iCEstick Glitcher
The iCEstick Glitcher is a simple voltage glitcher for a Lattice iCEstick Evaluation Kit.
This glitcher is based on and inspired by glitcher implementations by Dmitry Nedospasov (@nedos) from Toothless Consulting and Grazfather (@Grazfather).
This glitcher implementation demonstrates how the code read protection (CRP) of NXP LPC-family microcontrollers can be bypassed, as presented by Chris Gerlinsky (@akacastor) in his talk "Breaking Code Read Protection on the NXP LPC-family Microcontrollers" at REcon Brussels 2017.
Hardware Requirements
- Lattice iCEstick Evaluation Kit
- Analog switch, for instance MAX4619
- Power supply (2 externally supplied voltages required), for instance Rigol DP832
Software Requirements
Test Setup
The following two images show a working test setup for the iCEstick Glitcher.
Demo
This demo video shows, as an example, how the code read protection (CRP) of an NXP LPC1343 chip can be bypassed with a voltage glitching attack in order to dump the flash memory containing the firmware.
References
- Lattice iCEstick Evaluation Kit
- Breaking Code Read Protection on the NXP LPC-family Microcontrollers
- Toothless Arty-Glitcher
- NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
- NXP LPC1343 Bootloader Bypass (Part 2) - Dumping firmware with Python and building the logic for the glitcher
- NXP LPC1343 Bootloader Bypass (Part 3) - Putting it all together
- Grazfather's glitcher for the iCEBreaker FPGA board
- Glitching the Olimex LPC-P1343
Disclaimer
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.