SLIDE 1
OPENING CLOSED SYSTEMS
34TH CHAOS COMMUNICATION CONGRESS
WITH GLITCHKIT
KATE TEMKIN & DOMINIC SPILL
WHO WE ARE
Kate Temkin @ktemkin Major projects:
- FaceDancer
- GreatFET
Dominic Spill @dominicgs Major projects:
- HackRF
- GreatFET
WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & - - PowerPoint PPT Presentation
WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & - - PowerPoint PPT Presentation
OPENING CLOSED SYSTEMS WITH GLITCHKIT 34TH CHAOS COMMUNICATION CONGRESS KATE TEMKIN & DOMINIC SPILL WHO WE ARE Dominic Spill Kate Temkin @dominicgs @ktemkin Major projects: Major projects: FaceDancer HackRF GreatFET
SLIDE 2
SLIDE 3
PEOPLE SMARTER THAN US
- Micah Elizabeth Scott (@scanlime)
- Colin O’Flynn (@colinoflynn)
- Most of the people in this room!
PEOPLE WHO GIVE US MONEY
- Great Scott Gadgets [thanks, Mike!]
SLIDE 4
SLIDE 5
INTEL 8051-DERIVATIVE MICROCONTROLLER
- Serial bootloader in ROM
- No debug or ISP port
- Readout disabled
SLIDE 6
FLIR TG-165 THERMAL CAMERA
SLIDE 7
SLIDE 8
SLIDE 9
SLIDE 10
SLIDE 11
SECURITY BY NOT MAKING ASSUMPTIONS
(my_stack_memory, user_input);
SLIDE 12
SECURITY BY NOT MAKING ASSUMPTIONS …?!
(my_stack_memory, user_input);
SLIDE 13
SOURCE: COLIN O’FLYNN, CHIPWHISPERER WIKI
(MODIFIED)
‘Increment’ PC Fetch Instruction Decide if Branch is Taken Next PC (branch not taken) Next PC (branch taken) Parallel Execution Paths Final Result (loaded into register)
SLIDE 14
SOURCE: COLIN O’FLYNN, CHIPWHISPERER WIKI
SOURCE: NAVI ET AL, LO LOW-PO POWER AND HIGH-PE PERFORMANCE 1-BI BIT CMOS FUL ULL ADDER R CELL
SLIDE 15
PSEUDOCODE PSEUDO-EXAMPLE
raw = (char *)items; length = N * sizeof(items[0]); while (--length) { send_byte(raw++); }
; [snip] ; compute length
MUL R1, R11, R12 loop: DEC R1, R1 ; --length JZ finish CALL send_byte INC R2, R2 ; raw++ JMP loop finish: NOP
SLIDE 16
PSEUDOCODE PSEUDO-EXAMPLE
raw = (char *)items; length = N * sizeof(items[0]); while (--length) { send_byte(raw++); }
; [snip] ; compute length
loop: DEC R1, R1 ; --length JZ finish CALL send_byte INC R2, R2 ; raw++ JMP loop finish: NOP
...
time
SLIDE 17
TARGET: DMA CONTROLLERS
+1
- 1
to_send addr
Bus Access Hardware Transceiver
SLIDE 18
CHIPWHISPERER LITE GLITCHING & SIDE-CHANNEL BOARD
https://newae.com/tools/chipwhisperer/ https://github.com/newaetech/chipwhisperer
SLIDE 19
SLIDE 20
Synchronization Features Stimulus Generation Triggering Features
GlitchKit
Event Routing Clock Management USB Host eMMC Device (not yet complete) USB Device Simple Event Triggers UART Triggers Trigger Output
SLIDE 21
SLIDE 22
Synchronization Features Stimulus Generation Triggering Features
GlitchKit
Event Routing Clock Management USB Host eMMC Device (not yet complete) USB Device Simple Event Triggers UART Triggers Trigger Output
SLIDE 23
Synchronization Features Stimulus Generation Triggering Features
GlitchKit
Event Routing Clock Management USB Host eMMC Device (not yet complete) USB Device Simple Event Triggers UART Triggers Trigger Output
SLIDE 24
Synchronization Features Stimulus Generation Triggering Features
GlitchKit
Event Routing Clock Management USB Host eMMC Device (not yet complete) USB Device Simple Event Triggers UART Triggers Trigger Output
SLIDE 25
MICAH ELIZABETH SCOTT (SCANLIME)’S
GLITCHY FIRMWARE DESCRIPTOR GRAB
http://scanlime.org/2016/10/scanlime015-glitchy-descriptor-firmware-grab/
SLIDE 26
SLIDE 27
SLIDE 28
Field Value Length 256 Address 0x1000 Field Value Length 192 Address 0x1040 Field Value Length 128 Address 0x1080 Field Value Length 64 Address 0x10C0 Field Value Length Address 0x1100
PID IN 64 bytes data PID IN 64 bytes data PID IN 64 bytes data PID IN 64 bytes data PID IN 0 bytes data
SLIDE 29
Field Value Length 256 Address 0x1000 Field Value Length 1,321,6… Address 0x1040 Field Value Length 1,321,6… Address 0x1080 Field Value Length 1,321,6… Address 0x10C0 Field Value Length 1,321,6… Address 0x1100
PID IN 64 bytes data PID IN 64 bytes data PID IN 64 bytes data PID IN 64 bytes data PID IN 64 bytes data
SLIDE 30
FACEWHISPERER USB CHIPWHISPERER TARGET
http://github.com/scanlime/facewhisperer
SOURCE: MICAH ELIZABETH SCOTT, IN HER FACEWHISPERER REPO
SLIDE 31
SOURCE: MICAH ELIZABETH SCOTT, IN AFOREMENTIONED VIDEO
SLIDE 32
EQUIVALENT GLITCHKIT CODE
gf = GreatFET() gf.switch_to_external_clock() gf.glitchkit.provide_target_clock(VBUS_ENABLED); gf.glitchkit.simple.watch_for_event( 1, [('EDGE_RISING', 'J1_P7')]) gf.glitchkit.use_events_for_synchronization(COUNT_REACHED) gf.glitchkit.trigger_on_events(HOST_SETUP_TRANSFER_QUEUED) gf.glitchkit.usb.capture_control_in(request=GET_DESCRIPTOR, value=GET_DEVICE_DESCRIPTOR, length=18)
SLIDE 33
WITH APOLOGIES TO MICHAEL OSSMANN
SLIDE 34
WITH APOLOGIES TO MICHAEL OSSMANN
TO EVERYONE
GLITCH IN MEASURE OUT (SCA)
HIGHER-Z DECOUPLING NETWORK
SLIDE 35
SLIDE 36
LPC43XX
MEMORY MAP
SLIDE 37
SLIDE 38
Synchronization Features Stimulus Generation Triggering Features
GlitchKit
Event Routing Clock Management USB Host eMMC Device USB Device Simple Event Triggers UART Triggers Trigger Output SPI Device + Host I2C Device + Host … more? Ethernet Peer Ethernet Monitor
SLIDE 39
THANKS FOR LISTENING!
QUESTIONS?
JOIN US: https://github.com/glitchkit