Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Look mum, no key! Bypassing Encrypted Secure Boot at Hardware.io
Cristofaro Mune & Niek TimmersPosted 5 Years Ago- Fault injection is super crazy! Instead of the standard voltage/clock glitching, they decided to use electromagnetic fault injection. In this video, they go over how they defeated encrypted secure boot via EM fault injection.
- Their toolkit in order to perform this attack:
- UART communicator
- Electromagnetic fault injection probe
- XYZ stage to move the probe precisely onto the chip.
- FPGA for knowing WHEN to launch the attack
- Besides launching the attack against a particular target, it is important to test to see if the technique has SOME affects on the device. Additionally, is the result predictable in some overall capacity. There's a happy medium where we can make changes, but not TOO many changes.
- From running tests on the chip (with defined code that they wrote), they figured out the BEST location to glitch the code at. On the BPGA chip, there was a single point that corrupted a bunch of corruption.
- Once the bootloader has been completely copied (can be noticed based upon data being sent from a particular location), this is when the fault injection should be sent out. With the glitch, they ONLY worry about the result, in terms of HOW much time it takes, not the amount of attempts.
- The next question is how do we turn data transfer into code execution? They call it instruction corruption by altering HOW instructions just generally work.
- TODO...
