The Piezoelectric Glitching Attack

Many readers will be familiar with the idea of a glitching attack, introducing electrical noise into a computer circuit in the hope of disrupting program flow and causing unexpected behaviour which might lead to hitherto unavailable access to memory or other system resources. [David Buchanan] has written a piece investigating glitching attacks on PC memory, and the tool he’s used is the ubiquitous piezoelectric lighter.

Attaching a short piece of wire to one of the lines on a SODIMM memory module, he can glitch a laptop at will with the lighter through the electromagnetic noise its discharge creates. It’s a cool trick, but the real meat of the write-up lies in his comprehensive description of how virtual memory works, and how a glitch can be used to break out of the “sandbox” of memory allocated to a particular process. He demonstrates it in a video which we’ve placed below the break, in which he gains root access and runs an arbitrary piece of code on a Linux laptop. It’s probable that not many of us have the inclination to do this for ourselves, but even so it’s fascinating to know how such an attack works.

Continue reading “The Piezoelectric Glitching Attack”

Laser Fault Injection On The Cheap

One can only imagine the wonders held within the crypto labs of organizations like the CIA or NSA. Therein must be machines of such sophistication that no electronic device could resist their attempts to defeat whatever security is baked into their silicon. Machines such as these no doubt bear price tags that only a no-questions-asked budget could support, making their techniques firmly out of reach of even the most ambitious home gamer.

That might be changing, though, with this $500 DIY laser fault injection setup. It comes to us from Finnish cybersecurity group [Fraktal], who have started a series of blog posts detailing how they built their open-source reverse-engineering rig. LFI is similar to other “glitching” attacks we’ve covered before, such as EMP fault injection, except that a laser shining directly on a silicon die is used to disrupt its operation rather than a burst of electromagnetic energy.

Since LFI requires shining the laser very precisely on nanometer-scale elements of a bare silicon die, nanopositioning is the biggest challenge. Rather than moving the device under attack, the [Fraktal] rig uses a modified laser galvanometer to scan an IR laser over the device. The galvo and the optical components are all easily available online, and they’ve started a repo to document the modifications needed and the code to tire everything together.

Of course, this technique requires the die in the device under study to be exposed, but [Fraktal] has made that pretty approachable too. They include instructions for milling away the epoxy from the lead-frame side of a chip, which is safer for the delicate structures etched into the top of the die. The laser can then shine directly through the die from the bottom. For “flip-chip” packages like BGAs, the same milling technique would be done from the top of the package. Either way, we can imagine a small CNC mill making the process safer and quicker, even though they seem to have done pretty well with a Dremel.

This looks like a fantastic reverse engineering tool, and we’re really looking forward to the rest of the story.
Continue reading “Laser Fault Injection On The Cheap”

To the left, a breadboard with the ATMega328P being attacked. To the right, the project's display showing multiple ;) smiley faces, indicating that the attack has completed successfully.

Glitching An ATMega328P Has Never Been Simpler

Did you know just how easily you can glitch microcontrollers? It’s so easy, you really have no excuse for not having tried it out yet. Look, [lord feistel] is doing glitching attacks on an ATMega328P! All you need is an Arduino board with its few SMD capacitors removed or a bare 328P chip, a FET, and some sort of MCU to drive it. All of these are extremely generic components, and you can quickly breadboard them, following [lord feistel]’s guide on GitHub.

In the proof-of-concept, you can connect a HD44780 display to the chip, and have the victim MCU output digits onto the display in an infinite loop. Inside of the loop is a command to output a smiley face – but the command is never reachable, because the counter is reset in an if right before it. By glitching the ATMega’s power input, you can skip the if and witness the ;) on your display; it is that simple.

What are you waiting for? Breadboard it up and see for yourself, this might be the method that you hack your next device and make it do your bidding. If the FET-and-MCU glitching starts to fail you at some point, there’s fancier tools you can use, like the ChipWhisperer. As for practical examples, [scanlime]’s elegant glitching-powered firmware hack is hard to forget.

Everything You Didn’t Know You Need To Know About Glitching Attacks

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

BBQ lighter fault injector

Blast Chips With This BBQ Lighter Fault Injection Tool

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as electromagnetic fault injection (EMFI), or simply fault injection, is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

PicoEMP EMFI tool

Glitch Your Way To Reverse-Engineering Glory With The PicoEMP

Most of our projects are, to some extent, an exercise in glitch-reduction. Whether they’re self-inflicted software or hardware mistakes, or even if the glitches in question come from sources beyond our control, the whole point of the thing is to get it running smoothly and predictably.

That’s not always the case, though. Sometimes inducing a glitch on purpose can be a useful tool, especially when reverse engineering something. That’s where this low-cost electromagnetic fault injection tool could come in handy. EMFI is a way to disrupt the normal flow of a program running on an embedded system; properly applied and with a fair amount of luck, it can be used to put the system into an exploitable state. The PicoEMP, as [Colin O’Flynn] dubs his EMFI tool, is a somewhat tamer version of his previous ChipSHOUTER tool. PicoEMP focuses on user safety, an important consideration given that its business end can put about 250 volts across its output. Safety features include isolation for the Raspberry Pi Pico that generates the PWM signals for the HV section, a safety enclosure over the HV components, and a switch to discharge the capacitors and prevent unpleasant surprises.

In use, the high-voltage pulse is applied across an injection tip, which is basically a ferrite-core antenna. The tip concentrates the magnetic flux in a small area, which hopefully will cause the intended glitch in the target system. The video below shows the PicoEMP being used to glitch a Bitcoin wallet, as well as some tests on the HV pulse.

If you’re interested in the PicoEMP and glitching in general, be sure to watch out for [Colin]’s 2021 Remoticon talk on the subject. Until that comes out, you might want to look into glitching attacks on a Nintendo DSi and a USB glitch on a Wacom tablet.

Continue reading “Glitch Your Way To Reverse-Engineering Glory With The PicoEMP”

555 timer circuit for the contest

Doing The Right Thing The Wrong Way: Dumping STM8 Firmware With 555 Timers

When [Jarrett] decided to enter the 555 Contest that’s just wrapped up, he leaned up on an idea that’s been rattling around in his noggin for a few years: Using 555 timers to trigger a firmware dump on a microcontroller. It’s definitely the wrong tool for the job, but [Jarrett] got it working and documented it nicely at Hackaday.io.

The premise is that by interrupting the power supply to the STM8 microcontroller at just the right time and for just the right duration, it would skip the instruction telling it not to allow its firmware to be read. Time and duration… things the 555 is well known for being capable of. There was a problem, however.

The first problem is that the duration was to be measured in nanoseconds. A garden variety 555 has can only pulse down to about 10 microseconds. The solution? Well, you’ll have to read the excellent project page to find out, but don’t worry- it’s a 555. The second problem? He was using 555’s!

Was [Jarrett] successful? After much fiddling and twiddling, he absolutely was! The old firmware was dumped from the STM8 processor and the new firmware could be flashed with impunity.

This 555 contest has seen some truly epic entries, including but not limited to this 555 based accordion like instrument that this particular author just can’t get enough of!