Get Your Glitch On With A PicoEMP And A 3D Printer

We’re not sure what [Aaron Christophel] calls his automated chip glitching setup built from a 3D printer, but we’re going to go ahead and dub it the “Glitch-o-Matic 9000.” Has a nice ring to it.

Of course, this isn’t a commercial product, or even a rig that’s necessarily intended for repeated use. It’s more of a tactical build, which is still pretty cool if you ask us. It started with a proof-of-concept exploration, summarized in the first video below. That’s where [Aaron] assembled and tested the major pieces, which included a PicoEMP, the bit that actually generates the high-voltage pulses intended to scramble a running microcontroller temporarily, along with a ChipWhisperer and an oscilloscope.

The trouble with the POC setup was that glitching the target chip, an LPC2388 microcontroller, involved manually scanning the business end of the PicoEMP over the package. That’s a tedious and error-prone process, which is perfect for automation. In the second video below, [Aaron] has affixed the PicoEMP to his 3D printer, giving him three-axis control of the tip position. That let him build up a heat map of potential spots to glitch, which eventually led to a successful fault injection attack and a clean firmware dump.

It’s worth noting that the whole reason [Aaron] had to resort to such extreme measures in the first place was the resilience of the target chip against power supply-induced glitching attacks. You might not need to build something like the Glitch-o-Matic, but it’s good to keep in mind in case you run up against such a hard target. Continue reading “Get Your Glitch On With A PicoEMP And A 3D Printer”

The Chipwhisperer adapter plugged into a ChipWhisperer, with the STM chip mentiuoned soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In retro gaming world, a crowdfunding campaign for a game called PAPRIUM has seen a huge success getting funded in 2017. However, the campaign has grossly underdelivered throughout the last five years, and out of those rare cartridges delivered to backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so the repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of the protection mechanisms is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection bypass exploration, and has quite a few configuration jumpers anyone facing a similar chip is able to use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security ; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is, still, quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

Everything You Didn’t Know You Need To Know About Glitching Attacks

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)

One of the many fascinating fields that’s covered by Hackaday’s remit lies in the world of hardware security, working with physical electronic hardware to reveal inner secrets concealed in its firmware. Colin O’Flynn is the originator of the ChipWhisperer open-source analysis and fault injection board, and he is a master of the art of glitching chips. We were lucky enough to be able to welcome him to speak at last year’s Remoticon on-line conference, and now you can watch the video of his talk below the break. If you need to learn how to break RSA encryption with something like a disposable camera flash, this is the talk for you.

This talk is an introduction to signal sniffing and fault injection techniques. It’s well-presented and not presented as some unattainable wizardry, and as his power analysis demo shows a clearly different trace on the correct first letter of a password attack the viewer is left with an understanding of what’s going on rather than hoping for inspiration in a stream of the incomprehensible. The learning potential of being in full control of both instrument and target is evident, and continues as the talk moves onto fault injection with an introduction to power supply glitching as a technique to influence code execution.

Schematic of an EM injector built from a camera flash.
Schematic of an EM injector built from a camera flash.

Continue reading “Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)”

Glitching USB Firmware For Fun

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware For Fun”

Hacklet 51 – Crowdfunding Projects

Ah crowdfunding. You might say we have a love/hate relationship with it here at Hackaday. We’ve seen some great projects funded through sites like Kickstarter, IndieGoGo, and the like. We’ve also seen projects where the creators were promising more than they could deliver. While the missed deliveries and outright scams do get a lot of press, we believe that crowdfunding in general is a viable platform for getting a project funded.

Closer to home, Hackaday.io hosts thousands of projects. It’s no surprise that some of these have had crowdfunding campaigns. This week’s Hacklet focuses on those projects which have taken the leap into the crowdfunding arena.

matrixWe start with [Louis Beaudoin] and SmartMatrix. [Louis] has created an awesome Teensy 3.1 based system for displaying images, animated graphics, and random patterns on a 32×32 RGB LED panel. The LED panel is the same type used in commercial LED billboards. SmartMatrix is open source, and includes extra pins for hacking. Our own [Mike Szczys] hacked the SmartMatrix to create a 1-pixel PacMan clone. [Louis’] Kickstarter is almost over, and needs a huge boost for fully-assembled SmartMatrix to make its goal. Even if the campaign isn’t successful, we think its a great project and you can always get a solder-it-yourself kit from The Hackaday Store!

psdrNext up is [Michael R Colton] with PortableSDR. PortableSDR was one of the five finalists in The 2014 Hackaday Prize. This pocket-sized software defined radio transceiver started as a ham radio project: a radio system which would be easy for hams to take with them on backpacking trips. It’s grown into so much more now, with software defined radio reception and transmission, vector network analysis, antenna analysis, GPS, and a host of other features. [Michael] raised a whopping $66,197 in his Kickstarter campaign, and he’s already delivered the hand assembled prototypes to their respective backers! Even the lower level rewards are awesome – [Michael’s] PSDR key chains are actually PCBs which can be turned into maple compatible ARM devboards with just about $10 of additional parts.

chip whisperNext we have The ChipWhisperer, [Colin Flynn’s] embedded security testing system, which won second place in the 2014 Hackaday Prize. We’ve covered both [Colin] and the ChipWhisperer  several times on the Blog. You can always buy the full ChipWhisperer from [Colin’s] company, NewAE Technology Inc. At $1500 USD, the ChipWhisperer is incredibly affordable for a hardware security tool. That price is still a bit high for the average hacker though. [Colin] created a Kickstarter campaign for a light version of the ChipWhisperer. This version is a great platform for learning hardware security, as well as an instrument for testing embedded systems. The campaign was a huge success, raising $72,079.

wingboardNot every crowdfunding project has to be a massive megabuck effort though. [ZeptoBit] just wanted to solve a problem, he needed a WiFi shield for Arduino using an ESP8266 module. ESP8266 WiFi modules have been all the rage for months now, but they can be a bit of a pain to wire up to an Arduino Uno. The dual row .100 headers are not bread board friendly. The ESP8266’s 3.3 V power and interface requirements mean that a regulator and level shifters are needed to get the two boards working together. [ZeptoBit] put all that and more on his wingboard. It worked so well that he launched a Kickstarter campaign for a small run of boards – his initial goal was kr3,500, or $425 USD. He ended up raising kr13,705, or $1665 USD. Not bad at all for a hobby project!

If this isn’t enough crowdfunding goodness for you, check out our Crowdfunding list! That’s it for this week’s Hacklet, As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!

ChipWhisperer Hits Kickstarter

Even the most well designed crypto algorithms can be broken if someone is smart enough to connect an oscilloscope to a processor. Over the last 15 years or so, an entire domain of embedded security has cropped up around the techniques of power and side channel analysis. The tools are expensive and rare, but [Colin O’Flynn] and the ChipWhisperer are here to bring a new era of hardware security to the masses.

The ChipWhisperer was the second place winner of last year’s Hackaday Prize. It’s an interesting domain of security research, and something that was previously extremely expensive to study. If you’re looking for a general overview of what the ChipWhisperer does, you might want to check out when we bumped into [Colin] at DEFCON last year.

While the original goal of the ChipWhisperer was to bring the cost of the tools required for power and side channel analysis down to something a hackerspace or researcher could afford, this was still too expensive for a Kickstarter campaign. To that end, [Colin] designed the ChipWhisperer Lite, a cut-down version, but still something that does most of what the original could do.

There are two parts to the ChipWhisperer Lite – the main section contains a big microcontroller, a big FPGA, and a high gain, low noise amplifier. This is the core of the ChipWhisperer, and it’s where all the power analysis happens. The other part is a target board containing an XMega microcontroller. This is where you’ll run all your encryption algorithms, and where you’ll find out if they can be broken by power analysis. The main board and target board are held together by a break-away connection, so if you want to run a power analysis on another board, just snap the ChipWhisperer in half.

[Colin] is offering up a ChipWhisperer Lite for around $200 USD – far, far less than what these tools cost just a year ago. We’re looking forward to a successful campaign and all the neat findings people with this board will find.