Really tough guy. 99% would have given up. Only 10 players solved this challenge (the rest being mostly HW guys). So, well done, and an impressive show of technical and fast learning skills.
I missed the inscription phase, is there a way to join the challenge (cause you know the arduino has a "special" bootloader)?
The challenges (most of them) are on Riscure's Github repository. You can play with your own board. The encryption/authentication layer was removed.
Great! Thanks for the reply.
Funny thing about this, he can get banned for sharing the answer. Not only 10 people solved this challenge, but now thousands+ know the answer. Job well done
@@xorxpert It is no longer an event. The challenge and solution are available for education or personal challenges. If you don't want to know the solution, don't search for it.
Chatting and ranting over ctf challenges at 04:30 AM - I feel you :D
I feel your pain here man, I was implementing some frequency analysis for the crypto pals challenges and realized like 8 days in that I was trying to run the attack against the hex of the potential plaintext instead of the actual potential plain text. I was ready to throw that laptop off the building.
Thank you for sharing your experience. The constant setbacks are an integral part of most projects I embark upon, so it was refreshing to see them be someone else's problem for a change. ;)
Your final line is what makes it all worth it for me: if I do something outside of my comfort zone, it's a living hell, but I learn something from it. Thank you for giving me a fast track through this project, and please know that I have never seen another person deal with such failures like I do... until today.
+RedDragonflyxx everybody is just always trying to hide the failures. It took me a long time to feel comfortable showing my struggles this publicly. We always try to pose as perfect professionals that know everything.
I hope I can show that struggling is no weakness :)
LiveOverflow Respect!
2:42 "This is AES. Fuck my life" .. you made my day 😂😂😂😂
Looking back at this old video from years in the future as a watcher of your current channel content, I really liked the rawness of this old one with a few cuss words thrown around :)
It's great to see the entire journey of how you managed to solve the challenge and kept persisting with it. Most of the writeups these days just make you feel stupid as they already seem to know what has been done.
I really love the way you explain the hardest challenge to achieve the target. It's so fuc*ing hilarious... and that makes me think twice about doing the same thing you did...
Kudos for not giving up!
Great video man, love your presentation style and sense of humor.
I was not aware of the existence of such highly developed open source hardware for SCA on AES. Very impressive and puts quite a new view onto embedded security primarily protected by encryption. I assume to make it also work on e.g. Serpent or Twofish the hardware is sufficient and just the software needs to be adapted?
BTW, the more frustrating it gets, the higher the learning experience when finally overcoming the issue. So being frustrated is an excellent, albeit unpleasant, way to improvement and personal growth.
Keep it up! I really love your videos. I am a web developer so I only scratch the surface in your videos but I must say I've been learning a lot from you!
Wish I had this much patience! Great job
100 points .... for so much work .... wow xD
"Thats the awesome thing about university, you can get access as well as help & advice" - Perks of not going to a US college
come to Germany! :)
I'm seriously trying to figure out how to do this. Any tips? I failed out of college a while ago, so should I take some classes here to improve my GPA first?
Thanks.
Not really. Majority of decent US universities have this setup. I had to ask around and got a similar setup.
I've been there. But remember not to get locked into one set way of doing things. A problem that you encounter may require a completely different outlook from things you have done in the past. Try not to get yourself locked into attacking them from the problems you have solved; the skill you have really learned is how to solve.
Points ain't everything. At least you have learned something new.
Great video, great explanation. Keep up the good work!
Cool 33c3 wristband btw :)
Good work... If anyone had to start from scratch all your work will help us to have a jumpstart...
Joe Grand has an excellent explanation of side channel attacks in general using his own board and a 4 digit pin, and how 4x4x4x4=1024 possible calculations compare to 4+4+4+4=16 possible solutions while using side channel attack techniques.
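The per-digit side channel mentioned in the comment above, as an added toy simulation (not code from the video, the comment, or Joe Grand's board). It assumes a 4-digit PIN with digits 0-9 and a device whose PIN check stops at the first wrong digit; the "leak" is the number of digit comparisons the device performs, standing in for the timing or power difference a real board would show. The constant-time check is the mitigation: it performs the same work for every guess, so the per-digit search gets no information.

```python
from itertools import product

PIN_LENGTH = 4
DIGITS = "0123456789"


def early_exit_check(secret, guess):
    """Leaky check: stops at the first wrong digit.
    Returns (match, number of digit comparisons performed)."""
    compared = 0
    for s, g in zip(secret, guess):
        compared += 1
        if s != g:
            return False, compared
    return True, compared


def constant_time_check(secret, guess):
    """Hardened check: always touches every digit, so the comparison
    count (the timing/power it models) does not depend on the secret."""
    diff = 0
    compared = 0
    for s, g in zip(secret, guess):
        compared += 1
        diff |= ord(s) ^ ord(g)
    return diff == 0, compared


def brute_force(check, secret):
    """Exhaustive search: cost grows multiplicatively, 10**4 worst case."""
    guesses = 0
    for combo in product(DIGITS, repeat=PIN_LENGTH):
        guesses += 1
        guess = "".join(combo)
        if check(secret, guess)[0]:
            return guess, guesses
    return None, guesses


def side_channel_search(check, secret):
    """Per-digit search driven only by the leaked comparison count.
    Cost grows additively: at most 10 guesses per position, 40 in total.
    Returns (pin, guesses); pin is None when the leak carries no information."""
    known = ""
    guesses = 0
    for pos in range(PIN_LENGTH):
        counts = {}
        for d in DIGITS:
            guess = (known + d).ljust(PIN_LENGTH, "0")  # pad unknown digits
            guesses += 1
            ok, compared = check(secret, guess)
            if ok:
                return guess, guesses
            counts[d] = compared
        if max(counts.values()) == min(counts.values()):
            return None, guesses  # every digit looked the same: no leak
        # The digit that survived position `pos` forced one extra comparison.
        known += max(counts, key=counts.get)
    return None, guesses


if __name__ == "__main__":
    secret = "7391"  # constructed sample PIN
    print("brute force   :", brute_force(early_exit_check, secret))
    print("early-exit    :", side_channel_search(early_exit_check, secret))
    print("constant-time :", side_channel_search(constant_time_check, secret))
```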
this is AES.. fml.. couldn't stop laughing ^^ - btw: love your channel. Stuck here for days :D
10:41 the way he said that made my day
Love Berlin and love your vids. Really interesting power analysis, keep up the good work! I have to see if my uni has such toy...equipment too.
Well done - persistence! (And knowledge of ground loops!)
11:30 "...I was about to jump down from the next building" I didn't know whether to laugh or cry for you. I chose the former. What a pain. At last... Interesting stuff 👀👌
Very nice, makes you wonder what ridiculous scale our SIGINT staff are capable of pulling off.
Thanks for sharing and not giving up. Inspirational :)
Can you pleeease make a video tutorial on how to extract authentication keys from 3G/4G SIMs?
Could you please answer how you capture the power traces and transfer them onto PC as you're not using the cw capture board in this experiment?
GOAT in making! awesome!
Hi,
Can somebody tell me the exact wiring between the Arduino Nano and the ChipWhisperer? Honestly I'm struggling, I cannot find the power trace of the AES encryption. There is a simple AES impl running on the board.
Dude... this is so awesome. Most videos focus on problem - most successful attempt - solution methodology.
While watching I've actually felt your pain, but still it was so satisfying to watch you overcoming a shitload of small hurdles.
Just as if I was looking at myself in my random attempts to do stuff.
Sincere respect and extra 50 points from me for being stubborn enough - you've earned it ;d
I'm really impressed!
Heya, not sure if you will end up reading this, but if you remember, would you mind giving some more detail as to how you hooked up the nano to the chipwhisperer, specifically, the power/measurement bits?
It looks like you only used one wire for the measurement pin, but would you need some form of reference voltage? Did you wire the Nano and the CW to the same ground, or was it enough that they were both powered by the same PC, and had a common ground via that? Or did I miss something, and you used a differential probe? Thanks!
I'm not 100% sure because this was a loooong time ago. But I think I measured the voltage across the shunt resistor. So GND and VCC before and after the resistor. If I didn't do that, then I definitely hooked GND to Nano GND.
@@LiveOverflow Thank you! Will have an experiment :)
For anyone else that may come across this comment, I figured it out! I put a 100 ohm resistor between pin 4 and the pad, then lead one wire from the load bearing side of the resistor to the middle measurement pin on the CW, and another wire connected from arduino ground to the ground pin of the measurement area on the CW.
However, I was still getting crappy measurements, nothing like what was displayed at 10:53. I tried all sorts of things to improve my results (messing with the oscilloscope, different resistances, removing decoupling capacitors), but nothing seemed to work. However, after lifting pin 6 of the 328p (which is _also_ VCC), I started seeing *much* better output. It might be that the power was bypassing the resistor entirely via that pin...?
I still haven't managed to extract the key yet, but hopefully this helps anyone else who has this issue :)
Awesome to hear you haven’t given up yet!!
@@LiveOverflow I pulled it off! Thanks for the help. I'm going to give fault injection a try next :)
mind sharing that IRSSI setup?
great video btw :D
Hey, I'm also studying at TU Berlin. But I'm studying mathematics :)
They thought Kevin Mitnick could whistle into the phone and set off nuclear bombs... they were wrong, this guy can.
In the chips you buy for your computer, we make SCAing AES a little more difficult.
Awesome video man!
Did you need the oscilloscope or was it just helpful for debugging?
This is advanced. You're amazing.
To find out the secret key of any chip, even new-generation processors like Intel or AMD or processors on smartphones, what equipment is needed?
?
Congrats ! good work and spirit, thank you for sharing this !
What is this chat application he is using at 13:23 ?
I would say IRC. There are a lot of clients for it, especially under Linux.
Looks like Irssi, a command-line IRC application.
It’s weechat
Awesome video, very informative! I was trying to reproduce this challenge without the help of ChipWhisperer, however I noticed that every time the serial connection is open, there are tons of noisy spikes in the power trace. Did you experience a similar situation? Thanks!
It has been a long time. But I think I saw stuff like that too. Did you connect your measurement directly in between the VCC line to the chip?
Did you ever try HackTheBox?
@LiveOverflow One question: did you do your bachelor's in TI or regular computer science?
I might consider your master's as an electrical engineer and wanted to ask whether it is even an option :)
“Angewandte Informatik” as a dual study program. IMO it doesn't matter at all what you do. The main thing is that it motivates you to engage with the subject beyond the course content and that you have fun!
LiveOverflow Thanks :)
Well, sometimes I'm not sure whether computer science wouldn't have been better than electrical engineering, especially since I found your videos ^^'.
2:02 your computer good?
Holy shit, 325 dollars for a board like that?
I can't even afford IDA (nor binary ninja, nor hopper), and I do reversing challenges with objdump and radare like some poor fuck, I have probably spent about 50 bucks total on electronics and necessary tools as a student, I find this amount unfathomable.
I understand, I was a student once too. Now I'm lucky to work a nice job and these things become affordable. And I also now understand why they cost that much. I still can't quite afford a full IDA license, but binary ninja, hopper and similar tools are very affordable now.
Good tools are worth a lot, but you can still learn a ton without them. To be honest I can't even use them to their full potential. Keep learning and in a few years, when you get out of school, you have great prospects in finding a good job because you are ahead of the people your age. And then you can buy the toys too :)
Thanks for the encouraging words. However I don't consider 100 dollars to be very affordable :( I could pay that, but it'd make a real dent on my quality of life for a long while. Sometimes I wish I won the "security lottery" and found a bug worth a few k$, as that would greatly impact me.
To be fair, the Chip Whisperer does have a pretty nice (and not cheap) Spartan-6 FPGA on it, plus Colin O'Flynn put a lot of work into developing both the hardware and software for this tool.
As someone who just chose his Uni for his CS Masters: Why TU B? Isn’t the HU the better choice? I chose another Uni entirely though
The honest reason is that I was lazy regarding the bureaucracy at university, so I went to the uni where some friends went, so they could tell me which forms to fill out.
The Arduino Nano is a 328p after all, which can run at 3.3V. Unless the fuse settings only let it start later. Trying to edit those via ISP would then be conceivable.
I love your channel, though you make me look like a super noob and you look like some technical God. Amazing, always impressed. Super geek I wish I was as impressive :)
These videos man, love 'em even though it's hard sometimes - keep learning mate :-)
Great video, but all that level converter stuff wouldn't have really been necessary with an Arduino. Just put a voltage divider between Arduino TX and ChipWhisperer RX, and for the other way around you have to do nothing because Arduinos usually still detect anything around 3V as "high".
Nice work. Haha I feel your pain. You had me laughing several times. Can relate. Cheers!
LoL this logic analyzer issue you were having reminds me of an issue I had trying to get the CRC code to work on a chip I am testing... It turns out the C to Python conversion was wrong in the sense that I had to take into account that the variables were not 16 bits, so I had to mask everywhere I could to get it to work... Took me almost a whole day testing every possible thing to figure out this was the issue lol... I should've just programmed an Arduino with the original CRC calculation function and hard-coded it from the start (which was what I did)... The moral of the story is: the more you fiddle with things, the higher the chances of you making dumb shit, so always verify what you are doing before moving on...
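The masking bug this comment describes, as an added example (not the commenter's code): a CRC-16/CCITT-FALSE loop ported from C, once as a naive port that trusts the C `uint16_t` width Python does not have, and once with the `& 0xFFFF` masks that replace it. The input `b"123456789"` with check value `0x29B1` is the standard test vector for this CRC variant; the polynomial and init value are the CCITT-FALSE parameters, not values from the commenter's chip.

```python
def crc16_ccitt_unmasked(data, poly=0x1021, init=0xFFFF):
    """Straight port of a typical C loop that relied on uint16_t overflow.
    Python ints never drop bits, so everything shifted past bit 15 survives
    as garbage above the real CRC. The low 16 bits are still right, which is
    exactly why the bug is so hard to spot by eye."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = (crc << 1) ^ poly
            else:
                crc = crc << 1
    return crc


def crc16_ccitt(data, poly=0x1021, init=0xFFFF):
    """Same algorithm with the mask the C compiler applied for free."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def pack_crc(crc):
    """Serialise the CRC as the two big-endian bytes a chip would expect.
    Raises OverflowError when the value does not fit, which is how the
    unmasked port usually fails loudly for the first time."""
    return crc.to_bytes(2, "big")


if __name__ == "__main__":
    sample = b"123456789"  # standard CRC check-value input
    good = crc16_ccitt(sample)
    bad = crc16_ccitt_unmasked(sample)
    print(f"masked   : {good:#06x}")
    print(f"unmasked : {bad:#x} (low 16 bits {bad & 0xFFFF:#06x})")
    try:
        pack_crc(bad)
    except OverflowError as exc:
        print("unmasked value cannot be packed into 2 bytes:", exc)
```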
I think I'll stick to software for now :P Good job you didn't give up and succeeded to ph0wn the challenge
8:58 a programmer's life
you had me at "completely fucking wrong"
I guess you're studying IT security or have already finished it? If so, at which university?
Ok, Berlin, should have waited until the end :D
So AES is shit?
All SanDisk flash drives using AES 128-bit can be decrypted this way?
So there's not much difference if you use AES 128-bit or 1024?
wow wow ... better than Mr. Robot Series .. well done
You did it!!
Hello, I'm a researcher from BGU and I would like to contact you, is it possible?
you just did
WOOHOO ! :)
I'm trying to do CPA on some microcontroller and I would like to DM you and ask you some questions :D
🧠 killing my brain
Have you done a video on bypassing 'Control Flow Guard'? Just an idea, keep up the good work mate :)
+Muhaa Haloa nope, not yet. But I'm sure eventually I will reach that
What I feel when I watch this channels videos -> ruclips.net/video/FktI4qSjzaE/видео.htmlm10s
FYI you can use 12:10 instead.
No pain, no gain
Never forget to smash that Like Button guys!!!! Awesome videos bro.
dude you rock!
You're awesome.
Awesome.
FYI, all that level conversion you did was mostly pointless. You can easily take the 3V signal and put it into the 5V pin and it should work just fine. As far as the other way around (5V to 3V), just a single series resistor should do the job. They also make ready-to-use logic level converters just for that purpose, but I guess that was easier for you.
+OtakuSanel thanks! I never had done it before. I didn't wanna wait on new parts. Didn't try the other idea. I'm sure it was not great what I did, but it worked :D
As long as it works lol, that's all that really matters. Just a bit more complicated than it needed to be. Is there a reason you went with that scope over the DS1054? 2 channels tends to be very limiting, especially when you want to do any kind of communication protocol analysis. Granted there are other tools for that like a Saleae logic analyzer, but still.
+OtakuSanel I have an 8 channel saleae for that reason. And the DS2072A can be jailbroken to have very high sample rate :)
The 1054Z can as well and it's less than half the cost but twice the input channels! Unless you plan on working with RF voodoo magic I really don't see a reason why you would need such a high sampling rate. Is there any particular use for it or did you just want the fastest that was within budget? Also be aware that the max sampling rate is ONLY achieved when you're using a single channel under certain modes. If you use the 2nd channel the rate gets divided in half as it's multiplexed, or using high-res modes or various other configurations it won't actually go that fast. You may also want to look into the Bus Pirate, you may find a use for it.
+OtakuSanel I also got a buspirate :)
So I got buspirate, Saleae, busblaster, microcontrollers for a few more custom stuff, FPGA dev boards for even faster custom stuff and all I missed was a high sampling osci. And I had experience with it from university. So as I didn't have a lot of experience with other oscilloscopes I got the one I knew I would find helpful :)
But I agree, maybe I would never need that speed, and a 1054z or a new keysight would have matched my usage better :)
normal people: "wow side channel attack very cool"
me: "wait liveoverflow has an so? tell me more"
Seriously, this introduced me to a tool I hadn't heard of before and explained side-channel attacks in greater detail. Keep making these videos! But also when do we get to meet your SO
Uhhhhhh, Everything's going over my head.
ur a fucking god srsly!! hoooly shit what a smart fucking guy!! :O
That's why I never was hacking. I just don't have enough patience to fiddle with things.
Maybe it was only 100 points because they wanted to have such a challenge in the CTF, but it is actually pay to win, so you do not get such a huge amount of points if you have all the hardware and stuff.
respect. =)
Awesome.
RIP arduino 13:40
Soo AES is F#$! UP?!!!!
Yeah it was difficult, but you had never tried it before. You had no reference point so it involved a lot of frustrating trial and error. But see it from an experienced HW attacker. It would be easily done in an hour.
so relatable xD
#thescakewasalie
Incredible sir!! You inspire me to dig more and more! Can we connect on social media!
Let's say the guy establishing the code gets unbelievably drunk, jams on the keyboard and thereby establishes the key with no memory. It seems to me that is secure....
This is AES. Fuck my life, too :))) I'm using a Sakura-G board :(
Are you Chinese? Haha, your voice sounds a bit like it.
No, he's German.
bro remove capacitor
exc
Cwlite is better