
Clock glitches ... another method to bend the clock

Started by catweazle, March 01, 2008, 01:22:50 AM


catweazle

Everybody has a lot of toys, keyboards and stuff that seem to be unbendable.
I found a possible method to bend all sorts of clock signals for all microcontroller-based noise makers.

The idea comes from a paper about "Breaking Copy Protection in Modern Microcontrollers":
http://www.cl.cam.ac.uk/~sps32/mcu_lock.html

Here is an excerpt from the paper....

*******************************************************************************************
2. Non-Invasive attacks
The most widely used non-invasive attacks include playing around with the supply voltage and clock signal. Under-voltage and over-voltage attacks could be used to disable the protection circuit or force the processor to do a wrong operation. For these reasons, some security processors have a voltage detection circuit, but as a rule this circuit does not react to transients. So fast signals of various kinds may reset the protection without destroying the protected information.

Power and clock transients can also be used in some processors to affect the decoding and execution of individual instructions. Every transistor and its connection paths act like an RC element with a characteristic time delay; the maximum usable clock frequency of a processor is determined by the maximum delay among its elements. Similarly, every flip-flop has a characteristic time window (of a few picoseconds) during which it samples its input voltage and changes its output accordingly. This window can be anywhere inside the specified setup cycle of the flip-flop, but is quite fixed for an individual device at a given voltage and temperature. So if we apply a clock glitch (a clock pulse much shorter than normal) or a power glitch (a rapid transient in supply voltage), this will affect only some transistors in the chip. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions, sometimes including instructions that are not even supported by the microcode. Although we do not know in advance which glitch will cause which wrong instruction in which chip, it can be fairly simple to conduct a systematic search.
The various instructions cause different levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at different times relative to the clock edges and can be separated in high-frequency measurements ...

Another possible threat to secure devices is data remanence. This is the capability of volatile memory to retain information stored in it for some period of time after power was disconnected. Static RAM that contained the same key for a long period of time could reveal it on the next power-on. Another possible way is to 'freeze' the state of the memory cell by applying low temperature to the device. In this case static RAM could retain information for several minutes at -20°C or even hours at lower temperature.
*******************************************************************************************

All a bit technical - to make it short:
instead of clocking a toy with a stable clock signal, use a normal clock signal with occasional extremely short pulses.
Why not connect a cellphone or other high-frequency device output to the clock input?
Or cooking/freezing it (peltier element) =)

I haven't tried it... but worth a try...
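The excerpt above explains why a clock pulse shorter than normal corrupts only some register bits: each bit is fed by logic with its own RC-like delay, and a flip-flop samples whatever is on its input at the clock edge. The following toy model is an added example (not from the post or the paper) that simulates that mechanism on a constructed four-bit datapath with hypothetical delays, and pairs it with the kind of clock-period monitor a voltage supervisor alone would not provide.

```python
"""Toy timing model of a clock glitch on a register with mixed path delays.

Constructed example: four flip-flops, each fed by combinational logic with a
different propagation delay (hypothetical nanosecond values). A flip-flop
samples its input at every clock edge; if the logic has not settled since
the previous edge, it latches the stale value. A glitch is just one clock
period much shorter than the longest path delay, so only slow paths fail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    delay_ns: float  # propagation delay of the logic feeding this flip-flop


# Constructed datapath: bits of increasing logic depth (hypothetical values).
PATHS = [Path("b0_passthrough", 2.0), Path("b1_adder", 9.0),
         Path("b2_decoder", 14.0), Path("b3_carry_chain", 19.0)]

NOMINAL_PERIOD_NS = 20.0  # rated clock period: every path settles in time


def sample(prev_bits, new_bits, period_ns, paths=PATHS):
    """Bits captured at an edge arriving `period_ns` after the previous one.

    A path whose delay exceeds the period has not settled, so its flip-flop
    keeps the stale (previous) value instead of the intended new one.
    """
    return [new if p.delay_ns <= period_ns else old
            for old, new, p in zip(prev_bits, new_bits, paths)]


def corrupted_bits(prev_bits, new_bits, period_ns, paths=PATHS):
    """Names of the paths whose captured value differs from the intended one."""
    got = sample(prev_bits, new_bits, period_ns, paths)
    return [p.name for p, g, n in zip(paths, got, new_bits) if g != n]


def clock_monitor(edge_times_ns, min_period_ns):
    """Defender-side check: indices of clock periods shorter than the rated
    minimum, i.e. the transients a plain voltage supervisor does not see."""
    periods = [b - a for a, b in zip(edge_times_ns, edge_times_ns[1:])]
    return [i for i, per in enumerate(periods) if per < min_period_ns]


if __name__ == "__main__":
    prev, new = [0, 0, 0, 0], [1, 1, 1, 1]
    print("nominal clock:", corrupted_bits(prev, new, NOMINAL_PERIOD_NS))
    print("10 ns glitch: ", corrupted_bits(prev, new, 10.0))
    edges = [0, 20, 40, 50, 70]  # constructed edge times with one 10 ns period
    print("flagged periods:", clock_monitor(edges, NOMINAL_PERIOD_NS))
```

With the nominal period no bit is corrupted; a 10 ns period leaves the two slowest paths holding their old values while the fast ones update, which is the "only some transistors" effect the excerpt describes.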