An Analog Charge Pump Fabrication-Time Attack Compromises A Processor

We are all used to malicious software: computers and operating systems compromised by viruses, worms, or Trojans. It has become a fact of life, and a whole industry of virus-checking software exists to help users defend against it.

Underlying our concerns about malicious software is an assumption that the hardware is inviolate: that the computer itself cannot be inherently compromised. It’s a false one though, as it is perfectly possible for a processor or other integrated circuit to have a malicious function included in its fabrication. You might think that such functions would not be included by a reputable chip manufacturer, and you’d be right. Unfortunately though, because the high cost of chip fabrication means that the semiconductor industry is a web of third-party fabrication houses, there are many opportunities during which extra components can be inserted before the chips are manufactured. University of Michigan researchers have produced a paper on the subject (PDF) detailing a particularly clever attack on a processor that minimizes the number of components required through clever use of a FET gate in a capacitive charge pump.

On-chip backdoors have to be physically stealthy, difficult to trigger accidentally, and easy to trigger by those in the know. Their designers will find a line that changes logic state rarely, and enact a counter on it such that when they trigger it to change state a certain number of times that would never happen accidentally, the exploit is triggered. In the past these counters have been traditional logic circuitry, an effective approach but one that leaves a significant footprint of extra components on the chip for which space must be found, and which can become obvious when the chip is inspected through a microscope.

The University of Michigan backdoor is not a counter but an analog charge pump. Every time its input is toggled, a small amount of charge is stored on the capacitor formed by the gate of a transistor, and eventually its voltage reaches a logic level such that an attack circuit can be triggered. They attached it to the divide-by-zero flag line of an OR1200 open-source processor, from which they could easily trigger it by repeatedly dividing by zero. The beauty of this circuit is both that it uses very few components, so it can hide more easily, and that the charge leaks away with time, so it cannot persist in a state likely to be accidentally triggered.
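To make the difference from a logic counter concrete, here is a small behavioural model of a leaky charge accumulator next to a plain toggle counter. It is an added example, not code or figures from the paper: the step size, leakage time constant, threshold and counter limit are all constructed values, and the function names are hypothetical.

```python
import math

# All component values below are constructed for illustration; they are not
# taken from the paper or from any real circuit.
STEP = 0.05      # fraction of the remaining headroom added per toggle
TAU = 1e-3       # leakage time constant, in seconds
V_TRIG = 0.6     # normalised gate voltage at which the trigger output flips


def analog_trigger(toggle_times, step=STEP, tau=TAU, v_trig=V_TRIG):
    """Model the leaky charge accumulator.

    Returns (fired_at, peak): the 1-based toggle index at which the threshold
    was crossed (None if it never was) and the highest voltage reached.
    """
    v, peak, prev = 0.0, 0.0, None
    for i, t in enumerate(sorted(toggle_times), start=1):
        if prev is not None:
            v *= math.exp(-(t - prev) / tau)   # charge leaks away between toggles
        v += step * (1.0 - v)                  # each toggle pumps in a little charge
        peak = max(peak, v)
        if v >= v_trig:
            return i, peak
        prev = t
    return None, peak


def counter_trigger(toggle_times, count=19):
    """Digital counter trigger for contrast: only the total matters, not timing."""
    return count if len(toggle_times) >= count else None


def burst(n, period, start=0.0):
    """n toggle timestamps spaced `period` seconds apart."""
    return [start + k * period for k in range(n)]


if __name__ == "__main__":
    cases = {
        "rapid burst, 1 us apart": burst(100, 1e-6),
        "sparse, 1 ms apart": burst(10_000, 1e-3),
        "two short bursts, 10 ms gap": burst(15, 1e-6) + burst(15, 1e-6, 0.01),
    }
    for name, times in cases.items():
        fired, peak = analog_trigger(times)
        print(f"{name:28s} analog={fired} peak={peak:.3f} "
              f"counter={counter_trigger(times)}")
```

With these values, ten thousand widely spaced toggles never lift the modelled voltage above a small fraction of the threshold, while a counter would have fired long before. That is why a functional test suite that only occasionally raises the flag line is unlikely to expose a trigger of this kind.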

The best hardware hacks are those that are simple, novel, and push a device into doing something it would not otherwise have done. This one has all that, for which we take our hats off to the Michigan team.

If this subject interests you, you might like to take a look at a previous Hackaday Prize finalist: ChipWhisperer.

[Thanks to our colleague Jack via Wired]

Different Differentials & The Pitfalls of the Easy Swap

I dig cars, and I do car stuff. I started fairly late in life, though, and I’m only just starting to get into the whole modification thing. Now, as far as automobiles go, you can pretty much do anything you set your mind to – engine swaps, drivetrain conversions, you name it – it’s been done. But such jobs require a high level of fabrication skill, automotive knowledge, and often a fully stocked machine shop to match. Those of us new to the scene tend to start a little bit smaller.

So where does one begin? Well, there’s a huge realm of mods that can be done that are generally referred to as “bolt-ons”. This centers around the idea that the install process of the modification is as simple as following a basic set of instructions to unbolt the old hardware and bolt in the upgraded parts. Those who have trodden this ground before me will be chuckling at this point – so rarely is a bolt-on ever just a bolt-on. The journey of my Mazda’s differential upgrade, as follows, will bear this out.

The car in question, currently known as the “Junkbox MX-5” until it starts running well enough to earn a real name. It somehow looks passable here, but in person I promise you, it looks awful.

It all started when I bought the car, back in December 2016. I’d just started writing for Hackaday and my humble Daihatsu had, unbeknownst to me, just breathed its last. I’d recently come to the realisation that I wasn’t getting any younger, and despite being obsessed with cars, I’d never actually owned a sports car or driven one in anger. It was time to change.

Papa Loves Mamba: Slithering Robot is Reconfigurable

It makes sense considering evolution, but nature comes up with lots of different ways to do things. Consider moving. Land animals walk on four feet or two, some jump, and some use peristalsis or otherwise slither. Oddly, though, mother nature never developed the wheel (although the mother-of-pearl moth’s caterpillar will form its entire body into a hoop and roll away from attackers). Human-developed robots, on the other hand, most often use wheels. Even a tank track has wheels within. [Joesinstructables]’ latest robot still uses wheels, but it emulates the slithering motion of a snake. He calls it the Lake Erie Mamba.

The most interesting thing about the robot is that it can reconfigure and move in several different modalities. Like the caterpillar, it can even form a wheel like an ouroboros and roll. You can see that at the end of the video, below.


Model Sputnik Finds its Voice After Decades of Silence

As we approach the 60th anniversary of the human race becoming a spacefaring species, Sputnik nostalgia will no doubt be on the rise. And rightly so — even though Sputnik was remarkably primitive compared to today’s satellites, its 1957 launch was an inflection point in history and a huge achievement for humanity.

The Soviets, understandably proud of their accomplishment, created a series of commemorative models of Earth’s first artificial moon as gifts to other countries. How one came into the possession of the Royal Society isn’t clear, but [Fran Blanche] found out about it through a circuitous route detailed in the video below, and undertook to reproduce the original electronics from the model that made the distinctive Sputnik beeps.

The Royal Society’s version of the model no longer works, but luckily it came with a schematic of the solid-state circuit used to emulate the original’s vacuum-tube guts. Intent on building the circuit as close to vintage as possible and armed with a bag of germanium transistors from the 60s, [Fran] worked through the schematic, correcting a few issues here and there, and eventually brought the voice of Sputnik back to life.

If you think we’ve covered Sputnik’s rebirth before, you may be thinking about our article on how some hams rebuilt Sputnik’s guts from a recently uncovered Soviet-era schematic. [Fran]’s project just reproduces the sound of Sputnik — no license required!
