A lot of the ringing you're seeing on the scope will be due to using the ground flylead on the scope probe - for this sort of work you really need to use an ultra-short (
Thanks Mike, appreciate the suggestion! I have those short spring ground connectors for the scope. I’ll test that out to see how it looks. I was curious about the ringing but more concerned about the capacitor decay time so didn’t chase it.
With enough di/dt it becomes near impossible to avoid without differential probes.
Really enjoying this series! Keep it up.
Glad you enjoy it!
Amazing work. Been following for a while but am eager at how close you're getting.
I'm eager too! Will see what I can figure out this weekend.
One security protection against voltage glitch attacks is to manufacture a void in only some of the layers of the PCB under the chip, with a Schmitt-trigger-like circuit in it to provide hysteresis on the power to prevent an undervoltage condition; power only gets to the pin if it is high enough and is cut off completely when it drops. You then have to unsolder the pin in order to perform the glitch, making it impossible to glitch in the field when under a time constraint. This is particularly difficult if the chip is a BGA (many have a central area without pins) where you cannot access the power pin directly and have to unsolder the entire chip.
Nice bling! A JTAG connection would be amazing :)
Will be interesting to take a look at the bootloader once the factory flash contents are dumped.
Though it might be encrypted, so you'll need to dump it from memory after boot if so.
Definitely want to get the boot loader!
Love watching the work go into this, well done keep it up!
Appreciate that
Dude, I love these videos so much!! Great and easy to understand videos. Just wish they weren't spaced out so much.
I’m trying to balance crippling perfectionism with increased frequency of posting. 😀 Glad you enjoy them!
Interesting stuff! I've reverse engineered / repurposed some stuff myself in the past, but I'm mainly doing YouTube videos on fixing electronic stuff these days.
It’s all related I feel, getting better at any aspect helps with the others. And it’s just fun and fulfilling figuring out how something works and then fixing it!
@@RECESSIM Totally agree. I used to love figuring out how things work. Those smart meters are a bit sinister how they can remotely disconnect. I wonder if people will create firmware so they are not as accurate at measuring the usage in future.
@@BuyitFixit The world is a crazy place, who knows what creative things might come about… 😀
Sweet. Thanks for taking the time to do this. Can’t believe you don’t have more likes
I understand how glitching the processor during the serial I/O operation could reset a pointer and start it dumping program memory, but the I/O function is almost certainly looking for a null to terminate transmission and the program memory is certainly going to have a good number of zero bytes in it, so won't it stop prematurely?
That’s what I would have assumed too, but it must be causing a different issue because it’ll loop through the ENTIRE flash multiple times.
@@RECESSIM I was assuming the application code was written in C, but perhaps not? Since it's a high reliability/security application it may be something like Ada that uses a length word instead of null termination.
@Arpad Toth printf is able to print numbers in hex using the %X or %x format string.
It might be that the glitch is not resetting a value to zero, but perhaps to all 1's instead, and if the value that got reset happened to be a "remaining count" value, e.g. in code like: `while (to_do > 0) { count = print_character(buf); buf += count; to_do -= count; }` (like what happens in _IO_new_file_write), then perhaps the glitch could result in the observed behaviour? It's really interesting watching the process of discovery here, and I'm impressed at the dedication shown to the cause!
@@gunderd It's beyond obsession at this point, like chasing my holy grail! :)
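The two explanations floated above (a NUL-terminated puts() that should stop early versus a length-driven write loop whose remaining count gets corrupted) are easy to compare in a small simulation. The following C is an added example, not code from the video or from the meter's firmware; the 4 KiB "flash" image, the greeting string, its address and the 16-byte TX FIFO chunk size are all constructed for illustration. It models both transmit styles over the same flash image, and shows that a fault which merely zeroes the unsigned remaining count right before the `to_do -= count` step produces a value near 0xFFFFFFFF, which is the "all 1's" guess seen from the other side, and then drives the loop around the whole flash repeatedly, past every zero byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 4 KiB "flash" image (hypothetical layout): a greeting string
 * at GREETING_ADDR with zero padding around it, the rest filled with
 * code-like bytes that also contain zeros every 256 bytes. */
#define FLASH_SIZE    4096u
#define GREETING_ADDR 0x100u
static const char greeting[] = "METER READY\r\n";   /* 13 chars + NUL */
static uint8_t flash[FLASH_SIZE];
static int flash_ready = 0;

static void init_flash(void)
{
    if (flash_ready) return;
    for (size_t i = 0; i < FLASH_SIZE; i++)
        flash[i] = (uint8_t)((i * 7u) & 0xFFu);               /* "code" bytes */
    memset(flash + GREETING_ADDR - 16, 0, 16 + sizeof greeting + 16); /* padding */
    memcpy(flash + GREETING_ADDR, greeting, sizeof greeting);  /* copies the NUL too */
    flash_ready = 1;
}

struct tx_result {
    size_t   bytes;          /* bytes that went out the UART */
    int      stopped_at_nul; /* 1 if emission ended because a zero byte was hit */
    unsigned wraps;          /* complete passes over the flash image */
};

/* Model of a NUL-terminated puts(): emits bytes until the first zero byte. */
static struct tx_result tx_puts(size_t start)
{
    struct tx_result r = {0, 0, 0};
    init_flash();
    for (size_t addr = start; addr < FLASH_SIZE; addr++) {
        if (flash[addr] == 0) { r.stopped_at_nul = 1; break; }
        r.bytes++;                                 /* uart_putc(flash[addr]) */
    }
    return r;
}

/* Model of a length-driven write loop of the shape
 *   while (to_do > 0) { count = write(buf, to_do); buf += count; to_do -= count; }
 * Byte values are irrelevant to it; only the remaining count matters.
 * The address wraps modulo FLASH_SIZE to model a bounded address space,
 * and `budget` caps the simulation so a corrupted count still terminates here. */
static struct tx_result tx_length_loop(size_t start, uint32_t to_do, size_t budget)
{
    struct tx_result r = {0, 0, 0};
    size_t addr = start;
    init_flash();
    while (to_do > 0 && r.bytes < budget) {
        uint32_t count = to_do < 16u ? to_do : 16u;   /* hypothetical 16-byte TX FIFO */
        for (uint32_t i = 0; i < count; i++) {
            (void)flash[addr % FLASH_SIZE];            /* byte goes out whatever its value */
            addr++;
            if (addr % FLASH_SIZE == 0) r.wraps++;
        }
        r.bytes += count;
        to_do -= count;
    }
    return r;
}

/* The subtraction at the end of that loop, with an optional fault that zeroes
 * the remaining count just before it. Because to_do is unsigned, 0 - count
 * wraps to a value near UINT32_MAX: a "reset to zero" that looks like all 1's. */
static uint32_t remaining_after(uint32_t to_do, uint32_t count, int fault)
{
    if (fault) to_do = 0;
    return to_do - count;
}

int main(void)
{
    uint32_t len = (uint32_t)strlen(greeting);
    struct tx_result a = tx_puts(GREETING_ADDR);
    struct tx_result b = tx_length_loop(GREETING_ADDR, len, FLASH_SIZE);
    struct tx_result c = tx_length_loop(GREETING_ADDR, remaining_after(len, len, 1), 3 * FLASH_SIZE);
    printf("puts():       %zu bytes, stopped at NUL: %d\n", a.bytes, a.stopped_at_nul);
    printf("length loop:  %zu bytes\n", b.bytes);
    printf("faulted loop: %zu bytes (budget hit), %u full passes over flash, stopped at NUL: %d\n",
           c.bytes, c.wraps, c.stopped_at_nul);
    return 0;
}
```

The faulted run never looks at byte values, so zero bytes in the image cannot stop it; it would keep going for about four billion bytes, which on a few-hundred-kilobyte flash is the "loops through the ENTIRE flash multiple times" behaviour described in the thread, whereas the true puts() model stops after 13 bytes at the string's terminator.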
very nice progress.
I guess the difference in wire length can also be viewed as an impedance mismatch between the ChipWhisperer output and the node you pull down; if they were matched, the longer cables should mostly add delay but should not change the pulse shape.
A little offtopic but I really like your "oscilloscope probe tip" like extensions for your power supply wires, they seem like a useful thing to have.
Looking forward to see what comes next.
Are the pulse parameters a "universal constant" for this type of meter or do you need to tweak it for each unit?
Since most capacitors have something like ±20% tolerance, which will alter the pulse shape, I would imagine that you have to slightly tweak them each time.
when you finally get this done your smart meter will be an antique! I enjoy watching though 8-)
The greatest gift they can give me is a new one to hack!
@@RECESSIM If they connect wirelessly, could they not just patch the firmware? They could be checking that the firmware is authentic on a regular basis for all you know. Microsoft did this with the Xbox 360: they patched the drive firmware with an update through either a game disc or an online update. It did not stop the hacker "c4eva" as he already had a silver bullet for Microsoft, but I just hope you are aware that this could be the case. HACKING IS NOT A CRIME 8-)
Would it not be easier to hack fobs? Here in England we have fobs for the poor, where they go to a shop and pay for their fob to be updated with x amount of gas or electricity for a price. I've often wondered if you could somehow spoof data on the fobs to get free energy or gas.
love these videos
This is insanely interesting!
Trying to glitch the processor when it is initializing the JTAG lockdown should be worth a try. Automating the check as you did with the serial output should be possible.
Would it help to increase the diameter of the glitch cable so that it can drain the internal capacitors faster / more precisely?
I am excited to give that a try, if JTAG could be unlocked with a glitch it would be quite a find!
Generally, outside of decreasing wire length or increasing wire gauge, people just remove the decoupling caps on the target board, which has the same effect. Could make the processor a little less stable though; I was trying to avoid any other mods to the meter.
Fantastic work, skills like yours are so very valuable to the human race. It would be fabulous to see you break down and reveal the internals and preferably firmware of a UK smart meter.
🙏 Any specific make/model of meter?
@@RECESSIM British Gas is probably the most prolific in the UK at the moment. So that would be great, but genuinely not sure how similar different meters here are at this stage. Thank you.
I live my life 100 nanoseconds at a time
Time on the grid moves at a much faster pace...
This is underrated channel❤
Amazing work!
RUclips recommended this video. After watching a couple of videos in this series, I wonder if the "energy bridge" utility companies provide consumers to read their own meter with would more easily give up its secrets. Mine apparently uses Z-Wave networking. I had to "pair" the device to my meter. I wonder if the pairing process is vulnerable?
So exciting! Reminds me of early 360 days...
Awesome video and great work!
Thanks for watching!
Anyone want to start a pool on whether an exploit can be found to disconnect power? Battlestar taught me a great lesson: if you want to secure something, don't put it on a network. If you can do it remotely, so can an attacker.
There's a 78-page document, DEN 0083 from ARM, that actually explains their devices are susceptible to glitches ;)
@@TradieTrev This right here is why making videos and getting comments is AWESOME! Looks like I have my weekend reading lined up 😈
Indeed, only a matter of time. 15 years is a LONG time to expect a device to remain secure
@@RECESSIM "TBSA-M does not address laboratory attacks in which devices are unpackaged and probed, or power analysis attacks in which the power consumption of the device is correlated with its processing activity to extract assets." That's your juicy bit, have fun mate!
What movie is featured at 3:10? I like all your other taste in movies, but don't recognize that one, even though you've used it multiple times.
Short Circuit, 1980’s movie that arguably had the biggest influence on my interest in electronics and robotics.
@@RECESSIM Oh really? I actually had that on my watch list, but assumed it was just a generic robot movie like Wall-E or something. In that case, I will definitely move it to the top of my list.
The slight variation in uC startup time after reset might be an oscillator or PLL waiting to lock?
That’s what I’m thinking too, it’s something that’s settling and can vary slightly each time
@@RECESSIM If the bootloader does an external memory access or sets any I/O pins, you could probably trigger off that. Assuming you want to glitch the transition after the bootloader has finished. Should be more deterministic than timing from reset.
All these videos are a really cool mix of reverse engineering, the jokes and the smart meters combined; this is jokes and I love every video, even the new ones that are hacking related. The reverse engineering and exploitation are really neat. Cool to think about how things are made to work and how to make them work in a different way that is better for you :)
Thanks for commenting! Glad you enjoy them. 😁
This is super interesting, too bad I don't understand anything :-)
@BitBangBytes on TikTok if you want to ask any questions. I’ll reply with short off the cuff videos. Easier than higher production quality for RUclips.
Could also try RUclips Shorts if anyone finds those a good way to post cell phone vids for increased updates.
What is the movie clip shown at 3:04 ?
Short Circuit - 80’s Robot movie
@@RECESSIM Ahh, thank you. Number Five is alive! :)
That 1uF capacitor may be too large a value for your setup. Try a 100pF capacitor first.
So you actually do have the firmware now? Also, how can a puts() command print the entire firmware, I would expect it to stop once it finds a null character??
I am very close, not sure why the puts() doesn’t stop at a null when I glitch it, but it will loop through the entire flash multiple times. I let it run for an hour once and it seemed to end up in a tighter loop but still printing!
How did you know something like this could happen in the first place? You went looking for it and then it happened, I don't understand how this is possible without a full understanding of the mechanism. Normally when you insert randomness in a running computer program it will just crash.
@@CarloRoosen I have seen other attacks and read that you can insert some well controlled “randomness” and cause issues that don’t quite cause a crash, but cause unexpected things to happen. I experimented with this technique using a development board that uses the same processor and then moved on to the actual hardware I want to attack. Nothing is ever what people tell you it is… :)
@@RECESSIM Yes clear, I think I understand how you got to this point. The question remains, how is it even possible? After the glitch the processor is operating on its own. So there must be a state (registers & memory) in which useful things can happen not intended by the programmer. To me that is incredibly difficult to grasp. Like the monkeys typing Shakespeare thing. Anyway, I am looking forward to the next step.
Also, you should have more viewers ;)
What if a neighbor has weaponized your smart meter and the EC won't listen, and it is being used against you with MUCH pain in my head? It was changed by some guy in Feb with NO knowledge of the EC... PLS HELP???
Once you get it hacked, will you be doing any tests on the wireless capability of the meter? I would like to know if there's a way to shut the wireless off completely.
I’m hopeful that getting a copy of the firmware will answer questions like how the meters can be accessed remotely, how power can be turned on/off and how they could be disabled entirely.
Don't give up
✊🏽
they gonna be scared as hell
Had my smart meter removed.
They make you pay extra per month?
@@RECESSIM 5 dollars a month...well worth it I think...it was on the wall where my bed was...I swear it was making me sick....tinnitus, cramps, and other minor things.
$5 for peace of mind is well worth it
✌🏻
So in other words, smart meters are no good?
Can't wait til an exploit is eventually found for millions of meters. Could be a wild time. Huge bills, no bills, no power... Weee
☠️☠️☠️😭☠️😭🤣👍
😜😜😜💦👍
I got Tinnitus from being too close to my smart meter
I really wish there was more info about the public health concerns relating to Smart meters.