Guide ‐ First Power Glitching Attack - miswired/glitchy GitHub Wiki

Intro

This page will quickly walk you through a power glitching attack on an Arduino Uno R3. If you purchased a kit you should have everything you need already. If you didn't you will need:

• An Arduino Uno R3
• Wire to solder onto the bypass capacitor and connect to Glitchy's screw terminals
• Male to Male jumper wire
• USB cable or power source for the Uno

Preparing the Arduino

We need to have a good connection to the power input of the ATMEGA chip on the Arduino. Traditionally you remove the capacitor to make it easier to glitch, but this demo works just fine with leaving the capacitor on. What we do need to do is solder some wires to the capacitor.

UPDATE: It is possible to glitch the Arduino just connecting to the 5V and GND header pins with no soldering. This method may be less reliable as it's a higher resistance connection to the board. It may work less often or take longer to glitch. You need to make sure the jumpers are securely placed. But it does work and saves you from having to solder if you are not comfortable with that. The soldering method is still recommended if you have the ability to do so.

Start by striping and "tinning" the tips of your wires with a little bit of solder to make it easier for the wire to adhere to the capacitor terminals.

Next, locate the power capacitor on your board. For the Uno R3 it's between the headers and the chip here.

Now we need to solder the wires to the board. While the wire colors don't really matter, traditionally red is used for positive and black negative or ground. We do need to keep track of which one is which for when we connect to the Glitchy. So I recommend following along. The positive is on the left side of the image and the ground to the right. Here is a closeup of the soldering.

Connecting the Arduino to the Glitchy

We now need to connect the power wires to the crowbar FET (Field Effect Transistor) on the Glitchy. This FET is a high current electrical switch that we can turn on and off really quickly to briefly short power to the Arduino. The goal is we short it just long enough to make the Arduino mess up, but not enough that we make it completely reset.

Connect the two wires you just soldered to the Glitchy's Glitch screw terminals. Positive (red) to the side marked + and negative/GND (black) to the side marked -.

IMPORTANT
We need to make sure we connect the Arduino's GND to the Glitchy's GND. This is needed for us to effectively turn the FET on and off. We also need it to create a common reference for the enter switch signal we will be driving and the unlocked signal we will be monitoring. We do this by using one of the male to male jumper wires and putting in in the header on both boards marked GND.

Next we need to connect the wires between the boards for sending an enter command and a wire to detect the pin going high indicating the glitch was a success. These two represent something like the enter key on a keypad you press and the electronic lock checks your password. And the unlocked signal represents something like an indicator LED or door latch power signal form the lock that we are monitoring. Of course here, we are using this as a controlled lab setup so they are just pins going high and low.

Glitchy pin /Arduino pin 11 / 11 12 / 12

Programming the Arduino with the right target code

Congratulations! The hardware is all hooked up! Now we need to make sure the Arduino has the right target code for us to exploit. You don't need to install all the libraries and board support for the Glitchy's ESP32, but we will need the Arduino IDE to load the super simple code onto the Arduino Uno.

If you need help doing this. See the Arduino environment setup guide here: Arduino-Setup
I currently recommend using the Arduino 1.X version of the IDE, not the 2.x versions as I am still getting buggy behavior from it last I checked.

Make sure you have cloned the Glitchy repo from this github project. There is a code folder, and inside of that a target examples folder.
You need to open up the Target_Glitch project and program the Arduino Uno.

• Open project
• Select Arduino Uno from the Tools>Board menu
• Make sure the correct port is selected under to tools menu
• Hit the arrow pointing right which will compile and upload the program to the Arduino. You should get a done uploading message at the bottom of the window.

What are we trying to glitch?

Now we are ready to start glitching! Lets take a look at what we are actually trying to do.

       
// Defining Pins here
#define ENTER_KEY_PIN 11   
#define LOCKED_LED_PIN 13 
#define UNLOCKED_LED_PIN 12     

//Globals
bool g_button_state = false;         // variable for reading the pushbutton status
volatile bool g_unlocked = false;   //volatile so that the optimizer doesn't remove the code since it is always false

void setup() {
  // initialize pin registers
  pinMode(LOCKED_LED_PIN, OUTPUT);
  pinMode(UNLOCKED_LED_PIN, OUTPUT);
  pinMode(ENTER_KEY_PIN, INPUT);
}

void loop() {
  // read the state of the pushbutton value:
  g_button_state = digitalRead(ENTER_KEY_PIN);

  //Check to see if button is pressed and we should evaluate the unlocked variable.
  if (g_button_state == HIGH) {
    if(g_unlocked)
    {
      //unlocked is always false, should never go here unless we succesfully glitch
      unlock_system();
    }
  } else {
    // Show locked
    digitalWrite(LOCKED_LED_PIN, HIGH);
    digitalWrite(UNLOCKED_LED_PIN, LOW);
  }
}

//The function that should never get called
void unlock_system()
{
  digitalWrite(LOCKED_LED_PIN, LOW);
  digitalWrite(UNLOCKED_LED_PIN, HIGH);

  //Stay here forever
  while(true);
}

The key points here is that the main loop is looking for an enter key press, and checking a variable to see if the system should be unlocked.

if (g_button_state == HIGH) {
    if(g_unlocked)
    {

But the key thing to notice is the variable g_unlocked is set to false and is never set to true anywhere in the code. It's defined here:

volatile bool g_unlocked = false;   //volatile so that the optimizer doesn't remove the code since it is always false

But we want to trick the system and force it to unlock. The build in LED gives us a visual tool to see when the system is locked, unlocked, and if the system is being reset. The LED is turned on to show the system is locked. If the pulse is too long and the board resets you will see the light flicker as the Arduino reboots. If the light goes out and stays out, you likely successfully glitched it. You can know for sure because the unlocked pin goes high. The Glitchy will be monitoring this unlocked pin and stop glitching when it detects a success.

void unlock_system()
{
  digitalWrite(LOCKED_LED_PIN, LOW);
  digitalWrite(UNLOCKED_LED_PIN, HIGH);

  //Stay here forever
  while(true);
}

Lets get to glitching!

So bring up the web interface as described in the Quick Start guide. Go to the glitching tab. Click the start glitching button.

The next screen allows you to adjust the timing for your target. To learn more about what these do and why, see the theory section here.

Start glitching by pressing the Run Test button.

The Glitchy is now generating very fast and small shorts right after pressing the enter key. Then waiting a bit, and repeating. It will repeat each glitch duration three times and then make it a little bit longer until it detects that it has been successful by monitoring the unlocked pin. It's not an exact science and there will be some variability on what works each run. You should eventually see something like this: