with glitchkit
play

WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & - PowerPoint PPT Presentation

Mar 29, 2023 •312 likes •705 views

OPENING CLOSED SYSTEMS WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & DOMINIC SPILL WHO WE ARE Dominic Spill Kate Temkin @dominicgs @ktemkin Major projects: Major projects: FaceDancer HackRF GreatFET

  1. OPENING CLOSED SYSTEMS WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & DOMINIC SPILL

  2. WHO WE ARE Dominic Spill Kate Temkin @dominicgs @ktemkin Major projects: Major projects: • FaceDancer • HackRF • GreatFET • GreatFET

  3. PEOPLE SMARTER THAN US • Micah Elizabeth Scott (@scanlime) • Colin O’Flynn (@colinoflynn) • Most of the people in this room! PEOPLE WHO GIVE US MONEY • Great Scott Gadgets [thanks, Mike!]

  5. INTEL 8051-DERIVATIVE MICROCONTROLLER • Serial bootloader in ROM • No debug or ISP port • Readout disabled

  6. FLIR TG-165 THERMAL CAMERA

  11. SECURITY BY NOT MAKING ASSUMPTIONS (my_stack_memory, user_input);

  12. SECURITY BY NOT MAKING ASSUMPTIONS …?! (my_stack_memory, user_input);

  13. SOURCE: COLIN O’FLYNN, CHIPWHISPERER WIKI (MODIFIED) ‘Increment’ PC Parallel Execution Paths Decide if Branch Fetch Instruction is Taken Final Result Next PC Next PC (loaded into register) ( branch not taken) (branch taken)

  14. SOURCE: COLIN O’FLYNN, CHIPWHISPERER WIKI SOURCE: NAVI ET AL, LO LOW-PO POWER AND HIGH-PE PERFORMANCE 1-BI BIT CMOS FUL ULL ADDER R CELL

  15. PSEUDOCODE PSEUDO-EXAMPLE ; [snip] raw = (char *)items; ; compute length length = N * sizeof(items[0]); MUL R1, R11, R12 while (--length) { loop: send_byte(raw++); DEC R1, R1 ; --length } JZ finish CALL send_byte INC R2, R2 ; raw++ JMP loop finish: NOP

  16. PSEUDOCODE PSEUDO-EXAMPLE ; [snip] raw = (char *)items; ; compute length length = N * sizeof(items[0]); while (--length) { loop: send_byte(raw++); DEC R1, R1 ; --length } JZ finish CALL send_byte INC R2, R2 ; raw++ JMP loop ... time finish: NOP

  17. TARGET: DMA CONTROLLERS addr to_send +1 -1 Bus Access Hardware Transceiver

  18. CHIPWHISPERER LITE GLITCHING & SIDE-CHANNEL BOARD https://newae.com/tools/chipwhisperer/ https://github.com/newaetech/chipwhisperer

  20. GlitchKit Synchronization Stimulus Triggering Features Features Generation USB Host Simple Event Triggers Event Routing USB Device UART Triggers eMMC Device Clock Management Trigger Output (not yet complete)

  22. GlitchKit Synchronization Stimulus Triggering Features Features Generation USB Host Simple Event Triggers Event Routing USB Device UART Triggers eMMC Device Clock Management Trigger Output (not yet complete)

  23. GlitchKit Synchronization Stimulus Triggering Features Features Generation USB Host Simple Event Triggers Event Routing USB Device UART Triggers eMMC Device Clock Management Trigger Output (not yet complete)

  24. GlitchKit Synchronization Stimulus Triggering Features Features Generation USB Host Simple Event Triggers Event Routing USB Device UART Triggers eMMC Device Clock Management Trigger Output (not yet complete)

  25. MICAH ELIZABETH SCOTT (SCANLIME)’S GLITCHY FIRMWARE DESCRIPTOR GRAB http://scanlime.org/2016/10/scanlime015-glitchy-descriptor-firmware-grab/

  28. Field Value Field Value Field Value Field Value Field Value Length 256 Length 192 Length 128 Length 64 Length 0 Address 0x1000 Address 0x1040 Address 0x1080 Address 0x10C0 Address 0x1100 PID 64 bytes data IN PID 64 bytes data IN PID 64 bytes data IN PID 64 bytes data IN PID 0 bytes IN data

  29. Field Value Field Value Field Value Field Value Field Value Length 256 Length 1,321,6… Length 1,321,6… Length 1,321,6… Length 1,321,6… Address 0x1000 Address 0x1040 Address 0x1080 Address 0x10C0 Address 0x1100 PID 64 bytes data IN PID 64 bytes data IN PID 64 bytes data IN PID 64 bytes data IN PID 64 bytes data IN

  30. FACEWHISPERER USB CHIPWHISPERER TARGET http://github.com/scanlime/facewhisperer SOURCE: MICAH ELIZABETH SCOTT, IN HER FACEWHISPERER REPO

  31. SOURCE: MICAH ELIZABETH SCOTT, IN AFOREMENTIONED VIDEO

  32. EQUIVALENT GLITCHKIT CODE gf = GreatFET() gf.switch_to_external_clock() gf.glitchkit.provide_target_clock(VBUS_ENABLED); gf.glitchkit.simple.watch_for_event( 1, [('EDGE_RISING', 'J1_P7')]) gf.glitchkit.use_events_for_synchronization(COUNT_REACHED) gf.glitchkit.trigger_on_events(HOST_SETUP_TRANSFER_QUEUED) gf.glitchkit.usb.capture_control_in(request=GET_DESCRIPTOR, value=GET_DEVICE_DESCRIPTOR, length=18)

  33. WITH APOLOGIES TO MICHAEL OSSMANN

  34. GLITCH IN WITH APOLOGIES TO MICHAEL OSSMANN TO EVERYONE HIGHER-Z DECOUPLING NETWORK MEASURE OUT (SCA)

  36. LPC43XX MEMORY MAP

  38. GlitchKit Synchronization Stimulus Triggering Features Features Generation USB Host Simple Event Triggers Event Routing USB Device UART Triggers eMMC Device Clock Management Ethernet Monitor SPI Device + Host I2C Device + Host Trigger Output Ethernet Peer … more?

  39. QUESTIONS ? THANKS FOR LISTENING! JOIN US: https://github.com/glitchkit

Recommend

More recommend