Joe Grand is an OG hacker from the days of the L0pht. He runs hardware hacking trainings all over the world. In this instance, somebody had a crypto wallet holding 2 million of a cryptocurrency, but forgot the password. Joe is trying to free the coins off of the wallet with hardware hacking black magic.
The wallet is a piece of hardware that stores the private key of the crypto wallet. An attacker who extracts this key from the device can take the bitcoin. In this case, the wallet has a PIN on it that will reveal the private key if the PIN is correct. Luckily for them, the source code for this product is open source.
Joe Grand (Kingpin) thought that fault injection would be a good avenue of attack. Fault injection is the act of forcing a computer into a bad or unexpected state. If a fault is created, such as with clock or voltage glitches, instructions could be skipped, run twice, or values changed altogether. This is done by physically manipulating the hardware, which he practiced on other wallets prior to this one.
The microcontroller in the wallet has a readout protection that makes it impossible to read the contents of memory. The goal is to glitch this check so the chip can be put into a DEBUG mode that allows reading memory. Since the key is copied into RAM via a memcpy, this allows the secret information to be recovered.
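The fault model described above (a skipped, repeated or value-corrupted step in a readout-protection check) in a small Python simulation, added here as an educational example; it is not the article's code or Trezor's firmware, and the LOCKED/UNLOCKED constants, step names and both check variants are constructed. It compares a default-allow check against a default-deny one with redundant reads and counts the single faults that wrongly grant debug access.

```python
"""Single-fault model of a readout-protection check (constructed example)."""
from typing import Callable, List, Optional, Tuple

LOCKED = 0xFF    # constructed: what the protection byte reads on a locked part
UNLOCKED = 0xA5  # constructed: magic value that must be present to allow debug

Step = Tuple[str, Callable[[dict], None]]  # (step name, action on MCU state)

def naive_check() -> Tuple[bool, List[Step]]:
    """Default-allow: debug starts enabled and is only switched off if LOCKED is read."""
    def read_v(s): s["v"] = s["read"]()
    def lock(s):
        if s.get("v") == LOCKED:
            s["debug"] = False
    return True, [("read_v", read_v), ("disable_if_locked", lock)]

def hardened_check() -> Tuple[bool, List[Step]]:
    """Default-deny: debug starts off and two independent reads must both show the magic."""
    def read_v1(s): s["v1"] = s["read"]()
    def read_v2(s): s["v2"] = s["read"]()
    def unlock(s):
        if s.get("v1") == UNLOCKED and s.get("v2") == UNLOCKED:
            s["debug"] = True
    return False, [("read_v1", read_v1), ("read_v2", read_v2), ("enable_if_unlocked", unlock)]

def run(check, mem: int, fault: Optional[tuple] = None) -> bool:
    """Execute `check` against protection byte `mem` under at most one fault.
    fault is None, ("skip", i), ("repeat", i) or ("corrupt", i, value): step i is
    skipped, executed twice, or sees its memory read return `value` instead of `mem`."""
    default_debug, steps = check()
    state = {"debug": default_debug}
    for i, (_, action) in enumerate(steps):
        kind, target = (fault[0], fault[1]) if fault else (None, None)
        if kind == "skip" and target == i:
            continue  # modelled instruction skip
        value = fault[2] if kind == "corrupt" and target == i else mem
        state["read"] = lambda v=value: v  # the step's view of the protection byte
        action(state)
        if kind == "repeat" and target == i:
            action(state)  # modelled double execution
    return state["debug"]

def single_fault_bypasses(check, mem: int = LOCKED) -> List[tuple]:
    """Every single fault that leaves debug enabled on a part that should be locked."""
    _, steps = check()
    faults: List[tuple] = []
    for i in range(len(steps)):
        faults += [("skip", i), ("repeat", i)] + [("corrupt", i, v) for v in range(256)]
    return [f for f in faults if run(check, mem, f)]
```

The hardened variant survives every single fault in this model; two well-timed faults (one per read) would still defeat it, which is why real countermeasures also add random delays and glitch detectors.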
Practically, setting up the glitch is complicated, though; even the teardown is hard! The author first removes all of the protective gunk from the chip to be able to connect to the proper headers on the PCB. After this, they remove the capacitors that are there explicitly to protect against voltage fluctuations. If these were left in place, the glitching would be less consistent and harder to do.
To set this up properly, the author used a ChipWhisperer. Power is supplied to the chip externally through this tool, and the glitch is then triggered programmatically through it. If the attack works, a JTAG debugging interface should become available; the author has a J-Link set up to communicate with the chip in that event.
The ChipWhisperer has an amazing software interface. Using it, the author tries many different glitch timings. On every run, they check whether the debug interface is open to connect; otherwise, they try again. What is amazing about this is that the process is completely automated. At this point, they simply have to wait!
After the glitch succeeds, Joe Grand used a Python program to dump the memory contents via JTAG. After running strings on the memory dump, a PIN appears that unlocks the device! At this point, they can recover the key from the device to get the money.
Hardware hacking requires lots of failures, patience and knowledge. This was an amazing article on how the hardware hacking was done to get the key off of the wallet. Trezor, the maker of the wallet, has a list of security vulnerabilities on their website as well.