How to Hack Any Micro-controller with a Raspberry Pi Pico. Easy Fault-Injection by Traffic Mocking
DAY 1, 16:10-16:50
This talk proposes a new, generalized, precise fault-injection methodology that can work against any microcontroller.
The new methodology makes a precise fault-injection attack significantly easier by eliminating the need to implement a custom application-level communication driver before an attack. Usually, such a driver is required to capture both a digital trigger and a success signal, and it is also used to issue further commands after a successful glitch. Such a driver is vendor/chip dependent and usually takes immense research, reverse-engineering and debugging effort to implement.
The new method does everything by replaying legitimate communications, which are easily obtained by capturing the traffic between a new chip and an official debugger.
PoC: dumped firmware from the RL78, a microcontroller used in the PS4 and in cars; used undocumented commands; bypassed the on-chip debug security ID; and more. The attack is stable.
Implemented with a Raspberry Pi "Pico" microcontroller. All code is on the author's GitHub.
Location: Track 1 (HALL B)
Category: Technical
Speakers: Tongren Chen (トンレン・チェン)