later on there are ai generated docs...
altium link.. there is an eror on one of the leds on the charlieplex'd leds... also the 3 pin JST SWD is reversed . https://365.altium.com/files/01BF9671-6FB8-4A9E-9FD1-49A52BA8D165
first flash drive appears as RPI-RP2 copy the uf2 file to it, after that use the system command to reboot to the dfu or hold the RP-BOOT button during power on or a reset cycle
the pico-ice can be used to test the fpga.
https://a360.co/4dxIxcs terminal is CR, so do cr/lf conversion.
for 3v3 control the pads need to be soldered on the pcb,
switch_pwr
short 1-2
glitch_ctrl
solder all three
short 1-2-3
3cv3_ctrl
short 1-2-3
fet
short 1-2-3
thea re two pots vr1, vr2 , vr1 changes run votlage of vtg, vr2 controls the low voltage
diag scripts will find
Found serial ports: crw-rw-rw- 1 root wheel 0x9000003 May 25 08:40 /dev/cu.usbmodem1202
first serial port is the CDC crw-rw-rw- 1 root wheel 0x9000005 May 25 08:40 /dev/cu.usbmodem14301
is for hook up to the fpga etc crw-rw-rw- 1 root wheel 0x9000009 May 25 08:40 /dev/cu.usbmodem14303
adc streaming , two adc's interlevaed see the adc python script
crw-rw-rw- 1 root wheel 0x9000007 May 25 08:40 /dev/cu.usbmodem14305
the adc streaming is seperate and always runs
// run it python adc_stream_reader.py /dev/cu.usbmodem14305
// pack ADC values into buffer
- #define HEADER_BYTE 0xAA
- #define PACKET_SIZE 5
- void pack_adc_values(uint16_t _adc0, uint16_t _adc1, uint8_t seq, uint8_t* buffer) {
- buffer[0] = HEADER_BYTE; // header byte for synchronization
- buffer[1] = seq; // sequence number
-
buffer[2] = _adc0 & 0xFF; // low 8 bits of adc0 -
buffer[3] = ((_adc0 >> 8) & 0x0F) | // high 4 bits of adc0 -
((_adc1 & 0x0F) << 4); // low 4 bits of adc1 -
buffer[4] = (_adc1 >> 4) & 0xFF; // high 8 bits of adc1 - }
tats for LayerOne2025 codebase:
Files by type:
- C (.c): 57 files
- Headers (.h): 48 files
- Python (.py): 25 files
- Markdown (.md): 17 files
- Shell scripts (.sh): 8 files
Code metrics:
- Total lines of code: ~30,383 lines
- Total commits: 82
- Contributors: 2 (charliex: 82)
Top directories:
- Root directory (372 files)
- cli/ (42 files)
- docs/ (12 files)
The LayerOne 2025 GLiTCh BadgE is a versatile hardware hacking platform designed for security researchers, hardware enthusiasts, and anyone interested in exploring digital electronics. It combines a powerful RP2040 microcontroller with specialized hardware for glitching, debugging, and interfacing with other devices.
- RP2040 Microcontroller - Dual-core ARM Cortex-M0+ processor
- ICE40 FPGA - Programmable logic for custom hardware implementations
- Voltage Glitcher - For performing precise voltage glitching attacks
- Crowbar Circuit - For power line manipulation
- SWD Interface - For debugging ARM-based targets
- AVRISP - For programming AVR microcontrollers
- Analog Monitoring - For capturing and analyzing signals
- Multiple USB Modes - Normal, DAP, and DFU modes for different use cases
- Basic Logic Analyser - Simple 12 bit LA at about 10khz
Comprehensive documentation is available in the docs directory:
- Quick Start Guide - Get up and running with your badge
- CLI User Guide - Learn how to use the Command Line Interface
- USB Modes Guide - Understand the different USB modes
- Hardware Hacking Guide - Explore the hardware hacking features
- Glitching Techniques Guide - Detailed guide on voltage, reset, and crowbar glitching
- ADC Signal Analysis Guide - How to use the ADC for signal capture and analysis
- AVRISP Programming Guide - Program AVR microcontrollers with the badge
- Documenting Research - Best practices for documenting hardware security research
- Command Reference - Quick reference for all CLI commands
- Case Studies - Real-world examples of hardware security vulnerabilities
- nRF52 Glitch Attack - Voltage glitching attack on Nordic's BLE SoC
- Python 3.6 or higher
- PySerial library (
pip install pyserial) - PyOCD for debugging (
pip install pyocd)
-
Clone this repository:
git clone [email protected]:charlie-x/LayerOne_2025.git cd LayerOne_2025 -
Connect your badge to your computer using a USB-C cable Either use the RP-BOOT switch to put the badge into RPI-RP2 mode while its in reset, or switch on. or if its already flashed you can use system dfu command on the badge itself, copy the uf2/layerOne2025.uf2 file to the RPI-RP2 folder, use -X if you use cp in Mac OS
-
Run the CLI terminal:
python3 cli_terminal.py
Once connected to the CLI, you can use commands like:
help # Show available commands
status # Show badge status
rgb on # Turn on the RGB LED
usb mode dap # Switch to DAP mode
For a complete list of commands, see the Command Reference.
The badge supports three USB modes:
- Normal Mode (default) - 3 CDC interfaces + Mass Storage
- DAP Mode - CMSIS-DAP debugging interface + CDC
- DFU Mode - Device Firmware Update mode
To switch between modes, use the usb mode command:
usb mode normal # Switch to normal mode
usb mode dap # Switch to DAP mode
usb mode dfu # Switch to DFU mode
use command
adc_stream la
To build the firmware:
./build.sh
To build and flash the firmware:
./build_and_flash.sh
To run the USB mode tests:
python3 test_usb_modes.py
We welcome contributions to improve the badge and its documentation! Please see the Contributing Guide for details on how to contribute.
The LayerOne 2025 GLiTCh BadgE firmware and hardware designs are licensed under MIT License.
The LayerOne 2025 GLiTCh BadgE was created by NullSpaceLabs for the LayerOne 2025 conference. Special thanks to all the contributors and the hardware hacking community for their support and inspiration.
- Website: nullspacelabs.com
- Email: [email protected]
- Twitter: @nullspacelabs