Hello,
I have been experimenting with voltage glitching, I have tested on practice targets with a constant loop to glitch out of & on public products with documented fault injection vulnerabilities, which I have been able to successfully glitch. I am now interested in identification of glitch parameters for situations such as debug protection. This can be separated into two main investigations 1.) Glitch width 2.) Glitch delay. The width identification process seems straight forward, write testcode in a loop, continually glitch and adjust width until you see the loop value change. Now where I would like more information is identification of the point where to apply this glitch, take the NRF52 for example, a successful glitch can occur at around 5000 microseconds after triggering at high, with a width of around 10 microseconds. I can test this and successfully glitch. But how is this point identified, I would love a list of methods that are leveraged in identifying glitch points for things such as debug port locking. For example, I watched a talk some time ago (which I now unfortunately am unable to find, if anyone knows what I am referring to, please post link) where the speaker talked about loading the firmware onto the target device then setting a breakpoint in the code where the lock value was copied in memory, on the oscilloscope, this breakpoint caused an obvious flatline indicating where to glitch. Another technique I have seen is glitching from bootup onward in a range and just hoping for success - which seems inefficient. I am looking for more methods to identify these points. Thank you!