Hello all,
Is there any tutorial about how to use BP for glitching attacks?
I’m not sure if the BP hardware can be used as-is for glitching attacks at all.
For example, when you do voltage glitching, you must be able to reduce the voltage at a precise time and very quickly. While the timing could be done, the voltage regulator in the BP hardware doesn't have a way to reduce the voltage fast enough. If you downprogram the voltage, it just gradually falls off as the charge in the capacitors is used by the load. This doesn't cut it for voltage glitching; there you need to actively discharge to a preprogrammed low setpoint with some kind of crowbar circuit or similar.
Also for developing a glitching attack you usually want to monitor the current draw of the victim with a high time resolution, to be able to figure out the precise moment you want to launch your attack. While the BP has current monitoring capability, I wouldn’t consider it good enough for this. It means developing an attack is much more difficult.
So I’d say you’d have to add additional hardware to the BP. This is possible through the 10-pin connector. But I’m not aware of existing hardware for this, so you’d have to develop your own.
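The post above describes what developing a glitch attack actually consists of: finding the trigger delay and pulse width at which the victim misbehaves, which without good current monitoring becomes a brute-force search. Below is an added example of that host-side search loop; it is not code from this thread or from any of the tools mentioned. `SimulatedTarget` is a constructed stand-in for a real glitcher plus victim board (the response strings, the 1200-1260 ns window and the width limits are assumptions), and in practice its `glitch` method would be replaced by serial or USB control of the actual hardware.

```python
"""Host-side fault-injection campaign driver.

Sweeps trigger delay and pulse width, classifies the victim's response to each
attempt, and ranks parameter pairs by success rate. Added example, not code
from the thread; SimulatedTarget is a constructed stand-in for a real glitcher
plus victim board.
"""
from collections import Counter, defaultdict
from enum import Enum
import random


class Outcome(Enum):
    NORMAL = "normal"    # victim behaved as if nothing happened
    RESET = "reset"      # no response: brown-out or watchdog reset
    SUCCESS = "success"  # protected check was skipped
    UNKNOWN = "unknown"  # garbled response, worth looking at by hand


def classify(response: bytes) -> Outcome:
    """Map the victim's reply after a glitch attempt to an outcome.
    The strings are assumptions matching the constructed target below; a real
    campaign keys on whatever the firmware prints, or on a current/reset trace."""
    if not response:
        return Outcome.RESET
    if b"unlocked" in response:      # checked before "locked", which it contains
        return Outcome.SUCCESS
    if b"locked" in response:
        return Outcome.NORMAL
    return Outcome.UNKNOWN


class SimulatedTarget:
    """Constructed victim: the vulnerable instruction executes in a narrow
    window after the trigger, and only a pulse of the right width landing in
    that window has a chance of skipping it. Too wide a pulse browns out."""

    def __init__(self, window_ns=(1200, 1260), good_width_ns=(40, 90),
                 reset_width_ns=120, seed=0):
        self.window_ns = window_ns
        self.good_width_ns = good_width_ns
        self.reset_width_ns = reset_width_ns
        self.rng = random.Random(seed)

    def glitch(self, delay_ns: int, width_ns: int) -> bytes:
        if width_ns >= self.reset_width_ns:
            return b""                       # chip lost power, nothing printed
        in_window = self.window_ns[0] <= delay_ns <= self.window_ns[1]
        good_width = self.good_width_ns[0] <= width_ns <= self.good_width_ns[1]
        if in_window and good_width and self.rng.random() < 0.7:
            return b"unlocked\r\n"           # even a well-placed glitch is probabilistic
        return b"locked\r\n"


def sweep(glitch, delays_ns, widths_ns, repeats=5):
    """Try every (delay, width) pair `repeats` times and tally outcomes.
    `glitch(delay_ns, width_ns) -> bytes` is the hardware abstraction."""
    results = defaultdict(Counter)
    for width in widths_ns:
        for delay in delays_ns:
            for _ in range(repeats):
                outcome = classify(glitch(delay, width))
                results[(delay, width)][outcome] += 1
                if outcome is Outcome.RESET:
                    break  # this setting kills the chip; don't burn repeats on it
    return dict(results)


def rank(results):
    """Parameter pairs sorted by success rate, best first."""
    ranked = []
    for params, tally in results.items():
        rate = tally[Outcome.SUCCESS] / sum(tally.values())
        ranked.append((rate, params, dict(tally)))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    target = SimulatedTarget()
    res = sweep(target.glitch, range(1000, 1500, 20), [30, 60, 90, 120])
    for rate, (delay, width), tally in rank(res)[:5]:
        print(f"delay={delay}ns width={width}ns success={rate:.0%} {tally}")
```

The sweep covers 25 delays and 4 widths at 5 repeats each, i.e. up to 500 attempts, to locate a 60 ns window. That is the cost of not having a current trace: with a scope or a differential power measurement you read the window off the trace and only sweep a handful of delays around it. Stopping early on a reset matters on real hardware too, since every brown-out costs a reboot and sometimes a re-flash.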
I use a Chip Whisperer for glitching attacks; it has an FPGA for more precise timing as well as higher power FETs for power glitching.
Timing is so critical for triggering the glitch. Maybe a PIO could be used for some specific cases, but in this case I think dedicated hardware is going to work better.
Don’t get me wrong, I LOVE using the BP for everything I can.
I made a lame attempt to glitch an SLE4442 IC card and proposed some hardware to counter the effects electronic_eel mentions. The code is still in the sle4442.c command file, but I don't think there's a command line option to invoke it; it was an itch I had.
I actually found that Faultier is pretty good at it, then there is the Curious badge I was going to look into (https://bolt.curious.supplies), and then there is actually PicoEMP. I agree ChipWhisperer is nice, but 300 bucks is pretty steep; their Nano can do a few tricks for 50, which I have, but I still haven't found a middle road yet.
ChipWhisperer is extremely expensive. Do you know of some other tool that is more pocket-friendly?
There is PicoGlitcher (on Hackaday.io).
I guess this is as cheap as you can get. But it comes at the cost of taking you longer to develop a successful attack. With more precise monitoring and timing you are faster and it is easier to learn how to do it.
I’ve been perfectly happy with Faultier.
Take a look at Faultier:
Totally agree - the Chip Whisperer is one of my most expensive personal pieces of kit. If you’re serious about glitching, it’s the tool to have and use. I was lucky enough for my previous employer to send me to training at Black Hat to learn the basics.
I also have a ChipShouter Pico, which is cheap, but is really just an EMP blaster; you still need something to trigger it. Or you just blast randomly like crazy and hope for results.
I don’t know of a mid-range glitching tool either. It’s either the Ferrari or the [insert name of your favorite cheap car here]. I think the market is split between those who just want to explore a bit/play with the idea of glitching and those with time and motivation to actually do it. At this point, anyway.
This is kind of how the electronics market was when I was first starting out in the 80’s: there were the professional tools and there was Heathkit and home-made tools (from information found in actual paper magazines, lol).
Things are so much more accessible now! You can get cheap Arduino and other hardware to play with, and it even comes with a mature and free dev environment. There are projects, like the excellent Bus Pirate, that not only help you learn and grow, but are extremely useful in production and real-world environments.
Maybe it’s just a matter of a few more years before the glitching tools catch up, but for now it’s a pretty niche market with only a few vendors.
That’s my $0.02 anyway
The Curious Bolt is not too expensive ($50 USD), and comes with both the Bolt plus a hardware target preprogrammed with flags to capture, a cheap STM32 SWD programmer, and cheap chip probes.
The Bolt is a crowbar voltage glitcher, an 8-channel logic analyzer, and differential power scope.
Here's a simple glitcher using an ESP8266 (or any other processor): the PythonHacker24/fault-injector project on GitHub, "A fault injection toolkit based on ESP8266 for glitching electronic circuits. It's low-cost, reliable and can be built anywhere. A must have DIY tool for Hardware Hackers."
Thanks for that, grymoire.
There is also the Pico Debug'n'Dump AirTag Glitcher by StackSmashing (which got a bit of press), but the project is somewhat neglected. Also there is "Another AirTag glitcher", which describes a glitcher using a Pico, a MOSFET, some parts, and a SWD programmer, and either a scope or lots of time.
One more thing. Ross Anderson (who is legendary) has made a deal with his publisher to allow public access to his 3rd edition of Security Engineering. Chapter 19 deals with side channel attacks. There are also several videos used in his class at this link. This is worth bookmarking.
That is a spectacular resource! Thank you for sharing it!
Since there are already glitching solutions around the RP chip, I wish I had the necessary hardware design skills to develop a plank for glitching attacks.
Thanks everybody for sharing information and solutions! Such a great community.
One of the links shows how to combine a MOSFET, a transistor, and some resistors to make the circuit. Start with a breadboard, and then see where you go. I've never used KiCad, and I have used extra-long male headers, a stripboard, and the quick connector to build little boards that can plug into the BP. If we had a proto plank (blank plank), this would make it easier to build a glitcher.
A blank ‘proto’ plank would be a really cool thing! I have similar that I bought with my Flipper for experimenting. I would definitely be buying a few if they were available…
How would it look? A simple proto board kind of thing? A small bread board?
Should the 10P connector be soldered?
Perhaps 2 rows of the secondary 10P header (the one not currently populated on the planks)? One populated, one not?
Any useful accessories like LEDs for blinking? A button or switch?