How do i voltage glitch to bypass password using a custom firmware

Chinmay · June 25, 2024, 6:31am

For realism, I am going to upload a basic password code onto the target boards. However, that firmware would not contain things like trigger_high(); trigger_low(); and simpleserial_put(‘r’, 1, (uint8_t*)&passok);

how else would i be able to perform a voltage glitch?

Alex_Dewar · June 25, 2024, 2:42pm

Triggering and figuring out when you got a successful glitch can both be pretty tricky. Generally, you’ll want to look for something else you can time your glitch width, such as a reset line or some communication pins. It’s a little harder to give advice for figuring out when you’ve got a successful glitch since that varies a lot per target.

Chinmay · June 26, 2024, 5:07am

Ok i can probably continue using simpleserial_put(‘r’, 1, (uint8_t*)&passok); to see if it worked. However instead of trigger_high() and trigger_low() in the firmware itself, I would like to trigger the voltage glitch using the cw python notebook. I’ve found some examples using scope.glitch.manual_trigger(). Here’s the full cw code:
import chipwhisperer as cw

cw.set_all_log_levels(cw.logging.CRITICAL)

SCOPETYPE = ‘OPENADC’
PLATFORM = ‘CWLITEXMEGA’

scope = cw.scope()

We adjust the clock to fit with the ATMega 328p frequency.

scope.clock.clkgen_freq = 8E6

Set clock to internal chipwhisperer clock

scope.glitch.clk_src = “clkgen”

#“enable_only” - insert a glitch for an entire clock cycle based on the clock of the CW (here at 8MHz so 0,125 micro seconds)
scope.glitch.output = “enable_only”

Enable Low power and High power transistors.

scope.io.glitch_lp = True
scope.io.glitch_hp = True

LP provides a faster response, so sharper glitches. HP can provide better results for targets that have strong power supplies or decoupling capacitors that ca not be removed.

scope.io.vglitch_reset() #it simply sets scope.io.glitch_hp/lp to False, waits delay seconds, then returns to their original settings. In short, reset the glitching module.

How many times the glitch is repeated

scope.glitch.repeat = 1

Send the glitch

scope.glitch.manual_trigger()

scope.dis()
Any better ways?

Alex_Dewar · June 26, 2024, 4:11pm

It’s hard to say without knowing exactly what you want to glitch, but I wouldn’t recommend manual_trigger() if you need any sort of precise timing.

Chinmay · June 27, 2024, 4:23am

I would like to voltage glitch the same firmware simpleserial-glitch.c used for password bypass in the tutorial SOLN_Fault 2_2 - Voltage Glitching to Bypass Password. The only difference being I want to trigger the glitch outside the firmware (for it to be more realistic). Therefore, I’m removing the lines trigger_high() and trigger_low(). So I’m trying the do the same using the cw jupyter notebook code. scope.arm()
scope.glitch.manual_trigger()
target.simpleserial_write(“p”, bytearray([0]*5))
ret = scope.capture()

This doesn’t seem to work though.
Any better way to trigger the glitch outside the firmware? Imagine as if I’m trying to glitch something running on a board not part of the cw lite kit.

Alex_Dewar · June 27, 2024, 12:22pm

Currently you’re trying to glitch before the target does the operation you want. You really do need to figure out a trigger for these sorts of things, a manual trigger wont’ be sufficient. I’d recommend using an IO line in this case.