The most basic introduction to performing a Vcc glitch attack.

kholia/avr-glitch-101

AVR-Glitch-101

The most basic introduction to performing a power glitch attack.

Author: Dean Jerkovich (https://github.com/deanjerkovich)

Author 2: Dhiru Kholia (https://github.com/kholia)

Intro

The basic idea here is to set up some inexpensive hardware and watch what happens when the power supply to the AVR (on the Arduino) is intentionally interrupted. Some simple code that performs arithmetic is loaded onto the AVR, and it communicates back to the host computer over serial. The AVR's ground wire runs through a transistor that is switched by an FPGA. The FPGA runs a simple piece of Verilog which drops an output to 0 for a small number of clock ticks every 20 million or so clock ticks (a bit over a second of time, given the 12 MHz clock). The net effect is that the AVR loses power for very small fractions of time, causing noticeable disruptions in arithmetic and logic without triggering the brown-out detection or causing a full reset.
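
The effect described above, together with one common firmware countermeasure, as an added example (not code from this repository): a host-runnable C simulation of a nested counting loop in which a single bit flip stands in for the glitch, and a complementary shadow counter detects it. The loop bounds, the names `count_loop` and `struct run`, and the bit-flip fault model are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define OUTER 50u              /* assumed loop bounds: 50 * 50 = 2500 steps */
#define INNER 50u
#define NO_FAULT UINT32_MAX    /* fault_at value meaning "clean run" */

struct run { uint32_t count; int fault_detected; };

/* Nested counting loop. At step fault_at, bit `bit` of the counter is flipped
 * to stand in for a glitch (simulation only; the fault model is an assumption).
 * With hardened != 0, a shadow counter holding ~count is cross-checked. */
struct run count_loop(uint32_t fault_at, unsigned bit, int hardened)
{
    volatile uint32_t count = 0;
    volatile uint32_t shadow = UINT32_MAX;   /* invariant: shadow == ~count */
    uint32_t step = 0;
    struct run r = {0, 0};

    for (uint32_t i = 0; i < OUTER; i++) {
        for (uint32_t j = 0; j < INNER; j++, step++) {
            count = count + 1;
            shadow = shadow - 1;
            if (step == fault_at)
                count = count ^ ((uint32_t)1 << bit);  /* corrupts count only */
            /* Firmware would halt or reset here instead of setting a flag. */
            if (hardened && (count ^ shadow) != UINT32_MAX)
                r.fault_detected = 1;
        }
    }
    r.count = count;
    return r;
}

int main(void)
{
    struct run clean = count_loop(NO_FAULT, 0, 1);  /* no fault injected */
    struct run plain = count_loop(1000, 4, 0);      /* fault, no check */
    struct run hard  = count_loop(1000, 4, 1);      /* fault, shadow check */
    printf("clean:    count=%lu detected=%d\n", (unsigned long)clean.count, clean.fault_detected);
    printf("plain:    count=%lu detected=%d\n", (unsigned long)plain.count, plain.fault_detected);
    printf("hardened: count=%lu detected=%d\n", (unsigned long)hard.count, hard.fault_detected);
    return 0;
}
```

The unhardened run returns a wrong total with no indication that anything happened, while the hardened run flags the same corruption. The shadow check only covers corruption of the counter itself; a fault that disturbs the comparison or both variables consistently needs additional measures.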

Requirements

  • An iCEstick / iCEBreaker / TinyFPGA BX FPGA board.

  • An Arduino Uno target board (see SparkFun) and the Arduino IDE

  • Some connecting wires, 2N7000 MOSFET (TO-92 package for ease of use), 1k resistor (0.25W is fine)

    • FPGA's ground pin is connected to 2N7000's source (Pin 1)

    • FPGA's glitch output pin is connected to 2N7000's gate (Pin 2)

    • 2N7000's drain (Pin 3) is connected to the target's ground pin

    Note: 2N7000 and BS170 are non-RF MOSFETs, but they are widely used in amateur RF applications (HF operations up to 30 MHz). They should be good enough for our low-current-usage purposes, especially the BS170.

    For higher-current applications, IRLZ44 should suffice.

  • https://github.com/open-tool-forge/summon-fpga-tools - script to install open-source FPGA toolchains

Wiring it up

See the blog post.

Hardware Setup

Results

Solving the avr-glitch-101 challenge:

Demo 1

Solving the Rhme2 challenge (2016) - Fiesta challenge:

Demo 2

The Differential Fault Injection Against AES challenge:

AES 0 AES 1 AES 2 AES 3

w00t!

Note: We use the same GND glitching hardware setup for this DFI attack against AES. This is different from, and simpler than, the upstream approach.
