swisskyrepo
/
HardwareAllTheThings
mirror of https://github.com/swisskyrepo/HardwareAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Voltage Glitching with Crowbars

pull/25/head
Swissky 2024-10-25 18:09:16 +02:00
parent 866110fae5
commit 4b1aa91bbb
1 changed files with 46 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
docs/side-channel/fault-injection.md
View File

@ -1,10 +1,48 @@
# Fault Injection
## Power / VCC Glitch
## Power / VCC - Voltage Glitch
Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances.
A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.
Most of the time the goal is one of the following:
* Re-enable debugging features (e.g: Trezor One wallet)
* Bypass secure boot
* Gain code-execution by glitching memcpy
**Tools**
* [Faultier](https://1bitsquared.de/products/faultier) [FW](https://github.com/hextreeio/faultier/releases/tag/0.1.32)
* [PicoGlitcher v1.1](https://www.tindie.com/products/faulty-hardware/picoglitcher-v11/)
* [HydraBus](https://hydrabus.com/shop/)
* [ChipWhisperer-Pro](https://rtfm.newae.com/Capture/ChipWhisperer-Pro/)
* [ChipWhisperer-Husky](https://rtfm.newae.com/Capture/ChipWhisperer-Husky/)
**Voltage Glitching with Crowbars**
```py
import faultier
import serial
ft = faultier.Faultier()
ser = serial.Serial(ft.get_serial_path(), baudrate=115200)
ser.timeout = 0.3
ft.configure_glitcher(
trigger_source = faultier.TRIGGER_IN_EXT0,
trigger_type = faultier.TRIGGER_PULSE_POSITIVE
glitch_output = faultier.OUT_CROWBAR
)
ft.glitch(delay = 1000, pulse = 1)
print(ser.read(3))
```
**Challenges**
* [Fiasco - Riscure Hardware CTF 2016](https://github.com/hydrabus/rhme-2016/blob/master/FaultInjection/Fiasco.md) - solved using HydraBus + Custom Board with MOSFET
```ps1
gpio glitch trigger PB0 pin PC15 length 100 offsets 191200
@ -13,6 +51,7 @@ A VCC glitch, also known as a supply voltage glitch, is a specific type of power
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100)](https://youtu.be/6Pf3pY3GxBM) - solved using a [custom code](https://gist.github.com/LiveOverflow/cad0e905691ab5a8a2474d483a604d67) running on a Xilinx FPGA
* [AVR Glitch: Modifying Code Execution Paths Using Only Voltage](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
* [Hextree Glitch Tag](https://1bitsquared.de/products/glitch-tag) - The Hextree GlitchTag is a "totally not AirTag inspired" board for the nRF52832 microcontroller. It is intended as a target for the Hextree Faultier. It gives access to all pins that you need to learn basic fault-injection, including glitch characterization and so on. It also allows you to reproduce LimitedResult's APPROTECT bypass (that was also used to hack the AirTags) without needing to microsolder!
## Electromagnetic Fault
@ -24,7 +63,7 @@ Electromagnetic Fault Injection is an advanced technique used in hardware securi
* Create a custom Electromagnetic fault injection tool: [Dirt cheap Electromagnetic Fault Injection](https://pedro-javierf.github.io/devblog/dirtcheapemfaultinjection/)
**Challenges**
**Challenges**
* [Fiesta - Riscure Hardware CTF 2016 - pedro-javierf](https://pedro-javierf.github.io/devblog/rhmefaultinjection/) - solved using a custom EMFI
@ -33,7 +72,7 @@ Electromagnetic Fault Injection is an advanced technique used in hardware securi
This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.
**Challenges**
**Challenges**
* [Fiesta - Riscure Hardware CTF 2016 - jcldf](https://twitter.com/jcldf/status/1235859271176171521) - solved using a clock glitch
@ -59,4 +98,7 @@ Here is a practical example, putting a cable between MOSI and Chip Select :
* [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/)
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
* [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)
* [Your first Glitch/Voltage Fault Injection - hextree.io](https://app.hextree.io/courses/fault-injection-introduction/fault-injection-theory)
* [PicoGlitcher PCB - A dirt chip fault-injection device](https://mkesenheimer.github.io/blog/pico-glitcher-pcb.html)
* [Fault Injection using Crowbars on Embedded Systems - Colin O'Flynn](https://eprint.iacr.org/2016/810.pdf)