Problems Glitching nrf52832 #10
Comments
|
Hey. The nRF52832 is way harder then the nRF52840, i was able to glitch it and your timing at +7 ms is correct. I am not sure why nRF52832 is harder it could be that caps are needed to be removed |
|
Thank you for the quick response! |
|
I had to buy an oscilloscope (analog discovery 2) to get the right timing, but I was successful with an nRF52832. I tweaked the code to allow a delay up to 60 and used these settings:
It took something on the order of 6 hours but I eventually got a final
|
Wow Great job @bettse could you make a repo and upload your version? Also could you explain what and where you changed they code up. To help the community. Cheers. @bettse |
|
Had my change been any more significant, I absolutely would have forked and opened a PR. changing the width_max from '30' to '60'. |
|
@bettse thank you for the information! Cheers. |
|
It is very much like Pascal's
|
|
@bettse hey looks about the same, what do you think? |
|
@bettse question did you change anything else? I have been letting the glitcher run for 24hrs, with no success. nRF52832 Delay start 8250 Power off delay 100 Width I changed it to 0 -60 I'm using a
Are you using the same mosfet? I would appreciate your advice thank you.
|
|
Looks like the same mosfet. The glitch in your screenshot does look quite a ways before dip, but it's hard to be sure without a timescale. From what I read about glitching the nrf52832 there is a certain amount of luck involved. |
|
A general question to the ones succeeding in glitching the nrf: I have the Idea, that maintaining a constant temperature is crucial and that warmer temperatures help with glitching… |
|
My thermostat would have been near 72°F (Stop looking at me like that, I live in the US, this is how we measure temperature). I'm in a well insulated building, so I suspect it would be near that value if not slightly above. I look forward to a blog post on "glitching in the oven" 😆 . |
|
I found the following that might be useful:
I didn't need any increase in my glitch width, and I was using the same MOSFET module. Not sure how temperature would affect things, but it would have been around 22C/72F for me as well. |
|
@charliebruce wow thank you for the information mate. We all appreciate it and thank you for the help 🤗.
|
Thank you @atc1441 for this great tool and thank you @bettse for the parameters! With that I was able to glitch my nRF52832! Don't even have an oscilloscope (yet), but enough time ;)
Off topic: It would be great if the pulse width would be a configurable parameter |
|
Please check out the branch called PCB_Version. If i remember right i did add the option to setting more time. I did added it for sure just dont know if i ever published it That version has a different pinout. |
|
Was just glitching an nRF52832
|
|
Yes, it seems like these caps (or other caps in the power circuit, if there are any) will keep the nRF52 powered way longer. I now have an oscilloscope and was able to confirm, that a power off delay of 100 is the bare minimum for my setup. Also, with cap C4 gone, I'm pretty sure the typical pulse width should be ok and modifying |
|
Tested once more with resoldered C9 so it seems C4 is enough to remove. Then i have a super reliable glitch after just a 1-30 seconds |
|
@atc1441 hey 👋 what perimeters are you using? I think it would be helpful to include the information for others. Mine are 8550 - 8700 |
|
@atc1441 can you share your timing settings? :) |
|
So, I removed C4, C9, C10 on a device based on the reference schematics. Chip Rev. is E (not fixed like G). I've tried various timing ranges, increased max_width=60 but have no luck yet :/ (No scope here, unfortunately) |
|
Got a scope now. I successfully glitched a nrf52840 (makediary nRF52840 Micro Dev Kit, cap present) multiple times. However, nrf52832 seems to be a tough nut to crack. I have two different devices, which I didn't glitch successfully, yet:
This is what the JINOU looks like on the scope: CH1 VCC_nrf (trigger), CH2 DEC1, CH3 glitch signal Parameters:
|
|
Can agree that the nrf52832 is harder to catch. |
Hmm, you mean for 24h in a loop? IOW testing multiple delays multiple times? I wonder if it would get better with even shorter glitches. |
|
Yes, the ESP32 was looping trough the set times, also since the temperature does also has an influence this does extend it in the end as well. |
I tried with only DEC1 cap (C4 in the ref schematics) removed and with the VCC cap (C9) and even C10 removed additionally. Did you remove the DEC4 cap as well? |
|
Dont remember exactly, but its worth a try. |
|
Finally..... JINOU has fallen \o/ Removing DEC1-4 was too much (voltage became extremely unstable), so I resoldered DEC2-3. One thing I noticed is that by increasing the glitch delay the voltage drop gets pushed ahead (iow delay between power on and drop increases as the glitch delay increases) until the glitch point suddenly is several hundred us past the voltage drop... Maybe that is what makes glitching the nrf52832 so hard. Oh, important detail: I glitched DEC4 Update: success on the other device through DEC4! |
|
Outch. Glad too early... the flash always only reads 42 00 00 23 .... o.O Another update: just glitch multiple times and retry. Flash dump will work at some point |
|
Thanks for this great find! Unfortunately I trying to glitch another I've tried multiple timings, but the voltage drop seems to move between the glitch timings 3690 - 5680: When I choose glitch timings before 3690 and after 5680 I can clearly see that the glitch is to soon or late: Did anyone observe such a moving voltage drop, and to my understanding the glitch should have more success in the 5680 range than it would around 3690. As after 5680 the natural voltage drop seems to happen? |
Check out my comment #10 (comment) The correct glitch point is right after that voltage drop. Timing is very much depending on multiple factors like 1) temperature 2) exact capacitance values (tolerances, trace lengths etc.) 3) attached peripherals 4) probably more. So, the only way to find the right timing is by trying on the specific device. |
|
Ah you're right, I read your comment but I misinterpreted it the first time 🤦. Now I see it. Temperature is quite cold (18°c) and previous successful glitch was indeed warmer (25°c). Maybe I should use a hair dryer to get the temps up 😆. Mmh so if it should be right after the voltage drop in my case the glitch delay should be between 5680 and 5900 I suppose. |
That might help
You can also try to glitch through DEC4 instead, where I had waaaaaay better results |
|
And by using |
Yep |
|
Also my chip dates from 2021 week 11 and according to the description below (source), and from what I've read the method is patched around November 2021. So I suspect my chip is still vulnerable 🤔🙏 |
You just can check the hardware revision, which is the first of the two letters in the build code (HP). For nRF52832 anything before G is vulnerable (G is the first fixed revision). For nRF52840 it's anything before E. |
|
Ah that's even better, mine is at |
I've been running the glitching on previously said timings yet no successful glitch after 24h 😢 I do still glitch using As you also noticed the power (
|
Well, yeah, I was trying for hours and hours without success. Then switched to DEC4 and had damn reliable success within a hour of testing various timings :D Don't waste your time :P I wonder how bad flash reading are going to be if you got a successful one with that unstable power :/ Could be that dumping doesn't work at all, but that's just pure speculation. |
|
My first successful glitch had Maybe if glitching keeps failing I test the other PCB and see how that one behaves. |
I've now attached the glitch signal to |
Oops. You could try to resolder the DEC4 cap. I think I had seen that as well but... it was laaaate... so I don't remember well \o/ |
|
So you mean you either had |
Yeah, right. Maybe I just remembered wrongly when reporting success here :/ I had tried various combinations |
|
Ok re-soldered |
Yeah, that looks way better! It's difficult to estimate bc of the missing scale, but it should be a bit earlier, like so: You should start here, right before the drop: |
|
Thanks! Seems to be between 5600 and 5700, I'll let it run for some time. 👍 |
Yeah, the "moving target" problem gets worse indeed. |
|
Finally, success! 🎉 Had the timings on 5600 - 5700 for some hours but no successful glitch. So thanks @c0d3z3r0 for the |
Nice, congrats! 🥇
Maybe, maybe not. Try out ;) Also, if you're curious, try adding back all caps and see if it still works on DEC4. Maybe removing caps isn't required at all with DEC4. (I haven't tried) |
|
Thanks! Will do, when I'm finished fixing this board. |
Well, that could also be a symptom from removing the caps |
|
Unfortunately it already stopped doing its thing before removing any of the caps 😞, but I continued anyway as I was more interested in getting the flash extracted as the nRF52832 was still responding. Probably the programming of the thing is somewhat limited and most likely it will halt if any of the auxiliary sensors is not responding. |
|
Ouch |
Thank you for this nice little SWD programmer GUI and the glitcher for the ESP32 :D
I am currently trying to glitch an nrf52832. I narrowed down the glitching width in the source code to 6-10us, as this should do the trick according to other researchers. I try to find the right timing for glitching the nrf52832 for quite some time now. Somehow I am either glitching at the wrong timing or just doing something wrong. Has anyone a hint for me? I recorded some scope recordings:
Where should the glitch be applied? I thought somewhere around +7ms in Zoom1/Zoom2 - is this correct?
The text was updated successfully, but these errors were encountered: