
New Video from @BlackHatOfficialYT: EMFI Injection on GD32F407 Microcontroller
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In this video, Jonathan Anderson and Thanos Kanakis from Trend Micro's advanced security research team discuss electromagnetic fault injection (EMFI) on the GD32F407 microcontroller from GigaDevice. They share their experiences, methods, and results from this complex and technical research. The video begins with an introduction to EMFI, a technique that disrupts the normal operation of a microcontroller in order to bypass its security mechanisms. Jonathan and Thanos explain why they chose this particular component, partly because it is present in the Autel Maxi charger, a target device during a car hacking event organized by Trend Micro ZDI.
Thanos then presents the hardware used, including the PicoEMP, an open-source device that generates electromagnetic pulses. They modified a CNC machine to position the PicoEMP precisely above the target microcontroller. The setup also includes a programmable power supply to measure the component's current consumption and a managed USB hub to restart the components when they malfunction. One of the crucial aspects of EMFI is the need for precise triggering and deterministic timing.
Jonathan and Thanos emphasize the importance of controlling and monitoring various parameters, such as the supply voltage (VCC), the distance between the probe and the component, and the power of the pulse. They explain how they mapped the sensitive areas of the microcontroller using a spiral approach, starting with strong pulses to identify points of influence, then adjusting the parameters to obtain exploitable results. They also discuss the importance of ARM fault status registers, which can provide valuable information about the exact location of the fault in the code, helping to calibrate the fault point.
They share practical tips for optimizing the fault rate, such as minimizing the PicoEMP charge time and quickly classifying fault results. After months of work and around 10 million fault attempts, they successfully bypassed the microcontroller's read protection (RDP) and extracted the firmware. However, they encountered hardware faults when reading the flash memory, which led to a second attack: injecting a NOP slide into RAM and performing a hardware reset to execute a dump routine. They also discovered a simple bypass: copying the code into RAM and pointing the program counter (PC) at that RAM copy, which lets the component run unhindered and disclose the flash memory.
This discovery highlights the importance of testing all edge cases and not relying solely on the component's specifications. Jonathan and Thanos offer several practical tips for those interested in EMFI fault injection. They recommend thoroughly documenting tests, monitoring the fault rate, and using lab tools to validate results. They also emphasize the importance of not getting discouraged by the brute-force nature of fault injection and staying persistent. In conclusion, this video provides a detailed and technical overview of EMFI fault injection, with practical tips and valuable insights for security researchers. It demonstrates that even with hardware protections, vulnerabilities can be exploited with persistence and advanced techniques. For more information, watch the full video: https://www.youtube.com/watch?v=gktZDgY-3cY