Voltage Glitching with Crowbars
parent
866110fae5
commit
4b1aa91bbb
@ -1,10 +1,48 @@
|
||||||
# Fault Injection
|
# Fault Injection
|
||||||
|
|
||||||
## Power / VCC Glitch
|
## Power / VCC - Voltage Glitch
|
||||||
|
|
||||||
Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances.
|
Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances.
|
||||||
A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.
|
A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.
|
||||||
|
|
||||||
|
Most of the time the goal is one of the following:
|
||||||
|
|
||||||
|
* Re-enable debugging features (e.g: Trezor One wallet)
|
||||||
|
* Bypass secure boot
|
||||||
|
* Gain code-execution by glitching memcpy
|
||||||
|
|
||||||
|
|
||||||
|
**Tools**
|
||||||
|
|
||||||
|
* [Faultier](https://1bitsquared.de/products/faultier) [FW](https://github.com/hextreeio/faultier/releases/tag/0.1.32)
|
||||||
|
* [PicoGlitcher v1.1](https://www.tindie.com/products/faulty-hardware/picoglitcher-v11/)
|
||||||
|
* [HydraBus](https://hydrabus.com/shop/)
|
||||||
|
* [ChipWhisperer-Pro](https://rtfm.newae.com/Capture/ChipWhisperer-Pro/)
|
||||||
|
* [ChipWhisperer-Husky](https://rtfm.newae.com/Capture/ChipWhisperer-Husky/)
|
||||||
|
|
||||||
|
|
||||||
|
**Voltage Glitching with Crowbars**
|
||||||
|
|
||||||
|
```py
|
||||||
|
import faultier
|
||||||
|
import serial
|
||||||
|
|
||||||
|
ft = faultier.Faultier()
|
||||||
|
ser = serial.Serial(ft.get_serial_path(), baudrate=115200)
|
||||||
|
ser.timeout = 0.3
|
||||||
|
|
||||||
|
ft.configure_glitcher(
|
||||||
|
trigger_source = faultier.TRIGGER_IN_EXT0,
|
||||||
|
trigger_type = faultier.TRIGGER_PULSE_POSITIVE
|
||||||
|
glitch_output = faultier.OUT_CROWBAR
|
||||||
|
)
|
||||||
|
ft.glitch(delay = 1000, pulse = 1)
|
||||||
|
print(ser.read(3))
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
**Challenges**
|
||||||
|
|
||||||
* [Fiasco - Riscure Hardware CTF 2016](https://github.com/hydrabus/rhme-2016/blob/master/FaultInjection/Fiasco.md) - solved using HydraBus + Custom Board with MOSFET
|
* [Fiasco - Riscure Hardware CTF 2016](https://github.com/hydrabus/rhme-2016/blob/master/FaultInjection/Fiasco.md) - solved using HydraBus + Custom Board with MOSFET
|
||||||
```ps1
|
```ps1
|
||||||
gpio glitch trigger PB0 pin PC15 length 100 offsets 191200
|
gpio glitch trigger PB0 pin PC15 length 100 offsets 191200
|
||||||
|
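Review bot: the `ft.configure_glitcher(...)` call in the new Python block is missing a comma after `trigger_type = faultier.TRIGGER_PULSE_POSITIVE`, so the snippet dies with a SyntaxError before anything is configured; separate the keyword arguments (`trigger_type = faultier.TRIGGER_PULSE_POSITIVE,` then `glitch_output = faultier.OUT_CROWBAR`). A one-line comment would also help readers: `ser.read(3)` only returns data if the target prints on its UART after the glitch, and `delay = 1000, pulse = 1` are starting values to sweep per target, not fixed settings.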
@ -13,6 +51,7 @@ A VCC glitch, also known as a supply voltage glitch, is a specific type of power
|
||||||
|
|
||||||
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100)](https://youtu.be/6Pf3pY3GxBM) - solved using a [custom code](https://gist.github.com/LiveOverflow/cad0e905691ab5a8a2474d483a604d67) running on a Xilinx FPGA
|
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100)](https://youtu.be/6Pf3pY3GxBM) - solved using a [custom code](https://gist.github.com/LiveOverflow/cad0e905691ab5a8a2474d483a604d67) running on a Xilinx FPGA
|
||||||
* [AVR Glitch: Modifying Code Execution Paths Using Only Voltage](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
|
* [AVR Glitch: Modifying Code Execution Paths Using Only Voltage](https://flawed.net.nz/2017/01/29/avr-glitch-modifying-code-execution-paths-using-only-voltage/)
|
||||||
|
* [Hextree Glitch Tag](https://1bitsquared.de/products/glitch-tag) - The Hextree GlitchTag is a "totally not AirTag inspired" board for the nRF52832 microcontroller. It is intended as a target for the Hextree Faultier. It gives access to all pins that you need to learn basic fault-injection, including glitch characterization and so on. It also allows you to reproduce LimitedResult's APPROTECT bypass (that was also used to hack the AirTags) without needing to microsolder!
|
||||||
|
|
||||||
|
|
||||||
## Electromagnetic Fault
|
## Electromagnetic Fault
|
||||||
|
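Review bot: the new Hextree Glitch Tag entry under **Challenges** describes a target board rather than a challenge, and its text is product-page copy several times longer than the neighbouring bullets; either move it next to the Faultier under **Tools** or trim it to one line here (e.g. "nRF52832 target board for the Faultier, reproduces the APPROTECT bypass without microsoldering"). The researcher's handle is normally written LimitedResults, not LimitedResult's.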
@ -24,7 +63,7 @@ Electromagnetic Fault Injection is an advanced technique used in hardware securi
|
||||||
* Create a custom Electromagnetic fault injection tool: [Dirt cheap Electromagnetic Fault Injection](https://pedro-javierf.github.io/devblog/dirtcheapemfaultinjection/)
|
* Create a custom Electromagnetic fault injection tool: [Dirt cheap Electromagnetic Fault Injection](https://pedro-javierf.github.io/devblog/dirtcheapemfaultinjection/)
|
||||||
|
|
||||||
|
|
||||||
**Challenges**
|
**Challenges**
|
||||||
|
|
||||||
* [Fiesta - Riscure Hardware CTF 2016 - pedro-javierf](https://pedro-javierf.github.io/devblog/rhmefaultinjection/) - solved using a custom EMFI
|
* [Fiesta - Riscure Hardware CTF 2016 - pedro-javierf](https://pedro-javierf.github.io/devblog/rhmefaultinjection/) - solved using a custom EMFI
|
||||||
|
|
||||||
|
@ -33,7 +72,7 @@ Electromagnetic Fault Injection is an advanced technique used in hardware securi
|
||||||
|
|
||||||
This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.
|
This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.
|
||||||
|
|
||||||
**Challenges**
|
**Challenges**
|
||||||
|
|
||||||
* [Fiesta - Riscure Hardware CTF 2016 - jcldf](https://twitter.com/jcldf/status/1235859271176171521) - solved using a clock glitch
|
* [Fiesta - Riscure Hardware CTF 2016 - jcldf](https://twitter.com/jcldf/status/1235859271176171521) - solved using a clock glitch
|
||||||
|
|
||||||
|
@ -59,4 +98,7 @@ Here is a practical example, putting a cable between MOSI and Chip Select :
|
||||||
* [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/)
|
* [Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11](https://pedro-javierf.github.io/devblog/rhmefaultinjection/)
|
||||||
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
|
* [Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
|
||||||
* [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
|
* [pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Brad-Dixon-Pin2Pwn-How-to-Root-An-Embedded-Linux-Box-With-A-Sewing-Needle-UPDATED.pdf)
|
||||||
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)
|
* [Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022](https://voidstarsec.com/blog/replicant-part-1)
|
||||||
|
* [Your first Glitch/Voltage Fault Injection - hextree.io](https://app.hextree.io/courses/fault-injection-introduction/fault-injection-theory)
|
||||||
|
* [PicoGlitcher PCB - A dirt chip fault-injection device](https://mkesenheimer.github.io/blog/pico-glitcher-pcb.html)
|
||||||
|
* [Fault Injection using Crowbars on Embedded Systems - Colin O'Flynn](https://eprint.iacr.org/2016/810.pdf)
|
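Review bot: the three added reference entries do not follow the `Title - Author - Date` pattern of the four entries above them: the hextree.io and PicoGlitcher entries carry no author or date, and the O'Flynn entry has no date (the ePrint id 2016/810 gives `- Colin O'Flynn - 2016`). "dirt chip" in the PicoGlitcher title also reads as a typo for "dirt cheap".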