Movie-Style Hardware Hacking
archwisp
How to automate voltage shorting attacks with a ChipWhisperer
1.
Movie-Style Hardware Hacking
2.
In hardware gigs, one of the things we want to know is: What happens if we interrupt the boot process?
3.
You’ve probably seen this before
4.
Well, this is what it looks like from an electrical point of view
5.
And if we tamper with that data signal at just the right time…
6.
For instance, with a grounded probe.
7.
Or be like Loren. He made a cool button to do it.
8.
A…
9.
GLITCH SWITCH?
10.
Anyway, it’s a pretty well-known attack
11.
In fact, it’s documented in a whitepaper from 2020
https://labs.f-secure.com/assets/BlogFiles/2020-05-u-booting-securely-wp-final.pdf
12.
So why are we talking about this?
13.
Because I’m a nerd and decided to automate it
14.
But before we get into it…
https://www.riverloopsecurity.com/blog/2021/09/introducing-flash-bash/
🤬 We are now enemies.
15.
It started with this
16.
My primary lab equipment runs the bootloader I’m interested in: U-Boot. Let’s attack it!
17.
:( (I didn’t even get a photo)
18.
Luckily, a reflash fixed it :)
19.
Bonus: I learned that this thing is way more pleasant to use with the back cover removed
20.
But back to the attack: I really wanted better control over the timing of the short
21.
I have a ChipWhisperer I had been wanting to learn to use…
22.
Two weeks later…
23.
ChipWhisperer Attacks
- Reset target
- Delay
- Perform glitch
- Parse terminal output
- Adjust delay
- Repeat
24.
The CW provides a lot of the features I need, all controllable from Python
25.
But it’s not really the right tool for the job: Overclock: Same FPGA Glitch: overkill
26.
But WAIT! https://chipwhisperer.readthedocs.io/en/latest/api.html
27.
So… YOLO?
28.
Welllll…
29.
Let’s prove this out on something a little cheaper first :)
30.
My concept
Target Simulation
- Boot
- Start a timer
- Wait for GPIO signal
- Output
  - Too early
  - Too late
  - Success
Attack
- Reset target
- Delay
- Send GPIO signal
- Parse terminal output
- Adjust delay
- Repeat until success
  - Binary search
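The concept on this slide, sketched as an offline Python simulation (an added example, not the presenter's code). `SimulatedTarget`, `find_delay` and the window values are hypothetical and constructed; no hardware or ChipWhisperer API is involved.

```python
# Added example: pure simulation of the slide's concept, no hardware access.
from dataclasses import dataclass


@dataclass
class SimulatedTarget:
    """Stand-in for the 'target simulation': starts a timer at boot and
    reports when the GPIO signal arrived. Window values are constructed."""
    window_start_us: int = 412_350   # constructed: start of the accepted window
    window_len_us: int = 40          # constructed: width of the accepted window
    resets: int = 0

    def reset(self) -> None:
        self.resets += 1             # "Boot" and "Start a timer"

    def signal_at(self, delay_us: int) -> str:
        """Return the line the simulated target prints on its terminal."""
        if delay_us < self.window_start_us:
            return "Too early"
        if delay_us >= self.window_start_us + self.window_len_us:
            return "Too late"
        return "Success"


def find_delay(target, lo_us: int, hi_us: int, max_attempts: int = 64):
    """Binary-search the delay using only the parsed terminal output.
    Returns (delay_us, attempts), or (None, attempts) if no delay in range hits."""
    attempts = 0
    while lo_us <= hi_us and attempts < max_attempts:
        delay = (lo_us + hi_us) // 2
        target.reset()                     # Reset target
        output = target.signal_at(delay)   # Delay, send GPIO signal, parse output
        attempts += 1
        if output == "Success":
            return delay, attempts
        if output == "Too early":          # Adjust delay upward
            lo_us = delay + 1
        else:                              # "Too late": adjust delay downward
            hi_us = delay - 1
    return None, attempts


if __name__ == "__main__":
    sim = SimulatedTarget()
    delay, tries = find_delay(sim, 0, 2_000_000)
    print(f"hit the window at {delay} us after {tries} resets")
```

Because each reset halves the remaining range, a 2-second search space at microsecond resolution needs at most 21 resets in this model.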
31.
Microseconds? There’s no way this will work… 2 minutes later ->
32.
I was not expecting that.
33.
Welp. So now we attack the Rigol?
34.
Well, sending a GPIO signal != a short
35.
It turns out, U-Boot can run on a Raspberry Pi. And I have one in a box
36.
And it costs a lot less than $1500
37.
Okay, so people have run U-Boot on a Raspberry Pi
38.
Two weeks later…
39.
It boots!
40.
Now we can build our attack circuit
41.
Connections We Need
- Reset target
- Perform short
- Parse terminal output
- Control terminal after short
42.
This is nice
43.
UART = serial terminal
44.
USB serial adapter
45.
Reset point
46.
Data lead
47.
As I mentioned, GPIO signal != a short
48.
We’ll use a relay
49.
GPIO signal = press button
50.
ChipWhisperer only outputs 3.3 V
51.
Let’s goooooooooo
52.
53.
54.
Awesome!
55.
Questions?
56.
Bye!