[00:00:00] Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/329 Thanks!

[00:00:09] Because in the keynote it was said that we should go to talks where we have no clue what the title or the description of the talk means, I thought I could use that as an excuse to do the Herald job for this, sir. And this guy will talk about reverse engineering of chips, of ICs, integrated circuits, in a nondestructive but rather complex way of doing electrical stuff that's not in the data sheets, rather randomly at times. The priest who should give us this introduction into this type of voodoo magic is... let's be excited about exide.

[00:01:01] All right, so thanks, everyone, for coming out here. So the title of this talk is "Glitching for n00bs: A Journey to Coax Out Chips' Inner Secrets".
[00:01:11] So basically, over the last couple of years I've got interested in the topic of glitching and have been trying a whole bunch of different experiments, trying to learn for myself what it was all about. So this will be a kind of chronological summary of what I've been up to in the last couple of years and what my findings have been.

[00:01:37] So just the quick agenda for the talk: a quick intro; background, which is kind of the classroom learning about what glitching is; platforms, which is some of the various hardware platforms I've come up with in the last couple of years. Some of them were epic failures, some of them actually seemed to work.
[00:02:00] So it'll be an explanation of the pros and cons. "Example" will be a real world example of a secure microcontroller that I was able to basically get some glitching results out of, and maybe some food for thought, some thoughts that you guys could carry forward in how you could approach some of your own chips. And then finally, a Q&A section.

[00:02:26] So, intro about me. I'm an IT monkey, or a consultant, by day and I consider myself a hardware hacker by night. So some of my interests are designing and reversing embedded systems, IC security and failure analysis, arcade platforms and automotive stuff. Anything electrical or mechanical or whatever is pretty cool to me. And my contact info you can see there is just my exide31337 at Yahoo.com email.

[00:02:59] So let's go into the background section, the classroom section. So what is glitching? So a glitch, and this is not necessarily electrical...
[00:03:07] Right now the definition would be a transient which can induce alteration in a device's operation. So a glitch is something that can mess up a device's normal operation. For this talk we'll talk about electrical glitches specifically, and specifically clock glitching and voltage or power glitching. And there are other variants like laser, thermal, radioactive, but I'm not enough of an expert in those topics to give them a good speech.

[00:03:35] So if we focus on the right hand side, there are noninvasive, semi-invasive and invasive types. So electrical glitching would be considered a form of noninvasive attack on a device. So this doesn't permanently alter the device's package, the physical epoxy block part of the chip. It doesn't permanently alter operation of the device.
[00:04:00] So when you remove the glitching stimulus, or you stop glitching, it should work normally again. And it's repeatable, which means you can start glitching, stop, go away for a little while, come back and do it again, and it's not going to harm the device and you can keep repeating it. It's also surreptitious, which means there's no milling or drilling or etching or things of that nature. So it shouldn't look like you actually did anything to the chip physically; it should just look normal. And another characteristic that's fairly important is that noninvasive attacks are usually cheap. So you don't need an expensive lab, and you usually don't need things like specialized microscopes or other expensive tools.
[00:04:43] And the kind of drawback to the noninvasive attack is that any background details you have beforehand are very helpful, because they'll help to narrow the scope and what strategy you want to use when you're trying to glitch, rather than a completely black box device where you have no idea where to start. You could take many wrong turns. So any information you have beforehand would be quite helpful.

[00:05:10] So some examples of noninvasive attacks. There's three umbrellas. One umbrella would be fault injection, which would include clock glitching, voltage glitching. You can do thermal glitching, which is kind of where you're trying to affect the junction temperature of transistors. But really, from a noninvasive standpoint, you're either trying to heat up an individual pin or try and heat up the whole chip package all at once, and it's not really precise. So I'm not sure if a lot of beneficial effects could come from the thermal side.
[00:05:44] There's also radiation, radioactive glitching. So if you just happen to have a source of x-rays, gamma rays, alpha particles or neutrons walking around in your pocket, you may be able to sit those near the chip and get it to flip bits of memory, or cause the CPU to latch an invalid instruction or something like that.

[00:06:07] So the next umbrella is kind of side channels. So there's power analysis, where you're basically studying the current consumption or power consumption of the chip, which can leak operations being performed, can reveal things like crypto round keys or kind of intermediate keys that could be used to derive a full break on the encryption. And it can also provide an indicator of where the CPU is in its instruction execution of the overall program.
[00:06:41] Then there's timing attacks, which is simply trying to exploit the fact that conditional branches, when you're checking for a password or something else, might stop when you find the first incorrect character, and it'll stop a lot faster than if it went through all the correct characters. So you'd be able to exploit the difference in timing to know if your guess at a secret password is correct or not. Data remanence, that's pretty much like your cold boot type attacks, or if you do a reset or power up the device and it doesn't wipe its memory, then there might be secrets still in memory.

[00:07:20] And then finally, the third umbrella is software. So this could be simple code vulnerabilities. The authors of the secure device may not actually be that versed in secure coding practices, so there may be vulnerabilities just sitting around, like buffer overflow, stack overflow and things like that. Brute forcing.
[00:07:39] So you could simply try brute forcing, if the key strength is small enough, the secret that gains you access to restricted memory areas, code protection. You might try brute forcing a crypto key, but if it's a relatively modern implementation it's probably not going to work for you. And then finally the back doors, which could be undocumented instructions in the CPU core, could be debug interfaces, JTAG, a UART hanging off the device somewhere, I²C, SPI, stuff like that. So those can be some of the more low hanging fruit, but may or may not be present.

[00:08:22] So the second major class of attack is semi-invasive. So this is where you are altering the package of the device. So you might decap, so you might etch away the epoxy packaging of the chip, or you might mill the chip from the top or the bottom to gain better access to the actual die sitting inside the chip package.
[00:08:44] It doesn't permanently alter the device operations. So again, you'll be able to apply or remove some sort of glitching stimulus to the chip, and when you're done glitching it should operate normally. Again, it's repeatable, unless you're doing laser glitching where you leave the laser on too long and you burn up something that you didn't want to. It's more expensive, so now you may need things like lasers, microscopes, chemicals, an SEM. And this class of attack may be beyond a single person's budget, so it depends how well-funded you are or not. And then this kind of attack can provide background details rather than require them. So you'll be able to help narrow the scope and strategy potentially for your noninvasive glitching attack and get a basic floor plan of the chip, for example, if you've got an optical microscope or something like that.
[00:09:41] So some semi-invasive examples. Glitching: you can still glitch semi-invasively. So now you've got access to the chip's surface in some way, so you can use things like laser, flash, like a camera flash, high intensity light, and thermal glitching, where now you might be able to direct a source of heat at a more precise area, but it's still probably going to be fairly unreliable all around. You'll end up altering bits or transistor gates in a larger area.

[00:10:16] So another type of example is laser scanning. So you can do it with the device being unpowered or powered. And so when it's unpowered, you basically have an optical beam inducing a current flow in the chip, which will change the current signature, like the power consumption signature.
[00:10:33] And then if the device is powered on, your optical beam can cause a measurable voltage change in the output of the transistor or the bus that the transistor is connected to. So it may be possible to do things like read out memory a bit at a time by watching the current consumption and then sweeping the beam across the different rows or columns of a memory, for example.

[00:11:00] And then finally, you can do imaging attacks, either from the front of the chip or the back of the chip, where you mill away the back material. You can do visible wavelengths versus infrared, and you can do things like using optical microscopes versus electron or ion beam based workstations. And this will allow you to get the floor plan of the structures and features of the chip a lot more precisely. So things like ROM, RAM, flash, E squared, configuration, security fuses, things like that.
[00:11:34] So now the highest notch, the most complicated type of attack, is the invasive attack. So this is where you not only have the decapsulation and milling of the semi-invasive, but now you also have die alteration itself, so the actual little chip part of the microchip. And you can render the device nonfunctional with this process. For example, if you're trying to image the device layer by layer, obviously you're removing, you're etching away material. So once that layer's gone, it's gone for good. So you'll want to have many samples available so that you can image the device like that.
[00:12:14] However, if you don't want to do that but you want to have access to the surface of the chip, for example, and depending if you've got access to a FIB workstation where the device input pins, like voltage, ground, clock, et cetera, are outside the vacuum chamber or outside the chuck, you can actually power the device up and run it while you're making modifications to it. So like I said, most of these techniques are one time, especially the delayering process, whereas the FIB workstation can allow you to create edits, undo edits, and so you can go back and forth. So this class of attack can be very costly. So whereas the decapsulation and the readouts, the imaging of the chip, can be somewhat reasonable, actually being able to edit the chip can be very prohibitive, depending on if you have access to the equipment or kind of an hourly rate to get on the equipment.
[00:13:12] And then finally, this class of attack will pretty much provide you with complete background details, so you can use all the floor plan data. You can actually force certain transistors or busses on circuit nets on and off and actually get a good idea of how the device operates. And then you can feed this information back into the semi-invasive and noninvasive attacks to make them a lot easier, because you know where on the chip to target.

[00:13:41] So as I mentioned previously, some examples of invasive are decapsulation, so taking the chip out of the package; delayering the actual die; you could do a memory readout, which, if the circuit has ROM for example, you'd need to get through all the layers, all the metal layers, down to the very first metal layer, and then that's where the actual ROM transistors are formed. You can do circuit edit.
[00:14:04] So etching, where you're removing material from the die in certain areas; deposition, where you're using something like platinum or tungsten to deposit conductive material on the surface, so you actually create a conductive path; wire bonding, where you're actually taking a wire bonding machine and putting gold bonding wires from the die of the chip, or from areas of the chip, out to a larger, more human friendly package, like a very large DIP package where it's two rows of, you know, 10 or 20 pins or whatever, and then you can easily work with that. And then you could also purposely destroy traces or transistors at this point if they're causing some sort of functionality you don't want. And finally, you can do microprobing.
[00:14:48] So when you've got really, really tiny, for example, tungsten needles, you can actually stick them down on the surface of the chip and either listen to what's going on or drive a signal back into the core of the chip somewhere. So that kind of concludes the different classes of attacks, from the cheapest to the most expensive.

[00:15:11] So back to electrical glitching. So how do you actually... where do you get started? How do you generate glitches? So when you're making these glitch pulses that you're sending into the chip, either on the clock lines or the power lines of the chip, here's four methods that I basically came up with. And some of you guys are probably really smart and can think of other ideas, but these are the ones that I could think of: a simple clock divider; phase locked loop.
[00:15:39] If your device, in this example, had an FPGA with a PLL, use that. PWM, pulse width modulation, where you've got multiple PWM'd signals that differ from each other. And then polyphase, where you've got three signals that differ from each other in their phase.

[00:15:57] So the first, the divider example, this one's the simplest, where you literally take as many flip flops as you want, and every time you go through a D flip flop you basically divide the original input signal by two, when you feed the output of the flip flop back to the input. So you go from 48 divided by two down to 24, divide by two again down to 12. And so now what you do is you have this multiplexer where you feed it the slow 12 MHz signal and the original system clock, the 48 MHz signal for example, and you run the device through most of its lifetime on the slow signal, and then you toggle the glitch select line down here at the moment you want a glitch. And then all of a sudden you'll get some 48 MHz pulses, a pulse train, instead of the slower 12 MHz in this case. And you can use this directly as the clock signal to the input of the device, or you can use it to get the switching of the voltage from a high value to a value that's known to cause the device issues, so it's flexible and can be used either way.

[00:17:10] So this is what the waveform would kind of look like. Here's, let's say, a single speed clock and here's a double speed clock. And then when you bring your select line high, which is the select line on this multiplexer down here, then all of a sudden you will switch the actual waveform that goes to the chip from the slow to the fast. So it simply just switches between slow and fast.
498 00:17:35,650 --> 00:17:37,509 So the second method is the phase-locked 499 00:17:37,510 --> 00:17:39,819 loop, PLL. So the 500 00:17:39,820 --> 00:17:42,729 PLL uses integer 501 00:17:42,730 --> 00:17:44,529 multipliers and dividers to create an 502 00:17:44,530 --> 00:17:46,749 integer fraction, 503 00:17:46,750 --> 00:17:49,029 something over something, that can 504 00:17:49,030 --> 00:17:50,679 be used to multiply up and then divide 505 00:17:50,680 --> 00:17:52,659 down to get you many more different kinds 506 00:17:52,660 --> 00:17:54,909 of clock speeds than simply 507 00:17:54,910 --> 00:17:56,349 dividing by two each time. 508 00:17:56,350 --> 00:17:58,749 So this way you'll, for example, 509 00:17:58,750 --> 00:18:00,999 feed the PLL with the normal 510 00:18:01,000 --> 00:18:03,549 fast clock and then instead of 24 and 12, 511 00:18:03,550 --> 00:18:05,649 you also get 16 and four or 512 00:18:05,650 --> 00:18:07,329 whatever combination of speeds you want 513 00:18:07,330 --> 00:18:08,330 in between. 514 00:18:09,100 --> 00:18:11,289 Combine all those with the fast 515 00:18:11,290 --> 00:18:13,449 system clock, add a couple more select 516 00:18:13,450 --> 00:18:14,859 lines and now you've just given yourself 517 00:18:14,860 --> 00:18:16,779 more choices in terms of what speeds you 518 00:18:16,780 --> 00:18:18,549 want to play around with. So if you do 519 00:18:18,550 --> 00:18:20,409 this work up front, then 520 00:18:20,410 --> 00:18:21,410 you don't have to 521 00:18:22,600 --> 00:18:24,519 keep changing your circuitry down 522 00:18:24,520 --> 00:18:26,439 the road. It's more flexible. 523 00:18:26,440 --> 00:18:28,539 So the third method is poly-PWM.
524 00:18:28,540 --> 00:18:30,639 So this is where 525 00:18:30,640 --> 00:18:34,479 you use multiple pulse-width modulation 526 00:18:34,480 --> 00:18:36,129 blocks to generate clock signals with 527 00:18:36,130 --> 00:18:37,749 successively longer and longer duty 528 00:18:37,750 --> 00:18:39,819 cycles. So now in this case, instead of 529 00:18:39,820 --> 00:18:41,949 changing the frequency, we just keep 530 00:18:41,950 --> 00:18:44,259 our system clock at 12, 12, 531 00:18:44,260 --> 00:18:45,819 12, 12 all the way through these blocks. 532 00:18:45,820 --> 00:18:47,379 But now we have a 50 percent duty cycle, 533 00:18:47,380 --> 00:18:49,479 and 50 percent 534 00:18:49,480 --> 00:18:51,489 duty cycle means half of the 535 00:18:51,490 --> 00:18:52,490 waveform: 536 00:18:53,410 --> 00:18:55,869 there's equal parts on and off 537 00:18:55,870 --> 00:18:57,249 in the cycle of a waveform. 538 00:18:57,250 --> 00:18:59,679 So you'll see in the picture, 70 539 00:18:59,680 --> 00:19:01,959 percent means that the waveform is on 70 540 00:19:01,960 --> 00:19:03,789 percent of the time, off 30 percent of 541 00:19:03,790 --> 00:19:05,619 the time, so the remainder between 542 00:19:05,620 --> 00:19:07,419 seventy and one hundred percent. 543 00:19:07,420 --> 00:19:09,139 And then the third one is eighty-five 544 00:19:09,140 --> 00:19:10,599 percent. 545 00:19:10,600 --> 00:19:12,219 And then what you do is you feed this 546 00:19:12,220 --> 00:19:14,439 into an XOR gate and 547 00:19:14,440 --> 00:19:15,759 then the output of that you couple with 548 00:19:15,760 --> 00:19:17,469 one more XOR. So it's basically like 549 00:19:17,470 --> 00:19:19,059 you're XORing the two signals 550 00:19:19,060 --> 00:19:20,799 and then XORing in the third signal 551 00:19:20,800 --> 00:19:23,319 with it, and then that'll get you 552 00:19:23,320 --> 00:19:24,039 a glitch pulse.
553 00:19:24,040 --> 00:19:25,839 And then again you just take your select 554 00:19:25,840 --> 00:19:28,179 line to go between the original 555 00:19:28,180 --> 00:19:30,459 clock and then the 556 00:19:30,460 --> 00:19:31,689 shorter pulse. 557 00:19:31,690 --> 00:19:33,099 And here's kind of 558 00:19:34,120 --> 00:19:36,339 how the pulse, 559 00:19:36,340 --> 00:19:37,629 the short pulse, gets generated. 560 00:19:37,630 --> 00:19:39,479 So again, the frequency is the same. 561 00:19:39,480 --> 00:19:40,509 The phase is fixed. 562 00:19:40,510 --> 00:19:41,679 So these things are locked. 563 00:19:41,680 --> 00:19:43,779 If you look here right in the 564 00:19:43,780 --> 00:19:45,879 middle, those lines all start at the same 565 00:19:45,880 --> 00:19:47,679 time. So the phases are all locked 566 00:19:47,680 --> 00:19:48,680 with each other. 567 00:19:49,450 --> 00:19:51,759 However, when you 568 00:19:51,760 --> 00:19:54,219 change the duty cycle, 569 00:19:54,220 --> 00:19:56,769 you'll see that the 60 percent wave 570 00:19:56,770 --> 00:19:58,539 is on a little bit longer than the 50 571 00:19:58,540 --> 00:20:00,249 percent and the 70 percent is longer than 572 00:20:00,250 --> 00:20:02,259 both of them. It's kind of like a 573 00:20:02,260 --> 00:20:03,819 staircase effect. 574 00:20:03,820 --> 00:20:06,069 And so what happens is when you run 575 00:20:06,070 --> 00:20:08,559 these through those two XOR gates, 576 00:20:08,560 --> 00:20:10,089 the difference between 577 00:20:11,860 --> 00:20:14,589 the first and the second 578 00:20:14,590 --> 00:20:16,749 pulse gives you when you want the pulse 579 00:20:16,750 --> 00:20:18,969 to start. So that's right.
580 00:20:18,970 --> 00:20:21,069 This left side of it right here is 581 00:20:21,070 --> 00:20:23,889 when you want it to start, in 582 00:20:23,890 --> 00:20:26,619 horizontal relation to 583 00:20:26,620 --> 00:20:28,749 the end part of the pulse, and then this 584 00:20:28,750 --> 00:20:30,849 third duty cycle, with 585 00:20:30,850 --> 00:20:32,289 the difference between the third and the 586 00:20:32,290 --> 00:20:32,719 second, 587 00:20:32,720 --> 00:20:34,569 so the 70 percent and the 60 percent, gives 588 00:20:34,570 --> 00:20:36,669 you how long you want the actual pulse 589 00:20:36,670 --> 00:20:39,129 to last for, how long you want it on for. 590 00:20:39,130 --> 00:20:41,889 So this is actually a pretty flexible 591 00:20:41,890 --> 00:20:44,079 method and you don't need PLL hardware 592 00:20:44,080 --> 00:20:46,329 in your device if you want to be able to 593 00:20:46,330 --> 00:20:48,069 generate these waveforms. 594 00:20:48,070 --> 00:20:50,229 And so basically you get one 595 00:20:50,230 --> 00:20:51,640 pulse of it, whereas the 596 00:20:52,720 --> 00:20:54,309 kind of the fourth method that I 597 00:20:54,310 --> 00:20:56,229 can think of was poly-phase, so 598 00:20:56,230 --> 00:20:57,489 multiphase. 599 00:20:57,490 --> 00:20:59,349 And this is where you generate multiple 600 00:20:59,350 --> 00:21:01,389 waveforms, but each one is phase shifted 601 00:21:01,390 --> 00:21:03,639 from the previous waveform 602 00:21:03,640 --> 00:21:06,189 by so many degrees. 603 00:21:06,190 --> 00:21:07,989 So again, the frequency is 604 00:21:07,990 --> 00:21:10,119 the same 12 megahertz, 12, 12, 12. 605 00:21:10,120 --> 00:21:11,349 So it's all 12.
606 00:21:11,350 --> 00:21:12,999 But now you're shifting the actual 607 00:21:13,000 --> 00:21:15,309 relation of the second and third waves 608 00:21:15,310 --> 00:21:18,009 to the first wave and 609 00:21:18,010 --> 00:21:20,199 again, selecting when you want the 610 00:21:20,200 --> 00:21:22,509 normal clock versus the glitch clock. 611 00:21:23,830 --> 00:21:26,199 So now the only real difference is 612 00:21:26,200 --> 00:21:28,389 now the waves, the on-time 613 00:21:28,390 --> 00:21:30,309 duration, for example, right here, is the 614 00:21:30,310 --> 00:21:32,259 same in all three waves. 615 00:21:32,260 --> 00:21:34,869 So it's not different like last time, but 616 00:21:34,870 --> 00:21:35,979 the waves are offset. 617 00:21:37,180 --> 00:21:39,489 Their beginning, when they start, 618 00:21:39,490 --> 00:21:40,839 is further and further ahead of each 619 00:21:40,840 --> 00:21:41,469 other. 620 00:21:41,470 --> 00:21:43,749 And effectively what it does is it gives 621 00:21:43,750 --> 00:21:45,489 you a glitch pulse on the leading, the 622 00:21:45,490 --> 00:21:47,769 beginning, edge and the trailing, the 623 00:21:47,770 --> 00:21:49,989 end, edge of the waveform. 624 00:21:49,990 --> 00:21:52,239 So you get twice as many pulses as 625 00:21:52,240 --> 00:21:53,829 you did with the poly-PWM. 626 00:21:53,830 --> 00:21:55,749 So do you need it or not? 627 00:21:55,750 --> 00:21:57,069 It all depends on your application. 628 00:21:57,070 --> 00:21:58,899 It may help you to be able to generate 629 00:21:58,900 --> 00:22:01,839 them more quickly or more often, but 630 00:22:01,840 --> 00:22:04,259 it's just another way 631 00:22:04,260 --> 00:22:06,549 to do that. So a quick aside, 632 00:22:06,550 --> 00:22:08,679 I'm using an Altera FPGA, so you 633 00:22:08,680 --> 00:22:09,759 don't have to worry about reading all 634 00:22:09,760 --> 00:22:10,749 this big paragraph.
635 00:22:10,750 --> 00:22:12,489 This was just an excerpt out of Altera's 636 00:22:12,490 --> 00:22:14,409 manual, for example, 637 00:22:14,410 --> 00:22:17,049 and Xilinx will be similar if the FPGA 638 00:22:17,050 --> 00:22:19,179 has a hardware PLL, 639 00:22:19,180 --> 00:22:20,859 on how you're able to do this. 640 00:22:20,860 --> 00:22:22,449 These are the steps for how to instruct the 641 00:22:22,450 --> 00:22:24,789 PLL that it should create phase shifts 642 00:22:24,790 --> 00:22:26,619 from its different PLL outputs, which is 643 00:22:26,620 --> 00:22:27,999 basically how I took those different 644 00:22:28,000 --> 00:22:30,519 phase-shifted outputs and created 645 00:22:30,520 --> 00:22:31,869 these waveforms. 646 00:22:31,870 --> 00:22:34,239 So then 647 00:22:34,240 --> 00:22:36,639 it's got this specific timing 648 00:22:36,640 --> 00:22:38,259 diagram where you're supposed to give it 649 00:22:38,260 --> 00:22:40,419 these: whether you want to step 650 00:22:40,420 --> 00:22:42,219 by one or more degrees, whether you want 651 00:22:42,220 --> 00:22:44,679 to step forwards or backwards, 652 00:22:44,680 --> 00:22:47,679 and phase done is just what the 653 00:22:47,680 --> 00:22:49,599 module outputs back to you when it's done 654 00:22:49,600 --> 00:22:51,909 shifting. So this was looking kind 655 00:22:51,910 --> 00:22:53,649 of complicated to get all these timings 656 00:22:53,650 --> 00:22:55,779 right, because the FPGA I was using had 657 00:22:55,780 --> 00:22:56,769 a soft CPU in it.
658 00:22:56,770 --> 00:22:58,959 So I ended up 659 00:22:58,960 --> 00:23:01,239 having to make a state machine because 660 00:23:01,240 --> 00:23:03,549 my soft CPU 661 00:23:03,550 --> 00:23:06,579 was so slow in relation to the PLL's 662 00:23:06,580 --> 00:23:08,229 ability to shift its phase that I would 663 00:23:08,230 --> 00:23:10,509 say go shift by what I think 664 00:23:10,510 --> 00:23:12,069 is one degree and it would come back like 665 00:23:12,070 --> 00:23:14,649 seven or eight degrees of shift, which, 666 00:23:14,650 --> 00:23:16,899 to be scientific 667 00:23:16,900 --> 00:23:18,369 about it, I want to go one degree at a 668 00:23:18,370 --> 00:23:20,379 time so I could see the effects with each 669 00:23:20,380 --> 00:23:21,429 degree of shift. 670 00:23:21,430 --> 00:23:23,019 So I just made a simple state machine 671 00:23:23,020 --> 00:23:25,179 that literally, when the CPU says 672 00:23:25,180 --> 00:23:26,950 I want you to shift one degree, 673 00:23:28,030 --> 00:23:30,159 it goes off and programs 674 00:23:30,160 --> 00:23:31,959 the PLL and then it exits the state 675 00:23:31,960 --> 00:23:34,269 machine and waits. 676 00:23:34,270 --> 00:23:36,489 And the CPU will still have said 677 00:23:36,490 --> 00:23:38,409 I want you to shift one degree and 678 00:23:38,410 --> 00:23:39,879 it'll be stuck in the start equals one 679 00:23:39,880 --> 00:23:42,369 position. Then finally, like many, 680 00:23:42,370 --> 00:23:44,409 many clock cycles later, when the CPU, 681 00:23:44,410 --> 00:23:46,779 because it's much slower than this PLL, 682 00:23:46,780 --> 00:23:48,459 finally responds, then you can 683 00:23:48,460 --> 00:23:50,739 tell it to put the start bit to zero 684 00:23:50,740 --> 00:23:52,419 and then it'll bring you back to 685 00:23:52,420 --> 00:23:54,489 the initial.
So this way allows you to 686 00:23:54,490 --> 00:23:55,989 shift one degree at a time, so it'll get 687 00:23:55,990 --> 00:23:57,909 trapped in this loop until your 688 00:23:57,910 --> 00:23:59,380 CPU is actually able to 689 00:24:00,400 --> 00:24:01,400 shift. 690 00:24:02,160 --> 00:24:04,349 So back 691 00:24:04,350 --> 00:24:06,239 to the corner of the classroom. 692 00:24:06,240 --> 00:24:08,979 So what is glitching actually doing? 693 00:24:08,980 --> 00:24:11,039 So basically 694 00:24:11,040 --> 00:24:12,869 it's a momentary burst in frequency, as 695 00:24:12,870 --> 00:24:14,159 you could see, with those little pulses 696 00:24:14,160 --> 00:24:16,559 compared to the normal clock pulse. 697 00:24:16,560 --> 00:24:18,569 Also, it's a quick one, usually 698 00:24:18,570 --> 00:24:20,249 greater than the max frequency of the 699 00:24:20,250 --> 00:24:21,269 device. 700 00:24:21,270 --> 00:24:22,919 So, simple case: 701 00:24:22,920 --> 00:24:24,659 if you've got a datasheet, look it up, see 702 00:24:24,660 --> 00:24:26,579 what the device is rated to run at and go 703 00:24:26,580 --> 00:24:28,859 even faster, or many multiples faster. 704 00:24:30,420 --> 00:24:31,839 The glitching is timing critical. 705 00:24:31,840 --> 00:24:35,009 So the value of 706 00:24:35,010 --> 00:24:37,109 where the program is 707 00:24:37,110 --> 00:24:39,239 in its overall execution, where the CPU 708 00:24:39,240 --> 00:24:40,799 is in its overall execution of its 709 00:24:40,800 --> 00:24:42,989 program: you need to know that 710 00:24:42,990 --> 00:24:44,729 at the specific point you think it's 711 00:24:44,730 --> 00:24:45,749 going to be doing a compare, 712 00:24:45,750 --> 00:24:46,829 you know it's doing a compare.
713 00:24:46,830 --> 00:24:48,989 You want it to land there, and 714 00:24:48,990 --> 00:24:50,219 then now that you know that it's doing a 715 00:24:50,220 --> 00:24:52,109 compare, where in the actual compare 716 00:24:52,110 --> 00:24:54,119 instruction do you want the glitch to 717 00:24:54,120 --> 00:24:56,249 hit? So that's your offset of the glitch 718 00:24:56,250 --> 00:24:58,289 within a single instruction. 719 00:24:58,290 --> 00:24:59,999 And then finally, how long do you want 720 00:25:00,000 --> 00:25:02,159 that pulse to last, which was kind 721 00:25:02,160 --> 00:25:04,229 of that third duty cycle or that 722 00:25:04,230 --> 00:25:06,719 third phase-shift wave in those diagrams, 723 00:25:06,720 --> 00:25:09,059 which determined how long the actual pulse 724 00:25:09,060 --> 00:25:10,529 lasted for. 725 00:25:10,530 --> 00:25:12,599 So basically what 726 00:25:12,600 --> 00:25:14,849 this does is it causes registers 727 00:25:14,850 --> 00:25:16,829 inside the device, or flip-flops, to latch 728 00:25:16,830 --> 00:25:18,959 invalid data, because signals 729 00:25:18,960 --> 00:25:20,429 are still propagating through 730 00:25:20,430 --> 00:25:22,919 combinatorial logic through the device 731 00:25:22,920 --> 00:25:24,359 when you suddenly clock it. 732 00:25:24,360 --> 00:25:26,639 And so basically the destination 733 00:25:26,640 --> 00:25:28,799 flip-flop: so from the source to 734 00:25:28,800 --> 00:25:30,569 the destination, as the signal's 735 00:25:30,570 --> 00:25:32,159 propagating, you clock it ahead of 736 00:25:32,160 --> 00:25:34,349 schedule. So the device 737 00:25:34,350 --> 00:25:35,879 will basically latch invalid data because 738 00:25:35,880 --> 00:25:37,709 the correct signal hasn't propagated its 739 00:25:37,710 --> 00:25:39,869 way to the destination flip-flop 740 00:25:39,870 --> 00:25:40,870 yet.
741 00:25:41,490 --> 00:25:43,589 So what will actually be 742 00:25:43,590 --> 00:25:44,639 happening is 743 00:25:44,640 --> 00:25:46,349 instructions in the CPU 744 00:25:46,350 --> 00:25:49,019 core will either be duplicated or mutated. 745 00:25:49,020 --> 00:25:50,909 So what would happen with a 746 00:25:50,910 --> 00:25:52,969 duplication is, let's say, 747 00:25:52,970 --> 00:25:55,229 the real program had a compare 748 00:25:55,230 --> 00:25:56,489 followed by a jump. 749 00:25:56,490 --> 00:25:58,739 So it's checking some condition in an if 750 00:25:58,740 --> 00:26:00,779 statement and then jumping. 751 00:26:00,780 --> 00:26:02,249 What you'll actually get is the compare 752 00:26:02,250 --> 00:26:04,829 will become compare, compare, so 753 00:26:04,830 --> 00:26:06,539 that jump will actually go away. 754 00:26:06,540 --> 00:26:08,279 And that's usually caused by a fault in 755 00:26:08,280 --> 00:26:10,409 the fetch stage of 756 00:26:10,410 --> 00:26:12,749 instruction processing. 757 00:26:12,750 --> 00:26:15,269 So you've got usually fetch, decode, 758 00:26:15,270 --> 00:26:16,270 execute, 759 00:26:18,060 --> 00:26:19,589 memory operations and register 760 00:26:19,590 --> 00:26:21,149 write-back, or typically your four or five 761 00:26:21,150 --> 00:26:23,159 stages of your RISC CPU, for example. 762 00:26:23,160 --> 00:26:25,259 So it'll mess up the very first 763 00:26:25,260 --> 00:26:27,839 stage. The next is mutation. 764 00:26:27,840 --> 00:26:30,839 And this is where you actually turn 765 00:26:30,840 --> 00:26:33,119 like a jump instruction into an add, which 766 00:26:33,120 --> 00:26:34,599 is probably harmless in this case. 767 00:26:34,600 --> 00:26:35,819 It gets you what you want. 768 00:26:35,820 --> 00:26:38,219 It bypasses an error check, for example, 769 00:26:38,220 --> 00:26:40,259 but just turns it into an add.
770 00:26:40,260 --> 00:26:42,449 And usually in the fetch, decode, 771 00:26:42,450 --> 00:26:44,789 execute steps, it's the actual 772 00:26:44,790 --> 00:26:47,039 execution stage that gets messed up 773 00:26:47,040 --> 00:26:49,079 when an instruction is mutated. 774 00:26:49,080 --> 00:26:51,149 So the actual core is about to execute an 775 00:26:51,150 --> 00:26:53,339 instruction and then it gets mutated into 776 00:26:53,340 --> 00:26:54,449 something else. 777 00:26:54,450 --> 00:26:56,249 So this is kind of the hardware 778 00:26:56,250 --> 00:26:58,589 equivalent of patching a software binary, 779 00:26:58,590 --> 00:27:00,269 where you go into your hex editor and 780 00:27:00,270 --> 00:27:02,069 edit an instruction to become something 781 00:27:02,070 --> 00:27:03,089 harmless. 782 00:27:03,090 --> 00:27:05,159 And so, kind of technically, 783 00:27:05,160 --> 00:27:07,049 the instruction is not actually skipped. 784 00:27:08,190 --> 00:27:09,869 So the program counter, the instruction 785 00:27:09,870 --> 00:27:11,939 pointer on the CPU, doesn't just 786 00:27:11,940 --> 00:27:14,319 skip ahead two memory locations. 787 00:27:14,320 --> 00:27:15,959 The next instruction is still 788 00:27:15,960 --> 00:27:18,029 executed. It's just either going 789 00:27:18,030 --> 00:27:19,979 to become a duplication 790 00:27:19,980 --> 00:27:23,309 or a mutation. 791 00:27:23,310 --> 00:27:24,310 So 792 00:27:25,830 --> 00:27:27,269 it'll feel like it's being skipped, 793 00:27:27,270 --> 00:27:28,899 though, in those cases. 794 00:27:28,900 --> 00:27:30,959 So sometimes this quick burst 795 00:27:30,960 --> 00:27:33,119 of clock frequency can affect your config 796 00:27:33,120 --> 00:27:34,709 or security fuses. 797 00:27:34,710 --> 00:27:36,959 So they'll either fail to set in 798 00:27:36,960 --> 00:27:39,029 some cases or they're set incorrectly.
799 00:27:39,030 --> 00:27:40,919 So this could actually be kind 800 00:27:40,920 --> 00:27:43,289 of helpful to wipe out certain 801 00:27:43,290 --> 00:27:45,239 code-protect fuses or things like that. 802 00:27:45,240 --> 00:27:47,009 But it's a lot more 803 00:27:48,450 --> 00:27:50,369 particular in how it works depending on 804 00:27:50,370 --> 00:27:51,659 the device. 805 00:27:51,660 --> 00:27:53,729 So here's kind of an overview of that 806 00:27:53,730 --> 00:27:56,129 phenomenon, where you have the source 807 00:27:56,130 --> 00:27:58,349 flip-flop and the destination flip-flop. 808 00:27:58,350 --> 00:27:59,969 Then you've got a bunch of material like 809 00:27:59,970 --> 00:28:01,559 individual AND, OR, etc. 810 00:28:01,560 --> 00:28:02,729 gates through the middle. 811 00:28:02,730 --> 00:28:04,829 And what you're doing is you have 812 00:28:07,390 --> 00:28:09,489 a clock event, so now you 813 00:28:09,490 --> 00:28:11,769 also know you have your glitch pulse, and 814 00:28:11,770 --> 00:28:13,959 this pulse occurs down here 815 00:28:13,960 --> 00:28:16,359 well before it was expected 816 00:28:16,360 --> 00:28:17,949 over on the right-hand side, which 817 00:28:17,950 --> 00:28:19,659 coincides with where the actual 818 00:28:19,660 --> 00:28:21,699 destination flip-flop is in time and 819 00:28:21,700 --> 00:28:23,079 propagation distance. 820 00:28:23,080 --> 00:28:24,639 So you clock it way ahead of schedule and 821 00:28:24,640 --> 00:28:26,889 now it'll clock in some garbage 822 00:28:26,890 --> 00:28:28,929 data here rather than the proper signal 823 00:28:28,930 --> 00:28:30,220 making its way all the way through. 824 00:28:32,400 --> 00:28:34,679 So that was clock glitching, so 825 00:28:34,680 --> 00:28:35,849 what's the 826 00:28:35,850 --> 00:28:38,069 mechanism of voltage glitching?
827 00:28:38,070 --> 00:28:39,929 So this is a momentary reduction in 828 00:28:39,930 --> 00:28:41,909 supply voltage to the device. 829 00:28:41,910 --> 00:28:44,249 So what you do is you drop the 830 00:28:44,250 --> 00:28:47,429 voltage to or below the transistors' 831 00:28:47,430 --> 00:28:49,229 switching threshold. 832 00:28:49,230 --> 00:28:51,809 And a rule of thumb is try 833 00:28:51,810 --> 00:28:54,149 supply voltage divided by two 834 00:28:54,150 --> 00:28:55,409 and start from there. 835 00:28:55,410 --> 00:28:57,239 It could be lower. 836 00:28:57,240 --> 00:28:58,439 It could be higher. But it's a good 837 00:28:58,440 --> 00:28:59,399 starting point. 838 00:28:59,400 --> 00:29:01,139 So what this does is this increases the 839 00:29:01,140 --> 00:29:03,589 propagation delay, which is 840 00:29:03,590 --> 00:29:06,209 literally the delay 841 00:29:06,210 --> 00:29:07,529 of the signal propagating through the 842 00:29:07,530 --> 00:29:09,449 device. So it gives you kind of the same 843 00:29:09,450 --> 00:29:10,919 end effect. 844 00:29:10,920 --> 00:29:13,139 And why that happens is because 845 00:29:13,140 --> 00:29:14,849 when you decrease the supply voltage, it 846 00:29:14,850 --> 00:29:16,259 decreases the drive strength of the 847 00:29:16,260 --> 00:29:18,599 transistors, and this lower drive strength 848 00:29:18,600 --> 00:29:20,789 will cause slower rise 849 00:29:20,790 --> 00:29:22,499 time. So instead of a 850 00:29:22,500 --> 00:29:24,659 sharp edge rate, a sharp transition 851 00:29:24,660 --> 00:29:27,149 of the signal, 852 00:29:27,150 --> 00:29:28,889 you'll actually get a slow one; it'll take a 853 00:29:28,890 --> 00:29:31,109 long time to plateau and a long 854 00:29:31,110 --> 00:29:32,769 time to discharge, basically.
855 00:29:32,770 --> 00:29:34,679 So that buys you, that 856 00:29:34,680 --> 00:29:36,959 gives you, that effect where it 857 00:29:36,960 --> 00:29:39,119 slows that propagation of the signal 858 00:29:39,120 --> 00:29:42,029 down. And again, just like 859 00:29:42,030 --> 00:29:43,799 clock glitching, you want to be accurate 860 00:29:43,800 --> 00:29:45,929 to where the instruction 861 00:29:45,930 --> 00:29:48,149 is in the overall program, where 862 00:29:48,150 --> 00:29:49,919 inside the particular instruction you 863 00:29:49,920 --> 00:29:51,509 want the offset of the glitch, and then 864 00:29:51,510 --> 00:29:52,710 how long you want it to 865 00:29:53,790 --> 00:29:56,279 be 866 00:29:56,280 --> 00:29:57,239 active for. 867 00:29:57,240 --> 00:29:58,769 So also, 868 00:29:58,770 --> 00:30:00,599 what it's doing is it's also altering 869 00:30:00,600 --> 00:30:02,219 the values at the memory sense 870 00:30:02,220 --> 00:30:04,829 amplifiers for flash, 871 00:30:04,830 --> 00:30:06,659 E-squared, RAM, et cetera. 872 00:30:06,660 --> 00:30:09,239 And so this has the effect of 873 00:30:09,240 --> 00:30:11,399 corrupting 874 00:30:11,400 --> 00:30:13,269 data latched onto the address or data lines. 875 00:30:13,270 --> 00:30:15,059 So you can actually have the program 876 00:30:15,060 --> 00:30:17,429 swing off wildly to an invalid location 877 00:30:17,430 --> 00:30:20,129 because you latch a 878 00:30:20,130 --> 00:30:21,719 bad value onto the address. 879 00:30:21,720 --> 00:30:23,339 In most cases it'll crash the chip, but in 880 00:30:23,340 --> 00:30:25,109 some cases it might jump you into an area 881 00:30:25,110 --> 00:30:27,389 that the program was never supposed 882 00:30:27,390 --> 00:30:28,529 to reach.
883 00:30:28,530 --> 00:30:30,869 So, and again, security fuse logic 884 00:30:30,870 --> 00:30:32,700 in the voltage glitching mode 885 00:30:34,020 --> 00:30:36,419 can also latch corrupt values due to that 886 00:30:36,420 --> 00:30:39,029 effect where you're right at the 887 00:30:39,030 --> 00:30:41,099 switching threshold of the transistors. 888 00:30:42,450 --> 00:30:45,000 So just to dispel a few misconceptions. 889 00:30:46,280 --> 00:30:48,379 I don't recommend throwing random 890 00:30:48,380 --> 00:30:50,459 voltage sags 891 00:30:50,460 --> 00:30:52,579 and surges at the IC and seeing what 892 00:30:52,580 --> 00:30:53,479 happens. 893 00:30:53,480 --> 00:30:55,759 I would recommend respecting the absolute 894 00:30:55,760 --> 00:30:57,919 maximum supply and I/O pin 895 00:30:57,920 --> 00:30:59,629 voltage ratings on the data sheet 896 00:30:59,630 --> 00:31:00,929 if you have one. 897 00:31:00,930 --> 00:31:02,689 Otherwise you can have latch-up occur, 898 00:31:02,690 --> 00:31:04,129 which is basically kind of a short 899 00:31:04,130 --> 00:31:06,109 between the power rails of a device or 900 00:31:06,110 --> 00:31:08,449 two pins of an IC. 901 00:31:08,450 --> 00:31:10,849 And this can cause the device to overheat 902 00:31:10,850 --> 00:31:13,039 or basically destruct due to overcurrent. 903 00:31:13,040 --> 00:31:15,109 So you want to avoid latch-up. Some 904 00:31:15,110 --> 00:31:16,339 74-series logic, 905 00:31:16,340 --> 00:31:18,709 you can give it very 906 00:31:18,710 --> 00:31:20,329 high and low voltage swings on the input 907 00:31:20,330 --> 00:31:22,459 pins, but usually they have a 908 00:31:22,460 --> 00:31:24,589 current-limited condition in the data sheet, 909 00:31:24,590 --> 00:31:26,359 like specific Fairchild chips, for 910 00:31:26,360 --> 00:31:28,219 example.
But not National Semiconductor; they 911 00:31:28,220 --> 00:31:31,309 will say you can do this, and 912 00:31:31,310 --> 00:31:33,679 that's because you have to put a giant 913 00:31:33,680 --> 00:31:35,389 current-limiting resistor in front of the 914 00:31:35,390 --> 00:31:36,390 pin, basically. So, 915 00:31:37,960 --> 00:31:40,389 don't throw these crazy 916 00:31:40,390 --> 00:31:42,159 high or low voltages at a chip unless 917 00:31:42,160 --> 00:31:43,449 you've got a bunch of them, basically. 918 00:31:45,010 --> 00:31:46,629 And you're not randomly jarring the clock 919 00:31:46,630 --> 00:31:48,939 frequency; to whatever extent, you're 920 00:31:48,940 --> 00:31:50,829 specifically targeting that pulse 921 00:31:50,830 --> 00:31:52,929 at a certain point, and you're not 922 00:31:52,930 --> 00:31:55,419 technically skipping instructions; 923 00:31:55,420 --> 00:31:57,009 as I said, you're kind of duplicating or 924 00:31:57,010 --> 00:31:57,939 mutating them. 925 00:31:57,940 --> 00:32:00,069 Again, it's timing critical. 926 00:32:00,070 --> 00:32:02,169 And finally, unless the 927 00:32:02,170 --> 00:32:04,089 chip is stuck in a loop, just randomly 928 00:32:04,090 --> 00:32:06,189 glitching, like with random 929 00:32:06,190 --> 00:32:08,469 voltages or the clock 930 00:32:08,470 --> 00:32:10,779 at certain offsets randomly, 931 00:32:10,780 --> 00:32:11,829 is usually going to be 932 00:32:11,830 --> 00:32:13,929 counterproductive, unless 933 00:32:13,930 --> 00:32:15,789 the device is stuck in a loop, a tight 934 00:32:15,790 --> 00:32:17,019 loop with a few instructions. 935 00:32:17,020 --> 00:32:18,669 Then obviously the search space that your 936 00:32:18,670 --> 00:32:21,189 glitch has to hit is very constrained. 937 00:32:21,190 --> 00:32:23,259 It's very small and it's more 938 00:32:23,260 --> 00:32:24,519 likely you can pop out of the loop.
939 00:32:25,630 --> 00:32:27,879 So what are some of the outcomes 940 00:32:27,880 --> 00:32:29,739 in general that voltage or clock 941 00:32:29,740 --> 00:32:31,929 glitching, or potentially 942 00:32:31,930 --> 00:32:34,029 any glitching, can provide for you? 943 00:32:34,030 --> 00:32:36,009 So you can make the CPU replace impeding 944 00:32:36,010 --> 00:32:38,139 instructions. So you turn that jump 945 00:32:38,140 --> 00:32:39,999 into a compare, compare, which doesn't 946 00:32:40,000 --> 00:32:41,739 jump anymore. 947 00:32:41,740 --> 00:32:43,689 You can truncate cryptographic operations 948 00:32:43,690 --> 00:32:45,729 or keys, so reduce the number of rounds 949 00:32:45,730 --> 00:32:46,930 in a crypto 950 00:32:48,280 --> 00:32:50,059 encryption or decryption process. 951 00:32:50,060 --> 00:32:52,179 You can do linear code extraction, where 952 00:32:52,180 --> 00:32:53,309 you basically dump, 953 00:32:53,310 --> 00:32:55,959 you walk the address space of the device, 954 00:32:55,960 --> 00:32:57,969 address location one, two, three, four, 955 00:32:57,970 --> 00:33:00,309 all the way until the memory map loops, 956 00:33:00,310 --> 00:33:02,169 dumping out the data from the device byte 957 00:33:02,170 --> 00:33:04,269 by byte. However, you do usually need an 958 00:33:04,270 --> 00:33:06,069 IO channel to actually get the data out. 959 00:33:06,070 --> 00:33:08,649 So a UART pin or 960 00:33:08,650 --> 00:33:09,999 something of that nature.
961 00:33:10,000 --> 00:33:12,519 You can do things like bypass bootloader 962 00:33:12,520 --> 00:33:14,649 enforced checks, so you can stop the 963 00:33:14,650 --> 00:33:17,199 memory management unit or page tables 964 00:33:17,200 --> 00:33:19,599 from initializing if they're mapping in 965 00:33:19,600 --> 00:33:21,339 sections of memory over top of the 966 00:33:21,340 --> 00:33:22,959 bootloader to hide it or conceal it, or 967 00:33:22,960 --> 00:33:25,209 just to provide more space; 968 00:33:25,210 --> 00:33:27,279 you can stop that from happening. 969 00:33:27,280 --> 00:33:29,469 In some cases, you can prevent lockout 970 00:33:29,470 --> 00:33:30,789 counters from rolling. So if it's a 971 00:33:30,790 --> 00:33:32,649 secure crypto memory or something like 972 00:33:32,650 --> 00:33:34,359 that, where you only have so many tries 973 00:33:34,360 --> 00:33:36,339 before you're locked out of the device, if 974 00:33:36,340 --> 00:33:37,839 you glitch when it's recording or 975 00:33:37,840 --> 00:33:40,239 decrementing your try counter, 976 00:33:40,240 --> 00:33:42,339 then the number of tries will never 977 00:33:42,340 --> 00:33:42,789 change. 978 00:33:42,790 --> 00:33:45,069 So you can just keep doing 979 00:33:45,070 --> 00:33:46,629 your malicious activity over and over 980 00:33:46,630 --> 00:33:48,999 again without the device finally reaching 981 00:33:49,000 --> 00:33:51,369 zero and then erasing itself or halting 982 00:33:51,370 --> 00:33:52,779 or something of that nature. 983 00:33:52,780 --> 00:33:54,729 And then finally, in some cases, you can 984 00:33:54,730 --> 00:33:57,039 erase security fuses or lock bits. 985 00:33:57,040 --> 00:33:58,539 So what this will do is keep the flash 986 00:33:58,540 --> 00:33:59,679 and E-squared intact.
987 00:33:59,680 --> 00:34:01,359 So then you can just take the device off 988 00:34:01,360 --> 00:34:02,739 the board, for example, plug it into a 989 00:34:02,740 --> 00:34:04,569 parallel programmer or similar programmer and 990 00:34:04,570 --> 00:34:06,110 just read out the device that way. 991 00:34:07,450 --> 00:34:09,698 So if you're looking at chips to try 992 00:34:09,699 --> 00:34:11,709 some of this stuff on, there's pretty 993 00:34:11,710 --> 00:34:12,939 much your general purpose and your 994 00:34:12,940 --> 00:34:14,138 security enhanced categories. 995 00:34:14,139 --> 00:34:16,089 So general purpose is things 996 00:34:16,090 --> 00:34:18,428 like CPUs, microcontrollers, memories, 997 00:34:18,429 --> 00:34:20,019 digital signal processors. 998 00:34:20,020 --> 00:34:21,759 Then on the security enhanced side, 999 00:34:21,760 --> 00:34:23,379 you've got things like SIM cards, smart 1000 00:34:23,380 --> 00:34:25,428 meters, military devices, chip and PIN, 1001 00:34:25,429 --> 00:34:27,619 pay-TV, transit, 1002 00:34:27,620 --> 00:34:29,329 metro and then automotive devices. 1003 00:34:29,330 --> 00:34:31,689 However, on the security enhanced side, 1004 00:34:31,690 --> 00:34:33,849 I'm not saying stuff's going to work 1005 00:34:33,850 --> 00:34:35,559 necessarily there. It depends on the age 1006 00:34:35,560 --> 00:34:37,448 of the device and how smart the 1007 00:34:37,449 --> 00:34:38,589 developers were when they made it. 1008 00:34:38,590 --> 00:34:40,329 A lot of these security enhanced devices 1009 00:34:40,330 --> 00:34:42,019 are actually really, really good. 1010 00:34:42,020 --> 00:34:44,379 So things I don't recommend is 1011 00:34:44,380 --> 00:34:46,479 trying to 1012 00:34:46,480 --> 00:34:48,908 attack FPGAs or ASICs simply 1013 00:34:48,909 --> 00:34:50,678 because there's so many unknown 1014 00:34:50,679 --> 00:34:52,238 variables.
And unless you know there's 1015 00:34:52,239 --> 00:34:54,789 a certain CPU core inside that ASIC or 1016 00:34:54,790 --> 00:34:56,829 that they've programmed a certain block of 1017 00:34:56,830 --> 00:34:59,320 logic in the FPGA, 1018 00:35:00,910 --> 00:35:03,069 you'd be fishing around in the dark, 1019 00:35:03,070 --> 00:35:04,449 basically. 1020 00:35:04,450 --> 00:35:06,849 So what are some countermeasures that, 1021 00:35:06,850 --> 00:35:08,559 for example, a manufacturer, or if you're 1022 00:35:08,560 --> 00:35:10,659 writing code or embedded 1023 00:35:10,660 --> 00:35:12,069 code for a device, what could you do as a 1024 00:35:12,070 --> 00:35:13,179 countermeasure? 1025 00:35:13,180 --> 00:35:15,249 You could use a CPU which halts or traps 1026 00:35:15,250 --> 00:35:17,259 on invalid instructions. 1027 00:35:17,260 --> 00:35:18,849 However, in the case of the instruction 1028 00:35:18,850 --> 00:35:21,609 mutation, where your jump became an add, 1029 00:35:21,610 --> 00:35:23,409 the add instruction is still a valid 1030 00:35:23,410 --> 00:35:25,239 instruction in the table of 1031 00:35:25,240 --> 00:35:26,319 instructions in that device. 1032 00:35:26,320 --> 00:35:27,909 So that may not even trigger an 1033 00:35:27,910 --> 00:35:30,489 invalid instruction fault. 1034 00:35:30,490 --> 00:35:32,589 So better than nothing, 1035 00:35:32,590 --> 00:35:34,659 though. You could erase volatile 1036 00:35:34,660 --> 00:35:36,909 memory on start up or reset 1037 00:35:36,910 --> 00:35:38,919 no matter what, when the device comes up. 1038 00:35:38,920 --> 00:35:42,339 Just a good best practice to wipe the 1039 00:35:42,340 --> 00:35:43,689 memory. 1040 00:35:43,690 --> 00:35:44,979 So what you want to do is minimize the 1041 00:35:44,980 --> 00:35:46,599 number of copies of important secrets or 1042 00:35:46,600 --> 00:35:48,819 primitives.
So like for RSA, P 1043 00:35:48,820 --> 00:35:51,369 and Q or any combination of those 1044 00:35:51,370 --> 00:35:53,619 intermediate values that could drive 1045 00:35:53,620 --> 00:35:55,119 back to your private key, 1046 00:35:56,290 --> 00:35:57,879 keep as few of those as possible and 1047 00:35:57,880 --> 00:35:59,979 obviously wipe them between iterations of 1048 00:35:59,980 --> 00:36:02,139 a routine in certain 1049 00:36:02,140 --> 00:36:03,339 parts of the program. If you don't need 1050 00:36:03,340 --> 00:36:04,539 them, get rid of 1051 00:36:04,540 --> 00:36:05,540 them. 1052 00:36:05,860 --> 00:36:07,299 So clocking, when you're clocking the 1053 00:36:07,300 --> 00:36:09,369 device, you could use a 1054 00:36:09,370 --> 00:36:11,019 device that runs off an internal 1055 00:36:11,020 --> 00:36:13,389 oscillator. So it just ignores 1056 00:36:13,390 --> 00:36:14,979 the clock pin from the outside world. 1057 00:36:14,980 --> 00:36:17,049 So that pretty much would cut 1058 00:36:17,050 --> 00:36:19,959 off any clock glitching attacks. 1059 00:36:19,960 --> 00:36:22,089 You could use asynchronous logic wherever 1060 00:36:22,090 --> 00:36:23,709 you could. So if something didn't need to 1061 00:36:23,710 --> 00:36:26,019 be clocked by a clock signal, then 1062 00:36:26,020 --> 00:36:27,159 don't. 1063 00:36:27,160 --> 00:36:29,199 And finally, you could use aperiodic or 1064 00:36:29,200 --> 00:36:30,999 random clock period generation, which is 1065 00:36:31,000 --> 00:36:33,429 where the actual clock 1066 00:36:33,430 --> 00:36:35,499 period is changing between cycles. 1067 00:36:35,500 --> 00:36:37,659 So it's unpredictable in 1068 00:36:37,660 --> 00:36:39,999 terms of the timing. 1069 00:36:40,000 --> 00:36:41,679 Finally, you could use obscurity, which 1070 00:36:41,680 --> 00:36:43,479 is another kind of last layer of defense. 1071 00:36:43,480 --> 00:36:44,949 It's not a.
1072 00:36:44,950 --> 00:36:47,289 Not a prime defense, but use a really 1073 00:36:47,290 --> 00:36:49,779 complicated 48 bit, very long instruction 1074 00:36:49,780 --> 00:36:52,179 word DSP core with poor documentation 1075 00:36:52,180 --> 00:36:53,619 in your product. It'd probably make it 1076 00:36:53,620 --> 00:36:55,209 harder for you to write if you're the 1077 00:36:55,210 --> 00:36:57,279 developer as well. So it's not that great 1078 00:36:57,280 --> 00:36:58,280 of a countermeasure. 1079 00:36:59,560 --> 00:37:02,439 Finally. So supply voltage: 1080 00:37:02,440 --> 00:37:04,629 use glitch or brownout detection. 1081 00:37:04,630 --> 00:37:07,719 And this can be very complicated 1082 00:37:07,720 --> 00:37:09,729 with fancy fast transition detection that 1083 00:37:09,730 --> 00:37:11,259 actually detects and responds. 1084 00:37:11,260 --> 00:37:13,029 You could use a simple low pass filter 1085 00:37:13,030 --> 00:37:15,159 which simply 1086 00:37:15,160 --> 00:37:17,559 ignores and erases that quick transient 1087 00:37:17,560 --> 00:37:19,239 as far as the chip's concerned so it 1088 00:37:19,240 --> 00:37:20,389 doesn't even see it. 1089 00:37:20,390 --> 00:37:22,509 Or you could be more aggressive 1090 00:37:22,510 --> 00:37:24,429 and reset, halt or wipe the device if you 1091 00:37:24,430 --> 00:37:26,529 detect someone is trying 1092 00:37:26,530 --> 00:37:28,299 to mess with your chip this way. 1093 00:37:28,300 --> 00:37:30,399 So many general-purpose devices have 1094 00:37:30,400 --> 00:37:31,849 little or no designed-in protection. 1095 00:37:31,850 --> 00:37:34,029 So these are chips that you guys 1096 00:37:34,030 --> 00:37:35,440 could look at in terms of 1097 00:37:36,760 --> 00:37:38,439 interesting targets. 1098 00:37:38,440 --> 00:37:40,869 So AVRs, PICs, Tempy, 1099 00:37:40,870 --> 00:37:42,969 for example. They do have 1100 00:37:42,970 --> 00:37:45,299 code protection.
So 1101 00:37:45,300 --> 00:37:47,049 it may not be your first choice if you're 1102 00:37:47,050 --> 00:37:48,729 just starting out learning. 1103 00:37:48,730 --> 00:37:50,559 And then at the extreme level, 1104 00:37:50,560 --> 00:37:53,139 modern smart cards, 1105 00:37:53,140 --> 00:37:55,239 chip cards have extensive protections. 1106 00:37:55,240 --> 00:37:56,649 So they've got glitch detectors. 1107 00:37:56,650 --> 00:37:58,209 They've got the random and aperiodic 1108 00:37:58,210 --> 00:38:00,669 internal clock, which is 1109 00:38:00,670 --> 00:38:02,859 changing in its length between cycles. 1110 00:38:02,860 --> 00:38:05,049 And you'll have two CPU cores 1111 00:38:05,050 --> 00:38:06,909 in lock step that are sanity checking one 1112 00:38:06,910 --> 00:38:08,799 another. So if some 1113 00:38:08,800 --> 00:38:10,689 instruction goes wrong in one core, the 1114 00:38:10,690 --> 00:38:12,729 other core will be offset and catch it 1115 00:38:12,730 --> 00:38:14,829 and do something like either reset the 1116 00:38:14,830 --> 00:38:17,229 device or erase the memory, etc. 1117 00:38:17,230 --> 00:38:19,389 So this will detail some 1118 00:38:19,390 --> 00:38:20,409 of the actual 1119 00:38:22,090 --> 00:38:23,469 hardware platforms that I made over the 1120 00:38:23,470 --> 00:38:25,719 last couple of years 1121 00:38:25,720 --> 00:38:27,349 that I used for voltage and clock 1122 00:38:27,350 --> 00:38:29,589 glitching. So the summary of this guy 1123 00:38:29,590 --> 00:38:32,109 is basically this is an off the shelf 1124 00:38:32,110 --> 00:38:34,389 Arrow low power reference platform 1125 00:38:34,390 --> 00:38:36,009 board that I found for really cheap on 1126 00:38:36,010 --> 00:38:37,629 eBay, like I think it was between 20 and 1127 00:38:37,630 --> 00:38:39,279 50 US dollars. 1128 00:38:39,280 --> 00:38:42,489 So not crazy expensive.
1129 00:38:42,490 --> 00:38:45,159 So it has an Altera Cyclone III FPGA, 1130 00:38:45,160 --> 00:38:47,409 which I put a MIPS 32 bit soft 1131 00:38:47,410 --> 00:38:49,899 CPU inside of, 1132 00:38:49,900 --> 00:38:50,949 a three-phase 1133 00:38:50,950 --> 00:38:51,859 clock generator. 1134 00:38:51,860 --> 00:38:54,459 So it should be the three-phase, 1135 00:38:54,460 --> 00:38:56,229 the polyphase clock 1136 00:38:56,230 --> 00:38:58,689 generator. It's got a regular 16550 1137 00:38:58,690 --> 00:38:59,979 UART. 1138 00:38:59,980 --> 00:39:02,439 It's got some driver functionality 1139 00:39:02,440 --> 00:39:04,569 for RAM and flash control and then some 1140 00:39:04,570 --> 00:39:06,999 output multiplexers to switch between 1141 00:39:07,000 --> 00:39:09,219 your low speed normal signal 1142 00:39:09,220 --> 00:39:11,109 and your high speed glitch signal. 1143 00:39:11,110 --> 00:39:13,269 And then this massive breadboard 1144 00:39:13,270 --> 00:39:15,339 at the bottom is just doing voltage 1145 00:39:15,340 --> 00:39:17,619 level shifting and signal 1146 00:39:17,620 --> 00:39:20,199 conditioning and buffering so that 1147 00:39:20,200 --> 00:39:22,329 the end target in the FPGA, for 1148 00:39:22,330 --> 00:39:24,549 example, doesn't get blown up if the 1149 00:39:24,550 --> 00:39:26,379 target device is running higher voltages 1150 00:39:26,380 --> 00:39:27,380 than the FPGA. 1151 00:39:28,480 --> 00:39:30,729 So this is a close up where you've got 1152 00:39:30,730 --> 00:39:31,779 kind of general purpose 1153 00:39:31,780 --> 00:39:33,339 IO pins up here.
1154 00:39:33,340 --> 00:39:34,869 You got three point three volt supply, 1155 00:39:34,870 --> 00:39:35,870 five volt supply, 1156 00:39:36,970 --> 00:39:39,129 FT232 USB to 1157 00:39:39,130 --> 00:39:41,529 UART chip, SD 1158 00:39:41,530 --> 00:39:43,029 card, which I'm not using at the moment, 1159 00:39:43,030 --> 00:39:44,349 but could probably be used for data 1160 00:39:44,350 --> 00:39:45,350 logging. 1161 00:39:46,060 --> 00:39:48,459 CPLD, which is just used to program 1162 00:39:48,460 --> 00:39:51,279 the FPGA from a PC, 1163 00:39:51,280 --> 00:39:53,679 the actual FPGA, Intel flash 1164 00:39:53,680 --> 00:39:55,329 and then some Micron DRAM which is 1165 00:39:55,330 --> 00:39:57,429 actually DRAM wrapped 1166 00:39:57,430 --> 00:39:58,599 with an SRAM interface. 1167 00:39:58,600 --> 00:40:00,969 So it's just easier to 1168 00:40:00,970 --> 00:40:02,559 work with it. You don't need to have all 1169 00:40:02,560 --> 00:40:04,239 the crazy DRAM timing signals 1170 00:40:04,240 --> 00:40:05,439 exactly right. 1171 00:40:05,440 --> 00:40:06,969 And then on the solderless breadboard, 1172 00:40:06,970 --> 00:40:09,579 there's just some of these 74LV125s, 1173 00:40:09,580 --> 00:40:10,719 the LV is important. 1174 00:40:10,720 --> 00:40:12,219 So the 125 is just 1175 00:40:13,630 --> 00:40:15,429 a buffer, it's just a buffer that 1176 00:40:15,430 --> 00:40:17,529 takes an input signal, provides an 1177 00:40:17,530 --> 00:40:19,779 output and then beside each 1178 00:40:19,780 --> 00:40:21,399 pair of those input output pins, there's an 1179 00:40:21,400 --> 00:40:23,739 output enable pin that lets you 1180 00:40:23,740 --> 00:40:25,599 float the signal or drive it. 1181 00:40:25,600 --> 00:40:27,849 And the LV is important because it's 1182 00:40:27,850 --> 00:40:29,859 five volt tolerant.
1183 00:40:29,860 --> 00:40:31,539 So you can power the device with three 1184 00:40:31,540 --> 00:40:33,499 point three but it'll accept five volts 1185 00:40:33,500 --> 00:40:35,679 as input. So any outputs from 1186 00:40:35,680 --> 00:40:37,239 it will be three point three. 1187 00:40:37,240 --> 00:40:39,099 But let's say your device runs at five 1188 00:40:39,100 --> 00:40:40,989 volts. It can output its signals to the 1189 00:40:40,990 --> 00:40:43,209 input of this as five and then this 1190 00:40:43,210 --> 00:40:44,739 will output them at three point three to 1191 00:40:44,740 --> 00:40:47,139 the FPGA where you won't blow it up, 1192 00:40:47,140 --> 00:40:49,449 whereas if you drive the FPGA at five, 1193 00:40:49,450 --> 00:40:51,219 it won't last very long. 1194 00:40:51,220 --> 00:40:53,409 So other than just your 1195 00:40:53,410 --> 00:40:54,759 five and three point three volt power 1196 00:40:54,760 --> 00:40:56,109 rails. And then just the pull up part I 1197 00:40:56,110 --> 00:40:58,389 was playing with to strengthen 1198 00:40:58,390 --> 00:41:00,340 the drive strength of 1199 00:41:01,570 --> 00:41:02,769 one of the signals. 1200 00:41:02,770 --> 00:41:05,409 So here is another iteration, 1201 00:41:05,410 --> 00:41:07,659 soldered breadboard, which is kind of a 1202 00:41:07,660 --> 00:41:09,759 beefed up version of this that 1203 00:41:09,760 --> 00:41:11,259 I thought would work at higher 1204 00:41:11,260 --> 00:41:12,489 frequencies because it's soldered. 1205 00:41:12,490 --> 00:41:14,439 But clearly you can see from this mess of 1206 00:41:14,440 --> 00:41:16,599 wires that my routing is amazing. 1207 00:41:16,600 --> 00:41:18,789 And so 1208 00:41:18,790 --> 00:41:20,589 I use this board for both voltage and 1209 00:41:20,590 --> 00:41:21,519 clock glitching.
1210 00:41:21,520 --> 00:41:23,679 And it has what I call a ghetto DAC, 1211 00:41:23,680 --> 00:41:24,790 which is basically 1212 00:41:26,170 --> 00:41:28,689 you provide a source of varying 1213 00:41:28,690 --> 00:41:30,759 duty cycle signal, of how much 1214 00:41:30,760 --> 00:41:32,559 on time to off time, into a low pass 1215 00:41:32,560 --> 00:41:34,569 filter. And the output of the low pass 1216 00:41:34,570 --> 00:41:37,089 filter will actually be a steady 1217 00:41:37,090 --> 00:41:40,599 zero to five volt range 1218 00:41:40,600 --> 00:41:42,669 DC voltage based on the pulse 1219 00:41:42,670 --> 00:41:43,779 width of the signal coming in. 1220 00:41:43,780 --> 00:41:45,099 And so it's just an easy way for a 1221 00:41:45,100 --> 00:41:47,289 microcontroller or FPGA to send 1222 00:41:47,290 --> 00:41:49,299 a signal and you end up getting a varying 1223 00:41:49,300 --> 00:41:51,579 voltage rather than having a real 1224 00:41:51,580 --> 00:41:53,709 digital to analog chip that 1225 00:41:53,710 --> 00:41:55,779 does that in its 1226 00:41:55,780 --> 00:41:56,780 own way. 1227 00:41:59,430 --> 00:42:01,919 So for a while, I 1228 00:42:01,920 --> 00:42:04,109 seriously considered Arduino for about 1229 00:42:04,110 --> 00:42:06,419 seven minutes, because 1230 00:42:06,420 --> 00:42:07,439 why not? 1231 00:42:07,440 --> 00:42:10,589 And the problem with Arduino is 1232 00:42:10,590 --> 00:42:13,049 the crystal is fixed on board, 1233 00:42:13,050 --> 00:42:14,519 wherever it is. 1234 00:42:14,520 --> 00:42:15,520 Uh. 1235 00:42:16,590 --> 00:42:18,329 Can't see it at the moment, but anyways, 1236 00:42:18,330 --> 00:42:19,739 I think it's 16 megahertz. 1237 00:42:20,850 --> 00:42:22,739 And as soon as you go and use any of the 1238 00:42:22,740 --> 00:42:24,869 timer output compare registers 1239 00:42:24,870 --> 00:42:26,669 to divide that clock down.
1240 00:42:26,670 --> 00:42:29,069 You can't take the 16 1241 00:42:29,070 --> 00:42:31,259 megahertz and provide it directly at 16 1242 00:42:31,260 --> 00:42:32,459 megahertz on an output pin. 1243 00:42:32,460 --> 00:42:34,079 It automatically goes through a divide by 1244 00:42:34,080 --> 00:42:35,579 two as soon as you turn any of those 1245 00:42:35,580 --> 00:42:36,939 timers or compare features on. 1246 00:42:36,940 --> 00:42:39,329 So already before I even started, 1247 00:42:39,330 --> 00:42:41,009 all I could do is eight megahertz signals 1248 00:42:41,010 --> 00:42:42,239 out of this thing. 1249 00:42:42,240 --> 00:42:44,399 And so if your device 1250 00:42:44,400 --> 00:42:46,379 is running at two or four megahertz, that 1251 00:42:46,380 --> 00:42:48,119 might be enough. But if your device is 1252 00:42:48,120 --> 00:42:49,649 running at thirty two megahertz, then 1253 00:42:49,650 --> 00:42:50,849 obviously this isn't even 1254 00:42:52,140 --> 00:42:54,359 going to help you. So it just wasn't 1255 00:42:54,360 --> 00:42:55,529 flexible enough. 1256 00:42:55,530 --> 00:42:57,599 So then I thought I'd make an even more 1257 00:42:57,600 --> 00:43:00,089 feature-rich board and, 1258 00:43:00,090 --> 00:43:02,159 because I'm thrifty, decided to etch it 1259 00:43:02,160 --> 00:43:04,439 myself, which was 1260 00:43:04,440 --> 00:43:06,629 pretty much an epic failure because 1261 00:43:06,630 --> 00:43:08,639 what happened was my transparency that 1262 00:43:08,640 --> 00:43:11,069 you shine the fluorescent light through, 1263 00:43:11,070 --> 00:43:13,139 with your mask of the layout, was 1264 00:43:13,140 --> 00:43:14,699 slightly off the surface of the board, 1265 00:43:14,700 --> 00:43:16,169 which had the effect of being out of 1266 00:43:16,170 --> 00:43:18,090 focus. The artwork was out of focus.
1267 00:43:19,350 --> 00:43:21,089 So basically I had blurred pads and 1268 00:43:21,090 --> 00:43:23,159 traces that didn't develop properly. 1269 00:43:23,160 --> 00:43:25,469 So you can see stuff 1270 00:43:25,470 --> 00:43:27,689 like this probably isn't conducting 1271 00:43:27,690 --> 00:43:29,009 too much current through it. 1272 00:43:29,010 --> 00:43:30,509 Sections right here were wiped out 1273 00:43:30,510 --> 00:43:31,379 entirely. 1274 00:43:31,380 --> 00:43:32,639 And you can see the ground plane is 1275 00:43:32,640 --> 00:43:34,169 starting to get attacked because you 1276 00:43:34,170 --> 00:43:36,359 leave it in there to try and 1277 00:43:36,360 --> 00:43:37,469 eat through some areas. 1278 00:43:37,470 --> 00:43:38,579 Meanwhile, it's starting to eat through 1279 00:43:38,580 --> 00:43:40,979 areas you want to stay there. 1280 00:43:40,980 --> 00:43:43,199 Here's another kind of example of that. 1281 00:43:45,050 --> 00:43:47,239 More failure, so then 1282 00:43:47,240 --> 00:43:49,099 what I decided to do is break down and go 1283 00:43:49,100 --> 00:43:51,319 to OSH Park and make a professional PCB 1284 00:43:51,320 --> 00:43:52,999 because as you can see, it required a few 1285 00:43:53,000 --> 00:43:55,069 edits after the fact already. 1286 00:43:55,070 --> 00:43:57,469 And so this board was primarily designed 1287 00:43:57,470 --> 00:43:59,629 for voltage glitching. 1288 00:43:59,630 --> 00:44:02,149 It has an ATtiny2313 1289 00:44:02,150 --> 00:44:04,309 CPU that I just had lying around. 1290 00:44:04,310 --> 00:44:06,709 And why it's not great for clock 1291 00:44:06,710 --> 00:44:07,999 glitching is that obviously there's a 1292 00:44:08,000 --> 00:44:09,169 fixed crystal on there. 1293 00:44:09,170 --> 00:44:11,419 So you only have a certain range of 1294 00:44:11,420 --> 00:44:12,739 divisions you can do with that.
1295 00:44:14,850 --> 00:44:16,709 And it also, like the other board, uses 1296 00:44:16,710 --> 00:44:18,929 the ghetto DAC, 1297 00:44:18,930 --> 00:44:21,119 and this buffer simply strengthens 1298 00:44:21,120 --> 00:44:23,039 the output drive current so that you can 1299 00:44:23,040 --> 00:44:25,079 actually power the device up through this 1300 00:44:25,080 --> 00:44:27,269 buffer rather than having a weak, you 1301 00:44:27,270 --> 00:44:29,519 know, five, 10, 20 milliamp signal coming 1302 00:44:29,520 --> 00:44:31,589 right off of one of these 1303 00:44:31,590 --> 00:44:33,390 74-series logic chips. 1304 00:44:35,740 --> 00:44:37,359 Here is another device, 1305 00:44:38,410 --> 00:44:40,479 my sniffer board, which is just 1306 00:44:40,480 --> 00:44:42,249 basically used as a man in the middle, so 1307 00:44:42,250 --> 00:44:44,259 this would plug into the FPGA and then 1308 00:44:44,260 --> 00:44:46,359 this 74HC125 is just like 1309 00:44:46,360 --> 00:44:48,099 this 74LV125. 1310 00:44:48,100 --> 00:44:50,349 So it's just a five volt tolerant 1311 00:44:50,350 --> 00:44:51,999 chip that can drive signals at three 1312 00:44:52,000 --> 00:44:54,099 point three volts to correct the 1313 00:44:54,100 --> 00:44:56,199 voltage mismatch between the FPGA 1314 00:44:56,200 --> 00:44:57,200 and the target. 1315 00:44:58,540 --> 00:45:00,399 And so basically that allows for data 1316 00:45:00,400 --> 00:45:01,479 logging. 1317 00:45:01,480 --> 00:45:03,669 And then what you can also 1318 00:45:03,670 --> 00:45:05,949 do for cheap and dirty data logging and 1319 00:45:05,950 --> 00:45:08,589 logic analysis is you can use this 1320 00:45:08,590 --> 00:45:10,870 logic block called Altera SignalTap II 1321 00:45:12,340 --> 00:45:13,239 in the FPGA.
1322 00:45:13,240 --> 00:45:15,489 And what this is, is a logic analyzer, kind 1323 00:45:15,490 --> 00:45:17,739 of a soft logic analyzer block 1324 00:45:17,740 --> 00:45:19,869 that can analyze almost any signal, 1325 00:45:19,870 --> 00:45:21,909 that bus, external pins, whatever you 1326 00:45:21,910 --> 00:45:24,039 want, and you can save more 1327 00:45:24,040 --> 00:45:25,929 and more samples by using up more logic 1328 00:45:25,930 --> 00:45:28,059 elements, or slices in Xilinx 1329 00:45:28,060 --> 00:45:30,039 terminology, of the FPGA. 1330 00:45:30,040 --> 00:45:32,199 So there's plenty of trigger 1331 00:45:32,200 --> 00:45:34,029 options, from simple low, high or edge 1332 00:45:34,030 --> 00:45:36,459 triggering, to: you can chain events, do 1333 00:45:36,460 --> 00:45:37,869 multiple segments of capture. 1334 00:45:37,870 --> 00:45:40,479 So it's got all sorts of triggering 1335 00:45:40,480 --> 00:45:42,579 and storing that a full 1336 00:45:42,580 --> 00:45:44,299 hardware logic analyzer would have. 1337 00:45:44,300 --> 00:45:46,539 Then you can export the data in plaintext, 1338 00:45:46,540 --> 00:45:48,699 images or 1339 00:45:48,700 --> 00:45:50,889 other formats. The plaintext would be a 1340 00:45:50,890 --> 00:45:52,869 comma separated list of the 1341 00:45:52,870 --> 00:45:54,579 signals over time, like one zero one 1342 00:45:54,580 --> 00:45:56,289 zero. Then you can pack that back, 1343 00:45:56,290 --> 00:45:58,659 parse it back into an actual protocol. 1344 00:45:58,660 --> 00:45:59,559 So it's equivalent. 1345 00:45:59,560 --> 00:46:01,329 It's also called Xilinx ChipScope if 1346 00:46:01,330 --> 00:46:03,519 you're using 1347 00:46:03,520 --> 00:46:05,169 the Xilinx product. 1348 00:46:05,170 --> 00:46:07,689 So here's a quick summary of 1349 00:46:08,710 --> 00:46:09,159 what you do.
1350 00:46:09,160 --> 00:46:10,929 You basically pick the clock that 1351 00:46:10,930 --> 00:46:13,119 you want to clock the logic analyzer at, 1352 00:46:13,120 --> 00:46:14,979 pick which signals of interest you want 1353 00:46:14,980 --> 00:46:16,839 and what logic levels or triggering you 1354 00:46:16,840 --> 00:46:19,209 want the recording 1355 00:46:19,210 --> 00:46:20,379 to kick in at. 1356 00:46:20,380 --> 00:46:23,019 And then 1357 00:46:23,020 --> 00:46:25,179 you get a nice waveform view where it 1358 00:46:25,180 --> 00:46:27,039 shows you what those signals did after 1359 00:46:27,040 --> 00:46:28,899 the trigger, and below that before 1360 00:46:28,900 --> 00:46:30,399 the trigger point if you want. 1361 00:46:30,400 --> 00:46:32,589 So let's roll 1362 00:46:32,590 --> 00:46:34,449 into the last section, which is the 1363 00:46:34,450 --> 00:46:36,849 example 1364 00:46:36,850 --> 00:46:38,469 device I was playing with. 1365 00:46:39,640 --> 00:46:41,709 So I had a victim IC. I knew it was a 1366 00:46:41,710 --> 00:46:43,449 secure microcontroller, but I wasn't sure 1367 00:46:43,450 --> 00:46:45,369 what the internal architecture was of the 1368 00:46:45,370 --> 00:46:47,469 CPU core. I knew that it paired 1369 00:46:47,470 --> 00:46:48,529 with a partner device. 1370 00:46:48,530 --> 00:46:50,919 So a reader 1371 00:46:50,920 --> 00:46:52,719 and then the target chip. 1372 00:46:52,720 --> 00:46:54,789 So the reader would send 1373 00:46:54,790 --> 00:46:55,569 data to the chip. 1374 00:46:55,570 --> 00:46:57,129 The chip would encrypt and decrypt it 1375 00:46:57,130 --> 00:46:58,959 with a key that was inside of it and then 1376 00:46:58,960 --> 00:47:00,489 send the data back to the reader, which 1377 00:47:00,490 --> 00:47:03,219 would go off to the rest of the device.
1378 00:47:03,220 --> 00:47:04,749 So I was basically starting with a black 1379 00:47:04,750 --> 00:47:06,819 box and so I wasn't sure 1380 00:47:06,820 --> 00:47:07,929 what data sheets to look for. 1381 00:47:07,930 --> 00:47:09,849 Even if the device was known, the data 1382 00:47:09,850 --> 00:47:10,929 sheets might not have been public 1383 00:47:10,930 --> 00:47:12,339 anyways. 1384 00:47:12,340 --> 00:47:14,439 So what I did was basically 1385 00:47:14,440 --> 00:47:16,839 start probing the pads of the 1386 00:47:16,840 --> 00:47:18,609 victim 1387 00:47:18,610 --> 00:47:20,619 chip, did an initial sweep with the 1388 00:47:20,620 --> 00:47:22,089 multimeter. I've got a little Fluke 1389 00:47:22,090 --> 00:47:23,859 meter. So the little bar graph part of 1390 00:47:23,860 --> 00:47:25,659 the meter will respond a lot faster than 1391 00:47:25,660 --> 00:47:27,819 the actual numeric digits. 1392 00:47:27,820 --> 00:47:29,709 And then I'd come back with an actual 1393 00:47:29,710 --> 00:47:31,239 oscilloscope for any pads that showed 1394 00:47:31,240 --> 00:47:33,999 interesting quick moving activity. 1395 00:47:34,000 --> 00:47:36,489 So I found one pad appeared to speak a 1396 00:47:36,490 --> 00:47:38,349 slowish serial protocol. 1397 00:47:38,350 --> 00:47:40,179 So all I did was capture and just 1398 00:47:40,180 --> 00:47:41,769 transcribe the beginning of that waveform 1399 00:47:41,770 --> 00:47:44,499 because my scope had a really 1400 00:47:44,500 --> 00:47:46,689 small amount of onboard memory 1401 00:47:46,690 --> 00:47:48,159 and it was only one pin doing that. 1402 00:47:48,160 --> 00:47:49,959 So my guess was that it was some sort of 1403 00:47:49,960 --> 00:47:51,759 half-duplex communication going back and 1404 00:47:51,760 --> 00:47:53,919 forth because I knew that the 1405 00:47:53,920 --> 00:47:55,359 victim talked to the reader.
1406 00:47:55,360 --> 00:47:57,429 So then I used that sniffer board 1407 00:47:57,430 --> 00:47:59,559 to basically man 1408 00:47:59,560 --> 00:48:00,639 in the middle the conversation. 1409 00:48:00,640 --> 00:48:02,919 And I used that SignalTap logic 1410 00:48:02,920 --> 00:48:05,139 analyzer software in the FPGA to export 1411 00:48:05,140 --> 00:48:07,149 the waveforms to plaintext, pack those 1412 00:48:07,150 --> 00:48:09,219 individual bits back into bytes, read 1413 00:48:09,220 --> 00:48:11,319 the byte string. And I found out, 1414 00:48:11,320 --> 00:48:13,439 after Googling that, I had an 1415 00:48:13,440 --> 00:48:16,749 ISO 7816 APDU header 1416 00:48:16,750 --> 00:48:18,069 that I found. 1417 00:48:18,070 --> 00:48:19,389 So at that point this was good. 1418 00:48:19,390 --> 00:48:21,129 So then what I was able to do is add a 1419 00:48:21,130 --> 00:48:23,379 UART to the FPGA, and so 1420 00:48:23,380 --> 00:48:24,279 that's the 16550. 1421 00:48:24,280 --> 00:48:26,049 So what this does was allow for hardware 1422 00:48:26,050 --> 00:48:28,209 framing of the transmit and 1423 00:48:28,210 --> 00:48:29,619 receive data with the victim. 1424 00:48:29,620 --> 00:48:31,269 Otherwise you don't need a UART, you 1425 00:48:31,270 --> 00:48:33,189 can do it with bit-bang, but then you 1426 00:48:33,190 --> 00:48:34,629 have to waste like two or three days 1427 00:48:34,630 --> 00:48:36,849 potentially to get the timing perfect. 1428 00:48:36,850 --> 00:48:38,589 So just easier. 1429 00:48:38,590 --> 00:48:41,499 And then with the Altera you can use this 1430 00:48:41,500 --> 00:48:42,909 logic block called JTAG 1431 00:48:42,910 --> 00:48:45,039 UART to talk to the MIPS 1432 00:48:45,040 --> 00:48:46,809 thirty two bit soft CPU running in the 1433 00:48:46,810 --> 00:48:49,479 FPGA and then the CPU 1434 00:48:49,480 --> 00:48:50,539 can talk to the victim.
1435 00:48:50,540 --> 00:48:51,789 So then that way you just need one 1436 00:48:51,790 --> 00:48:54,309 programming cable from the board to a USB 1437 00:48:54,310 --> 00:48:55,539 port on your computer. You don't need a 1438 00:48:55,540 --> 00:48:57,789 cable to the victim and a cable to the 1439 00:48:57,790 --> 00:48:59,919 FPGA. So now that I had 1440 00:48:59,920 --> 00:49:02,229 that kind of intermediate speaking going 1441 00:49:02,230 --> 00:49:04,419 on, I had the PC speak 1442 00:49:04,420 --> 00:49:06,009 ISO 7816 smart card 1443 00:49:06,010 --> 00:49:07,090 protocol with the victim. 1444 00:49:08,500 --> 00:49:10,419 And so the 7816 header has a 1445 00:49:10,420 --> 00:49:12,549 length field, so I 1446 00:49:12,550 --> 00:49:14,709 proposed the theory that the 1447 00:49:14,710 --> 00:49:17,319 victim is probably comparing the length 1448 00:49:17,320 --> 00:49:19,989 that you send it in the length field 1449 00:49:19,990 --> 00:49:22,149 from the device or 1450 00:49:22,150 --> 00:49:24,279 from the reader to the max 1451 00:49:24,280 --> 00:49:26,589 that it'll allow as its buffer 1452 00:49:26,590 --> 00:49:28,029 input, usually like I'm not going to allow 1453 00:49:28,030 --> 00:49:29,259 you any more than this because I've only 1454 00:49:29,260 --> 00:49:31,299 set aside sixty four bytes of RAM to 1455 00:49:31,300 --> 00:49:34,569 store the commands in RAM, for example. 1456 00:49:34,570 --> 00:49:36,789 And my 1457 00:49:36,790 --> 00:49:38,559 hunch was that if the length was too long 1458 00:49:38,560 --> 00:49:41,019 then issue an error.
1459 00:49:41,020 --> 00:49:43,269 So then what I was able to do, 1460 00:49:43,270 --> 00:49:45,519 the next theory was issue a whole 1461 00:49:45,520 --> 00:49:48,279 bunch of too long 1462 00:49:48,280 --> 00:49:50,829 commands to the victim, but otherwise 1463 00:49:50,830 --> 00:49:52,899 corrected up the checksum 1464 00:49:52,900 --> 00:49:55,569 so that it was correct 1465 00:49:55,570 --> 00:49:57,459 and then observed the error response from 1466 00:49:57,460 --> 00:49:59,050 the 1467 00:50:00,760 --> 00:50:01,599 CPU. 1468 00:50:01,600 --> 00:50:02,600 And at this point 1469 00:50:04,000 --> 00:50:05,630 now is when you get ready to glitch. 1470 00:50:06,850 --> 00:50:08,949 So this is what I call the sucker punch, 1471 00:50:08,950 --> 00:50:11,019 which is a clock glitch where you 1472 00:50:11,020 --> 00:50:14,319 see a quick pulse in time 1473 00:50:14,320 --> 00:50:15,489 versus the normal. 1474 00:50:15,490 --> 00:50:17,439 Like this pulse wouldn't be here normally 1475 00:50:17,440 --> 00:50:19,780 in the normal speed of the device. 1476 00:50:21,730 --> 00:50:23,379 So you can do a one two punch, which is 1477 00:50:23,380 --> 00:50:25,539 simply two pulses, one after another, and 1478 00:50:25,540 --> 00:50:27,549 you can try any variation of this: one, 1479 00:50:27,550 --> 00:50:30,249 two, three, four, five different 1480 00:50:30,250 --> 00:50:31,250 periods. 1481 00:50:32,200 --> 00:50:34,569 So this is clock glitching 1482 00:50:34,570 --> 00:50:36,669 during the suspected victim's 1483 00:50:36,670 --> 00:50:38,589 command handler. 1484 00:50:38,590 --> 00:50:40,419 So where the victim would be 1485 00:50:40,420 --> 00:50:42,009 accepting commands and checking the 1486 00:50:42,010 --> 00:50:44,109 length on them, the length 1487 00:50:44,110 --> 00:50:45,189 of the packet.
00:50:45,190 --> 00:51:44,169
So what I do is try different pulse offsets and durations to try and narrow down when it was executing, for example, the compare instruction that would be checking the length of the packet you're sending it. And so, you know, you've hit a milestone when you give it these packets that are very long but with correct checksums, and where it normally errors out, all of a sudden it doesn't error out. And it actually processes the command, even though it's got all those garbage bytes at the end of it to make it way longer. So now you know that you've probably hit the compare or the jump instruction with your glitch, and you've stopped the device from issuing an error. So at this point, if you're already sure, like, there's usually Motorola 6805-based cores or Intel 8051 cores; they are the majority of smaller 8- or 16-bit embedded devices. So use that as your guess if you can.
00:51:44,170 --> 00:52:25,839
So, as I said, you add more and more data to the end of the command and then wait till the victim crashes or does something weird. So as you're padding more and more data, eventually it crashes. So now you've sent in a too-long value, but you make it even more longer. More long. That's not good English, but whatever. So eventually you'll stack smash, but it could be hard to notice if there's a hardware watchdog that notices that all of a sudden the CPU flew off into nowhere land and then resets it. But basically, that's what I was able to get to: the point where I knew where the stack pointer was going to be on it, and I overwrote the return address.
00:52:25,840 --> 00:53:10,719
So now that you know where the return address is, you can actually start writing programs for this device, because now you control the return address. So you can write a minimal, tiny little program that tries to write to low-address special registers, like on the Motorola 6805, for example: PORT, which is the output pin value; PIN, which is the input pin; DDR, which is your data direction register. Start playing with those and see if you can get your I/O pin, one of the important pins on your victim, to toggle, to all of a sudden change, because now you know the address. Now you know that those pins exist and how they're mapped into memory. So here is your typical layout of the victim's memory space.
00:53:10,720 --> 00:54:06,859
Yeah, so your next milestone is where you do actually have the output pin change: one of the pins on the device, either the I/O pin that you're talking to it on or a different pin that might be bonded into the chip, if it changes value. Now you've confirmed code execution. Your architecture guess is probably pretty good, because you wrote a little program in that target architecture of a few bytes to write to that low area. And it's probably von Neumann or modified Harvard that lets you do that. So now you're getting really close. The next thing I did was write more code in that architecture, in the 6805, that loads a dummy ASCII byte, like 55 or AA or some value with alternating bits, into a register like, yeah, A on the 6805, for example, and then sweeps jumps into outer space. So what that's doing is I'm searching for the serial transmit routine, the address in software, because this thing, the victim, bit-banged the output.
00:54:06,860 --> 00:55:01,459
So it didn't have a hardware UART; it had to jump to a software address when it wanted to echo a byte back to me. So I just kept sweeping addresses in as that return address with the smashed stack until I got back the byte that I sent in. And now I knew I'd found the serial transmit handler in the software of the microcontroller. So now all you have to do is make a code loop that starts wherever you want, wherever the current execution is, or maybe it jumps to 0000, loads the data from address 0000 into a register, jumps to the serial transmit routine, which will echo that data byte out the serial port, increments the address pointer, and then keeps going over and over again, moving to the next memory location. And you have to be prepared to empty the FPGA's receive buffer quickly and regularly, because basically the entire code and data space in this particular chip will be dumped out in an endless loop.
00:55:01,460 --> 00:55:43,849
It'll just keep mirroring and wrapping over the address space. And this is kind of what's known as linear code extraction. So, the summary: now that you've got this whole dump of the code and data space, you can try and figure out the memory map. If you're still not sure of it, analyze the dump for any mirroring of the address space, so you know where the overall dump starts repeating, because it's going to be in an endless loop. So eventually there's going to be a finite bound on where the memory map is. Try poking values into certain memory locations and see if they change. If they do, you're probably dealing with RAM, or maybe E-squared or flash, depending, but usually E-squared and flash have more complicated write routines. And now you're back in familiar territory, so you can disassemble that code dump you have, or write a disassembler.
00:55:43,850 --> 00:56:41,479
If you don't have one on hand. You can search for crypto secrets or keys in that dump, serial numbers, keys, whatever, and you can discover any code vulnerabilities where it was just poor craftsmanship on the part of the creator of the code, where you can just find vulns. So, conclusions: electrical glitching can be a viable attack vector against a variety of ICs, except for security-hardened, purpose-built security ICs. It can be cheap to perform. You don't need a big lab or an expensive lab. It's usually nondestructive in nature, so it doesn't affect the device. And it's another tool in your arsenal when other approaches have failed. So that is everything. And I guess I'm not sure if we can get a couple of questions, or...

Yeah, I think we have some time for maybe three or four questions. If you have questions, please line up at the microphones down here. Up there, there are no microphones for questions.
00:56:41,480 --> 00:57:32,069
And while you pile up, we hear a question from the Internet. Angel, thank you.

First question: how many chips do you destroy on average until you successfully break in?

Some devices, where you only have one device, you have to be very careful with how you proceed. So in those ones, like I said, with the absolute maximum ratings of the device, you do not exceed them. You play it very safe. Other devices, where it's a more general-purpose microcontroller, whatever, you've got a whole tube of them, then you can throw seventeen volts at a five-volt chip or whatever you want, and in some cases you'll blow up 10 percent of the devices very quickly. But the other story: you'll blow up ninety percent of your devices very quickly. About 10 percent of them might actually latch something advantageous and do something you want before they blow up.

Thanks. There is somebody at microphone one; please ask a short question.
00:57:33,110 --> 00:58:34,069
I was just wondering how reproducible the glitches are, like if you find a particular offset and length, once you find the offset...

Depending on the timing drift of your own hardware, that's pretty much the limitation. You will be able to hit that instruction every single time.

Nearly always do the same thing every time?

Usually. Usually, yeah. Like, if it is a compare or a jump right after it from a conditional branch, it will stop the branch from happening or cause the branch to happen with very good repeatability, other than the drift in your own clocking hardware.

And are there any more questions? Yes, microphone number four, please.

Yes. Is it possible to work a glitch through a PLL?

It's almost impossible to glitch an actual PLL device, or one that's clocked behind a PLL. As proof that I haven't actually tried, I would assume it would be a good defense, but I can't comment too much more.
00:58:34,070 --> 00:58:41,459
I haven't actually tried specific hardened devices like that.

No more questions for now.