Using an FPGA to Glitch the Olimex LPC-P1343

After trying out hardware hacking using an FPGA to interface with target hardware, [Grazfather] was inspired to try using the iCEBreaker (one of the many hobbyist FPGAs to have recently flooded the market) to build a UART-controllable glitcher for the Olimex LPC-P1343.

FPGA Modules (The cmd module intercepts what the host computer sends over UART, the resetter holds the reset line until the target is reset, the delay starts counting on reset and waits for a configured number of cycles before sending its signal, the trigger waits for the delay to finish before telling the pulse module to send a pulse, and the pulse works similar to the delay module and outputs to the power multiplexer.)

When the target board boots up, the bootROM reads the flash and determines whether the UART goes to a shell and if the shell can be used to read out the flash. This is meant for developing firmware and debugging it in the bootloader, only flashing a version when the firmware is production-ready. The vulnerability is that only a specific value read from address 0x2FC and the state of a few pins can lock the bootloader in the expected way, and any other value at the address causes the bootROM to consider the device unlocked. Essentially, the mechanism is the opposite of how a lock ought to work.

The goal is to get the CPU to misread the flash at the precise moment it is meant to be reading the specific value, then jumping to the bootloader in the unlocked state. The FPGA can be used as a tool between the host machine and target board, communicating via UART. The FGPA can support configuring the delay between resetting the target board and pulsing a ‘glitch voltage’, as well as resetting the target board and activating the glitch. The primary reasons for using the FPGA over a different microcontroller are that the FPGA allows for precise timing (83.3ns precision) and removes worries about jitters (a Raspberry Pi might have side effects from OS scheduling and other processes and microcontrollers might have interrupts messing up the timing).

The logic analyzer view

To simulate the various modules, [Grazfather] used Icarus Verilog as well as GTKWave to observe the waveforms generated. A separate logic analyzer observes the effects on real hardware.

With enough time, it is possible to brute force any combination of delay and width until you get a dump of the flash you’re not meant to read. You can check out how the width of the pulse gets wider until the max, when the delay is incremented and the width values are tried again.



from Hackaday https://ift.tt/3bV49PF

Comments

Post a Comment

Popular posts from this blog

Fleksy + GIF Keyboard v9.0.0 [Premium] [Latest]

Fleksy is the most fun, customizable way to type, and officially the fastest keyboard in the world. Find and send GIFs & Stickers, and customize your keyboard with powerful extensions & colorful themes.. Use Extensions like: GIFs, Hotkeys, Number Row, Cursor Control, One-Handed Typing, Stickers, Rainbow Key Pops and more. • “This is much better than your standard input methods and predictive text engines.” – TechCrunch • Killer text prediction that works with even the sloppiest of writing – TIME MAGAZINE Really awesome app and best keyboard in whole playstore Please remain like this forever and don’t become like other app which gives so much advertisement and gives so much of trouble so be good like present. It is the The post Fleksy + GIF Keyboard v9.0.0 [Premium] [Latest] appeared first on APK4Free . from APK4Free http://ift.tt/2uy8jbp
Read more

Clipboard Manager : Clipo Pro v8.19-pro [Paid] [Latest]

Clipo creates quick and smart actions for your copied text and shows them as a notification or a intuitive and beautiful list in the app! Features: Cloud Backup and Sync across multiple devices! See all your clips, in a clean and intuitive materially designed list! You can quickly copy an older clip to the Clipboard for using! Search: Get a quick action to search the copied text on the search engine of your choice – Google, Bing, Baidu, AOL, DuckDuckGo! Call: Filters your clips and detects phone numbers to give you a one tap to call experience! Add to Contacts: Filter phone numbers and quickly add to contacts! Open Link: Quickly open a link in your clip! Shorten Link: Quickly The post Clipboard Manager : Clipo Pro v8.19-pro [Paid] [Latest] appeared first on APK4Free . from APK4Free http://ift.tt/2wGr9ht
Read more

VPN 365 – Free Unlimited VPN Proxy & WiFi VPN v1.6.0 [Ad-Free] [Latest]

VPN 365, the best free high-speed WiFi VPN with unlimited proxy connection time. Offers you the freedom to access your favorite content, websites, apps, videos from anywhere and encrypts your internet activities to protect you from hackers. Why use a VPN? To view websites restricted in your region For a more secure internet environment: When connected to a VPN, your IP Address will be hidden when you surf the internet, so no one can track your browsing activities. If you are on a business trip or studying abroad, a VPN is your great tool to use. How to use VPN 365? Tap the Connect button in the app, accept permission request if it shows up, and wait for the connection The post VPN 365 – Free Unlimited VPN Proxy & WiFi VPN v1.6.0 [Ad-Free] [Latest] appeared first on APK4Free . from APK4Free https://ift.tt/2yZWC0o via
Read more