I am currently attempting to see if it would be possible to use a voltage fault injection attack on the Atmega328p. The difference is that I am not interested at this point in glitching a vulnerable program, I have already done this using the provided tutorials along with the notduino board.
Instead, I would like to see if it is possible to glitch the security and lock bits on the chip. The goal would be a firmware dump from a chip with read/write protections on it. I could find no information on doing this kind of attack on the Atmega328p.
I am using the Chipwhisperer lite with the Notduino board. Currently I am attempting to glitch in the first 10 microseconds after the nRESET pin goes high with a width of -45 to -41 with a repeat of 3. This seems to be the most likely time range for the lock bit read. From what I can tell, there is a place in the Non Volatile Memory space that stores the various lock bits and other setting bits. This is read to memory after the internal 8MHz RC clock starts up (I’m giving that about 6 microseconds). The values are then read to physical switches on the die itself that control the various settings. I want to corrupt the reading of the bit settings from the NVM to the latches to bypass the security settings. We are using the Chipwhisperer to supply a 7.37MHz clock, but from the datasheet I can tell that for the initial hardware setup it is using the internal 8MHz RC clock.
I’m a bit out of my depth here, so any ideas and info about how to go about this or what I might be able to try to increase the odds of success to a more reasonable level would be helpful. If I need to provide any additional information let me know. I’m not even sure if this is a feasible attack to do in the first place.
Thanks for the help.