Glitching USB Firmware for Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted to get at the firmware — to reverse engineer it, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power-glitching attacks, and if you don’t suffer from a short attention span, watch it; it’s a phenomenal introduction.

Spoiler: the ROM dump comes out in the USB device enumeration strings. Using a ChipWhisperer (second place in the 2014 Hackaday Prize!) and the “FaceWhisperer” add-on board of her own design, [Micah] could send power-supply glitches just as the tablet was identifying itself to the computer. Instead of stopping after the few bytes of the device descriptor, it just kept on going. And going. In fact, in one of the many brute-force attempts, it dumped its ROM twice, making it easy to find the beginning and end of the code stream.
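The doubled dump is what makes the capture analysable: once the same image appears twice back to back, its length is the shift at which the stream overlaps itself. The script below is an added example, not code from [Micah]’s project; it runs that search over a constructed stand-in capture (a fake ROM whose first 18 bytes mimic a USB device descriptor with placeholder vendor/product IDs, streamed two and a bit times) and pulls out a single copy of the image.

```python
"""Recover one ROM image from a glitched, over-long USB descriptor dump.

Added example, not code from the original post. It assumes the capture is
what the article describes: the device descriptor followed by memory the
glitched device kept streaming, with the read pointer wrapping so the ROM
image repeats. All bytes below are constructed, not a real dump.
"""
import hashlib
import random
from typing import Optional

# Constructed stand-in for a small firmware image. The first 18 bytes mimic a
# USB device descriptor (bLength=18, bDescriptorType=1, placeholder IDs).
DESCRIPTOR = bytes([18, 1, 0x00, 0x02, 0, 0, 0, 8,
                    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 0, 1])
_rng = random.Random(1234)
FAKE_ROM = DESCRIPTOR + bytes(_rng.randrange(256) for _ in range(1000))
# The capture as the host would see it: the ROM twice, plus a partial third copy.
CAPTURE = FAKE_ROM * 2 + FAKE_ROM[:300]


def find_repeat_period(data: bytes, min_period: int = 64) -> Optional[int]:
    """Smallest shift p at which the stream overlaps itself exactly.

    If the device wrapped around its ROM, data[i] == data[i + p] for every
    i, where p is the ROM size. min_period filters out short accidental
    repeats (padding, tables of zeros). Returns None when nothing wraps.
    """
    n = len(data)
    for p in range(min_period, n // 2 + 1):
        if data[:n - p] == data[p:]:
            return p
    return None


def recover_image(data: bytes) -> Optional[bytes]:
    """Return one copy of the ROM, or None if the capture never wrapped."""
    # Sanity check: the stream should open with a device descriptor header.
    if len(data) < 18 or data[0] != 18 or data[1] != 1:
        return None
    period = find_repeat_period(data)
    return data[:period] if period else None


def describe(data: bytes) -> dict:
    """Summarise a capture: total length, recovered ROM length, image hash."""
    image = recover_image(data)
    return {"capture_len": len(data),
            "rom_len": len(image) if image else 0,
            "sha256": hashlib.sha256(image).hexdigest() if image else None}


if __name__ == "__main__":
    print(describe(CAPTURE))
```

The recovered image is a rotation of the ROM starting wherever the descriptor table lives, and a ROM that is itself periodic (large blank regions) can yield a shorter period than the true size, so check the result against the chip’s known flash size.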

Next up is disassembling and reversing the software, which is no small feat. We can’t wait to see what [Micah] comes up with.

Thanks to [Ben] and [Tim] for the nearly-simultaneous tips.

36 thoughts on “Glitching USB Firmware for Fun”

    1. Hadn’t heard of the Palm Pilot stuff, but I did look at linux-wacom. Most of it hasn’t been reversed to a deep level; they have some canned requests that put specific tablets into their featureful modes, but my reversing so far has already turned up lots of stuff that is nowhere in any of the public drivers I’ve seen.

    1. A trick as old as digital circuits, one that anyone who has learnt about the need for decoupling caps should know well, but now, thanks to modern tools, affordable to anyone without all the cumbersome custom work.

      Back then we started glitching counters in LED clocks, now they glitch registers of highly complex SoC.

      The beauty is in the implementation and the superb detailed explanation from someone so knowledgeable!

    2. I used to do something similar, as did friends, with Atari 2600 cartridges: flip the power switch quickly and get things like unlimited lives, lots of points and other things.

  1. If you follow her twitter you’ll see she spends over a week editing and creating excellent work. Thank you mikeselectricstuff for turning me onto a great mind… HaD took you long enough -,,.- jk njk nnjk < jk !jk messing

    1. The work she puts into the video shows, it’s polished and information dense at a reasonable pace. That work plus some talent makes for an excellent result. Just the right measure of knowledge for those new to an area of knowledge. There will always be some that complain about the level of detail but those people are the ones you don’t want to ask questions. Nice setup by the way.

    2. “HaD took you long enough” :)

      She’s been a judge for the Hackaday prize, and we’ve covered [scanlime]’s hacks since the ATtiny RFID tag hack of 2011, and were probably one of the first outlets to run a story on her coastermelt project.

      Heck, I wrote up a section on her fadecandy board in my writeup on driving RGB LEDs, but it got cut due to space constraints. It’s still the most sophisticated color driver board/system I’ve ever seen.

      And her vids are all _amazing_. Respect!

      1. Your automatic response proves that the vast majority of any comment section is just angry nonsense. I was having a friendly joking poke not at her never being featured (as I’ve been following for years, both HaD and Micah), only that this wasn’t posted 2-3 days ago when it was released. “!jk jk” etc. Maybe I’m not as funny as I thought I was or possibly a little sleep deprived at the time, but c’mon, I don’t need the well written detailed oversight of what you’ve done. I’m removing myself from all future interaction from this fine establishment. My apologies

  2. I love how she was able to fit the whole process into a 36 minute video. Wonderful to see this kind of commitment into a hack and documentation.
    I had only heard of side-channel attacks, but never saw one in action, and had no idea of the extent of control that is possible by simply glitching the power supply (very precisely).
    Great entertainment and information, thanks!

      1. thanks, I didn’t know of that software. When you say “worth” thousands of dollars, do you mean it costs less but is worth more? They do sell some pretty expensive stuff, and stuff they don’t mention the price of, which is usually a sign of bad things to come!

  3. Very interesting! I bought a used Wacom tablet thingy for next to nothing at a local Goodwill store. Wacom has a habit of not supporting older models with the latest Windows version so they end up in thrift stores and landfills. I also came across one of the hugely expensive professional desktop sized models for a mere 20 euro. Didn’t have the essential pen though so I had to pass.

      1. You’re lucky with the serial-only ones… they have a pretty standard interface and that info is all over the internets, if you can’t figure it out via hyperterminal, etc.
        There are tons of projects to make them useful, but maybe less-so in the Windows-realm. MacOS has TabletMagic, Linux has support, and more… Throw in a USB-Serial dongle and your endeavors are *much* easier than glitching firmware via USB…
        And if you’re looking for a hack-job, the wacom-digitizers in most windows-machines’ LCDs are 3.3V serial, as well… though their protocols sometimes vary slightly, it’s usually not too difficult to figure out.

  4. I’ve seen this done with old embedded gaming devices and calculators to dump ROMs. It works like a use-after-free attack but you use the clock control to make it happen and sometimes it’s a use-before-free.

  5. Wow, I’ve heard of things like this, glitching, and remember, (now that it’s been mentioned) getting some interesting effects from quickly power-cycling vid-games… But to pin it down to anything less than random, to use it for actual dumping of the ROM (or even just increasing your vid-game’s lives) seems like it’d be nothing but chance. Even with precision-timing. There’re interrupts and context-switching, timers whose values will never be the same between consecutive glitch-runs, plausibly a core that runs at a different speed than the memory-accesses… There’s a ton of amazingly precise science going on here, but then, the USB descriptor mightn’t’ve been loaded from ROM, at all, but plausibly from static variables… in which case not a ROM-dump, but a RAM-dump. Or maybe a different memory-space entirely (eeprom?). And, if that weren’t enough, what’s causing that counter to go sequential in the first place… we’ve already glitched it to the point of skipping its end-point, one variable/instruction destroyed, how do we know this thing is outputting data sequentially at all? It’s like using tremendous amounts of highly sophisticated scientific equipment to locate a unicorn. And yet, from the sounds of it, it’s not only been done, but people do it somewhat regularly. Wow!

    1. You should look how similar CPU clock dumps are to ring-0 vulnerability exploitation on x86. It’s mostly DMA and interrupt-changes so even if you find something it’s usually impractical to exploit reliably.
