Brownout VCC Glitching on External Targets

Embedded Security Glitching
1

Hey all,
I’m ramping up on voltage glitching, and had some questions about how to wire up target boards for a brown-out voltage glitching attack. Most sources I’ve found mention that you should remove decoupling caps to reduce the capacitance available on the board for a more effective glitch, then wire the ChipWhisperer glitch line to the voltage in line of the target board.

One modification I see recommended often when performing a brownout attack is cutting a trace from the power supply pin of the target chip. (https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf Slide 28)

What would be the purpose of this? How would the chip continue to receive power if this trace is cut? As far as I understand, the CW glitch line does not provide power to the board.

Thanks in advance, having a great time learning!

2

Hi, you’re right that CW glitch doesn’t power the target; its role is to short the target VCC to ground, as illustrated here:

image

I think what’s meant by the BH slide is that by cutting the power trace on the board, you can fully control the target VCC. What’s implied is that you need to supply it :slight_smile:.

Here are a couple of real-world target VCC glitching examples that you might find useful:

  1. The RPi example at the end of Tutorial A3.
  2. Dmitry Nedospasov’s bootloader bypass attack.

Hope this helps,
Jean-Pierre

1 Like