CHIP.FAIL

Glitching the silicon of the Internet-of-Things.



Introduction

At Black Hat USA 2019 we presented our research on glitching standard microcontrollers using equipment costing less than 100 US dollars. The slides of our talk can be found here.

The targets we were able to glitch during our research include, but are not limited to:

  • STMicroelectronics STM32F2 (incl. a vulnerability that allows downgrading the read-out protection)
  • Espressif ESP32
  • Microchip SAM L11 Secure Microcontroller
  • Microchip SAM D21
  • Nordic Semiconductor nRF52840

The goal of chip.fail is to provide hardware developers and hardware auditors with an easy-to-use framework for testing the susceptibility of chips to glitching.
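A susceptibility test only tells you that a glitch can land; what an auditor then wants to see is whether the firmware under test would notice. The following C fragment is an added illustration, not code from chip.fail or from any of the vendors listed above, of the firmware-side counterpart to that test: a single-branch comparison of the kind a voltage glitch can skip, beside a redundant check that walks the buffer twice with independent counters, folds the two results into wide, Hamming-distant constants instead of 0/1, and reports a fault when its copies disagree or a loop exits early. The constants, function names and sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of glitch-aware firmware checks. Not chip.fail code. */

/* Wide constants with large Hamming distance: a single bit flip in the
   result cannot turn FAIL into OK, unlike a 0/1 boolean. */
#define AUTH_OK    0xA5A5A5A5u
#define AUTH_FAIL  0x5A5A5A5Au
#define AUTH_FAULT 0xFFFFFFFFu   /* redundant copies disagreed: treat as tampering */

/* Naive check: one loop, one branch on a 0/1 value. A glitch that skips
   the compare or corrupts the flag turns "fail" into "ok". */
bool naive_check(const uint8_t *expected, const uint8_t *given, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (expected[i] != given[i]) return false;
    }
    return true;
}

/* Fold two independently computed results into a verdict. Kept separate so
   the detection logic can be exercised with deliberately inconsistent
   inputs (as a real glitch would produce) without needing hardware. */
uint32_t fold_results(uint32_t diff1, uint32_t diff2,
                      size_t i1, size_t i2, size_t n) {
    if (i1 != n || i2 != 0) return AUTH_FAULT;            /* a loop exited early */
    if ((diff1 == 0) != (diff2 == 0)) return AUTH_FAULT;  /* copies disagree */
    return (diff1 == 0 && diff2 == 0) ? AUTH_OK : AUTH_FAIL;
}

/* Hardened check: two passes over the data with independent accumulators
   and counters walking in opposite directions, then a consistency fold. */
uint32_t hardened_check(const uint8_t *expected, const uint8_t *given, size_t n) {
    volatile uint32_t diff1 = 0, diff2 = 0;  /* volatile: keep both passes in the binary */
    volatile size_t i1 = 0, i2 = n;
    for (; i1 < n; i1++) diff1 |= (uint32_t)(expected[i1] ^ given[i1]);
    while (i2 > 0) { i2--; diff2 |= (uint32_t)(expected[i2] ^ given[i2]); }
    return fold_results(diff1, diff2, i1, i2, n);
}

int main(void) {
    /* Constructed sample buffers standing in for a stored and a supplied value. */
    const uint8_t stored[8]  = {1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t good[8]    = {1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t bad[8]     = {1, 2, 3, 4, 5, 6, 7, 9};

    printf("naive    good=%d bad=%d\n", naive_check(stored, good, 8), naive_check(stored, bad, 8));
    printf("hardened good=%08x bad=%08x\n", hardened_check(stored, good, 8), hardened_check(stored, bad, 8));
    /* Simulated glitch outcomes: one copy corrupted, or the first loop cut short. */
    printf("fold: copies disagree=%08x, loop skipped=%08x\n",
           fold_results(1, 0, 8, 0, 8), fold_results(0, 0, 7, 0, 8));
    return 0;
}
```

The fold step is the part worth copying: a caller that only branches on `hardened_check(...) == AUTH_OK` still gets the benefit that `AUTH_OK` differs from both other verdicts in 16 bits, while `AUTH_FAULT` gives the auditor a distinct signal that the two passes were desynchronised rather than that the data simply mismatched.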

Equipment needed

The chip.fail glitcher is based on an FPGA module produced by Digilent:

As the multiplexer that provides interruptible power and shapes the glitch pulse, we use the Maxim MAX4619, for which we have designed a custom PCB that plugs directly into the Cmod A7. Feel free to ask us (in person or by e-mail) for a PCB; the schematic and design files can also be found here:

A power supply is used to feed the core voltage to the CPU. In our case, we used the DPS3003/DPS3005/DPS5005 power supplies that can be found cheaply on sites like Amazon, Alibaba etc.

Source-code

The source code for the FPGA can be found here; it also includes the Jupyter Notebooks used to control the glitcher: