34th Chaos Communication Congress

»Opening Closed Systems with GlitchKit«
2017-12-28, 21:15–22:15, Saal Borg

Systems that hide their firmware-- often deep in readout-protected flash or hidden in encrypted ROM chips-- have long stymied reverse engineers, who often have to resort to inventive methods to understand closed systems. To help reduce the effort needed to get a foothold into a new system, we present GlitchKit-- an open source hardware and firmware solution that significantly simplifies the process of fault-injecting your way into a new system -- and of fault-injecting firmware secrets out! This talk presents the development completed thus far, demonstrates the use of GlitchKit in simple attacks, and invites participation in the development of our open-source tools.

Work by a variety of authors has demonstrated the vulnerability of hardware peripherals to fault-injection-driven firmware-disclosure attacks [1]-- or in other words: glitching attacks that cause devices to 'accidentally' disclose their own firmware. A common form of this attack exploits the behavior of hardware peripherals as they send out bits of read-only memory-- by inducing a glitch at the end of a communication, transmitters can often be inticed to transmit memory beyond the end of the scheduled communcation, often leaking firmware and other device secrets.

For glitching attacks to function properly, glitches must be precisely timed relative to communication events-- a requirement that often requires reverse engineers to develop purpose-built glitch-triggering hardware. GitchKit helps to relieve this burden-- providing an easy, context-aware glitching toolkit that can synchronize glitch events to a variety of communications events, including events generated by common protocols such as USB. GlitchKit builds atop existing open-source software and hardware-- including the GreatFET communications multitool, the FaceDancer USB-hacking toolkit, and the ChipWhisperer fault-injection toolkit-- and provides an entirely-open-source stack for easy glitching-- hopefully making it easier for you to get your hands on that elusive piece of firmware!

This talk presents the theory behind firmware-disclosure glitching, and aims to help every hacker start using open-source tools to start opening up closed systems. Accordingly, we discuss the current state of the GlitchKit project, describe in detail how it can be used to 'break open' existing closed systems, and provide live demonstration of GlitchKit features.

[1] e.g, http://scanlime.org/2016/10/scanlime015-glitchy-descriptor-firmware-grab/