-
May 31 2024: Components are arriving
05/31/2024 at 19:34
Most of the components for assembling the PicoGlitcher hardware have arrived. I am still waiting for the PCBs...
-
May 30 2024: Successful glitches
05/31/2024 at 19:29
Over the last few days I refined the software and added example scripts to attack ESP32 and STM32 processors.
The library works and is able to produce reliable glitches. First I tried to reproduce results that were previously published by Sec-Consult. In this scenario the read-out protection (RDP) of STM32 microcontrollers is attacked during the bootloader stage. If a glitch is successful, the RDP level can be reduced and the internal flash memory can thus be dumped. The above figure shows a successful glitching campaign. The x-axis shows the glitch delay in nanoseconds. This is the time between the trigger and the point in time where the glitch is set. The y-axis shows the duration of the glitch (length) in nanoseconds. The longer this time is, the more aggressive the glitch is and the more likely the target is to fail.
Points in green and yellow are expected behavior or communication errors (not shown in the plot). Magenta and red points are successful glitches and successful memory dumps. With this setup we reach a success rate of about 0.2%, which is considered good.
Since the PicoGlitcher hardware is not ready yet, the attack was made in this case with the ChipWhisperer Pro.
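A success rate like the one quoted above is a count of classified attempts, and at rates this low its uncertainty matters when comparing a protected target against an unprotected one. The following is an added example, not code from the fault-injection-library: it tallies a campaign by the colour classes described in this entry and attaches a 95% Wilson interval to the rate. The record layout, bin sizes, colour-to-class mapping and sample data are constructed assumptions.

```python
import math
from collections import Counter

SUCCESS = {"magenta", "red"}  # successful glitch / successful memory dump

def wilson_interval(hits, trials, z=1.96):
    """95% Wilson score interval for a binomial proportion."""
    if trials == 0:
        return (0.0, 1.0)
    p = hits / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def summarize(records, delay_bin=1000, length_bin=50):
    """Tally (delay_ns, length_ns, colour) records overall and per parameter bin."""
    colours = Counter(colour for _, _, colour in records)
    bins = {}
    for delay, length, colour in records:
        key = (delay // delay_bin * delay_bin, length // length_bin * length_bin)
        trials, hits = bins.get(key, (0, 0))
        bins[key] = (trials + 1, hits + (colour in SUCCESS))
    total = len(records)
    hits = sum(colours[c] for c in SUCCESS)
    return {"colours": colours, "trials": total, "successes": hits,
            "rate": hits / total if total else 0.0,
            "ci95": wilson_interval(hits, total), "bins": bins}

def build_constructed_campaign():
    """Constructed sample data (not measured): 5000 attempts, 10 successes."""
    records = []
    for i in range(5000):
        delay = 100_000 + (i % 100) * 100   # ns, constructed scan range
        length = 100 + (i // 100) * 5       # ns, constructed scan range
        if i % 500 == 251:
            colour = "red" if (i // 500) % 2 == 0 else "magenta"
        elif i % 50 == 0:
            colour = "yellow"               # assumed: communication error
        else:
            colour = "green"                # assumed: expected behaviour
        records.append((delay, length, colour))
    return records

if __name__ == "__main__":
    s = summarize(build_constructed_campaign())
    lo, hi = s["ci95"]
    print(f"{s['successes']}/{s['trials']} = {s['rate']:.2%} (95% CI {lo:.2%}..{hi:.2%})")
```

With only ten successes in 5000 attempts the interval is wide, so a change in the measured rate after adding a countermeasure needs a comparable or larger number of attempts before it means anything.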
-
May 23 2024: PCB design
05/31/2024 at 18:55
The design of the PCB has been finished and the boards are being produced. The next step is to order the electronic components and to assemble the boards. Shipping of the PCBs is expected in mid-June. Hence, there is a bit of time to finish the software until then.
-
May 11 2024: Project start
05/31/2024 at 18:50
Coding starts by forking the project from raelize. The code from raelize is already a good starting point; however, for my taste some features are lacking. For example, the library from raelize only supports the ChipWhisperer Husky, which is a good but expensive device. I wanted to use this library with cheaper hardware. So I had to build my own.
Moreover, the database functionality of the original project could be improved, and I made several improvements to better handle the glitching campaigns. Now my fault-injection-library is an independent project with more than 90 commits, example code, schematics and PCB design files.