% use libgpiod or spidev userspace). I don't think they work with downstream TCP sockets like JLink server or STLink Shared server (but could be ported to)

18:05 <threeflour[m]> It uses bulk endpoints and libusb for reading/writing to the in/out fifos

18:08 <altracer[m]> Just 2 and 6, no dynamic configuration?

18:08 <altracer[m]> I would not wish on anyone to write undebuggable 8051 firmware that has to speak USB HS, Composite Device, on multiple endpoints and interfaces. It's not like it has enough packet memory to do that anyways. The FX1/2/2LP appnote highlights some inflexibility.

18:17 <threeflour[m]> I don't remember the endpoint numbering offhand. There are two bulk in and two out endpoints. I think the ones used are always the same unless more than one applet is ran simultaneously.

22:55 <dualtachyon[m]> hmm, are you the same SamIAm that made that jlink-clone unbricker?

23:03 <threeflour[m]> That's a different one.