Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection

Abstract

Let’s see how to solve the “Fiesta” challenge from Riscure Embedded Hardware CTF 2016 using electromagnetic Fault Injection.

This challenge has some lore/story behind it, and is specifically designed to be solved using fault injection techniques.

Tools

To solve the challenge I use exclusively my own electromagnetic fault injector.

Challenge and Solution

Upload the executable .hex to an Arduino Nano and observe the serial output (19200 baud): we observe the device is somehow “locked”.

Let’s bring our injector closer and cause some glitches:

And just like that, with only 2 tries we obtain the flag. With the first EM burst the CPU reset, but at the second I obtained the solution. Easy peasy.
A later attempt produced a cleaner glitch.

FLAG: Why_4m_I_her3?

A video proof. You can hear the “click” when the EM pulse is being injected, followed by the flag.

Other Solutions

This challenge was previously solved in two ways. A methodical (and more involved) way, by doing power glitch fault injection, by LiveOverflow: https://www.youtube.com/embed/6Pf3pY3GxBM
Video featured in Hacking The 3DS part IV.

Later, Julio Della Flora solved it by shorting the clock pins, causing a malformed clock signal. Even faster:

@LiveOverflow that’s why the RHME2 Fiesta challenge was worth only 100 points. ;D ahahaha it was a clock fault injection… pic.twitter.com/QOwjWNVhsl
— Julio Della Flora (@jcldf) March 6, 2020
