About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing Bypassing Secure Boot using EMFI- 535

RaelizePosted 4 Years Ago
  • Physical device security is important but often forgot about. With physical access to a device, the ability to alter the device is now in play! Clock and power glitching are common and well developed. However, this article discusses Electromagnetic glitches, referred to as EMFI. EMFI is non-invasive, making it a much more practical attack.
  • For doing the attacks, they use the Riscure FI tool. But, there are a plethora of other tools that could be used, such as the Chip Shouter. These tools allow for automatic triggering, changing the type of glitch and controlling the timing of the glitches even!
  • When performing EMFI glitches, there are three important parts to a glitch: position, power and timing. Tuning these parameters, because of the incredibly large space, is difficult to do. In order to narrow down on this space, they run a test run themselves to see where the chip is vulnerable to attacks.
  • The test code is a simple counter that runs over and over again. If the EM effects the chip in some way, then the counter will be different. By automating this process, they were able to get a 30 by 30 grid of experiments on positioning and timing on the chip. Only a single location effected the counter. But, now, we know that the chip is vulnerable to attacks.
  • To time the attack on secure boot, the authors used the flash chip activity in order to time the attack. By randomizing the EM power and timing, they found three successful glitches that bypassed secure boot. This took about 35,000 experiments in about an hour of testing in order to achieve this.
  • Although this attack is fairly amazing, the amount of equipment used in this setup is unreal. They used an insane of amount of Riscure specific hardware in order to fine-tune and automate the parameters. Although this can be built by someone else, it helps to have the off-the-shelf tools.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed