Hello,
I want to mount a clock glitch attack against a signing scheme using the cw308 and STM32F4.
I have two questions:
1- In my file glitch_simpleserial.c I called the signing function. Let's call it "f". I want to inject the fault to skip an instruction that is executed during the signing but does not exist in the main file, i.e., "f" calls a function "g", and "g" calls another function "h". The instruction to be skipped is in the function "h". How should I place the trigger_high() and trigger_low()? Or should I have all the code in the same file?
2- My second question is: how can I specify the range of the offset and offset_ext, and the width? And does glitch.repeat increase the success probability of the glitch?
I would put the trigger_high() in h, near the instruction you want to glitch. Use ext_offset to bridge the gap between the trigger and the target instruction.
For the rest of the glitch parameters, I would first run one of our glitch tutorials on this same target, to more easily find successful glitch parameters. Use these parameters as a starting point for attacking your own firmware.
Thanks Jean-Pierre,
Does it help if I take the address from the assembly file and put it in offset?
To be honest, I succeeded in running the tutorials, but my code is huge compared to the code there. And I have a feeling that my offset is very far from the correct one.
Why don't you put trigger_high() immediately before the target instruction?
Then you know that the target instructions are being executed very soon after the trigger goes high.
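An added example of the trigger placement both replies recommend (it is not code from the thread or from the ChipWhisperer project). It models the question's call chain f() -> g() -> h(), with the instruction to be glitched inside h(): trigger_high() goes immediately before the target compare and trigger_low() immediately after it, so ext_offset only has to bridge a few cycles rather than the whole body of f(). The "signing" step is a constructed toy tag, since the real scheme is not on the page; on the CW308/STM32F4 target trigger_high()/trigger_low() come from the ChipWhisperer HAL (hal.h), and the counting stand-ins below exist only so the file builds and runs on a host PC.

```c
/* Added example, not from the forum thread or the ChipWhisperer project.
 * Models the question's call chain f() -> g() -> h() and shows where the
 * replies say the trigger should go: tight around the target instruction
 * inside h(), not around the call to f() in the simpleserial handler. */
#include <stdint.h>
#include <stdio.h>

/* Host-side stand-ins for the HAL trigger functions (hal.h on the target).
 * They only count edges so the example runs without the hardware. */
static volatile unsigned trigger_rises = 0;
static volatile unsigned trigger_falls = 0;
static void trigger_high(void) { trigger_rises++; }
static void trigger_low(void)  { trigger_falls++; }

/* Constructed toy "signature" tag; stands in for the real signing scheme,
 * which the page does not describe. FNV-style mixing, nothing more. */
static uint32_t toy_tag(const uint8_t *msg, unsigned len)
{
    uint32_t t = 0x12345678u;
    for (unsigned i = 0; i < len; i++)
        t = (t ^ msg[i]) * 0x01000193u;
    return t;
}

/* h(): innermost function holding the target instruction. The operand is
 * kept volatile so the compiler cannot fold or hoist the compare, which
 * would silently move the target away from the trigger edge. */
static int h(uint32_t computed, uint32_t expected)
{
    volatile uint32_t diff = computed ^ expected;
    int ok;

    trigger_high();      /* rises right before the target instruction   */
    ok = (diff == 0);    /* <-- target compare/branch to be glitched     */
    trigger_low();       /* falls right after: window is a few cycles,   */
                         /* so ext_offset stays small and easy to sweep  */
    return ok;
}

static int g(const uint8_t *msg, unsigned len, uint32_t expected)
{
    return h(toy_tag(msg, len), expected);
}

/* f(): the function the simpleserial command handler calls. Returns 1 when
 * the tag matches, 0 otherwise; a glitch that skips the compare in h()
 * shows up as a wrong tag being accepted. */
int f(const uint8_t *msg, unsigned len, uint32_t expected)
{
    return g(msg, len, expected);
}

/* Stand-alone run on a host: one good tag, one corrupted tag. */
int main(void)
{
    const uint8_t msg[] = { 'a', 'b', 'c' };
    uint32_t good = toy_tag(msg, sizeof msg);

    printf("good tag accepted: %d\n", f(msg, sizeof msg, good));
    printf("bad tag accepted:  %d\n", f(msg, sizeof msg, good ^ 1u));
    printf("trigger rises=%u falls=%u\n", trigger_rises, trigger_falls);
    return 0;
}
```

Two things to check after building for the target: confirm in the disassembly that the compare really sits between the two trigger writes (optimisation can reorder it otherwise), and make sure h() raises the trigger exactly once per simpleserial command, because a trigger that pulses several times per run makes ext_offset ambiguous.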