Changes

Minor improvement + added RECESSIM media from yt.
=====Internal ROM=====
When your target chip has a built-in ROM and the chip is locked, you are in most cases out of luck trying to read the firmware the easy way.<br>
This is where it comes in handy to know the different methods widely used to attack these chips in order to retrieve the firmware for later static analysis or even live debugging.
 
::* 1. Decapsulation
:::;- [https://www.youtube.com/watch?v=T1rRgb9N9s4 RECESSIM video: Nitric Acid and Microscopes. Decapsulating IC's.]
::* 2. Bootloader hacking
:::;- [https://0xinfection.github.io/reversing/reversing-for-everyone.pdf Great resource on reverse engineering]
::* 3. Fault injection & Glitching Attacks
:::;- VCC glitching (Crowbar Circuits)
::::: [https://www.youtube.com/watch?v=IOD5voFTAz8 RECESSIM video: Hacking into a Locked Microchip - Reverse Engineer shows you how it's done.]
::::: [https://eprint.iacr.org/2016/810.pdf Example paper 1. Fault Injection using Crowbars on Embedded Systems.]
::::: [https://arxiv.org/pdf/1903.08102 Example paper 2. Injecting Software Vulnerabilities with Voltage Glitching.]
