DESYNK

An iCEBreaker-based hardware glitching thing

Purpose

Break black-box hardware devices by messing with their clock or power feed.

Specifically, a glitch introduced at the right time can bypass individual instructions, which has interesting security implications.

Functionality

Several of the blocks above are designed to have drop-in replacements. For example, the Detector module used to trigger glitching. This must detect a predictable and stable starting state in the target device. In some cases, perhaps it's enough to snoop an indicator LED. For other targets, perhaps an I2C bus must be sniffed to detect a specific message. Implement a new Detector module and connect it!

The Control block consists of a very simple state machine:

Wait for the trigger signal, indicating the target is ready
Start the delay countdown
At the end of the delay, inject a glitch
If a Success signal is detected, halt
Alter the delay
Reset the target device
Start over

On Success, we've found a specific Delay value (counted in cycles) and a specific glitch mode which causes the target device to do what we want it to do.

Setup

A target device, running something sensitive. For example, computes some hash and checks its result against a fixed "proper" value.

Connections to the DESYNK board:

TARGET_CLK which drives the target device
TRIGGER which the target sets HIGH at a fixed time before the check
SUCCESS which the target sets HIGH if the check is bypassed
POWER which enables the power feed to the target device
THROTTLE which grounds the power feed of the target device

Configuration

Edit top.sv to modify the pin mapping and set various parameters. Eventually, the parameters specified here will be used to select which modules are active.

Glitch Modes

`glitch_clk_fast`

Injects a number of faster clock cycles on the target's clock input. The following figure shows three different instances of the glitching module, injecting 1, 2 and 7 cycles respectively.

Detector Modules

`detect_edge`

Triggered by a simple digital input signal. Set RISING_EDGE=1 to detect leading edge, or RISING_EDGE=0 to trigger on a falling edge.

Usage

This is all theoretical, since nothing is implemented

The USR button on the iCEBreaker resets the board. On boot, a normal 16MHz clock signal is generated without glitches, to allow for target reprogramming and such.

The top button starts glitching. The top LED indicates that glitching is underway.

Ideas

Modular target control to reset the target

Direct power control
Reset pin on the target

Modular detector for TRIGGER and SUCCESS signals

Signal pin
UART snooping

Modular glitch mode:

Single quick-cycle
Skip cycle
Multiple quick cycles
Power glitches

Name		Name	Last commit message	Last commit date
Latest commit History 27 Commits
doc		doc
.gitignore		.gitignore
Makefile		Makefile
README.md		README.md
clk_div_2.sv		clk_div_2.sv
clk_div_3.sv		clk_div_3.sv
clk_div_3_tb.sv		clk_div_3_tb.sv
controller.sv		controller.sv
desynk.sv		desynk.sv
desynk_tb.sv		desynk_tb.sv
detect_edge.sv		detect_edge.sv
detect_edge_tb.sv		detect_edge_tb.sv
dummy_target_clk.sv		dummy_target_clk.sv
glitch_clk_fast.sv		glitch_clk_fast.sv
glitch_clk_fast_tb.sv		glitch_clk_fast_tb.sv
icebreaker.pcf		icebreaker.pcf
target_control_power.sv		target_control_power.sv
target_control_power_tb.sv		target_control_power_tb.sv
target_control_reset.sv		target_control_reset.sv
target_control_reset_tb.sv		target_control_reset_tb.sv
top.sv		top.sv
trigger_delay.sv		trigger_delay.sv
trigger_delay_tb.sv		trigger_delay_tb.sv

eldstal/desynk

Folders and files

Latest commit

History

Repository files navigation

DESYNK

Purpose

Functionality

Setup

Configuration

Glitch Modes

glitch_clk_fast

Detector Modules

detect_edge

Usage

Ideas

About

Resources

Stars

Watchers

Forks

Languages

`glitch_clk_fast`

`detect_edge`