iCEstick Glitcher

The iCEstick Glitcher is a simple voltage glitcher for a Lattice iCEstick Evaluation Kit.

This glitcher is based on and inspired by glitcher implementations by Dmitry Nedospasov (@nedos) from Toothless Consulting and Grazfather (@Grazfather).

This glitcher implementation demonstrates how the code read protection (CRP) of NXP LPC-family microcontrollers can be bypassed as presented by Chris Gerlinsky (@akacastor) in his talk [Breaking Code Read Protection on the NXP LPC-family Microcontrollers](Breaking Code Read Protection on the NXP LPC-family Microcontrollers) at REcon Brussles 2017.

Hardware Requirements

• Lattice iCEstick Evaluation Kit
• Analog switch, for instance MAX4619
• Power supply (2 externally supplied voltages required), for instance Rigol DP832

Software Requirements

• Python 3
• pylibftdi
• sty
• yosys
• nextpnr-ice40
• Project IceStorm Tools

Test Setup

The following two images show a working test setup for the iCEstick Glitcher.

Demo

This demo video exemplarily shows how the code read protection (CRP) of an NXP LPC1343 chip can be bypassed by using a voltage glitching attack in order to dump the flash memory containing the firmware.

References

• Lattice iCEstick Evaluation Kit
• Breaking Code Read Protection on the NXP LPC-family Microcontrollers
• Toothless Arty-Glitcher
• NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
• NXP LPC1343 Bootloader Bypass (Part 2) - Dumping firmware with Python and building the logic for the glitcher
• NXP LPC1343 Bootloader Bypass (Part 3) - Putting it all together
• Grazfather's glitcher for the iCEBreaker FPGA board
• Glitching the Olimex LPC-P1343

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.