The ChipWhisperer adapter plugged into a ChipWhisperer, with the aforementioned STM chip soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In the retro gaming world, a crowdfunding campaign for a game called PAPRIUM was funded with huge success in 2017. However, the campaign has grossly underdelivered over the last five years, and of the few cartridges that did reach backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of them is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection-bypass exploration, and has quite a few configuration jumpers that anyone facing a similar chip can use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is still quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

After The Prize: Chipwhisperer

We’re less than a week away from the Hackaday Superconference, where we’ll be announcing the winners of the Hackaday Prize. The Hackaday Prize is a celebration of the greatest hardware the Hackaday community has to offer, and in the past three years we’ve been running this amazing contest, we’ve seen some awesome stuff.

While not every project entered into the Hackaday Prize has gotten off the ground — the lawnmower-powered killacopter of decapitation is still tethered to its test stand — there have been some spectacular projects over the past few years that have already had an incredible impact in industry, academia, and the security industry. For the next few days, we’re going to revisit these projects, see how they’re doing, and look at the impact they’ve had on the world of Open Source hardware.

The first project we’re taking a look at is the ChipWhisperer, a tool created by Colin O’Flynn to look at the secret insides of chips and firmware despite whatever embedded security is enabled on said chip. The ChipWhisperer was an entry into the first Hackaday Prize, where it won second place. Since then, the ChipWhisperer has become the de facto hardware tool for investigating clock glitching, side channel analysis, and other exotic magic tricks that make security analysis so much fun.

Continue reading “After The Prize: Chipwhisperer”

ChipWhisperer Hits Kickstarter

Even the most well-designed crypto algorithms can be broken if someone is smart enough to connect an oscilloscope to a processor. Over the last 15 years or so, an entire domain of embedded security has cropped up around the techniques of power and side-channel analysis. The tools are expensive and rare, but [Colin O’Flynn] and the ChipWhisperer are here to bring a new era of hardware security to the masses.

The ChipWhisperer was the second place winner of last year’s Hackaday Prize. It’s an interesting domain of security research, and something that was previously extremely expensive to study. If you’re looking for a general overview of what the ChipWhisperer does, you might want to check out when we bumped into [Colin] at DEFCON last year.

While the original goal of the ChipWhisperer was to bring the cost of the tools required for power and side channel analysis down to something a hackerspace or researcher could afford, this was still too expensive for a Kickstarter campaign. To that end, [Colin] designed the ChipWhisperer Lite, a cut-down version, but still something that does most of what the original could do.

There are two parts to the ChipWhisperer Lite – the main section contains a big microcontroller, a big FPGA, and a high gain, low noise amplifier. This is the core of the ChipWhisperer, and it’s where all the power analysis happens. The other part is a target board containing an XMega microcontroller. This is where you’ll run all your encryption algorithms, and where you’ll find out if they can be broken by power analysis. The main board and target board are held together by a break-away connection, so if you want to run a power analysis on another board, just snap the ChipWhisperer in half.

[Colin] is offering up a ChipWhisperer Lite for around $200 USD – far, far less than what these tools cost just a year ago. We’re looking forward to a successful campaign and all the neat things people will find with this board.

The Hackaday Prize: Interview With A ChipWhisperer


Every finalist for The Hackaday Prize has some aspect of it that hasn’t been done before; finding the chemical composition of everything with some 3D printed parts is novel, as is building a global network of satellite ground stations with off-the-shelf components. [Colin]’s ChipWhisperer, though, has some scary and interesting implications. By looking inside a microcontroller as it’s running, the ChipWhisperer is able to verify – or break – security on these chips. It’s also extremely interesting and somewhat magical being able to figure out what data a chip is processing simply by looking at its power consumption.

We have no idea who the winner of The Hackaday Prize is yet, and I’m hoping to remain ignorant of that fact until the party two weeks from now. Until then, you can read the short interview with [Colin O’Flynn], or check out his five-minute video for the ChipWhisperer below:

Continue reading “The Hackaday Prize: Interview With A ChipWhisperer”

The ChipWhisperer At Defcon

We’ve seen [Colin]’s entry to The Hackaday Prize before. After seeing his lightning talk at Defcon, we had to get an interview with him going over the intricacies of this very impressive piece of hardware.

The ChipWhisperer is a security and research platform for embedded devices that exploits the fact that all security measures must run on real hardware. If you glitch a clock when a microcontroller is processing an instruction, there’s a good probability something will go wrong. If you’re very good at what you do, you can simply route around the code that makes up the important bits of a security system. Power analysis is another trick up the ChipWhisperer’s sleeve, analyzing the power consumption of a microcontroller when it’s running a bit of code to glean a little information on the keys required to access the system. It’s black magic and dark arts, but it does work, and it’s a real threat to embedded security that hasn’t had an open source toolset before now.
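The power-analysis side of this, as an added example that is not ChipWhisperer project code: it fakes the traces a scope would capture from a single S-box lookup and runs a correlation power analysis (CPA) over them, the kind of self-assessment an embedded developer runs to learn whether their own implementation leaks the key. Everything here is an assumption for illustration, not from the article: a 4-bit PRESENT S-box stands in for a real cipher, the device is modelled as leaking the Hamming weight of the value it stores, and measurement noise is Gaussian. The same code is then run against a masked variant of the lookup to show why that countermeasure blunts first-order CPA.

```python
"""Simulated correlation power analysis (CPA) as a leakage self-assessment.

Added example; not ChipWhisperer code. Traces are constructed in software so
it runs with no hardware. Assumed for illustration: 4-bit PRESENT S-box as the
target operation, Hamming-weight leakage model, Gaussian measurement noise.
"""
import random
from statistics import mean, pstdev

# PRESENT cipher S-box (4-bit in, 4-bit out); a toy stand-in for AES's S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def capture_traces(key, n_traces, masked, noise_std=0.5, seed=1):
    """Construct (plaintext, power sample) pairs for one S-box lookup.

    The 'power sample' is the Hamming weight of the value the simulated
    hardware writes to its bus, plus Gaussian noise. With masked=True the
    device XORs a fresh random mask into the S-box output before storing
    it, so the bus carries S(p ^ k) ^ m rather than S(p ^ k); the mask's
    own leakage is assumed to fall outside this sample.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        p = rng.randrange(16)
        v = SBOX[p ^ key]
        if masked:
            v ^= rng.randrange(16)
        traces.append((p, hamming_weight(v) + rng.gauss(0.0, noise_std)))
    return traces


def pearson(xs, ys):
    """Pearson correlation; pstdev is population std, matching the /len(xs)."""
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def cpa(traces):
    """Return {key_guess: correlation} between the HW model and the samples."""
    plaintexts = [p for p, _ in traces]
    samples = [s for _, s in traces]
    scores = {}
    for k in range(16):
        model = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        scores[k] = pearson(model, samples)
    return scores


def best_guess(scores):
    # The leakage model is positive (more bits set, more current drawn), so
    # rank by signed correlation rather than absolute value.
    return max(scores, key=scores.get)


if __name__ == "__main__":
    secret = 0xB
    plain = cpa(capture_traces(secret, 400, masked=False))
    print("unmasked: best guess 0x%X (secret 0x%X), corr %.2f"
          % (best_guess(plain), secret, plain[best_guess(plain)]))
    masked = cpa(capture_traces(secret, 400, masked=True))
    print("masked:   highest correlation for any guess %.2f"
          % max(masked.values()))
```

Two caveats worth knowing before reading too much into the numbers: a 4-bit S-box gives wrong key guesses fairly high correlations of their own (up to 0.5 of the correct one here), which is why real assessments target the 8-bit AES S-box, and a real trace has thousands of samples per capture, so the correlation is computed at every sample and the peak located in time rather than assumed to sit at one known point.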

Before our interview, [Colin] did a few short and sweet demos of the ChipWhisperer. They were extraordinarily simple demos; glitching the clock when a microcontroller was iterating through nested loops resulted in what can only be described as ‘counter weirdness’. More advanced applications of the ChipWhisperer can supposedly break perfectly implemented security, something we’re sure [Colin] is saving for a followup video.

You can check out [Colin]’s 2-minute video for his Hackaday Prize entry below.

Continue reading “The ChipWhisperer At Defcon”

THP Entry: Embedded Hardware Security With The ChipWhisperer


There are thousands upon thousands of papers discussing various aspects of embedded hardware security, and dozens of books covering the same subject. The attacks discussed in the literature are very cool – things like side-channel power analysis and clock glitching used to extract keys from a system. The experimental setups in these papers are extraordinarily expensive – you can buy a new car for less. [coflynn] was disheartened with the price of these tools, and thought building his own would make for a great entry to The Hackaday Prize.

The hardware part of the ChipWhisperer includes a breakout board with an FPGA, ADC, and connectors for a lot of different probes, adapters, breakout boards, and a target board. With all these tools, it’s not unreasonable to say that [coflynn] could carry out a power analysis attack on a lot of embedded hardware.

Open source hardware is just one part of this entry. The biggest focus of this project is the open source software for analyzing whatever the probes and target boards record. With this software, anyone can monitor the power used when a chip runs a cryptographic function, or glitch a clock for some unintended functionality in a device. In keeping with the academic pedigree of all the literature on these attacks, there are a ton of tutorials for the ChipWhisperer for all those budding security researchers out there. Very cool stuff, and arguably one of the most technical entries to The Hackaday Prize.

Video below.


The project featured in this post is an entry in The Hackaday Prize. Build something awesome and win a trip to space or hundreds of other prizes.

Continue reading “THP Entry: Embedded Hardware Security With The ChipWhisperer”

Using The ESP8266 For Low-Cost Fault Injection

As a general concept, fault injection is a technique that studies how a system reacts to unusual or unexpected external forces. The idea is that, if you can trigger a glitch at the precise moment, you might be able to use that to your advantage in disabling security features or otherwise gaining further access to the device in question. In the hardware world, this could be achieved by fiddling with the power going into the device, or subjecting it to extreme temperatures.
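What "disabling a security feature" with a glitch looks like at the level of a single variable, and why the way that variable is encoded matters, as an added example that is neither from the article nor from the ESP8266 tool it describes. It applies a small fault model (one bit of a byte flipped, or the byte forced to 0x00 or 0xFF, the sort of corruption a power or clock glitch leaves in a register) to the flag that holds an authentication decision, and counts how many of those faults turn "denied" into "granted" for a naive boolean versus a hardened two-constant encoding. The constants and the fault model are assumptions for illustration.

```python
"""Counting single-fault bypasses of a security check under a simple fault model.

Added example, not from the article. Models a glitch as corrupting the byte
that stores an authentication decision: one bit flipped, or the byte stuck at
0x00 / 0xFF. The encodings below are assumed for illustration.
"""

# Hardened encoding: the two valid states differ in every bit
# (0x5A ^ 0xA5 == 0xFF), so no single bit flip maps one onto the other.
AUTH_DENIED = 0x5A
AUTH_GRANTED = 0xA5


def naive_decision(flag: int) -> bool:
    # The common C idiom `if (authenticated) { ... }`: 0 means denied and
    # *any* nonzero value is treated as granted.
    return flag != 0


def hardened_decision(flag: int) -> bool:
    # Grant only on the exact 'granted' constant. A byte that is neither
    # constant is treated as tampering and fails closed.
    return flag == AUTH_GRANTED


def single_fault_candidates(value: int):
    """Yield every byte value the fault model says one glitch could leave."""
    for bit in range(8):
        yield value ^ (1 << bit)  # one bit flipped
    yield 0x00                    # register forced low
    yield 0xFF                    # register forced high


def count_bypasses(decision, denied_value: int) -> int:
    """Number of modelled faults that turn a denied flag into a grant."""
    if decision(denied_value):
        raise ValueError("denied_value must be rejected by the decision")
    return sum(1 for faulty in single_fault_candidates(denied_value)
               if decision(faulty))


def bypass_report() -> dict:
    """Bypass counts for both encodings out of the 10 modelled faults."""
    return {
        "naive": count_bypasses(naive_decision, 0x00),
        "hardened": count_bypasses(hardened_decision, AUTH_DENIED),
    }


if __name__ == "__main__":
    for name, n in bypass_report().items():
        print("%-8s %d of 10 single faults bypass the check" % (name, n))
```

The naive flag is bypassed by 9 of the 10 modelled faults because every nonzero corruption counts as success; the hardened flag by none, since the only accepted value sits at Hamming distance 8 from the denied one. Encoding is only one layer: glitch-resistant firmware also evaluates critical checks more than once and varies their timing so that a single precisely timed glitch cannot skip them, which this data-only fault model does not capture.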

We’ve covered voltage glitching attacks on these pages in the past, but most of the tools used are fairly expensive if you’re not doing this kind of thing professionally. Luckily for us, [Aditya Patil] has developed a fault injection tool that can run on a standard ESP8266 development board. Obviously it’s not as capable as a bespoke device costing hundreds of dollars, but if you just want to experiment with the concept, it’s a fantastic way to wrap your head around it all.

Continue reading “Using The ESP8266 For Low-Cost Fault Injection”