That feeling when I was a hacker at 8 years old performing fault injection attacks on my N64 by flicking the cartridge while the machine was on.
I was thinking the same thing, to see if I could cheat, because my whore mom was too broke to get me a Game Genie.
Fit For Flogging game shark
@ramenlover3608 it went by different names in different regions
Dr Bright ok. In the US the Game Genie and Game Shark are different things.
It's amazing how simply you explain complex concepts.
I do not understand most of the things happening on screen, but this still gives me a lot of motivation and it is just fun to watch. Thank you for your amazing work.
I hope sometime I will be able to do the same
Greetings from Russia
Phileas Fogg I found one of ours with a brain like this too, check him out, it will be incomprehensible but enjoyable)
ruclips.net/user/ClusterMeerkat
I watch him and this one.
Nicely done video. This is the only channel I watch as soon as I get a notification, even if it's the middle of the night (3am now)
If it's German and says "V1" on it, that's a Baaaaaad sign.... ;-)
Only if it's flying towards you
As usual, awesome content. I just have little knowledge in security and you always manage to dig into new subjects, with great teaching. Keep it up! You are my best YT channel so far ;)
Your username on Windows: "Debian"
Suuuuuuuuure! lol
And here I thought we wouldn't get a video on Friday, always nice to see a new video from you
+Wilhelm Buchmüller sorry, was a bit late today :)
Appreciate the narration. Power glitching is amongst the impactful timing attacks (when done right). Looking forward to more side channel attack videos.
This is like watching Neo in the first couple of minutes of "The Matrix". Awesome videos! Keep it up.
That was insane, really. Great stuff in this channel ^^
"There is no way we can ever get to that code...thatswhatasoftwaredeveloperwouldsay!" bahahaha :-D
You should also check the BoR fuse value programmed on the Arduino to determine the threshold for power glitch.
When I design my own boards, I shall put bigger caps on board and faster brown-out detection.
...then an attacker desolders your big ass caps ;-)
Nah, just put a good power supply in front of it
@josefaschwanden1502 Whatever you do, if someone wants to do serious power glitching they will rip out your PSU and all the filters and power it off an FPGA as in this video. Heck, they could rip out the important chips and put them on a custom board if they so wish
So basically somebody would look at it and swap the cap for a smaller cap.
I highly recommend using a MOSFET instead of this converter for the power, because FPGAs are really not made to supply current and a MOSFET is only controlled by voltage
I really like these hardware-side videos, I hope there will be more in the future
Damn I get amazed every time you come up with a solution I wouldn't dream of
I get chills from almost every video of yours. When the flag popped up it felt better than frisson. This stuff is really really cool.
I am glad you managed to make your project work on an FPGA, it is a really fun device to play with. As a side note, that was absolutely overkill there :P Please look for 555 circuits: in monostable configuration you can generate a pulse when you press a button (negate the logic to generate a "negative pulse"), or astable configurations (periodic pulse), with a potentiometer as the interval selector. Btw YOUR VIDEOS ARE AWESOME, but you just got dropped into my speciality :P Btw2, the minimum V you can get from a BJT transistor collector is 0.7, because it acts as a diode regulator when no current is passing through it. You will have to add a transistor serially connected with the supply to short it as well, and to annihilate that Vout.
Actually I think your voltage drops down to 1.4, because a transistor is like two diodes connected back to back.
Wow, thank you for that information! That's the first explanation I got!!
a 555 can only generate monostable pulses down to 10us
Omg. I just ordered my first FPGA board. You are awesome mate. I love your channel.
No need to take out the controller of the arduino for serial communication. Just connect reset to ground!
I'm not sure what you mean? How would you want me to have it wired up?
You took out the ATmega of an arduino to use it as a handy usb-to-serial-adapter. As I said, you can leave the ATmega in, but silence it by putting a jumper cable from GND to RESET. It will then behave exactly the same way as in the video, with the exception that you do not risk bending any pins. You can read more about it by googling "arduino usb to serial" for example.
Like here: oscarliang.com/use-arduino-as-usb-serial-adapter-converter/
Man, I love your videos!
and this one was especially good!
the reenactment at the beginning was a very creative idea
and you explained the programming very well with help of the nice graphical representation.
Thanks so much for your videos!
I love the creativity that can be put into hacking :D
I mean, damn. Forget about being a reverse engineer and a hacker, acting is clearly your future :D Great video, by the way.
U make these look effortless....awesome content....
In my understanding, the "initial" keyword only tells the simulator to initialize some regs to some values, not initializes these regs at power on.
Ayyyy yooooooooo
This is very *Cool*
🔥🔥🔥🔥🔥🔥
In some cases we need the pin from flash IC too along with reset pin of the CPU.
The level converter circuit is meant for signal level conversion only, but not for power.
I would just use a MOSFET which is connected to the power rail of the target board to do the job.
+Tsz Lam Cheung thanks for the valuable input! I have no clue what I am doing. I knew I could use a mosfet though, but didn't have one
BJT will do the job too
But it works eventually, who cares XD :)
You need something fast & powerful, which actually can be a challenge. What you see on the scope is not energy from the capacitors (otherwise you would see a capacitor discharge curve --> not constant) but rather your transistor acting as an additional load, resulting in a voltage drop. Two things to try: add more resistance into the power line (but low enough for the board to run fine) or a more powerful MOSFET with a gate driver.
You studied at TU? I'm there too 🤣. just recently found your channel, love your videos 👍
I am having a motivational blast to become like you. I think that is your motive too
KREOSAN!
I believe we can think of this glitch as if our brain doesn't have oxygen: then the brain will get destroyed, but if we are quick enough we still survive. Same here, just with a board, I think :)
Cool video!
You can use the delete key to delete characters to the right of the cursor. It's like the reverse backspace.
Awesome! Would it be possible to cause the glitch also with a second arduino instead of the fpga?
Not really with an Arduino, as it's not fast enough, but with some electronic engineering skills you could design a cheap ass board for this kind of powerline attack. I mean, who the hell wants to spend that much money for an FPGA dev board
Maybe with a timer.
very impressed as always
This is way more complicated on a more advanced MCU however, such as an ARM based one where you have interrupts for virtually any hardware fault. It would be almost impossible to glitch skip a few instructions without ending up in the fault handler rather than the next instruction.
Easier to preload the counter from the switches and decrement it, detect 0 count.
Mr. LiveOverflow can you explain why you said "so a transistor" at 3:06 or give me a link to a page where I can look it up?
"I want to use a single wire as an output of the FPGA to control an ELECTRONIC SWITCH that turns on or off the power supply - so a transistor".
A transistor is just an electronic switch.
oh...didn't even cross my mind...thanks
Thank you so much for the video. I understood very well the subject. Thanks a lot!
awesome video as usual.
I would never dare to stick a rogue USB device in my system 😄 You have bigger nerves than I do🤪
I thought I knew hacking but with this channel, mate I'm a crap still trying to start learning hacking
I had this problem by accident, and my microcontroller behaved crazy. It is very hard to debug and the controller didn't have a BOD (brown out detection)
When you have a BOD, you can set it up so that the controller resets when the voltage falls under a specific value. That would prevent that attack.
10:57 A computer of mine seems to have something like this wrong with it. The breaker to my room always trips and after many power cuts the computer started having weird seemingly firmware related issues (fan control, booting).
Adam Messmann that shouldn't be the issue, as the battery would still be transferring power as far as I can tell
oh shit this is awesome
also nice intro
would be great to see what the actual FW dump from the chip looks like
I wonder if you could just solder on the JTAG connection for an AVR debugger to get a memory dump
I guess the first thing I would have tried is reading the flash contents of the microcontroller.
It's encrypted, and only gets decrypted by the custom bootloader
@CelluloidRacer2 Ok, didn't know that they encrypted their code. The usual way to go on an Atmel controller would be to simply lock the flash, but I guess they want you to still be able to use the Arduino afterwards.
You can still use the Arduino after you lock the flash, erasing the flash will remove the locking. This stops you from reverse engineering the code, but without bricking the chip.
@marcandreservant8824 Ok, didn't know that since I'm not that familiar with Atmel chips.
At first I was like "WHY use an fpga for that?" and then saw the display and buttons and was like "oooohhh, looks nice". Haha
Oh, Kreosan, didn't expect to see him here))
Could you have stripped your USB cable, cut the +5v wire, and connected them back together but with the glitch circuit in the middle?
That is an Arduino Nano, you can connect it to your computer and then open the Arduino IDE, there you can look at the code inside that chip's memory
Nope. You cannot.
9:16 Why does he use another Arduino board to talk to the Arduino UNO? I mean, he could just use the USB port on the Arduino UNO. Or did I miss something?
Icky! :-/
Is there a huge NOP sled in there?
I'm surprised it does anything sensible at all on a brownout glitch :-)
Do you have any recommended URLs/sources for this kind of attack - especially those which explain the detailed mechanism(s) of how it is effective?
Thanks, another amazingly good video! :-)
Bit late to the party, but from my understanding in VHDL you can't do counter = counter + 1 as this will count uncontrollably, rather than doing one increment. I believe the better way of doing it is having 2 different counters (counter and counter_new) and you update the counter_new value to the counter when the clock is low, so that this infinite loop never happens.
mhmhmh... yeah I don't know! :D
Do you think my counter might glitch sometimes?
Yeah I think so, because in VHDL you are not adding to a variable. Implementing a "+1" will make an adder circuit that is connected to logic 1... making an infinite counter. Does that make sense?
the only limit is how quick the adder circuit is and how many times it can loop before it changes into a different state.
I wrote Verilog, not VHDL :D but I think there is a bit more "magic" to it.
The Logic Blocks don't just directly connect, there are Flip-Flops involved because I react to the clock edge etc. This counter is a typical VHDL/Verilog example and it would surprise me if that glitches.
but I'm also not sure.
AHH ok, I think maybe when I have written it in the past I have done things asynchronously and have had that issue, do you have a copy of the verilog you wrote? I would like to take a look at it
It's in the description of the video :)
gist.github.com/LiveOverflow/cad0e905691ab5a8a2474d483a604d67
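Whether `counter = counter + 1` "runs away" depends on whether the assignment is clocked. Here is an added example, my own code and not the gist linked above, of a registered pulse-after-delay counter of the kind this thread is discussing, with an explicit synchronous reset instead of `initial`; the module and signal names, the 32-bit width, and the testbench's 100 MHz clock and 10-cycle delay are my assumptions.

```verilog
`timescale 1ns/1ps

// Added example (my own code, not the gist from the video). Module and signal
// names are assumptions. The "+1" below is an adder, but its result is captured
// by flip-flops only on the rising clock edge, so the count advances by exactly
// one per cycle and cannot run away.
module delay_counter #(
    parameter WIDTH = 32
) (
    input  wire             clk,
    input  wire             rst_n,   // active-low synchronous reset (instead of `initial`)
    input  wire             start,   // one-cycle start request, e.g. from a debounced button
    input  wire [WIDTH-1:0] delay,   // number of clock cycles to wait
    output reg              pulse    // high for exactly one cycle when the count reaches delay
);
    reg [WIDTH-1:0] counter;
    reg             running;

    // Every register assigned in this block is a flip-flop clocked by clk.
    // Nonblocking assignments (<=) use the value counter held in the previous
    // cycle; nothing feeds back combinationally.
    always @(posedge clk) begin
        if (!rst_n) begin
            counter <= {WIDTH{1'b0}};
            running <= 1'b0;
            pulse   <= 1'b0;
        end else begin
            pulse <= 1'b0;                      // default: the pulse lasts one cycle
            if (start && !running) begin
                counter <= {WIDTH{1'b0}};
                running <= 1'b1;
            end else if (running) begin
                if (counter == delay) begin
                    pulse   <= 1'b1;
                    running <= 1'b0;
                end else begin
                    counter <= counter + 1'b1;
                end
            end
        end
    end
endmodule

// The runaway counter the commenter describes is the combinational form: no
// clock edge in the sensitivity list, so the adder output feeds straight back
// into its own input and the loop oscillates as fast as the logic settles.
// Synthesis tools flag this as a combinational loop.
//
//   always @(*) bad_counter = bad_counter + 1;   // do not do this

// Small self-checking testbench (runs with e.g. iverilog + vvp): one start
// request must produce exactly one pulse. Clock period and delay are constructed.
module delay_counter_tb;
    reg clk = 1'b0;
    always #5 clk = ~clk;                      // 100 MHz clock

    reg         rst_n = 1'b0;
    reg         start = 1'b0;
    reg  [31:0] delay = 32'd10;
    wire        pulse;
    integer     pulses = 0;

    delay_counter #(.WIDTH(32)) dut (
        .clk(clk), .rst_n(rst_n), .start(start), .delay(delay), .pulse(pulse)
    );

    always @(posedge clk) if (pulse) pulses = pulses + 1;

    initial begin
        repeat (2) @(posedge clk);
        rst_n <= 1'b1;
        @(posedge clk) start <= 1'b1;
        @(posedge clk) start <= 1'b0;
        repeat (40) @(posedge clk);
        if (pulses == 1) $display("OK: exactly one pulse");
        else             $display("FAIL: %0d pulses", pulses);
        $finish;
    end
endmodule
```

The point of the registered form is that the adder's output is only ever sampled at the clock edge, so there is no path from a register back to itself without a flip-flop in between; the testbench stimulus uses nonblocking assignments so that `start` changes after the edge rather than racing with it.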
0:12 it's an Arduino Nano with black tape xD
I'm so familiar with it that I didn't need even a second to identify it xD
0:10 (Raises my hand) it's an Arduino
I hoped you would use serial output as the trigger instead of a button, then just measure the space between bytes and slowly move the threshold value for when to fire the trigger. It would be interesting to see if the author runs the test just before sending a byte, during it (HW USART), after, or somewhere in the middle of a delay.
I guess that way you could hide more secret messages into processor and show them one after one :)
How did you reflash the chip without gaining knowledge of the flag?
Encryption lol
Hi LiveOverflow, just wanted to let you know I love these videos, I will be starting Computer Engineering next year thanks to you! However I have a doubt. How is this power glitch able to delete a certain part of the ROM?
+Fabio Silva absolutely no idea. Probably some kind of hard reset that sets a bit that the code is bad.
Hey! Thanks for the reply :P Could you make a video explaining how to protect devices against these kinds of attacks you've been demonstrating? Because I read about it and don't understand almost anything and you explain really well! Thanks!
LiveOverflow how long does it take to solve a challenging CTF in most cases, starting from observing it and researching and other stuff until solving it?
+Kali H totally depends on the challenge. In the last gql video from the Google CTF I said that that particular challenge took me like 12h
But not a continuous 12 hours, separated, you can't stay on some CTF for a long time continuously.
+Kali H then you haven't felt the tunnel vision during CTFs yet
Well, you're right :) I just got started
Woah, this is awesome. I'd never believe this is possible. Could you do the same with just microcontroller instead of using FPGA? Are microcontrollers not fast enough?
I know this is 7 months old, buuut: you can even do it with some chip like NE555 and some circuitry :>
I'm not wizardry enough to pull that off :D
I have a very technical question so I hope you can help me Mr. LiveOverflow; HOW OFTEN DO YOU CLIP YOUR NAILS?!?!?
given that we can tell it's an Arduino and so it's an ATmega328P, why not just use avrdude to read the code out? Depending on the state of the fuses, this is a very real possibility. A simple: "avrdude -c avr109 -p m328p -b 115200 -P com1 -U flash:r:flash.bin:r" or the like, then decompile and read the assembly. Most likely the flag is stored in the .data section as a string. And even if it's not, you could simulate it, or patch past the infinite loop and re-flash.
Are you stupid? That's not how it works. You can't read memory back from an AVR microcontroller unless you have a specialized debugger dongle (AVR ICE). And even if you have that, the binary is encrypted. The decryption logic is in the customized bootloader. So how can you do static analysis? Or you can try to attack the bootloader? Good luck with that.
Wouldn't it be much easier to just use a NAND gate? Just add an inverter before the gate so pressing the button will trigger a short pulse when the two inputs of the NAND gate are equal for the time the inverter needs to toggle the output. You could add more inverters to change the width of the pulse
Do I have to learn assembly for hardware, or the Arduino-based IDE?
Actually a skilled software engineer would say export the binary and edit out that part of the code. (or similar)
thats amazing!
Poor arduino-compatible-board-chan
I want to remove the power button of my computer so that my PC turns on directly when I turn on the power supply... can you help me with it?
The power button shorts 2 pins of your motherboard, you could try to short them out with a jumper, but I don't know if that's a good idea.
I like to imagine this is Prismo from Adventure Time
I love your channel :)
2:08 Kreosan. Ukrainian blogger. I saw this video.
what people in 1960 did with 2 transistors, people in 2020 do with 10 million transistors. takes an fpga to implement a monostable multivibrator.
It happens because these kinds of boards are badly manufactured. ALL of my Arduino Nanos died after flashing different codes. They just don't last
12:24 Aaachhh!!!! Magic Smoke Escapes! :'(
Every electronic runs on smoke. When you let the smoke out, it stops working. - Someone on Arduino forum.
Very nice video. Now to do this to a nintendo switch.
coding fpga's was my favorite part of college so far :P
Sounds interesting as hell. I still don't really get it, but I am intrigued.
1:23 Well, hate to burst your bubble, but I know how, you just need to do memory fuzzing, so that you can make the RAM change, and then the variable "locked" is no longer a Boolean of "false"... ;)
Man, you're so so good. Really, I love your channel & videos, they give me a high quality of standing up to all things in my life
Thanks very much, you're the best ❤
Rule no. 1: never ever plug a random found USB stick into your personal computer
just like the xbox 360 rgh :D
You say that they are not realistic, though if I'm not mistaken that has been used to crack the Xbox 360 as a softmod
Why an FPGA and not a microcontroller?
faster. But for this simple example a microcontroller would have probably worked too. I just wanted to do it with an FPGA to practice more with it.
You erased the code and some seconds later the nano continues printing lock on the screen???
I was wondering the same thing. He never explicitly said that he was able to recover what was on it which was the reason for the attack.
he didnt erase the code and he never said that.
Nice video 👍
there are modchips for the Xbox 360 that also use glitching
Do you live in germany?
Would this be how the Xbox 360 reset glitch hack works?
github.com/gligli/tools/blob/master/reset_glitch_hack/reset_glitch_hack.txt
Cool video, but you really shouldn't use initial for resetting the values in verilog, heck it shouldn't even be synthesisable.
Are you from Germany or do you use a German VPN?
Would be nice if ;)
Can you really not hear the German accent?
Isn't that an Arduino Nano?
I don't know if you heard this, there's a video on this topic because USB GND is tied to Earth thus you shorted the 5V from arduino to the Earth ground thru your scope. Blowing the arduino voltage regulator. EEVBlog video here : ruclips.net/video/xaELqAo4kkQ/видео.html
nice intro
Get a cheap AVR ICE and read the firmware of the chip; you can also step through the code execution.
Ah reminds me of the Xbox 360 glitch chips
I used an Arduino Uno as a USB-UART interface without removing the ATMEGA chip... just leave the RESET triggered: /dev/ttyUSB0 will vanish and /dev/ttyUSB1 will appear as a sniffer at RX/TX pins.
You know that’s an arduino...
right?
1:23 You *REALLY* _hate_ software developers, don't you? :(
No why?