Problems Glitching nrf52832 #10
Hey. The nRF52832 is way harder than the nRF52840. I was able to glitch it and your timing at +7 ms is correct. I am not sure why the nRF52832 is harder; it could be that caps need to be removed.
Thank you for the quick response!
I had to buy an oscilloscope (Analog Discovery 2) to get the right timing, but I was successful with an nRF52832. I tweaked the code to allow a delay up to 60 and used these settings:
It took something on the order of 6 hours but I eventually got a final
Wow, great job @bettse! Could you make a repo and upload your version? Also, could you explain what and where you changed in the code, to help the community? Cheers. @bettse
Had my change been any more significant, I absolutely would have forked and opened a PR. The change: width_max from '30' to '60'.
@bettse thank you for the information! Cheers.
@bettse hey, looks about the same, what do you think?
@bettse question: did you change anything else? I have been letting the glitcher run for 24 hrs with no success. nRF52832: Delay start 8250, Power off delay 100, Width: I changed it to 0-60. I'm using a Are you using the same MOSFET? I would appreciate your advice, thank you.
Looks like the same MOSFET. The glitch in your screenshot does look quite a ways before the dip, but it's hard to be sure without a timescale. From what I read about glitching the nRF52832 there is a certain amount of luck involved.
A general question to the ones succeeding in glitching the nRF: I have the idea that maintaining a constant temperature is crucial and that warmer temperatures help with glitching…
My thermostat would have been near 72°F (Stop looking at me like that, I live in the US, this is how we measure temperature). I'm in a well insulated building, so I suspect it would be near that value if not slightly above. I look forward to a blog post on "glitching in the oven" 😆.
I found the following that might be useful:
I didn't need any increase in my glitch width, and I was using the same MOSFET module. Not sure how temperature would affect things, but it would have been around 22°C/72°F for me as well.
@charliebruce wow, thank you for the information mate. We all appreciate it and thank you for the help 🤗.
Thank you @atc1441 for this great tool and thank you @bettse for the parameters! With that I was able to glitch my nRF52832! Don't even have an oscilloscope (yet), but enough time ;)
Off topic: It would be great if the pulse width were a configurable parameter.
Please check out the branch called PCB_Version. If I remember right I did add the option to set more time. I did add it for sure, just don't know if I ever published it. That version has a different pinout.
Yes, it seems like these caps (or other caps in the power circuit, if there are any) will keep the nRF52 powered way longer. I now have an oscilloscope and was able to confirm that a power off delay of 100 is the bare minimum for my setup. Also, with cap C4 gone, I'm pretty sure the typical pulse width should be ok and modifying
Tested once more with resoldered C9, so it seems C4 is enough to remove. Then I have a super reliable glitch after just 1-30 seconds.
@atc1441 hey 👋 what parameters are you using? I think it would be helpful to include the information for others. Mine are 8550 - 8700.
@atc1441 can you share your timing settings? :)
So, I removed C4, C9, C10 on a device based on the reference schematics. Chip rev. is E (not fixed like G). I've tried various timing ranges, increased max_width=60, but have had no luck yet :/ (No scope here, unfortunately.)
Can agree that the nRF52832 is harder to catch.
Hmm, you mean for 24h in a loop? IOW testing multiple delays multiple times? I wonder if it would get better with even shorter glitches.
Yes, the ESP32 was looping through the set times; also, since temperature has an influence as well, this does extend it in the end.
I tried with only the DEC1 cap (C4 in the ref schematics) removed, and with the VCC cap (C9) and even C10 removed additionally. Did you remove the DEC4 cap as well?
Don't remember exactly, but it's worth a try.
Finally..... JINOU has fallen \o/ Removing DEC1-4 was too much (voltage became extremely unstable), so I resoldered DEC2-3. One thing I noticed is that by increasing the glitch delay the voltage drop gets pushed ahead (IOW the delay between power on and drop increases as the glitch delay increases) until the glitch point suddenly is several hundred µs past the voltage drop... Maybe that is what makes glitching the nRF52832 so hard. Oh, important detail: I glitched DEC4. Update: success on the other device through DEC4!
Ouch. Glad too early... the flash always only reads 42 00 00 23 .... o.O Another update: just glitch multiple times and retry. The flash dump will work at some point.
Check out my comment #10 (comment). The correct glitch point is right after that voltage drop. Timing is very much dependent on multiple factors like 1) temperature 2) exact capacitance values (tolerances, trace lengths etc.) 3) attached peripherals 4) probably more. So, the only way to find the right timing is by trying on the specific device.
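As an added example (not code from the ESP32 glitcher, the SWD GUI, or anyone in this thread), here is a host-side Python sketch of the procedure the last few comments describe: loop through a range of delays and pulse widths the way the firmware does, glitch each point more than once, and treat a dump that is just the same word repeated (the 42 00 00 23 symptom above) as a failed attempt to retry rather than a success. The target is a constructed model with an assumed delay window and success probability; the memory-map constants assume the nRF52832 QFAA variant (512 KB flash, 64 KB RAM), and the Cortex-M vector-table check is an extra sanity test not mentioned in the thread.

```python
"""Host-side glitch parameter sweep with flash-dump sanity checks.

Added example for the discussion above; this is not code from the ESP32
glitcher or from anyone in the thread. SimulatedTarget is a constructed
model, not real hardware: it "unlocks" only when the glitch lands inside a
delay window and a pulse-width range, and even then only with some
probability, and on some successes it returns the repeated 42 00 00 23 word
the thread reports instead of real flash contents.
"""
import random
from itertools import product

# Assumed memory map of the nRF52832 QFAA variant (512 KB flash, 64 KB RAM).
FLASH_BASE, FLASH_SIZE = 0x00000000, 0x80000
RAM_BASE, RAM_SIZE = 0x20000000, 0x10000
GARBAGE_WORD = bytes.fromhex("42000023")   # symptom quoted in the thread


def dump_looks_valid(dump: bytes) -> bool:
    """Reject dumps that are empty, a single repeated 32-bit word, or whose
    Cortex-M vector table is implausible (initial SP outside RAM, reset
    vector outside flash or without the Thumb bit set)."""
    if len(dump) < 8 or len(dump) % 4:
        return False
    words = [dump[i:i + 4] for i in range(0, len(dump), 4)]
    if len(set(words)) == 1:
        return False
    sp = int.from_bytes(dump[0:4], "little")
    reset = int.from_bytes(dump[4:8], "little")
    sp_ok = RAM_BASE < sp <= RAM_BASE + RAM_SIZE
    reset_ok = (reset & 1) == 1 and FLASH_BASE <= reset < FLASH_BASE + FLASH_SIZE
    return sp_ok and reset_ok


class SimulatedTarget:
    """Constructed stand-in for chip plus glitcher (parameters are assumptions)."""

    def __init__(self, delay_window=(5680, 5900), width_window=(6, 10),
                 luck=0.3, garbage_rate=0.5, seed=7):
        self.delay_window = delay_window
        self.width_window = width_window
        self.luck = luck                  # chance a well-placed glitch unlocks
        self.garbage_rate = garbage_rate  # chance an unlock still reads garbage
        self.rng = random.Random(seed)
        self.attempts = 0
        # Fake flash image: plausible vector table followed by filler bytes.
        flash = (0x20010000).to_bytes(4, "little")   # initial SP = top of RAM
        flash += (0x00000151).to_bytes(4, "little")  # Reset_Handler, Thumb bit set
        flash += bytes(range(256)) * 2
        self.flash = flash

    def glitch(self, delay_us: int, width_us: int):
        """Return a dump on success, or None if the chip stayed locked."""
        self.attempts += 1
        d_lo, d_hi = self.delay_window
        w_lo, w_hi = self.width_window
        if not (d_lo <= delay_us <= d_hi and w_lo <= width_us <= w_hi):
            return None
        if self.rng.random() > self.luck:
            return None
        if self.rng.random() < self.garbage_rate:
            return GARBAGE_WORD * (len(self.flash) // 4)
        return bytes(self.flash)


def sweep(target, delays, widths, tries_per_point=5):
    """Loop over (delay, width) points like the glitcher firmware does,
    retrying each point and re-glitching when a dump fails validation.
    Returns (delay, width, dump) for the first good dump, else None."""
    for delay_us, width_us in product(delays, widths):
        for _ in range(tries_per_point):
            dump = target.glitch(delay_us, width_us)
            if dump is not None and dump_looks_valid(dump):
                return delay_us, width_us, dump
    return None


if __name__ == "__main__":
    target = SimulatedTarget()
    hit = sweep(target, range(5600, 5901, 20), range(6, 11, 2))
    if hit:
        d, w, dump = hit
        print(f"unlocked at delay={d} width={w} after {target.attempts} attempts")
        print(dump[:16].hex(" "))
    else:
        print(f"no valid dump after {target.attempts} attempts")
```

On real hardware `SimulatedTarget.glitch` would be replaced by a serial round trip to the glitcher plus an SWD flash read; the validation step is the part worth keeping, since a repeated-word dump means the attempt should be retried rather than saved.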
Ah you're right, I read your comment but I misinterpreted it the first time 🤦. Now I see it. Temperature is quite cold (18°C) and the previous successful glitch was indeed warmer (25°C). Maybe I should use a hair dryer to get the temps up 😆. Mmh, so if it should be right after the voltage drop, in my case the glitch delay should be between 5680 and 5900 I suppose.
That might help
You can also try to glitch through DEC4 instead, where I had waaaaaay better results.
And by using
Yep
Also my chip dates from 2021 week 11 and, according to the description below (source) and from what I've read, the method is patched around November 2021. So I suspect my chip is still vulnerable 🤔🙏
You can just check the hardware revision, which is the first of the two letters in the build code (HP). For nRF52832 anything before G is vulnerable (G is the first fixed revision). For nRF52840 it's anything before E.
Ah that's even better, mine is at
I've been running the glitching on the previously said timings, yet no successful glitch after 24h 😢 I do still glitch using As you also noticed the power (
My first successful glitch had Maybe if glitching keeps failing I'll test the other PCB and see how that one behaves.
So you mean you either had
Yeah, right. Maybe I just remembered wrongly when reporting success here :/ I had tried various combinations
Thanks! Seems to be between 5600 and 5700, I'll let it run for some time. 👍
Yeah, the "moving target" problem gets worse indeed.
Finally, success! 🎉 Had the timings on 5600 - 5700 for some hours but no successful glitch. So thanks @c0d3z3r0 for the
Nice, congrats! 🥇
Maybe, maybe not. Try it out ;) Also, if you're curious, try adding back all caps and see if it still works on DEC4. Maybe removing caps isn't required at all with DEC4. (I haven't tried.)
Thanks! Will do, when I'm finished fixing this board.
Well, that could also be a symptom of removing the caps.
Unfortunately it already stopped doing its thing before removing any of the caps 😞, but I continued anyway as I was more interested in getting the flash extracted, as the nRF52832 was still responding. Probably the programming of the thing is somewhat limited and most likely it will halt if any of the auxiliary sensors is not responding.
Ouch
Thank you for this nice little SWD programmer GUI and the glitcher for the ESP32 :D
I am currently trying to glitch an nRF52832. I narrowed down the glitching width in the source code to 6-10 µs, as this should do the trick according to other researchers. I have been trying to find the right timing for glitching the nRF52832 for quite some time now. Somehow I am either glitching at the wrong timing or just doing something wrong. Does anyone have a hint for me? I recorded some scope recordings:
Where should the glitch be applied? I thought somewhere around +7ms in Zoom1/Zoom2 - is this correct?