A lot of the ringing you're seeing on the scope will be due to using the ground flylead on the scope probe - for this sort of work you really need to use an ultra-short (
Thanks Mike, appreciate the suggestion! I have those short spring ground connectors for the scope. I’ll test that out to see how it looks. I was curious about the ringing but more concerned about the capacitor decay time so didn’t chase it.
One security protection against voltage glitch attacks is to manufacture a void in only some of the layers of the PCB under the chip with a Schmitt-trigger-like circuit in it to provide hysteresis to the power to prevent an undervoltage condition; power only gets to the pin if it is high enough and is cut off completely when it drops. You then have to unsolder the pin in order to perform the glitch, making it impossible to glitch in the field when under a time constraint. This is particularly difficult if the chip is a BGA (many have a central area without pins) where you cannot access the power pin directly and have to unsolder the entire chip.
Very nice progress. I guess the difference in wire length can also be viewed as an impedance mismatch between the ChipWhisperer output and the node you pull down; if they were matched, the longer cables should mostly add delay but should not change the pulse shape. A little off-topic, but I really like your "oscilloscope probe tip" like extensions for your power supply wires, they seem like a useful thing to have. Looking forward to seeing what comes next. Are the pulse parameters a "universal constant" for this type of meter or do you need to tweak them for each unit? Since most capacitors have something like ±20% tolerance, which will alter the pulse shape, I would imagine that you have to slightly tweak them each time.
Will be interesting to take a look at the bootloader once the factory flash contents are dumped. Though it might be encrypted, so you'll need to dump it from memory after boot if so.
Interesting stuff! I've reverse engineered / repurposed some stuff myself in the past, but I'm mainly doing YouTube videos on fixing electronic stuff these days.
It's all related, I feel; getting better at any aspect helps with the others. And it's just fun and fulfilling figuring out how something works and then fixing it!
@RECESSIM Totally agree. I used to love figuring out how things work. Those smart meters are a bit sinister in how they can remotely disconnect. I wonder if people will create firmware so they are not as accurate at measuring the usage in future.
I understand how glitching the processor during the serial I/O operation could reset a pointer and start it dumping program memory, but the I/O function is almost certainly looking for a null to terminate transmission and the program memory is certainly going to have a good number of zero bytes in it, so won't it stop prematurely?
@RECESSIM I was assuming the application code was written in C, but perhaps not? Since it's a high reliability/security application it may be something like Ada that uses a length word instead of null termination.
It might be that the glitch is not resetting a value to zero, but perhaps to all 1s instead, and if the value that got reset happened to be a "remaining count" value, e.g. in code like: while (to_do > 0) { count = print_character(buf); buf += count; to_do -= count; } (like what happens in _IO_new_file_write), then perhaps the glitch could result in the observed behaviour? It's really interesting watching the process of discovery here, and I'm impressed at the dedication shown to the cause!
This is insanely interesting! Trying to glitch the processor when it is initializing the JTAG lockdown should be worth a try. Automating the check as you did with the serial output should be possible. Would it help to increase the diameter of the glitch cable so that it can drain the internal capacitors faster / more precisely?
I am excited to give that a try; if JTAG could be unlocked with a glitch it would be quite a find! Generally, outside of decreasing wire length or increasing wire gauge, people just remove the decoupling caps on the target board, which has the same effect. It could make the processor a little less stable though; I was trying to avoid any other mods to the meter.
@RECESSIM If they connect wirelessly, could they not just patch the firmware? They could be checking that the firmware is authentic on a regular basis for all you know. Microsoft did this with the Xbox 360: they patched the drive firmware with an update through either a game disc or an online update. It did not stop the hackers ("c4eva"), as he already had a silver bullet for Microsoft, but just hope you are aware that this could be the case? HACKING IS NOT A CRIME 8-)
Would it not be easier to hack fobs? Here in England we have fobs for the poor, where they go to a shop and pay for their fob to be updated with X amount of gas or electricity for a price. I've often wondered if you could somehow spoof data on the fobs to get free energy or gas?
All these videos are a really cool mix of reverse engineering, the jokes and the smart meters combined. This is jokes and I love every video, even the new ones that are hacking related; the reverse engineering and exploitation are really neat. Cool to think about how things are made to work and how to make them work in a different way that is better for you :)
Fantastic work, skills like yours are so very valuable to the human race. It would be fabulous to see you break down and reveal the internals and preferably firmware of a UK smart meter.
@RECESSIM British Gas is probably the most prolific in the UK ATM. So that would be great, but genuinely not sure how similar different meters here are at this stage. Thank you.
RU-vid recommended this video. After watching a couple of videos in this series, I wonder if the "energy bridge" utility companies provide consumers to read their own meter with would more easily give up its secrets. Mine apparently uses Z-Wave networking. I had to "pair" the device to my meter. I wonder if the pairing process is vulnerable?
@RECESSIM Oh really? I actually had that on my watch list, but assumed it was just a generic robot movie like Wall-E or something. In that case, I will definitely move it to the top of my list.
Anyone want to start a pool on whether an exploit can be found to disconnect power? Battlestar taught me a great lesson. If you want to secure something, don't put it on a network. If you can do it remotely, so can an attacker.
@RECESSIM "TBSA-M does not address laboratory attacks in which devices are unpackaged and probed, or power analysis attacks in which the power consumption of the device is correlated with its processing activity to extract assets." That's your juicy bit, have fun mate!
WHAT IF a neighbor has weaponized your smart meter and the EC WON'T listen, and it is being used against you with MUCH pain in my head? It was changed by some guy in Feb with NO knowledge of the EC... PLS HELP???
@BitBangBytes on TikTok if you want to ask any questions. I’ll reply with short off the cuff videos. Easier than higher production quality for RU-vid. Could also try RU-vid Shorts if anyone finds those a good way to post cell phone vids for increased updates.
@RECESSIM If the bootloader does an external memory access or sets any I/O pins, you could probably trigger off that, assuming you want to glitch the transition after the bootloader has finished. Should be more deterministic than timing from reset.
So you actually do have the firmware now? Also, how can a puts() command print the entire firmware? I would expect it to stop once it finds a null character.
I am very close. Not sure why the puts() doesn't stop at a null when I glitch it, but it will loop through the entire flash multiple times. I let it run for an hour once and it seemed to end up in a tighter loop but still printing!
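To make the mechanism behind the "puts() keeps printing past the null" question concrete, here is an added C simulation; it is my own example, not code from the video or from any commenter. It models the loop sketched in the _IO_new_file_write comment above: a constructed 64-byte "flash image" (a 12-character C string, its terminator, then assorted bytes, several of them zero), a chunked driver write, and a remaining-count variable that the modelled glitch overwrites with all 1s at a chosen loop iteration. Once the counter is corrupted, the unchecked loop no longer cares about the null byte at all (the null only mattered to the strlen() that produced the initial count) and walks the whole image until the simulation's bounds stop it. A second version of the same loop keeps a redundant end pointer and cross-checks the counter against it each iteration, which catches the single-variable corruption this hypothesis assumes. The names write_unchecked, write_checked, glitch_detected, print_character and fault_iter, the chunk size and the image contents are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_SIZE 64   /* size of the constructed flash image */
#define CHUNK    4    /* bytes the simulated driver accepts per call */

/* Constructed 64-byte "flash image": a C string, its null terminator, then
 * assorted bytes standing in for the rest of flash (zero bytes included;
 * all entries not listed here are zero-initialised). */
static const uint8_t memory[MEM_SIZE] = {
    'H','E','L','L','O',',',' ','M','E','T','E','R', 0,
    0xDE,0xAD,0x00,0xBE,0xEF,0x00,0x11,0x22,0x33,
};
static const size_t message_len = 12;  /* what strlen() reports before the write loop starts */

/* Simulated driver write (the print_character() of the comment): sends up to
 * CHUNK bytes and never reads past the end of the simulated image.
 * Returns the number of bytes sent, 0 once the image is exhausted. */
static size_t print_character(const uint8_t *buf, size_t remaining) {
    size_t avail = (size_t)((memory + MEM_SIZE) - buf);
    size_t n = remaining < CHUNK ? remaining : CHUNK;
    if (n > avail) n = avail;
    for (size_t i = 0; i < n; i++) putchar(buf[i]);  /* stand-in for the UART */
    return n;
}

/* The unchecked loop. fault_iter is the iteration at which the modelled
 * glitch overwrites the remaining count with all 1s; -1 means no glitch.
 * Returns the total number of bytes handed to the driver. */
size_t write_unchecked(size_t to_do, int fault_iter) {
    const uint8_t *buf = memory;
    size_t sent = 0;
    for (int iter = 0; to_do > 0; iter++) {
        if (iter == fault_iter) to_do = SIZE_MAX;  /* modelled fault: counter -> 0xFFFF... */
        size_t count = print_character(buf, to_do);
        if (count == 0) break;                     /* end of the simulated image */
        buf += count; to_do -= count; sent += count;
    }
    return sent;
}

/* Same loop with a redundant end pointer computed before the loop; every
 * iteration cross-checks the counter against it and aborts on disagreement.
 * *detected is set to 1 when the inconsistency is caught. */
size_t write_checked(size_t to_do, int fault_iter, int *detected) {
    const uint8_t *buf = memory;
    const uint8_t *end = memory + to_do;  /* independent copy of the same information */
    size_t sent = 0;
    *detected = 0;
    for (int iter = 0; to_do > 0; iter++) {
        if (iter == fault_iter) to_do = SIZE_MAX;
        if (to_do != (size_t)(end - buf)) { *detected = 1; break; }  /* counter and pointer disagree */
        size_t count = print_character(buf, to_do);
        if (count == 0) break;
        buf += count; to_do -= count; sent += count;
    }
    return sent;
}

/* Convenience wrapper: did the checked loop catch a glitch at fault_iter? */
int glitch_detected(size_t to_do, int fault_iter) {
    int detected;
    write_checked(to_do, fault_iter, &detected);
    return detected;
}

int main(void) {
    int detected;
    printf("\nno glitch, unchecked: %zu bytes\n", write_unchecked(message_len, -1));
    printf("\nglitch at iteration 1, unchecked: %zu bytes\n", write_unchecked(message_len, 1));
    size_t n = write_checked(message_len, 1, &detected);
    printf("\nglitch at iteration 1, checked: %zu bytes, detected=%d\n", n, detected);
    return 0;
}
```

Without a glitch both loops send exactly the 12 bytes of the string and stop. With the counter corrupted on the second iteration, the unchecked loop sends the first 4 bytes and then everything else in the image (64 bytes total, null bytes included), which is the single-pass analogue of the meter dumping its flash; the checked loop sends the same first 4 bytes, then notices that the counter and the end pointer no longer agree and stops. The redundancy only helps against the single corrupted variable that the comment hypothesises, which is why fault-tolerant firmware usually pairs such checks with a watchdog and with glitch detection in hardware.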
How did you know something like this could happen in the first place? You went looking for it and then it happened, I don't understand how this is possible without a full understanding of the mechanism. Normally when you insert randomness in a running computer program it will just crash.
@CarloRoosen I have seen other attacks and read that you can insert some well controlled "randomness" and cause issues that don't quite cause a crash, but cause unexpected things to happen. I experimented with this technique using a development board that uses the same processor and then moved on to the actual hardware I want to attack. Nothing is ever what people tell you it is... :)
@RECESSIM Yes, clear, I think I understand how you got to this point. The question remains, how is it even possible? After the glitch the processor is operating on its own. So there must be a state (registers & memory) in which useful things can happen not intended by the programmer. To me that is incredibly difficult to grasp. Like the monkeys typing Shakespeare thing. Anyway, I am looking forward to the next step.
Once you get it hacked, will you be doing any tests on the wireless capability of the meter? I would like to know if there's a way to shut the wireless off completely.
I’m hopeful that getting a copy of the firmware will answer questions like how the meters can be accessed remotely, how power can be turned on/off and how they could be disabled entirely.
@RECESSIM 5 dollars a month... well worth it I think... it was on the wall where my bed was... I swear it was making me sick... tinnitus, cramps, and other minor things.