Breaking Code Read Protection on the NXP LPC-family Microcontrollers

Video thumbnail (Frame 0) Video thumbnail (Frame 1890) Video thumbnail (Frame 11473) Video thumbnail (Frame 12686) Video thumbnail (Frame 20732) Video thumbnail (Frame 23796) Video thumbnail (Frame 25515) Video thumbnail (Frame 28575) Video thumbnail (Frame 30520) Video thumbnail (Frame 37051) Video thumbnail (Frame 47690) Video thumbnail (Frame 48946) Video thumbnail (Frame 52100) Video thumbnail (Frame 54187) Video thumbnail (Frame 55941) Video thumbnail (Frame 58348) Video thumbnail (Frame 59470) Video thumbnail (Frame 63418) Video thumbnail (Frame 66703) Video thumbnail (Frame 68449) Video thumbnail (Frame 69530) Video thumbnail (Frame 70647) Video thumbnail (Frame 74628) Video thumbnail (Frame 83131)
Video in TIB AV-Portal: Breaking Code Read Protection on the NXP LPC-family Microcontrollers

Formal Metadata

Breaking Code Read Protection on the NXP LPC-family Microcontrollers
Title of Series
Part Number
Number of Parts
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
Production Place

Content Metadata

Subject Area
A look at bypassing the Code Read Protection in the NXP LPC family of ARM microcontrollers. This is an example of one of the simple security features found in common microcontrollers, and how it is easily bypassed. The Code Read Protection (CRP) is implemented in bootloader software and can be easily read and disassembled, showing the fragility of the CRP mechanism. This talk describes the path to exploiting the bootloader software, developing and using a simple glitcher. A glitcher is designed, the chip is tested for vulnerability to glitch, and an attack is formulated to disable CRP and enable readout of FLASH contents. As glitch attacks go, this is a simple and ‘beginner-level’ attack which should be easily reproducible. The talk will include hardware and software design, including schematics and source code, for a glitcher able to bypass CRP.
Game controller Arm Flash memory Set (mathematics) Microcontroller Bit Mereology Rule of inference Computer animation Strategy game Peripheral Hacker (term) Data compression Semiconductor memory Different (Kate Ryan album) Pattern language Family
Computer program Group action Serial port Multiplication sign 1 (number) Set (mathematics) Function (mathematics) Mereology Virtual memory Data compression Semiconductor memory Different (Kate Ryan album) Computer configuration Bus (computing) Area Personal identification number Block (periodic table) Inference engine Structural load Bit Representational state transfer Process (computing) Chain Right angle Reading (process) Speicheradresse Trail Functional (mathematics) Open source Link (knot theory) Flash memory Information systems Microcontroller Flowchart Energy level Booting Address space Compilation album Condition number Noise (electronics) Addition Standard deviation Interface (computing) Content (media) Cartesian coordinate system Compiler Uniform resource locator Word Pointer (computer programming) Computer animation Software Communications protocol Family Window Booting Library (computing)
Computer program Serial port Multiplication sign Coroutine Set (mathematics) Water vapor Open set Mereology Tracing (software) Roundness (object) Bit rate Data compression Different (Kate Ryan album) Computer configuration Network socket Bus (computing) Touchscreen Structural load Software developer Serial communication Electronic mailing list Bit Maxima and minima Variable (mathematics) Connected space Order (biology) Right angle Whiteboard P-value Reading (process) Asynchronous Transfer Mode Point (geometry) Functional (mathematics) Information systems Flash memory Power (physics) Peripheral Energy level Software testing Booting Noise (electronics) Pairwise comparison Interface (computing) Cartesian coordinate system Word Uniform resource locator Film editing Loop (music) Computer animation Software Family Booting Disassembler
Point (geometry) Slide rule Computer program Dataflow Digital electronics Direction (geometry) Mass Mereology Tracing (software) Power (physics) Medical imaging Different (Kate Ryan album) Data compression Energy level Booting Interface (computing) Software developer Serial communication Mathematical analysis Bit Computer Cartesian coordinate system Cursor (computers) Measurement Connected space Radical (chemistry) Word Network topology Duality (mathematics) Pattern language Right angle Whiteboard Booting
Medical imaging Greatest element Arithmetic mean Data compression Direction (geometry) Videoconferencing Mathematical analysis Pattern language Cartesian coordinate system Booting Asynchronous Transfer Mode Power (physics)
Game controller Digital electronics Multiplication sign Microcontroller Online help Function (mathematics) Frequency Different (Kate Ryan album) Negative number Energy level Diagram Personal identification number Noise (electronics) Structural load Software developer Projective plane Sound effect Parallel port Maxima and minima Bit Cartesian coordinate system Entire function Computer animation output Normal (geometry) Right angle Quicksort Whiteboard Asynchronous Transfer Mode
Functional (mathematics) Numbering scheme Game controller Digital electronics Serial port Length Multiplication sign Real number Letterpress printing Set (mathematics) Microcontroller Function (mathematics) Power (physics) Mathematics Programmschleife Different (Kate Ryan album) Synchronization Computer configuration Data compression Single-precision floating-point format Energy level Software testing Series (mathematics) Condition number Physical system Noise (electronics) Binary decision diagram Inheritance (object-oriented programming) Assembly language Block (periodic table) Software developer Mathematical analysis Maxima and minima Total S.A. Variable (mathematics) Opcode Entire function Loop (music) Angle Software Personal digital assistant Normal (geometry) output Waveform Right angle Cycle (graph theory) Whiteboard
Point (geometry) Computer program Numbering scheme Group action Length Multiplication sign Set (mathematics) Data compression Computer configuration Different (Kate Ryan album) Hacker (term) Videoconferencing Energy level Software testing Area Noise (electronics) Dependent and independent variables Dot product Assembly language Electronic mailing list Sound effect Bit Line (geometry) Variable (mathematics) Compiler Uniform resource locator Pointer (computer programming) Loop (music) Computer animation Resultant
Point (geometry) F-Verteilung Group action Greatest element Length Mathematical analysis Sound effect Set (mathematics) Bit Open set Power (physics) Medical imaging Loop (music) Hexagon Pointer (computer programming) Computer animation Personal digital assistant Normal (geometry) Right angle Quicksort Service-oriented architecture Window Resultant
Greatest element Ferry Corsten Multiplication sign Mathematical analysis Sound effect Mereology Power (physics) Medical imaging Mathematics Uniform resource locator Loop (music) Pointer (computer programming) Hexagon Roundness (object) Computer animation Pattern language Cycle (graph theory) Resultant
Point (geometry) Computer program Dataflow Greatest element Functional (mathematics) Multiplication sign Flash memory Power (physics) Prototype Different (Kate Ryan album) Data compression Videoconferencing Software testing Booting Mathematical analysis Content (media) Serial communication Bit Maxima and minima Cartesian coordinate system Uniform resource locator Word Process (computing) Computer animation Normal (geometry) Asynchronous Transfer Mode Booting
Point (geometry) Computer program Dataflow Flash memory Open set Mereology Rule of inference Power (physics) Revision control Medical imaging Peripheral Different (Kate Ryan album) Data compression Energy level Software testing Booting Interface (computing) Debugger Mathematical analysis Bit Price index Cartesian coordinate system Word Computer animation Personal digital assistant Cycle (graph theory) Booting
Pairwise comparison Numbering scheme Arm Spherical cap Lecture/Conference Flash memory Bit Series (mathematics) Mereology
Area Matrix (mathematics) Quicksort Rectangle
Point (geometry) Computer program Dataflow Greatest element Presentation of a group Digital electronics Multiplication sign Characteristic polynomial Microcontroller Insertion loss Branch (computer science) Perspective (visual) Theory Power (physics) Frequency Goodness of fit Strategy game Bit rate Data compression Semiconductor memory Different (Kate Ryan album) Energy level Software testing Booting Proxy server Computer architecture Area Theory of relativity Block (periodic table) Software developer Mathematical analysis Sound effect Maxima and minima Bit Line (geometry) Opcode Reduced instruction set computing Oscillation Type theory Uniform resource locator Arithmetic mean Process (computing) Loop (music) Computer animation Personal digital assistant Whiteboard Family Computer worm
I wrap Hagman Merman come rule down some didn't idiom a I did a long while staying patterns strategy my name is crystal in the I am a hacker from Canada and I'm here today to talk about how to break the code reproduction on the NXT LPC family of ah microcontrollers the the
LPC family of microcontrollers there a low-cost 32 bit ARM microcontroller others a variety of parts in the family they have an internal flash ranging anywhere from 8 to 512 kilobytes the and from 1 to 282 kilobytes of RAM different parts from the family have a different set of various peripherals including the you art USB can an Ethernet controllers but there's a a variety of parts and in the family but they all share a lot in common it's it's mostly the peripherals and the memory size that differs between them the the the
inside of the parts they have a boot loader inference system programming the us is below the allows you to elogia programmed into the flash area it's a quite a simple bootloader using a serial protocol others a list of of the available commands here including to right to flash also to read from flash using the REST interface out there is all the existing software that you can use to use the ice the interface there's a software from NXT that runs in Windows others nice open-source program called LPC 21 IST and there's some others 2 of you could write your own quite easily they have all the documentation for this protocol and the data sheets inside the bootloader they have support for a CRP here called reproduction they have 3 levels of the code for reproduction that they've defined the CRP level 1 will disable the read command in the boot loader but it does allow flash rights the summaries of the chip the CRP level 2 well disable the read command and also disable flash traits and then the CRP level 3 will disable all the commands and it will also disable access to the bootloader entirely so you have no access to the incessant programming additionally they have a 4th level that they called the y S P which doesn't disable any of the debugging features in the chip but it does disable the serial bootloader let's an additional option of for the CRP levels 1 2 and 3 in any of these the debugging will be disabled this so here we have a flow chart showing the group process and inside the wrong bootloader inside these ships on we can see from reset it as an initialization it will do a check then to see if the could read protection at any level 1 2 and 3 is set if the code protection is set then it will disable the debugging otherwise it will enable the debug interface Sunday tag it does some other tracks like checking if the watched on by good was set and if so then it will go back into the program because it had a reset to watch lots of otherwise it will continue and will check if the code reproduction of all 3 were the noise that these these ones will disable access to the boot loader if they're not set then it will check to see if you're holding 1 of the GP I O pins load that triggers the access to the boot loader if it does not go into the bootloader will go into the application before it goes into the application it will check if it considers the flash could valid and it does this by calculating a check some of the 1st area of the i-vectors inside flash if this checksums is valid then it will jump to the reset lecture inside flash otherwise it will fall through again into the boot loader interface some of the chips have a USB bootloader in addition to the serial below the but some of them don't don't some of them don't support the US in if they do support the US people loaded then it will determine if you have the USB connected by checking if there is a high voltage on the the bus spin of the chip are so if you want to disable the USB interface and access the serial bootloader instead you have to hold of the bus can lol and if all these conditions are met then eventually it will execute the serial bootloader out of wrong so we can see that the area the use of 32 bit word in flash to define if the could read protection set so they have for values which will enable some level of code protection this chapter if any of those for the possibilities of a 32 bit word or set in this location of flash and release a locking sets if any other value exist in this location than the chip is going to start up and the boot loader and be totally unlocked so out of the possible 32 bit words there's 4 of them that will lock the chest or 4 billion 294 million 967 thousand 292 that will result in the shipping unlocked but so you can see already that this may be a rather fragile lock on the show that there is there's some good chance that we might be able to trigger to read incorrectly this is the memory map of 1 of the parts this is for the LPC 13 43 just the other members of the family are quite similar as far as the memory layout some blocks might be moved around so we can see that the flash starts at address 0 and they also list where the boot ROM is starting at address 1 F F F 0 0 0 0 and have a 16 K bytes inside of this chapter most of them have very similar to ground some of the parts like the LPC 21 48 actually have a bootloader inside a flash area at a different memory location but in general there they're quite similar to this this set up so here are just some quick links for some useful tools for using the LPC chips the first one the top is the OPC 21 I as the this is a nice simple open source software to program the LPC family microcontrollers from the command line and then also I I've shown some links for various example codes to use the GCC farm compiler to be obliterate programs all run on these chips of another option is to use the the official toolchain supported by NXT but generally that's going to be on Windows compilers and some of them we actually have to pay for to get the full feature set of so it's kind of nice to build a work with GCC and have 0 of more standard tool chain where everything is free and open the the
so to sort out we're going to want to see what they're actually doing inside the so I rate a very simple program that I can load inside of a blank LPC chip and I put a function like this inside that simply assets of appointed and start with the pointer pointing to the beginning of a grant and then read 1 bite at a time and output some of the serial port of because the example code that's available that is quite nice incomplete and supports a lot of the standard C library functions we have even print out so it makes a nice and simple and clean to be able to read the memory of this chapter to using a function like this we and loaded into the ship and have it sent us the contents of the program so that we can see exactly what it's doing inside the boot loader so this is the beginning
of the bootloader the the the 1st code that executes after the chip is reset this is a disassembly of a part of the code so we can see that the very 1st thing that it does is it's going to check if the CRP level 1 2 or 3 a set and if they are a set then it will disable the debugging otherwise it will enable the dividing so we can see what they do here is if the CRP 1 2 3 a set then they're rating of the value the 7 6 5 4 3 2 1 to the register at 4 0 0 4 8 3 F 0 which isn't documented but clearly this register is what enables or disables the debugging so again if they raise to the 1 specific value to this register will disable the debugging interface if anything else is written to this register then it will actually enable the debugging interface because the chip is considered a lot to yeah so in the in the 1st part here there are setting up for the debugging is enabled not and now we can continue on to the next piece of cut 0 just segments of the wrong to I kind of the relevant parts that we're not looking at it too much disassembly here so what they will do next is they will look at the value and flash that the if the code reproduction is set in the reading this value or the flash and the storing it in a variable inside of RAM in this disassembly of labeled as variables European value in around and and then later on in the code we can see that they start to do some comparisons to see what's your appeal level is set in the middle segment of the disassembly here they're checking if the CRP level 3 years that or if the no S you value sets and if either of those are set then it's going to jump into the application otherwise it's going to check to see if for holding a GPI open loaded trigger the boot loader the and they're doing this comparison not directly against the value flash but they compare against the variable that they've loaded into RAM already In this screen here this is a function that I called select motor the boot code is going to end up in this treaty and if we don't have the noise here this year 3 enabled and if the Buddha has been triggered so at this point it's going to check to see if it should go to the USB water or this serial bootloader and again we can see that they they do the same thing where the reading the value from flash for the CRP and the storing it in again the same variable in so at this point they have the this year p-value if it's that started in their variable in round and they're ready to enter the serial ISP software so that is serialised he this is the very beginning of it we can see that they set up some registers and the setting registers or 6 an our 7 here too be initialized with the values that would enable syrupy level 2 or syrupy level 3 and then there continuing directly into the command loop where you can send the IST commands like the serial interface the this is deeper into the IRS routine this is after you've sent it to a command and it is going to check the command to see if it's on the list of of commands that will be disabled grave could read protection that so we can see that right from the very top I've started where if it's command such as the read or write to flesh then it will set register are 2 the 1 which indicates later in the program that this is a command that would be disabled by CRP and then they're going to continue and they're going to check to see which Sierra value is actually set now if we look here we can see that they're actually doing the CRP checked against this variable that they have in RAM at this point so inside of the surreal bootloader when they want to know is this commando out there always comparing this year p value the lock value against this this value that they've already loaded into the variable in RAM so at this point they're not even looking into the flash anymore to see if it's locked they loaded this value after resets and now they're able to just check round every time so to continue from here I am ready to start testing on the chips so I took a variety of chips from the family and I mounted them on different bread words so this is 1 of the smaller members of the LPC family this is an LPC 8 12 on the vertical board this is another small
member of a family this is the LPC 11 14 this is the LPC 1751 and you can see heavily populated some on the brink of board this is because really I only to power the chip to enter the bootloader mode and to have a serial access I'm not interested in so many of the other peripherals started a try to keep it simple this is an LPC 21 all 1 another member of the family the and this is an LPC 21 48 sorted by cervical cord that I found with his if socket that's a lot more convenient to work with if you can be changing between a lot of different ships and then another option is also to use a pre-made Development Board this is all the max board for the LPC 1343 chip this 1 is been modified a little bit I've removed 2 of the capacitors capacitor C 1 and C for the user the filter capacitors on the VDT of because I'm planning to which this chip that's going to involve quickly dropping out of the power supplies so I don't want those filter capacitors they're going to be trouble for me but also i've cut to traces on the board which are 4 the VTT and VDT I O signals this development board is set up nicely that they they give you a spot specifically to cut if you want to disable the power supply from the board 5 installed jumpers on those locations so I can connect of my own power connection and then also that this green wire and this screen wire is just connected between the ground and on the debug port and the the bus signal going into the chip because normally this development board is designed so that you'll be using the USB below the so in order to disable the USB pelota I've added this green wire which is simply holding the bus spin low so will enter the serial bootloader instead yeah so
this is my basic set up that I use for a for quitting chips at the the top I have an oscilloscope that are used so that I can actually see a little bit of what's going on a below that I have a power supply dual dual-output adjustable power supplies like set 2 voltage levels independently in front of that I have a little mass of wires and development words with the on at no x Mega board that I use for a controlling my glitch inferred talked into industrial connection to the chapter I have 1 of the LPC boards on a breakout board the I have another use small breadboard with the actual glitches circuit that'll get into more in depth in a few more slides and then i have the oscilloscope probes connecting in the background I have the computer that is connected to on my computer just running minicom I have just a direct serial interface to the X make a board that I'm going to be using and a run a little terminal program within the x may and this is this is my interface for the glitches of so they
have a bit of an idea of what's going on in the inside of the chip it during boot up using simple power analysis on this trip I do power analysis I connected 10 ohm resistor in series with the ground single going to the of these measurements are from an LPC 8 12 chip and again as I noted it's that simply tunnel resistance trees of ground and I measure the voltage across this resister so as the power consumption of the chip is changing you see a difference in the voltage measured across this resister and then on the oscilloscope we can get these traces which look quite noisy but still we can we can see that there's some pattern to it the image of the top left is showing immediately after resetting the chair and entering into the application and then the image of the bottom right is showing when we reset the chip and it enters into the boot loader so we can see that the the left half of the image is quite similar between the 2 of them and then around the middle of the oscilloscope image we start to see that there's some differences in so we can see exactly which instructions are being executed but we can clearly see that there is some difference in the code that that's been taken you so this is a measurement of the same thing again it's the reset and starting the application comparing to reset inserting the bootloader I've marked with curses on the on the scope here so we can see with the alliance the exact point at which the cold flow starts to differ so we can gather from this that the the part between the 2 yellow curses at the left of the image this is the boot ROM code the initialization and the initial checking of the code read protection and then everything to the right of the cursor differs depending on whether we triggered the bootloader Mordor whether it's going directly into the application the so this is a
video showing the the light image from the oscilloscope right now it's starting into the bootloader mode . it was the application would this is a going to the bootloader mode now it's switching back to the application mode so you know it's noisy and jumps around you can see some different patterns as it switches between the bootloader navigation mode the so even with these dirty signals I were not going to get all the detail that we might really want but it's definitely enough to build to see if the code flows taking the path that we expect or if it's going in and some different directions this
is showing on another chip this is looking at the LPC 1343 so the very top trace by measuring the power consumption using a resistor in series with the VDT pens and then near the bottom by measuring the power supply With the resistor in series with the ground and see you can get that you can do the power analysis on the VDT or on the ground but generally yield do get a nicer cleaner signal measuring off the ground mean we can see some differences in in this image what
either on either trace with keep the VDT here the ground but clearly the the bottom trace the with the ground is much easier to actually see some differences in what's going on as we trigger between the boot-loader in the application mode yeah so to get into a glittering of my glitches based entirely around this chip this is the max 46 19 ship uh this is almost the entire glittering right here in this 1 show the max 46 19
is a chip that contains 3 single-pole double throw switches with fast switching time and up load risen series resistance when the switched on so what this means is that were able to switch between the 2 inputs the and that will address the local level and we have switching times better is low is 10 to 15 nanoseconds are so this means that we can very quickly switch between 2 voltage sources and this is I will actually produce the big which open so this is a diagram again from the max 46 19 datasheet is showing that the actual circuit inside the max 46 19 and you can see it it's quite simple it really is just 3 switches inside so we have 3 inputs y 0 y 1 x 0 x 1 z 0 z 1 and then the 3 outputs sort of the x y and z outputs and the controls for the switches which selects the there's 0 input or the 1 input are a B and C. there's also an enable pin which if you will that lower then the max 46 19 will output voltage the chip if we release that high that it won't have any help at the chip at all so we can actually use this to be able to completely cut off the power supply to the chip the so this is the schematic of the lecture circuit that I use the all that I've done here is I tied the 3 switches in the chip together in parallel so I do this it's helps to lower the effective resistance that we see through the chip so it has a little bit less effect on the voltage level itself of those still together very fast I only actually need 1 switch because I'm only switching 1 thing only the VD towards the chips so I've tried the Y 1 z 1 x 1 signals together and tied the y 0 v 0 x 0 signals together the same with the control signals ABC also the outputs from x y and z 1 the story that the inputs x y and z 1 hour coming from my power supply and the of those will be the glitch voltage level that I said well while the input 0 0 is the normal power supply level that I said to the outputs x y and z are the output actually owing to the target ship so to control this I just need to signals and running these to my at Malik negative development board that I use so the enable I ran to the x Megaport 83 which allows me to enable or disable the output to the chip entirely and then the control pins ABC I run into another x mega support a 0 and this is how I'm going to switch between the normal and the glitch voltage levels so this is the actual circuit with the max 46 19 this is basically you behold which aboard minus the x major that I use as a microcontroller of I like the solderless breadboards there's they're very convenient to work on allow you to change your ideas very quickly and has different things out of any problems with with high frequency noise or anything like that really for most of the projects I do I I don't notice too much of a problem with that I'm able to ignore it and kind of do things the the cheap and easy way so I I enjoy that I'm able to just pop a chip into the breadboard connect these wires and in in a few minutes I build a question like this so this is a picture of than
LPC 812 chip were connected to the clincher as you can see I'm very careful always with my wiring keep everything nice and neat of but really I as I said the the noise and things that you see in in most cases it's only a minor annoyance and everything is actually still gonna work so I I like this quick and dirty method of working this is another angle of the
same the same glitches set up again showing off the nice clean wearing that I tend to do so here I have everything labeled the the blue development board is an x mega a 1 explain board this has and at no x make a chip which is a Navy that runs at 32 megahertz then below that's on the block breadboard I have the max 46 19 glitches circuit you can see that I have a 10 ohm resistors that I put in series with the ground with real PCA 12 that's how I'm doing the power analysis so I simply put that in series of ground and I connect oscilloscope probe to the side of the resister that the LPC shippers connected to and that's going to be my power analysis signal and then at the top right you can see that there's the LPC 812 that mounted on a breadboard for testing what for the power supply to control the the VDT levels to this chip user benchtop power supply so it has 2 outputs the 1st output I can set the normal BDD level of the chapel run at and then I'm going to use the 2nd output and that's how I'm going to adjust the level of the voltage dropped while I actually perform a glitch on the chip there's a lot of different options actually for supplying power to the chip or you could build a circuit and be able to have a digitally controllable personally I like the hands on method of having a benchtop power supply like this again it lets me quickly connect different things and has different ideas of I want and I I find it very nice way to work to actually be able to adjust the knobs in and see the difference in the outputs and it's a nice quick and easy just to connect everything together so this shows the development board together with the breadboard with a glitches circuits so this is essentially the whole lecture circuit minus the target board with the LPC chip and without the power supply at the very top we can see where the inputs from the adjustable power supply will come from so the light wire is going to be ground from the power supply the red wire is the normal Walters level and the green wire is the 2nd voltage level that will use for the glitch then we have the VDD ground output ports target the and then other than this will also have the serial port your connected between the LPC chip and the explained development board but as far as the glitching circuit goes so this is the entire system right here the it was very dark so I don't know how well you can now you can see this because of the colors that I have but this is the C and assembler code that I run inside of the expenditure territory control the glittering so the the basic concept is that I use the out instruction on the AB Archer so the out instruction is a single cycle opcode I so this means that if we're going to execute a series of out instructions we can actually change the output signal on the port at every clock cycle at 32 megahertz so that means that we can actually trigger a glitch that would have a length of as low as 31 . 2 5 nanoseconds it'll be a little bit different than actually because of the switch on and off time within the max 46 19 other generally speaking you can do quite quite sure glitches of so what I'm doing here is I have a series of out instructions that will set the the level on this out but then and before I call my glitch function i.e. set up some variables to define what kind of a glitch waveform that I want the so I can have it anywhere from 1 cycle at 32 megahertz up to a clock cycles of 32 megahertz as we change very easily with and software and I don't have to have a separate you for each different length of glitch so this lets the kind of change things on the fly and still have the flexibility to have these very short glitches so the start finding which the the chip the easiest way is if I'm able to execute a glitch against code that I know exactly what the code is doing and since he's a common microcontrollers I could buy a blank and I can load my own code inside so using the GCC armor toolchain parents in simple C code so I have here is a is a while loop that will continue executing forever and I initial I have 2 variables that use inside of this loop a and B and so well initialize B to value that I've set as number of glitch loops which in the case of this test our active set to 16 the I I will toddle some GPI opens this allows me to have my synchronization between the LPC chip and the AVR trip that will do glittering so that I have my timing Mason precise and then I have in the middle of for loop so this for loop is going to increment the a variable from 0 until it reaches the the total number of questions we wanted to and during this loop it's going to decrement the B register so what this does is normally at the end of the loop we should know that the AT variable is going to end up being 16 because that's how I have the glitch loops defined and the B variables should always be 0 that the end of this of while loop that I'm checking to see are the a and the p values actually what I expect if the code is operating normally then the the 1st condition will be true for any equals number of questions loops and equals 0 In this case I'm printing of the serial port to a dot this indicates that there was no glitch that the court operated normally but if this chapter of the a the B variables fails that they have a different value that I'm going to print the serial port what those values were and that indicates that at some kind of a glitch actually occurred that the code did not execute normally like it would so I I wrote
this test code in C so we can actually look at the assembler code that would be generated by GCC to see exactly what instructions are going to be executed that we're going to try to glitch another option would have been to write the code directly a similar but it's such a simple test program and the idea is only to see if it has an effect so I prefer to work in see it's it's amazing easier convenient way to work until the nicer than having to write in assembler for everything other we can see that what the compiler did here is is really quite simple except for all the extra noise from the listing that basically it starts with a equals 0 it decrements B that increments they and it checks to see if we've had uh the end of the number of which looks at so this video is
showing what I see through many common when I'm running the test code so all these dots mean that no glitches happened so I I mean waiting for this for loop to start and then i'll do a quick glitch and as this is running time adjusting the voltage level on the power supply so you can see when I start to lowers the voltage on the power supply we start to see some strange responses come out of the chip so all these lines showing what a and B are are are indicating that a glitch occurred the X is that come up that indicates that the chip reset and we can see a bunch of axes come up the once as a dropped the voltage level even lower so because they start to see a lot of 3 sets of of altered levels so low at that point I increase the voltage level a little bit and what I'm doing here is is trying to find the sweet spot where the chip runs and it still has the most strange effects coming when a glitch inside this FOR loop also we can see that normally the or value in a should be hacks 10 and the value b should be 0 but we are at all kinds of different values depending on exactly which instruction that we clinched within the loop to but we have lots of results that are like 80 is 5 0 0 3 0 0 9 this will be because a is actually pointing to the location within ground where that variable was stored so because it wasn't just a loop or was incrementing registers action variables around so we ended up with a pointer instead of the actual value there because where the glitch book broke the loop of a variety of different effects but the main point here is just that we're having some effect on the check the code is operating normally all that I'm doing at this point is that dropping the the VDT supplied to the chip very briefly during that loop so by doing this kind of a test this so lets me have a nice area to target where I can kind of 2 things in and find what length of a glitch and 1 voltage levels will actually most likely have a good effect on the chip so this is a showing the
oscilloscope image along with the the many commerce screenshot showing of actually glitching during this set target loop so the top channel is the power analysis channel the middle channel there is showing a GPI open it's pulling the GPI OLO while it's within the hour FOR loop that were targeting and then the bottom 1 there was just reset so it's always high during this so we can see it's attempting to gleichen it's attempting to glitch and then finally it stops and we can see that when the glitch action had effect are loop got much shorter we can see because the GPI 0 was held lower for less time and on the bottom window there we can see that we ended up with the value in aiding 5 0 0 3 0 0 0 8 so again it was set to the pointer value not the actual value of the variable and we can see that the B variable ended up with text be at so be would have started out with hex 10 and it got decremented twice to and then to be and then at that point we broke out of the loop so the loop the shorter and the the variable matches the length of the loop because it it count out all the way the this is showing
several screenshots of of watching and seeing different effects that of the chip so the top left we have a screenshot of when we did the glitch but it did not have any effect so the ending results in variable a was hacks 10 and the was 0 below that we can see that the glitch had effect 80 ended up with the normal value but the ended up with the value F F F F F F F 1 of sort is actually happened here is we can see that the loop was extended a little bit and so the B variable actually got decremented more times than normal so it ended up with the wrong value the at the top right we can see again that the loop broker earlier we have a the set to a pointer value and then we have these attacks the instead of being documented all the way down to 0 and in the bottom right we have another result that comes up and again it's similar to the 1 at the bottom left but in this case the was documented down to F F F F F F F 2 instead you the so now if we
adjust the glitch to hit a different part of the loop I've of change the timing so I'm I'm waiting a few more clock cycles before a glitch here it has an effect again so we can see that the the loop was shortened because of the glitch we broke out of this FOR loop and we can see again that the variable a is set to this pointer value tends to get left out and the variable b is now set hex a so the variable that decremented a few more times because we waited further through the for loop to glitch and here we have lot of
screenshots showing the the different results that we have a weekly at at this time location versus the first one so we waited through a couple more rounds of the for loop and the now something else that we can notice in these images if you look especially at the top left image you can see when the for loop executes and we can see little pattern they're not pattern we see repeating exactly 16 times so from the power analysis we don't necessarily know what instructions execute but it really is very clear that there's a for loop that's executing exactly 16 times and we compared to the bottom left image then you see that it hasn't executed 16 times you see it executes about 5 times and then we have the the glitch the big spike on the power consumption and then it completes 1 more loop and then it exits so using this power analysis is is very nice to have a much better idea of what's going on inside the chip it doesn't tell you everything but you you can really get a lot of the the the the so
now this is showing a video of from reset we can see that the channel for the the bottom 1 the oscilloscope is the reset signal from the rising edge of research is where we're starting to trigger and then the top trace again is the power analysis and as it begins here it's entering into the application mode i and were not able to enter the bootloader mode because we have analyzed the the set but by a glitch in near the location where previously we saw the difference between entering bootloader or entering application we can actually glitch at this spot and were able to see a very
clearly on the power analysis that instead of going into the application like it is now when the glitch finally hits and lands the following tracing the power analysis is is is showing that we're going to the bootloader instead we can verify this by sending a command that chip and it does actually respond to the boot loader so after we've done this In in my very simple X may code what I've done is in instead of injured in implementing the entire I the code myself I simply do a serial port pass through so I I run this process I glitch enabled enter the bootloader even though it's been disabled and then after this step I akin to drop back to the command line and I can use that 1 of the commonly available tools this is now able to read the function of an LPC 1343 chips so it reads it through the normalized the interface because as far as it's concerned this is much we can see the flash contents NJ it didn't really is just that simple we've been able to identify the locations in the the boot ROM start up words checking the code reproduction values where it's checking if it's allowed access the loader we perform a glitch at that location it's able to cross the cold flow but the chips still operates other than a few corrupted instructions so we've entered the boot loader once we've entered the bootloader then we can drop back to any of the LPC and programming tools and it's able to just read the chip normally as if it was an entirely on March the so I have uploaded my in my test code for the clincher to get of it's not exactly production-ready code but it's what I used it said it does mostly work it's not well documented but I guess that's kind of normal I'm so this is called for the explain Development Board the AVR chips and this has my yeah serial interface code and also all the time code for the glitches to control the max 46 19 and and performer watching on this if you're interested you can take a look there hopefully as time goes on I might actually be of a little bit and documented that better so it'll it'll be a little bit more usable itself very much a prototype at this point so as you can see it does work actually watching the chip or
something interesting that I saw while I was working on this is that there's an application notes from annex p application Note 10 8 6 6 this is for a secondary USB bootloader of they do have some ships that have the USB peripheral but they didn't include USB bootloader in the program are so they've provided this application note explaining how you can make your own USB boot-loader and if so also supports the familiar could reproduction levels what's interesting about this 1 tho is that they only allow readout through this version of the boot loader if the code re protection word is actually set to 1 specific value that they've defined as no p so we can we can see here that they've actually made the application of the suggestions for the user ruler is implemented in a more secure way than actual rumble loaded of there's about 4 . 2 billion fewer possibilities to corrupt the Sierra p-value actually allow the readout in this case and so clearly you somebody is aware that there's some issues with the coterie protection and that is not so much that they can do inside the wrong now also so another thing that I looked at on this chip was looking closely at the power analysis during start up so I have to whistle scope screenshots here the first one is showing the start up with the knows Europe's set so there's no no real protection enabled and the 2nd 1 is showing if I have the code protection level 1 enabled so if I kind of flip back and forth between them you can see that they look almost identical except for the syrupy 1 just past the halfway point there's a little Paul that's a little bit longer so you can see there's a slight difference in the cold flow between nocere Peter European level 1 being set and then if we go back and look at a
disassembly of the program we can actually see that directly in the start up this is where the checking if they have this European level 1 set to know if they can enable the debugging interface or not but so we can see from these oscilloscope images exactly where this piece of code is being executed and I didn't actually test this but I expect that this might actually be an even easier target than the serial bootloader to try and unlock the chip of because if you can corrupt this value that's being written the undocumented register for 0 0 4 8 3 F 0 then the you're debugging interface enabled so rather than having to deal with the surreal bootloader at all you could just plug in the take debugger and read out the flash directly from this again it's clear from the code that if any other value besides 8 7 6 5 4 3 2 1 and separate into this register you going to have a wide open debugging part so be it was see this code flow difference and the power analysis is quite nice because it gives us an indication exactly when we need to glitch within a few clock cycles so good look
also just at the chips directly I I did a quick handicap cap of the chips this is an LPC 21 48 chip it's 1 of the older series of LPC chips this 1 contains the flash motor not the wrong loaded of a generally there also quite similar they're all the 32 bit ARM chips in the corner of the chip we have
the the part number and low before the chip also so that again this is the LPC 21 48 this for comparison
now this is 1 of the numerous series the LPC 1343 we have again
a nice little the part number in the corner very easy to identify the chip in another corner and we have a
nice little piece of art work here of
so looking more toward the middle of the chip or we have the actual circuitry this is from the LPC 21 48 and we can see that the the circuitries quite dense the also for an invasive attack with with probing of country can be possible but it would need fairly advanced equipment it's gonna be tough just to put a needle directly down on top of a chip like this of all so we can see a lot of these sort of rectangular pieces of metal there are because any of the mental any of those areas on the top layer that don't have metal they filled in with filler to keep the the of wealth i's also areas on the chip that
there's the top layer of the chip that are empty are covered with metal like this so we have actually not much access to the bottom of the chip without further due processing unwanted which is possible there's not really much recent actually do invasive attack but because it's so covered in metal this this does make it more difficult if you wanna do us a laser attacker anything like this I mean maybe can still be possible but it's it's a lot harder to do that kind of thing when you don't actually have access to the transistors below of so yeah this is quite dense this is the 21 48 in the newer chips even smaller so from invasive perspective it's a little bit difficult work on this chip unless you have high and equipment so but the coaching works great and so the noninvasive attack is exactly the way to go these ships are quite easy to get a glitch and because you can read out the program so easily and it set up in such a simple way it's a it's a nice target and it's quite easy to unprotect 2 so that's that's about all that I have I a I hope that have been able to show how easy it is to us to build a simple glitches set up so you can get a lot more advanced than this but personally I like to do with the simple easy cheap way and it works good enough are you can get more precise with your glitch timing and and with different which waveforms all this kind of thing but but even in this case all you need is 1 max 46 19 and power supply and you can have find that you can have an effect on the chip very quickly and then it's just a matter of finding your target location which again with the power analysis makes it very easy and the code is quite simple on so the bottom line is don't trust coterie protection too much on these ships of but it's not really too specific to the NXP LPC family I generally a lot of the basic microcontrollers are set up in similar way as the blocks tend to be quite fragile so I'm not really intending to to pick too much on this family of chips this is just a nice example to work with of most of the simple microcontrollers that have a blue wrong with the bootloader inside will have similar defects to this that if you're able to find a way to glitch the chips then probably you can bypass it in the same way the thank
you the the I I would like to ask can do you provide the clock from the picture circuits to be and she was well or was it running from an internal harshly possibly tie yes that that's something that I glossed over for shared by these chips are generally running from the internal RC oscillator of some of the family do you need an extra clock the LPC 21 48 for example runs off an external clock but in general the whole family does support the external clock but during the Boer on it's running off of the internal clock as so for my testing I didn't even supply a clock signal to it because it had no effect at the time of the program that I was looking at all of the LPC 21 48 when I worked on that 1 of something that I did find that was worth noting was that the development board that I was using had a 12 megahertz oscillate around it I which I was able to us so the chip but when I increase the oscillator speed to 16 megahertz is the chip becomes much more easy to glitch so if you have the ability to run from the extra loss later then if you increase at to kind of the highest level that you can the chips tend to get easier to glitch on but I mean and unfortunately for me in this case most of these ships were running from the internal see us I have have 1 additional question have you tried uh using the chip whisper I haven't usership whisper I've ever that it's good tool but I haven't had she had a chance to get any hands on experience with it thank you that mm below the very nice presentation thank you especially because it's a quite low cost do to this type of attack but I have to kind of related questions the 1st 1 is and how is how long was the leach campaign when you're studying for the characteristics of the click and the 2nd 1 I want to find this characteristics of the glitch what's that the success percentage both rethinking get that so to to find the glitch initially on on this when I was fairly lucky and mean this this is the 1st of that I've tried a glitch so I sort of have this strategy that I follow and by loading my test coincide with this for loop that I can target it gives you a nice targeted area where you have a defined effect if you're able to have an effect on so I think within the 1st days of of playing with this chip I was able to see some effects from the glittering and then it took a little bit longer to actually you find the precise point at which to access the bootloader but it was it was fairly quick that I was able to and then the repeatability so that the glitch doesn't necessarily work every time but if you only need to do 1 glitch in the program to get to the point where you want and you can try many times then it's not so bad so I mean in this case I having a glitch success rate of maybe 1 % but I can make more than 100 times in a 2nd so I'm and so having accessible success with a 2nd or 2 OK thank you the the a of this talk focused on an in on which to break out of some kind a loop or a bypass a conditional and your your previous stock uh to see in the can last year I had you could change you change like a branch target so you're jumping appeal memory ADC that certain architectures are certain passive family is there more susceptible to certain types of glitches or you can characterize like what's actually happening in their based on some criteria on on most the chips that have looked at I haven't done so much characterization typically and is looking for something that's going to corrupt and instruction and the exact details I'm not so worried about as long as it doesn't corrupt too much but depending on the architecture does make a difference if you using a chip with a Harvard architecture where data memory in your code memory on shared then I can make some types of attacks more difficult mean in this case it doesn't really matter because it's such a simple target but that as you mentioned free for my previous talk I wanted to actually put a code payload in how that executed us of that should have been a Harvard architecture that would've been a lot more difficult to actually get that into an executable area of the the different effects depending on the type of the chip so on on a RISC chip period instructions are going to generally all the same length so you're going to have most likely some effect on this instruction than the rest the code is going to execute normally if you're on assist ship for the opcode the different lines that you can have an effect where you might cause your code to be read as an incorrect or code in which case it's going to end up executing from the middle of the next instruction and so in this case you can have a of more wildly different cold flow this this this this and this and that and in theory