The Chipwhisperer adapter plugged into a ChipWhisperer, with the STM chip mentiuoned soldered on

ChipWhisperer Adapter Helps Reverse-Engineer A Controversial Game Cartridge

February 1, 2023 by Arya Voronova 7 Comments

The ChipWhisperer has been a breakthrough in hobbyist use of power analysis and glitching attacks on embedded hardware. If you own one, you surely have seen the IDC and SMA sockets on it – usable for connecting custom breakouts housing a chip you’re currently probing. Today, [MAVProxyUser] brings us a ChipWhisperer adapter for STM32F446ZEJx, which comes in a UFBGA144 package – and the adapter has quite a backstory to it.

In retro gaming world, a crowdfunding campaign for a game called PAPRIUM has seen a huge success getting funded in 2017. However, the campaign has grossly underdelivered throughout the last five years, and out of those rare cartridges delivered to backers, quite a few have faulty hardware. Getting replacements isn’t realistic at this point, so the repair attempts and game preservation efforts have been ongoing. Trouble is – there are protection mechanisms against dumping the cartridges, and one of the protection mechanisms is the built-in flash read protection of the aforementioned STM32 found on the cartridge. This board adapts the chip to a ChipWhisperer interface for protection bypass exploration, and has quite a few configuration jumpers anyone facing a similar chip is able to use – Eagle files are out there as well, in case your chip needs a slightly different approach.

With reverse-engineering underway, are we likely to see this cartridge’s defenses fall? Our assessment is ‘yes’ – it’s not like there’s a shortage of mechanisms for bypassing security ; from modchips to EMP attacks to blasting the die with a laser, hardware-reliant security is, still, quite bypassable. All in all, despite the drama around the project, this is one more reference design for the ChipWhisperer, and a fun journey to look forward to.

Everything You Didn’t Know You Need To Know About Glitching Attacks

August 25, 2022 by Dan Maloney 1 Comment

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)

February 3, 2022 by Jenny List 5 Comments

One of the many fascinating fields that’s covered by Hackaday’s remit lies in the world of hardware security, working with physical electronic hardware to reveal inner secrets concealed in its firmware. Colin O’Flynn is the originator of the ChipWhisperer open-source analysis and fault injection board, and he is a master of the art of glitching chips. We were lucky enough to be able to welcome him to speak at last year’s Remoticon on-line conference, and now you can watch the video of his talk below the break. If you need to learn how to break RSA encryption with something like a disposable camera flash, this is the talk for you.

This talk is an introduction to signal sniffing and fault injection techniques. It’s well-presented and not presented as some unattainable wizardry, and as his power analysis demo shows a clearly different trace on the correct first letter of a password attack the viewer is left with an understanding of what’s going on rather than hoping for inspiration in a stream of the incomprehensible. The learning potential of being in full control of both instrument and target is evident, and continues as the talk moves onto fault injection with an introduction to power supply glitching as a technique to influence code execution.

Schematic of an EM injector built from a camera flash.

Continue reading “Remoticon 2021 // Colin O’Flynn Zaps Chips (And They Talk)” →

Glitching USB Firmware For Fun

October 4, 2016 by Elliot Williams 37 Comments

[Micah Elizabeth Scott], aka [scanlime], has been playing around with USB drawing tablets, and got to the point that she wanted with the firmware — to reverse engineer, see what’s going on, and who knows what else. Wacom didn’t design the devices to be user-updateable, so there aren’t copies of the ROMs floating around the web, and the tablet’s microcontroller seems to be locked down to boot.

With the easy avenues turning up dead ends, that means building some custom hardware to get it done and making a very detailed video documenting the project (embedded below). If you’re interested in chip power glitching attacks, and if you don’t suffer from short attention span, watch it, it’s a phenomenal introduction.

Continue reading “Glitching USB Firmware For Fun” →

Hacklet 51 – Crowdfunding Projects

June 12, 2015 by Adam Fabio 6 Comments

Ah crowdfunding. You might say we have a love/hate relationship with it here at Hackaday. We’ve seen some great projects funded through sites like Kickstarter, IndieGoGo, and the like. We’ve also seen projects where the creators were promising more than they could deliver. While the missed deliveries and outright scams do get a lot of press, we believe that crowdfunding in general is a viable platform for getting a project funded.

Closer to home, Hackaday.io hosts thousands of projects. It’s no surprise that some of these have had crowdfunding campaigns. This week’s Hacklet focuses on those projects which have taken the leap into the crowdfunding arena.

We start with [Louis Beaudoin] and SmartMatrix. [Louis] has created an awesome Teensy 3.1 based system for displaying images, animated graphics, and random patterns on a 32×32 RGB LED panel. The LED panel is the same type used in commercial LED billboards. SmartMatrix is open source, and includes extra pins for hacking. Our own [Mike Szczys] hacked the SmartMatrix to create a 1-pixel PacMan clone. [Louis’] Kickstarter is almost over, and needs a huge boost for fully-assembled SmartMatrix to make its goal. Even if the campaign isn’t successful, we think its a great project and you can always get a solder-it-yourself kit from The Hackaday Store!

Next up is [Michael R Colton] with PortableSDR. PortableSDR was one of the five finalists in The 2014 Hackaday Prize. This pocket-sized software defined radio transceiver started as a ham radio project: a radio system which would be easy for hams to take with them on backpacking trips. It’s grown into so much more now, with software defined radio reception and transmission, vector network analysis, antenna analysis, GPS, and a host of other features. [Michael] raised a whopping $66,197 in his Kickstarter campaign, and he’s already delivered the hand assembled prototypes to their respective backers! Even the lower level rewards are awesome – [Michael’s] PSDR key chains are actually PCBs which can be turned into maple compatible ARM devboards with just about $10 of additional parts.

Next we have The ChipWhisperer, [Colin Flynn’s] embedded security testing system, which won second place in the 2014 Hackaday Prize. We’ve covered both [Colin] and the ChipWhisperer several times on the Blog. You can always buy the full ChipWhisperer from [Colin’s] company, NewAE Technology Inc. At $1500 USD, the ChipWhisperer is incredibly affordable for a hardware security tool. That price is still a bit high for the average hacker though. [Colin] created a Kickstarter campaign for a light version of the ChipWhisperer. This version is a great platform for learning hardware security, as well as an instrument for testing embedded systems. The campaign was a huge success, raising $72,079.

Not every crowdfunding project has to be a massive megabuck effort though. [ZeptoBit] just wanted to solve a problem, he needed a WiFi shield for Arduino using an ESP8266 module. ESP8266 WiFi modules have been all the rage for months now, but they can be a bit of a pain to wire up to an Arduino Uno. The dual row .100 headers are not bread board friendly. The ESP8266’s 3.3 V power and interface requirements mean that a regulator and level shifters are needed to get the two boards working together. [ZeptoBit] put all that and more on his wingboard. It worked so well that he launched a Kickstarter campaign for a small run of boards – his initial goal was kr3,500, or $425 USD. He ended up raising kr13,705, or $1665 USD. Not bad at all for a hobby project!

If this isn’t enough crowdfunding goodness for you, check out our Crowdfunding list! That’s it for this week’s Hacklet, As always, see you next week. Same hack time, same hack channel, bringing you the best of Hackaday.io!

ChipWhisperer Hits Kickstarter

February 27, 2015 by Brian Benchoff 13 Comments

Even the most well designed crypto algorithms can be broken if someone is smart enough to connect an oscilloscope to a processor. Over the last 15 years or so, an entire domain of embedded security has cropped up around the techniques of power and side channel analysis. The tools are expensive and rare, but [Colin O’Flynn] and the ChipWhisperer are here to bring a new era of hardware security to the masses.

The ChipWhisperer was the second place winner of last year’s Hackaday Prize. It’s an interesting domain of security research, and something that was previously extremely expensive to study. If you’re looking for a general overview of what the ChipWhisperer does, you might want to check out when we bumped into [Colin] at DEFCON last year.

While the original goal of the ChipWhisperer was to bring the cost of the tools required for power and side channel analysis down to something a hackerspace or researcher could afford, this was still too expensive for a Kickstarter campaign. To that end, [Colin] designed the ChipWhisperer Lite, a cut-down version, but still something that does most of what the original could do.

There are two parts to the ChipWhisperer Lite – the main section contains a big microcontroller, a big FPGA, and a high gain, low noise amplifier. This is the core of the ChipWhisperer, and it’s where all the power analysis happens. The other part is a target board containing an XMega microcontroller. This is where you’ll run all your encryption algorithms, and where you’ll find out if they can be broken by power analysis. The main board and target board are held together by a break-away connection, so if you want to run a power analysis on another board, just snap the ChipWhisperer in half.

[Colin] is offering up a ChipWhisperer Lite for around $200 USD – far, far less than what these tools cost just a year ago. We’re looking forward to a successful campaign and all the neat findings people with this board will find.

The Hackaday Prize: Interview With A ChipWhisperer

October 29, 2014 by Brian Benchoff 18 Comments

Every finalist for The Hackaday Prize has some aspect of it that hasn’t been done before; finding the chemical composition of everything with some 3D printed parts is novel, as is building a global network of satellite ground stations with off the shelf components. [Colin]’s ChipWhisperer, though, has some scary and interesting implications. By looking inside a microcontroller as its running, the ChipWhisperer is able to verify – or break – security on these chips. It’s also extremely interesting and somewhat magical being able to figure out what data a chip is processing simply by looking at its power consumption.

We have no idea who the winner of The Hackaday Prize is yet, and I’m hoping to remain ignorant of that fact until the party two weeks from now. Until then, you can read the short interview with [Colin O’Flynn], or check out his five-minute video for the ChipWhisperer below:

Continue reading “The Hackaday Prize: Interview With A ChipWhisperer” →