The iCEstick Glitcher is a simple voltage glitcher for a Lattice iCEstick Evaluation Kit.
This glitcher is based on and inspired by glitcher implementations by Dmitry Nedospasov (@nedos) from Toothless Consulting and Grazfather (@Grazfather).
This glitcher implementation demonstrates how the code read protection (CRP) of NXP LPC-family microcontrollers can be bypassed as presented by Chris Gerlinsky (@akacastor) in his talk Breaking Code Read Protection on the NXP LPC-family Microcontrollers at REcon Brussles 2017.
- Lattice iCEstick Evaluation Kit
- Analog switch, for instance MAX4619
- Power supply (2 externally supplied voltages required), for instance Rigol DP832
The iCEstick Glitcher can be downloaded and built using the SymbiFlow toolchain in the following way:
git clone https://github.com/SySS-Research/icestick-glitcher.git
cd icestick-glitcher
make
make prog
virtualenv glitching
source glitching/bin/activate
pip install -r python/requirements.txt
The following two images show a working test setup for the iCEstick Glitcher.
The iCEstick Glitcher is used via the Python command tool iCE iCE Baby Glitcher.
$ python ice-glitcher.py --help
██▓ ▄████▄ ▓█████ ██▓ ▄████▄ ▓█████ ▄▄▄▄ ▄▄▄ ▄▄▄▄ ▓██ ██▓ ▄████ ██▓ ██▓▄▄▄█████▓ ▄████▄ ██░ ██ ▓█████ ██▀███
▓██▒▒██▀ ▀█ ▓█ ▀ ▓██▒▒██▀ ▀█ ▓█ ▀ ▓█████▄ ▒████▄ ▓█████▄▒██ ██▒ ██▒ ▀█▒▓██▒ ▓██▒▓ ██▒ ▓▒▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒
▒██▒▒▓█ ▄ ▒███ ▒██▒▒▓█ ▄ ▒███ ▒██▒ ▄██▒██ ▀█▄ ▒██▒ ▄██▒██ ██░ ▒██░▄▄▄░▒██░ ▒██▒▒ ▓██░ ▒░▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒
░██░▒▓▓▄ ▄██▒▒▓█ ▄ ░██░▒▓▓▄ ▄██▒▒▓█ ▄ ▒██░█▀ ░██▄▄▄▄██ ▒██░█▀ ░ ▐██▓░ ░▓█ ██▓▒██░ ░██░░ ▓██▓ ░ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄
░██░▒ ▓███▀ ░░▒████▒ ░██░▒ ▓███▀ ░░▒████▒ ░▓█ ▀█▓ ▓█ ▓██▒░▓█ ▀█▓░ ██▒▓░ ░▒▓███▀▒░██████▒░██░ ▒██▒ ░ ▒ ▓███▀ ░░▓█▒░██▓░▒████▒░██▓ ▒██▒
░▓ ░ ░▒ ▒ ░░░ ▒░ ░ ░▓ ░ ░▒ ▒ ░░░ ▒░ ░ ░▒▓███▀▒ ▒▒ ▓▒█░░▒▓███▀▒ ██▒▒▒ ░▒ ▒ ░ ▒░▓ ░░▓ ▒ ░░ ░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░░ ▒▓ ░▒▓░
▒ ░ ░ ▒ ░ ░ ░ ▒ ░ ░ ▒ ░ ░ ░ ▒░▒ ░ ▒ ▒▒ ░▒░▒ ░▓██ ░▒░ ░ ░ ░ ░ ▒ ░ ▒ ░ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░
▒ ░░ ░ ▒ ░░ ░ ░ ░ ░ ▒ ░ ░▒ ▒ ░░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░░ ░ ░ ░░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
░ ░ ░ ░░ ░ ░
iCE iCE Baby Glitcher v0.5 by Matthias Deeg - SySS GmbH
A very simple voltage glitcher implementation for the Lattice iCEstick Evaluation Kit
Based on and inspired by voltage glitcher implementations by Dmitry Nedospasov (@nedos)
and Grazfather (@Grazfather)
---
usage: ./glitcher.py [-h] [--start_offset START_OFFSET] [--end_offset END_OFFSET] [--start_duration START_DURATION] [--end_duration END_DURATION] [--offset_step OFFSET_STEP] [--duration_step DURATION_STEP] [--retries RETRIES]
optional arguments:
-h, --help show this help message and exit
--start_offset START_OFFSET
start offset for glitch (default is 100)
--end_offset END_OFFSET
end offset for glitch (default is 10000)
--start_duration START_DURATION
start duration for glitch (default is 1)
--end_duration END_DURATION
end duration for glitch (default is 30)
--offset_step OFFSET_STEP
offset step (default is 1)
--duration_step DURATION_STEP
duration step (default is 1)
--retries RETRIES number of retries per configuration (default is 2)
The configuration of a voltage glitching attack can be changed via different command line arguments, for example:
python ice-glitcher.py --start_offset 5400 --end_offset 5430 --start_duration 10 --end_duration 25 --retries 3
This demo video exemplarily shows how the code read protection (CRP) of an NXP LPC1343 chip can be bypassed by using a voltage glitching attack in order to dump the flash memory containing the firmware.
- Lattice iCEstick Evaluation Kit
- Breaking Code Read Protection on the NXP LPC-family Microcontrollers
- Toothless Arty-Glitcher
- NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
- NXP LPC1343 Bootloader Bypass (Part 2) - Dumping firmware with Python and building the logic for the glitcher
- NXP LPC1343 Bootloader Bypass (Part 3) - Putting it all together
- Grazfather's glitcher for the iCEBreaker FPGA board
- Glitching the Olimex LPC-P1343
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.