Here is the finished Timing Attack, I have added a couple of options
Super Sample, will take a number of measurements and then average them before giving the result to the timing attack algorithm. Only useful if you have crappy hardware (like me). You should set this to '1' by default
Satistics mode, useful for debug & nerds only
Useage: DGTool SS File [X YY..YY]
File is "downgrader" flash image
SS is the "Super Sample" count, for now use 1 (unless you like waiting for stuff)
Optionally X YY..YY will restart with X bytes;
of guessed hash YY..YY
iDGTool 1 1888.bin will run the downgrader using SS = 1 and the file 1888.bin
iDGTool 1 1888.bin 5 AABBCCDDEE will run the downgrader using SS = 1 and the file 1888.bin with 5 bytes of the hash set to AABBCCDDEE
Finally, I have included the "statistics" option. Once you have guessed a good hash (and made a back up of it of course) you can measure how accurately your setup is performing.
iDGTool SS boots.bin X
Will run the timing measurement X times for each of the hash bytes and record the results in a sStats.cvs file. Again SS = 1
You are on a Spree my friend, Infectus Timing Attack - Improved Infectus Timing Attack - Finished Infectus Timing Attack. Keep up the great work.
By the way, I'm going to build my addon, and got a question, can I just remove R6T3, do the Timming Attack, get my cpu key, put R6T3 back an not bother modifying LDVs?. (I have already a Nand Backup) or should I not remove R6T3?.