Session
Fahrplan 34C3
Hardware & Making

Opening Closed Systems with GlitchKit

'Liberating' Firmware from Closed Devices with Open Source Hardware
Systems that hide their firmware-- often deep in readout-protected flash or hidden in encrypted ROM chips-- have long stymied reverse engineers, who often have to resort to inventive methods to understand closed systems. To help reduce the effort needed to get a foothold into a new system, we present GlitchKit-- an open source hardware and firmware solution that significantly simplifies the process of fault-injecting your way into a new system -- and of fault-injecting firmware secrets out! This talk presents the development completed thus far, demonstrates the use of GlitchKit in simple attacks, and invites participation in the development of our open-source tools.

Work by a variety of authors has demonstrated the vulnerability of hardware peripherals to fault-injection-driven firmware-disclosure attacks [1]-- or in other words: glitching attacks that cause devices to 'accidentally' disclose their own firmware. A common form of this attack exploits the behavior of hardware peripherals as they send out bits of read-only memory-- by inducing a glitch at the end of a communication, transmitters can often be inticed to transmit memory beyond the end of the scheduled communcation, often leaking firmware and other device secrets.

For glitching attacks to function properly, glitches must be precisely timed relative to communication events-- a requirement that often requires reverse engineers to develop purpose-built glitch-triggering hardware. GitchKit helps to relieve this burden-- providing an easy, context-aware glitching toolkit that can synchronize glitch events to a variety of communications events, including events generated by common protocols such as USB. GlitchKit builds atop existing open-source software and hardware-- including the GreatFET communications multitool, the FaceDancer USB-hacking toolkit, and the ChipWhisperer fault-injection toolkit-- and provides an entirely-open-source stack for easy glitching-- hopefully making it easier for you to get your hands on that elusive piece of firmware!

This talk presents the theory behind firmware-disclosure glitching, and aims to help every hacker start using open-source tools to start opening up closed systems. Accordingly, we discuss the current state of the GlitchKit project, describe in detail how it can be used to 'break open' existing closed systems, and provide live demonstration of GlitchKit features.

[1] e.g, http://scanlime.org/2016/10/scanlime015-glitchy-descriptor-firmware-grab/

Additional information

Type lecture
Language English

More sessions

12/27/17
Hardware & Making
Paul Emmerich
Saal Borg
Network cards are often seen as black boxes: you put data in a socket on one side and packets come out at the other end - or the other way around. Let's have a deeper look at how a network card actually works at the lower levels by writing a simple user space driver from scratch for a 10 Gbit/s NIC.
12/27/17
Hardware & Making
Saal Borg
Did you ever want to run your own IoT cloud on your IoT devices? Or did you ever wonder what data your vacuum cleaning robot is transmitting to the vendor? Why a vacuum cleaning robot needs tcpdump? Nowadays IoT devices are getting more and more powerful and contain a lot of sensors. As most devices are connected directly to the vendor and transmit all data encrypted to the cloud, this may result in privacy issues. An IoT device with no internet connection lacks numerous features or is even ...
12/27/17
Hardware & Making
Jean Rintoul
Saal Clarke
An open source biomedical imaging project using electrical impedance tomography. Imagine a world where medical imaging is cheap and accessible for everyone! We'll discuss this current project, how it works, and future directions in medical physics.
12/27/17
Hardware & Making
Saal Borg
The Apollo Guidance Computer ("AGC") was used onboard the Apollo spacecraft to support the Apollo moon landings between 1969 and 1972. This talk explains "everything about the AGC", including its quirky but clever hardware design, its revolutionary OS, and how its software allowed humans to reach and explore the moon.
12/28/17
Hardware & Making
Saal Dijkstra
Over the past year, we have been developing open source wheelchair add-ons through user research, ideation, design, prototyping and testing. We present the outcome and insights from the process.
12/28/17
Hardware & Making
Katja Bach
Saal Dijkstra
„5.-Klässlerinnen, die über die Millisekunden für einen delay()-Aufruf diskutieren! Gibt es nicht? Doch, gibt es!“ Ein Modellprojekt mit sieben Schulen in Aachen hat diese Frage untersucht – wir haben die Schülerinnen und Schüler begleitet und würden gerne darüber berichten, denn wir wissen jetzt: Programmieren macht ihnen Spaß!
12/28/17
Hardware & Making
MathiasL
Saal Clarke
In this talk I describe the basic makeup of FPGAs and how I reverse engineered the Xilinx 7 Series and Lattice iCE40 Series together with the implications.