Update 2017-08-19: Updated links, linked to follow-on parts

Previous Parts

First of all, if you’re reading this I assume you’ve completed Part 1 and Part 2. In the last part we covered what the logic might look like. I assume you’ve built your python scripts and FPGA logic in such a way that you can now read out a device whose firmware is unlocked. You have logic capable of generating glitch pulses of varying widths with varying delays, but have yet to glitch the target.

The Logic

So I published my logic to the Toothless GitHub, so you can grab a copy here. This project contains both the python script as well as the necessary Verilog. Here I’m just going to outline the Verilog, as it was last week’s TODO.
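To make the outline concrete, here is an added, minimal counter-based pulse generator of my own (not the Verilog from the Toothless repository): it waits a configurable number of 100 MHz clock cycles after the target’s reset is released, then asserts the glitch select line for a configurable number of cycles. Port names, parameter widths and the assumption that the output drives the MAX4619 select pin are mine.

```verilog
// Added example, not the Toothless project's code. Counter-based glitch
// pulse generator for a 100 MHz FPGA clock: after the target reset line
// is released, wait `delay` cycles, then drive `glitch` high for `width`
// cycles. `glitch` is assumed to drive the MAX4619 select input so that
// target VCC is switched to the glitch voltage for the pulse duration.
module glitch_pulse #(
    parameter DELAY_BITS = 16,  // 2^16 cycles = 655 us at 100 MHz, covers 0-100 us
    parameter WIDTH_BITS = 8    // up to 255 cycles, covers 10-25 cycle pulses
) (
    input  wire                  clk,        // 100 MHz FPGA clock
    input  wire                  arm,        // host script: fire on next reset release
    input  wire                  target_rst, // reset driven to the target (active low)
    input  wire [DELAY_BITS-1:0] delay,      // cycles from reset release to pulse
    input  wire [WIDTH_BITS-1:0] width,      // pulse length in cycles, must be >= 1
    output reg                   glitch,     // 1 = select glitch voltage on MAX4619
    output reg                   done        // one-cycle strobe when pulse finished
);
    localparam IDLE = 2'd0, WAIT = 2'd1, PULSE = 2'd2;
    reg [1:0]            state = IDLE;
    reg [DELAY_BITS-1:0] cnt   = 0;
    reg                  rst_q = 1'b0;   // previous target_rst, for edge detection

    always @(posedge clk) begin
        rst_q <= target_rst;
        done  <= 1'b0;
        case (state)
            IDLE: begin
                glitch <= 1'b0;
                // rising edge of target_rst: reset released, target starts booting
                if (arm && target_rst && !rst_q) begin
                    cnt <= 0;
                    if (delay == 0) begin glitch <= 1'b1; state <= PULSE; end
                    else                  state <= WAIT;
                end
            end
            WAIT: begin   // glitch rises `delay` cycles after the detection edge
                if (cnt == delay - 1) begin cnt <= 0; glitch <= 1'b1; state <= PULSE; end
                else                  cnt <= cnt + 1;
            end
            PULSE: begin  // glitch stays high for exactly `width` cycles
                if (cnt == width - 1) begin glitch <= 1'b0; done <= 1'b1; state <= IDLE; end
                else                  cnt <= cnt + 1;
            end
        endcase
    end
endmodule
```

The host script is expected to program `delay` and `width`, raise `arm`, toggle `target_rst`, and wait for `done` before reading the target’s response; a fixed one-cycle pipeline latency is added to `delay`, which does not matter for a sweep.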

Some hardware hacking equipment required

People always ask me what lab equipment to buy, so I started a spreadsheet. https://t.co/ZsPpH9z1FL

— Dmitry Nedospasov (@nedos) August 14, 2017

I started to put together a Recommended Lab Equipment list. Lab equipment turned out to be such a popular topic that I’m certain I will revisit it regularly. The question I always get is “what’s the difference?” or “why can’t I buy the cheap Chinese version?”. What you’re paying for when you buy good lab equipment is confidence - confidence that it’s working as it should. For example, when you’re buying a multimeter you want to be sure it will warn you that the battery is low instead of giving you false measurements. You want to be confident that if you turn the range switch, it won’t explode. When it comes to power supplies, you want them to output voltages accurately and clamp overcurrents quickly. You don’t want them to overshoot the voltage, potentially damaging your circuit.

The good news with good lab equipment is that you only buy it once and it’ll serve you for many, many years. So if anything, consider it an investment in yourself. However, I’ll readily admit that a balance has to be struck in terms of the money you’re shelling out and when. One of the problems I see the most with companies is a lack of sufficient equipment. For example, if you have 6 engineers, 1 good multimeter is not enough. That’s what I tried to highlight with my list. If you’re a company, you’ll want to eventually have multiple multimeters, power supplies, logic analyzers and oscilloscopes. If you’re just funding your own hobby/interest then the story is a bit different. I promise I’ll go over some of my favorite lab equipment, but in the meantime I highly recommend you check out some of Dave Jones’ reviews on YouTube.

Necessary Electronics

At the very least, you’ll need the following electronics:

I strongly recommend you grab a couple of items from the list to make debugging your circuit much easier.

Soldering Equipment

For the modifications we’ll be doing you won’t need anything special. Even a cheap soldering iron will probably do, but if you don’t yet own a soldering station, now would be a good time to get one. You can take a look at my recommended equipment list and hop over to the Soldering Equipment tab. If you just want a good starter soldering station, consider getting the Hakko FX888D.

Modifying the target

To glitch the target we’ll need to disconnect the microcontroller from all of the bypass capacitors and supply circuitry, as these all have some capacitance, which will effectively filter out the glitch. One option would be to take the microcontroller, desolder it and solder it back onto a breakout board. However, that’s too much work, so it’s easier just to modify the Olimex P1343 development board. I annotated the necessary modifications in the image below.

[Image: annotated modifications to the Olimex P1343 development board]

Here’s a quick run down for clarity:

  1. Remove the decoupling capacitors C1 and C4.
  2. Disconnect the microcontroller from the supply. The microcontroller is connected to the supply via 2 pins, so we’ll have to cut two traces on the PCB. Fortunately, on this development board it’s really easy. We simply need to cut through the trace running between the two pads of the 3.3V_CORE_E footprint and of the 3.3V_CORE_IO_E footprint, respectively. I recommend using a scalpel or knife. Verify with the continuity test on your multimeter that there is no longer a connection between the two pads of each footprint.
  3. Finally, cut one end off a jumper wire, leaving the male connector on the other end. We’ll use the male connector to connect to the female headers on the Digilent Arty FPGA board. Now strip the cut end of the wire and solder it to the VCC pads of 3.3V_CORE_E and 3.3V_CORE_IO_E.

The final result will look something like this (I’ll try to upload a nicer image when I get back home):

[Image: the modified board with the jumper wire soldered to the VCC pads]

Connecting the Max4619 on the Breadboard

Whenever you work with a power supply, always set a current limit. A reasonable current limit for our application is 200mA or 0.2A. That’s already way more than we will end up using. Next, when connecting the Max4619 there are a couple of gotchas if you’re not used to working with these kinds of devices. First of all, the enable is active low, meaning you must tie it to ground for anything to happen. Also, we’ll only be using one channel even though the Max4619 has three. With a device like this it’s best practice to tie all the unused inputs to ground. Below you’ll find a wiring diagram describing the connections you’ll need to make.

[Image: wiring diagram for the Max4619 on the breadboard]

Here’s a quick run down of the different signals:

What’s next?

First of all, if you need a binary that sets CRP to CRP1, try this one. Try wiring it all up on the breadboard. As a sanity check, make sure you can still communicate with the board. Make sure nothing is getting hot either. Next, try playing around with VCC, the supply voltage to the target. Tweak VCC until the target board only just runs stably. Try different glitch voltages. As I said, I’ve had success with glitch voltages ranging from 0V to 0.6V. The chip takes less than 100us to boot up fully, hence you should try glitching from 0 to 100us after reset. I’ve gotten glitch pulses ranging from 10 to 25 clock cycles to succeed, i.e. 10/100MHz to 25/100MHz, which is about 100ns - 250ns. Once you’ve done all of that, head over to Part 3.

Want access to future material before anyone else? Just subscribe.

Sign up for our mailing list and you’ll get our solutions before anyone else. Our newsletter also gets you discounts on upcoming trainings.

New to all of this? Building out a hardware lab? Take a training.

If you’re new to all of this, you should consider taking one of our trainings. This specific assignment is part of our five-day course, which we currently only offer in Berlin. We also offer onsite trainings for companies, starting at just 5 participants. If you’re building out a lab or need to teach your engineers the proper use of lab equipment, we can help.

Questions? Comments?

You can always DM me on twitter or email me at dmitry [at] toothless.co.