Hi,
I managed to get through all the steps OK. So now I’m trying to learn the theory and the approach part.
It mentions to vary things until “an interesting” region is found. How do I know it’s interesting? What output indicates the glitch attack did something? What I’m really asking about is what is the approach in the exploratory phase to zoom in an area of interest? What’s the thought process.
Thanks,
Michael
Hi Michael,
Your three primary goals with this lab are to:
- Use clock glitching to mess up the calculation being run on the device
- Detect when this happens
- Find sets of glitch settings that cause clock glitching successes
The first objective you’re trying to complete by just inserting glitches with various settings.
For the second, try considering three cases.
First, what happens if you insert a glitch and it has no effect (aka a “normal” result)?
Answer
The target will send you the correct result of the calculation (2500 as a hex string, IIRC ['9C, '04', '00', '00']
)
Second, what happens if you insert a glitch and it messes up the calculation (aka a “success” result)?
Answer
The target will send you the incorrect result (maybe 2501 as a hex string instead). This is the “interesting” result you’re looking for.
Finally, what happens if you insert a glitch and it has an effect, but not the one you wanted (called a “reset” result)?
Answer
This one is a bit trickier, as a lot of different things can technically happen, but most likely the target will either crash or reset, meaning you won’t receive anything back.
Regarding the zooming part of your question, glitching has various parameters you can vary, usually width, offset, and ext_offset. Searching exhaustively through these settings can take a very long time, so it makes sense to start with a coarse search, narrowing that down until you find something. Often, successful settings are close to each other (aka “interesting regions”) so, to help with the third objective, it makes sense to do a fine search around where you found successes.
Hope that helps,
Alex
Hi Alex,
Thanks, yes this clarifies things. I’ll play around with it having this in mind.
Michael