Let’s see how to solve the “Fiesta” challenge from Riscure Embedded Hardware CTF 2016 using electromagnetic Fault Injection.
This challenge has some lore/story behind it, and it is specifically designed to be solved using fault injection techniques.
To solve the challenge I used exclusively my own electromagnetic fault injector.
Challenge and Solution
Upload the executable .hex to an Arduino Nano and observe the serial output (19200 baud): the device reports that it is somehow “locked”.
Let’s bring our injector closer and cause some glitches:
And just like that, with only 2 tries, we obtain the flag. With the first EM burst the CPU reset, but on the second I obtained the solution. Easy peasy.
A later attempt produced a cleaner glitch.
FLAG: Why_4m_I_her3?
A video proof. You can hear the “click” when the EM pulse is being injected, followed by the flag.
This challenge was previously solved in two ways. A methodical (and more involved) way, by doing power glitch fault injection, by live0verflow: https://www.youtube.com/embed/6Pf3pY3GxBM
Video featured in Hacking The 3DS part IV.
Later, Jullio de la Flora solved it by shorting the clock pins, causing a malformed clock signal. Even faster: