Dmitry Nedospasov, Thorsten Schröder. Let the Hardware Do All the Work: Adding Programmable Logic to Your Toolbox.

  1. Let the Hardware do all the Work. PHDays 2013, Moscow. Dmitry Nedospasov, Thorsten Schröder
  2. About us
     • Dmitry Nedospasov: PhD student, TU Berlin
     • Thorsten Schröder: Founder, modzero AG
  3. LeCroy 7-Zi MSO. 120,000 €
  4. Microcontroller. Source: Arduino Project
  5. Microcontroller
     • Real-time analysis.
     • High-level programming languages.
     • Cheap.
     • Integrated interfaces for embedded protocols.
  6. Arduino. Source: Arduino Project. 25 €
  7. GoodFET. Source: GoodFET Project. 15 €*
  8. BusPirate. Source: [missing]. [price missing] €
  9. FPGA. Source: Xilinx
  10. Field Programmable Gate Array
     • Reprogrammable logic.
     • Logic simultaneously "executes" in a single clock cycle.
     • Embedded memories for data buffering.
  11. Xilinx ML605. Source: Xilinx. 2,500 €
  12. Xilinx SP605. Source: Xilinx. 700 €
  13. When in doubt...
  14. SASEBO. Source: Digilent. 2,000 €
  15. Terasic DE0-Nano. Source: Terasic. 80 €
  16. Mojo. Source: Embedded Micro. 50 €
  17. Die Datenkrake. < 100 €
  18. Die Datenkrake
     • Open-source hardware & software
     • User-friendly interfaces and connectors
     • Test pads, breakout of GPIO pins (terminated & unterminated), breadboardable
     • Firmware & bitstream updates of the DDK via USB serial interface
  19. Die Datenkrake
     • NXP LPC1765 ARM Cortex-M3 microcontroller: 100 MHz, 512 kB flash ROM, 64 kB RAM
     • Microsemi Actel A3PN125 FPGA: 125k system gates, 36 kbit SRAM, 71 I/O
     • FTDI FT230X serial-USB converter: 3 Mbaud
  20. Microcontroller
     • Controls FPGA power and reset
     • Controls buffer power
     • Provides the clock for the FPGA
     • Interfaces to the user/PC
     • IEEE 1532 in-system programming (ISP) of the FPGA
  21. FPGA
     • 3 UARTs / 6 GPIO interfacing the µC for data exchange
     • 16-bit parallel bus interfacing the µC for data and command exchange
     • 56 general-purpose, 3.3/5 V tolerant, terminated I/O for interfacing your targets
  22. Die Datenkrake
  23. Die Datenkrake
  24. Die Datenkrake
  25. Die Datenkrake
  26. Die Datenkrake block diagram: USB, ARM, FPGA, headers, eight buffers (Buf), channels CH1 to CH8
  27. Targets
  28. Hardware Fuzzing
     • Fuzzing multiple hardware instances.
     • Determine the current state of the target.
     • Example application: concurrent monitoring of embedded Linux devices via serial interface (Odroid-U2).
     • Crash detection, target device reset and logging (FIFO memory).
     • Multiplexing signals to the device.
  29. Hardware Fuzzing. Figure 1: Odroid channel module (per channel chX: two targets u1 and u2 with rst1/tx1/rx1 and rst2/tx2/rx2)
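The fuzzing channel from the two slides above, modelled in Python as an added example (not the DDK firmware or bitstream; on the real board this logic lives in the FPGA and the µC): each channel tracks the target's state from its console lines, keeps the last lines in a FIFO for the crash report, detects a panic marker or a silent target, and pulses a reset. The console transcript, the panic/login patterns and the 5 s hang timeout are constructed for the example.

```python
"""Host-side model of one Datenkrake fuzzing channel (added example; not the
DDK firmware or bitstream): classify an embedded Linux target's state from
its serial console, keep the last lines in a FIFO for the crash report, and
pulse the reset line when the target panics or goes silent."""
import re
from collections import deque

# Hypothetical markers; a real deployment tunes these to the target's console.
PANIC_RE = re.compile(r"Kernel panic|Oops:|Unable to handle kernel")
READY_RE = re.compile(r"login:|\$ $|# $")
HANG_TIMEOUT = 5.0   # seconds of silence after which the target counts as hung


class Channel:
    def __init__(self, name, reset, fifo_depth=16):
        self.name = name
        self.reset = reset                    # callback pulsing the target's reset pin
        self.fifo = deque(maxlen=fifo_depth)  # like the FPGA FIFO: oldest lines drop off
        self.state = "BOOTING"
        self.last_rx = 0.0
        self.reports = []                     # (time, state, reason, last lines)

    def _fail(self, reason, now):
        """Record the crash context, reset the target and start over."""
        self.reports.append((now, self.state, reason, list(self.fifo)))
        self.reset(self.name)
        self.state, self.last_rx = "BOOTING", now
        self.fifo.clear()

    def rx(self, now, line):
        """One console line received at time `now` (seconds)."""
        self.last_rx = now
        self.fifo.append(line)
        if PANIC_RE.search(line):
            self.state = "CRASHED"
            self._fail("panic: " + line.strip(), now)
        elif READY_RE.search(line):
            self.state = "READY"

    def tick(self, now):
        """Periodic check without data: a silent target is a hung target."""
        if now - self.last_rx > HANG_TIMEOUT:
            self.state = "HUNG"
            self._fail("no console output for %.1f s" % (now - self.last_rx), now)


# Constructed console transcript (time, line) in the style of an Odroid-U2 boot.
SAMPLE = [
    (0.0, "U-Boot 2010.12 (Jan 01 2013 - 00:00:00) for ODROID-U2"),
    (2.0, "Starting kernel ..."),
    (6.0, "odroid login:"),
    (7.0, "Kernel panic - not syncing: Fatal exception"),
]


def replay(transcript, end_time, channel="ch1"):
    """Feed a transcript into a channel with a 1 s polling tick; return the
    channel and the list of reset pulses that were issued."""
    resets = []
    ch = Channel(channel, resets.append)
    events = sorted(transcript)
    t = 0.0
    while t <= end_time:
        while events and events[0][0] <= t:
            ch.rx(*events.pop(0))
        ch.tick(t)
        t += 1.0
    return ch, resets


if __name__ == "__main__":
    ch, resets = replay(SAMPLE, 14.0)
    for when, state, reason, last_lines in ch.reports:
        print("%5.1f s  %s: %s (%d lines captured)" % (when, state, reason, len(last_lines)))
    print("reset pulses:", resets)
```

Running the sample yields two resets: one for the panic at 7 s, with the four preceding lines captured from the FIFO, and one at 13 s because the target produced nothing for more than 5 s after the reset. Per-channel instances of this loop are what let several Odroids be fuzzed concurrently from one board.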
  30. Hardware Glitching
     • Transient, non-invasive fault injection (rise- & hold-time violations).
     • Attacks a single clock cycle. May cause "incorrect" values to be loaded into registers or memory locations.
     • Requires precise timing, on the order of fractions of the target's clock cycle.
     • Two common forms: voltage supply and clock glitching.
  31. Clock Glitching
     • Alter the clock period during execution.
     • Results in incorrect intermediate values, as the result is sampled too early.
     • DDK includes PLLs, frequency dividers and multiple global clock signals.
     • Multiple clock frequencies can be generated (e.g. 20 ns, 10 ns, ...).
  32. Hardware Glitching. Figure 2: Hardware Glitcher (channel chX to the smart card: vcc, gnd, clk, rst, I/O; switches s1/s2 select vcc or vglitch for the card's supply; further labels: oe, mvcc, mgnd)
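The "sampled too early" mechanism from the clock-glitching slide, as an added example (not DDK code): a cycle-level Python model of an FPGA-generated clock with one shortened period (20 ns nominal, 10 ns glitch, the two frequencies named on the slide) driving a register whose next-state logic is assumed to need 15 ns to settle. The glitched edge arrives before D is valid and latches the stale value; with a counter as the logic, exactly one count is lost in that single cycle.

```python
"""Cycle-level model of a clock glitch (added example; not the DDK bitstream):
an FPGA-generated clock with one shortened period drives a register whose
next-state logic needs t_pd to settle.  All times are in nanoseconds."""


def glitched_clock(n_cycles, period=20.0, glitch_at=None, glitch_period=10.0):
    """Rising-edge times of a clock with `n_cycles` periods.  Cycle `glitch_at`
    (0-based) is shortened to `glitch_period`; the DDK's PLLs and dividers
    supply both frequencies (20 ns and 10 ns on the slide)."""
    edges, t = [], 0.0
    for i in range(n_cycles + 1):
        edges.append(t)
        t += glitch_period if i == glitch_at else period
    return edges


def periods(edges):
    return [b - a for a, b in zip(edges, edges[1:])]


def run_register(edges, t_pd, logic, q0):
    """Clock a register Q through `edges`.  D = logic(Q) reaches its new value
    t_pd after the edge that changed Q; an edge arriving earlier is a setup
    violation and latches whatever D still shows (modelled as the previous
    settled value).  Returns the Q value after every edge except the first."""
    q = q0
    d_now = d_next = logic(q0)   # assume the logic had settled before edge 0
    t_ready = edges[0]
    trace = []
    for e in edges[1:]:
        if e >= t_ready:          # enough time since the last edge: D is valid
            d_now = d_next
        q = d_now                 # the register latches whatever D shows now
        d_next, t_ready = logic(q), e + t_pd
        trace.append(q)
    return trace


def counter(q):
    """Next-state logic: an 8-bit increment (assumed to need T_PD to settle)."""
    return (q + 1) & 0xFF


T_PD = 15.0   # assumed propagation delay of the increment logic


def demo(n_cycles=8, glitch_at=4):
    """Compare a clean run against one with a single 10 ns cycle."""
    clean = run_register(glitched_clock(n_cycles), T_PD, counter, 0)
    hit = run_register(glitched_clock(n_cycles, glitch_at=glitch_at), T_PD, counter, 0)
    return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("periods :", periods(glitched_clock(8, glitch_at=4)))
    print("clean   :", clean)
    print("glitched:", hit)   # one count is lost at the shortened cycle
```

The same model shows why the timing has to be precise: with the glitch period at or above t_pd (try 10 ns logic delay with the 10 ns glitch) nothing happens, and moving glitch_at by one cycle moves the fault to a different register update. The FPGA's job is to produce that one short period at an exact offset from a trigger; everything else on the board runs at the normal clock.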
  33. Software Defined Radio
     • Utilize digital RF transceivers with a digital serial output of data.
     • Multiple transceivers and multiple configurations can be monitored simultaneously.
     • Only certain parts of the payload are of interest, while others can be discarded.
     • Protocol decoding must keep up with the data rate of the target.
  34. Software Defined Radio
     • Example: Keykeriki: difficulties & challenges
     • 2.4 GHz Nordic Semiconductor nRF24 family
     • Enhanced ShockBurst protocol
     • 2 Mbit/s RF (2 MHz = 500 ns per bit)
  35. Software Defined Radio. Figure 4: A7125/RF channel module (signals on chX: RF, mode, cs, sck, sdio, gio)
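What the decoder behind the SDR slides has to do with the bit stream coming off the transceiver, written in Python as an added example (not Keykeriki or DDK code): an Enhanced ShockBurst deframer with a bit-serial CRC-16, plus a scanner that picks only the packets for one address out of a raw stream and discards the rest. Frame layout and CRC parameters follow the nRF24 datasheet (preamble, 3 to 5 byte address, 9-bit packet control field, up to 32 byte payload, CRC-16 with polynomial 0x1021 and initial value 0xFFFF over address, PCF and payload); the addresses, payloads and the zero-filled gaps in the stream are constructed test data. On the FPGA the same state machine runs one bit per 500 ns clock.

```python
"""Bit-level deframer for Nordic Enhanced ShockBurst (nRF24) packets as they
arrive from a digital RF transceiver, one bit every 500 ns at 2 Mbit/s.  Added
example; not Keykeriki or DDK code.  Frame layout and CRC parameters follow
the nRF24 datasheet: preamble, 3-5 byte address, 9-bit packet control field
(6-bit length, 2-bit PID, NO_ACK), 0-32 byte payload, CRC-16 (poly 0x1021,
init 0xFFFF) over address + PCF + payload."""
from dataclasses import dataclass

PREAMBLE_LEN = 8
CRC_POLY, CRC_INIT = 0x1021, 0xFFFF


def bytes_to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]   # MSB first


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def bits_to_bytes(bits):
    return bytes(bits_to_int(bits[i:i + 8]) for i in range(0, len(bits), 8))


def crc16(bits):
    """Bit-serial CRC-16, one bit per clock, the way an FPGA would pipeline it."""
    crc = CRC_INIT
    for b in bits:
        crc ^= b << 15
        crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
        crc &= 0xFFFF
    return crc


def preamble_for(address):
    # 0xAA if the first address bit is 1, else 0x55, so the alternation continues
    return [1, 0] * 4 if address[0] & 0x80 else [0, 1] * 4


@dataclass
class Frame:
    address: bytes
    pid: int
    no_ack: int
    payload: bytes
    crc_ok: bool


def encode(address, payload, pid=0, no_ack=0):
    """On-air bit sequence of one ESB packet (used here to build test input)."""
    assert 3 <= len(address) <= 5 and len(payload) <= 32 and 0 <= pid <= 3
    body = bytes_to_bits(address)
    body += [(len(payload) >> i) & 1 for i in range(5, -1, -1)]   # 6-bit length
    body += [(pid >> 1) & 1, pid & 1, no_ack & 1]                  # PID, NO_ACK
    body += bytes_to_bits(payload)
    crc = crc16(body)
    return preamble_for(address) + body + [(crc >> i) & 1 for i in range(15, -1, -1)]


def decode(bits, addr_len):
    """Deframe one packet whose preamble starts at bits[0]; None if truncated."""
    p = PREAMBLE_LEN + 8 * addr_len
    if len(bits) < p + 9:
        return None
    addr = bits[PREAMBLE_LEN:p]
    length, pid, no_ack = bits_to_int(bits[p:p + 6]), bits_to_int(bits[p + 6:p + 8]), bits[p + 8]
    p += 9
    if length > 32 or len(bits) < p + 8 * length + 16:
        return None
    payload, p = bits[p:p + 8 * length], p + 8 * length
    crc_ok = crc16(bits[PREAMBLE_LEN:p]) == bits_to_int(bits[p:p + 16])
    return Frame(bits_to_bytes(addr), pid, no_ack, bits_to_bytes(payload), crc_ok)


def sniff(stream, address):
    """Scan a raw bit stream for packets to `address` (the traffic we care
    about) and decode them; everything else is discarded."""
    sync = preamble_for(address) + bytes_to_bits(address)
    frames, i = [], 0
    while i <= len(stream) - len(sync):
        if stream[i:i + len(sync)] == sync:
            frame = decode(stream[i:], len(address))
            if frame is not None:
                frames.append(frame)
                i += len(sync)
                continue
        i += 1
    return frames


if __name__ == "__main__":
    addr = bytes([0xE7] * 5)              # constructed: the nRF24 default pipe-0 address
    stream = [0] * 16 + encode(addr, b"key") + [0] * 16
    print(sniff(stream, addr))
```

The scanner correlates on preamble plus address, so packets for other addresses never reach the decoder, and a corrupted packet comes back with crc_ok set to False rather than being dropped silently, which is what you want when looking for glitches or collisions. Keeping the CRC bit-serial is deliberate: it is the form that maps directly onto a shift register in the FPGA and runs at line rate.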
  36. Acknowledgements
     • Joachim Steiger (roh)
     • Daniel Mack
     • Jonas Hilt
     • Felix von Leitner (Fefe)
     • Hugo Fortier
  37. Rec0n Training
     • [link missing]
     • 4-day training
     • Datenkrake!1!!!
     • Oscilloscopes!!!
  38. Questions?
  39. Thanks! Dmitry Nedospasov, Thorsten Schröder