Dirt Cheap Hacking Tools Blog

glitchy

The final #glitchy prototype is on the way from Shenzhen, along with an early #ESP32anza prototype and some other delights.

We had to give up the ghost on galvanic glitching in order to keep the BOM low enough to still sell it in the $20-30 range.

That is okay! We replaced the NPN+Relay circuits with N-Channel MOSFETs similar to what the Hextree Faultier uses. This works out because NAND flash bootloader glitching uses ground, and most everything out there is an active low reset.

Between that and replacing the discontinued digital pot, and many other roadblocks, it has been a long and difficult journey. We are finally approaching completion of the #glitchy project and cannot wait to make it available to you, the “valued” “customer”.

IT'S HAPPENING! GLITCHY!

After years of thinking and slightly fewer years of iterating through different microcontrollers and wasting thousands of dollars, the #glitchy is finally nearing completion! Now that it's finally so close, it seems wise to offer a detailed description of what the Glitchy is and what it does.

Glitchy is an automated bootloader flash glitch attack tool.

It consists primarily of:

  • SAMD21 microcontroller
  • MCP4017 digital pot
  • 2x Reed Relay

The device provides a header which exposes pins for:

  • Target Flash D0
  • Target MCU D0
  • Target RESET
  • Target RESET_ACTIVE (GND/Vcc)
  • Target UART RX
  • Target UART TX
  • Target GND

Glitchy provides functionality like:

  • optional automatic detection of target baudrates using both Edge Timing ABR and Caveman ABR
  • accepting user terminal-provided baudrates for target UART by default – simple operation
  • detect bootloader flash read operations via monitored target UART
  • automatically actuate galvanic fault injections using the target's own GND or VCC
  • moderate injections with up to 5Kohm adjustable series resistance
  • manual glitch mode wherein the galvanic RESET and GLITCH are controlled in the UART interface via key chords
  • fully in-UI customizable and saveable settings, including trigger, success, and failure strings, post-success payloads, pulse timings, and more
  • simple terminal-based and web-serial based UIs
  • easy flashing for updates and settings configuration via web-serial and UF2

Glitchy is simple to use! It has a USB-C port and 2.54mm pin headers. It goes great with Dirt Cheap Probes! Stay tuned for PCB previews and more.

What is even the point of this?!

I do this attack a lot at play and at work, and usually I do it with a little digital pot and push button on a breadboard. This is faster and easier. This attack is so simple, it should be like the command injection of hardware attacks. Tools like the Faultier are making higher speed glitching more accessible, and tools like the PicoEMP and FaultyCat are making EMFI-based attacks more accessible. I want to make a tool that will make this attack accessible to anyone with $20.

I hope to make it available as soon as possible, either via pre-order on https://www.dirtcheaphackingtools.com or some sort of crowdfunding. Feel free to tell me how you feel about this.

Diffuse Tactics, Democratize Access. Hack The Planet.