Chip security and radio security underlying penetration technology

Different from traditional network security, hardware security, chip security and radio security are important subdivisions of underlying network security. They are the true cornerstone of network security and an important part of national security. The slogan "consolidate the foundation of underlying network security and build a strong national security base" is another true portrayal of the importance of network security.

The game between hardware hackers and hardware security attackers and defenders will intensify in the future. However, because of the underlying sensitivity, closedness and invisibility of this field, the related attack and defense penetration technologies, ideas, tools and vulnerability results are rarely announced or disclosed to the outside world. For the same reason, attack and defense penetration technologies, concepts and methods that go deep into the bottom layer of hardware play an important role in future great power games, military electronic technology security, hardware security, chip security, industrial control security, Internet of Things security, Internet of Vehicles security and other areas, and can even, at critical moments, produce the effect of "moving a thousand pounds with one or two moves"; their "lethality" and "threat power" cannot be ignored.

As the saying goes, "Know your enemy and know yourself, and you can fight a hundred battles without danger." This topic will unveil the mystery of "hardware hackers" and share a less popular but extremely important penetration technology of hardware security and chip security: chip security fault injection technology. It ties the technique to the internal structure of the chip, the chip type, business attributes, firmware security and the CPU instruction operation mechanism, all of which are strongly related to it, giving a deep insight into the mysterious world of underlying chip security. In addition, this topic will also share the bottom-level scanning and penetration technology of radio security, using three different technical principles (replay attacks, protocol reverse restoration and radio tracking) to crack and interfere with a certain penetration object. This negative case reminds everyone of the importance and necessity of wireless security.

"Chip Security and Radio Security Underlying Penetration Technology"

Let us review the wonderful content of "Chip Security and Radio Security Underlying Penetration Technology" from the Kanxue 7th Security Developer Summit (2023 SDC).

01

Speakers

赵亚平 (Zhao Yaping)

Founder of Hunan Diwang Security & Head of Diwang Security Laboratory

He holds an intermediate professional title in communication technology and attaches great importance to the basic disciplines of electronic technology and underlying network security. Starting from the most basic electronic technology, he has a background in hardware testing, integration and development, communication link and protocol design, embedded development, assembly programming and traditional IT development. Relying on this R&D and application background in traditional basic disciplines, he seamlessly connects traditional network security, Internet of Things security, Internet of Vehicles security, industrial control security and other fields. He is good at gaining in-depth insight into the nature of information security from the bottom layer of the network, especially in the subdivisions of hardware security, chip security, firmware security, communication security and radio security. He has held important positions in a security agency, a listed company (Top 50 Chinese Private Enterprises in 2022) and a state-owned enterprise, respectively as a senior expert in Internet of Vehicles security, a senior expert in industrial control IoT security, and Chief Engineer of Automotive & Industrial Control Information Security.

02

Speech content

The following is the full text of the shorthand:

Hello everyone, I am Zhao Yaping from Hunan Internet Security.

Next, let’s start by looking downward at network security, because people in different industries may have different perceptions of the underlying security of the network. For example, for those who develop PC software, the bottom layer closest to them may be various APIs or SDKs, or calls to third-party components.

For example, for those who develop operating systems, the bottom layer closest to them may be the calls to various drivers. If you go deeper, for driver developers, the bottom layer closest to them may be the configuration of registers and related timings of various chips inside.

If we go deeper, we will enter the topic we want to share today. The first is the underlying penetration technology of chip security: fault injection technology. Let me explain here, because there are many penetration technologies at the bottom of the hardware/chip; typical ones include side channel attacks such as DPA, wireless SPA, electromagnetic/laser injection, etc. The focus of our discussion today is fault injection technology.

Next, we will discuss the radio field, which is the bottom-level scanning and penetration technology of radio security. Both issues are viewed from the lowest level. First, let’s understand the relevant technical background. The very first point is that underlying security is the cornerstone of security, because the underlying layer is actually the real cornerstone of traditional network security or digital security, hardware security and chip security.

If the underlying security is not done well, then no matter how perfect your upper-layer application or mechanism is, no matter how advanced your data confidentiality, integrity and non-repudiation algorithms are, and no matter how strong your identity authentication is, once the underlying layer is missing, your security will still not be guaranteed and you will still be vulnerable to attacks from the bottom. So it is the real cornerstone of security.

Its technology is also relatively closed. When communicating with customers, the work may mostly be routine vulnerability scanning and security detection; once exposed to this kind of underlying fault injection, ordinary customers may not care much about it, but large enterprise customers attach great importance to this kind of security. Besides its own technical concept and penetration concept, including its relatively closed penetration tools, another reason is that its tested objects are also relatively closed: the object we inject into is a chip or hardware, and its internal details are generally hard to see because manufacturers have set up many obstacles. So it is relatively closed.

At the same time, it is also relatively "de-SaaS", not cloud-service-oriented, unlike traditional network security penetration, where a computer connected to the Internet may launch an attack on the other party from anywhere in the world. Penetration testing of underlying chip security is relatively "de-cloud" and may not have a particularly large intersection with the cloud (although there will still be intersections in certain scenarios); it has many localized features. This is also the main difference between software hackers and hardware hackers.

Its testing tools and environment are also relatively imperfect. The vulnerability scanners and corresponding tools we usually see and use are quite common, but this kind of fault injector that goes deep into the bottom layer, including the radio scanning and penetration tools that will be shared later, is something people may not come into contact with very much.

In the future, as awareness of the underlying security of the network increases, companies, universities and the country have begun to pay more and more attention to this area. When interacting with many customers, the most common work is routine vulnerability scanning, vulnerability mining, and security penetration testing and assessment. In addition, many customers have already started to put effort into this type of fault injection security testing and penetration, and the effort is applied in both the offense and defense dimensions at the same time: in the attack direction they may work on penetration tools similar to attack weapons, or they may work on anti-fault-injection, the defense dimension.

Finally, there is the game between hardware hackers and hardware security attack and defense personnel, which will definitely become more intense in the future. In fact, similar fault injection penetration technologies and concepts not only play a very important role in some of our civilian industries, but are also very important in the future game of great powers, especially in military electronics technology. Of course, they are also very important for our Internet of Things, Internet of Vehicles and industrial control.

Then we start to discuss the fault injection technology of chip security. Here, we use 8 questions to guide the discussion and share the topic.

The first is the definition of fault injection for chip security. Different people may have different definitions. Our definition is this: using specific devices or tools to send highly adjustable, controllable and configurable specific fault injection signals.

Because we mainly describe chips or hardware, whereas for SQL injection the tested object may be a SQL server, our tested objects here include but are not limited to chips, hardware terminals, or a certain circuit or piece of hardware. In terms of terminals, the range is very broad, such as drones, smart door locks, mobile phones, robots and other IoT devices that everyone can think of, including IoT gateways, collectors and the like.

The fault signal sent must be specific, such as a glitch. If you send the glitch at the wrong time, it may not have any effect on the other party, and if the parameters you send out are wrong, such as the voltage being too high or too low, it may not achieve any result. So it is a specific fault injection signal, which in turn affects penetration testing behaviours against its integrity, availability and confidentiality.

As for fault injection tools, there are currently many in the industry, and the most common are professional hardware fault injectors. The Tesla small coil (little black box) that was popular before is actually a similar kind of fault injection tool.

Then there is EMC testing in traditional industries, such as EFT transient and lightning surge testers. To a certain extent, these are actually fault injectors too, but they are not in the same dimension as what we are going to share today. What we want to share today focuses on precise fault injection rather than blind injection.

Then going down to laser electron injection: for example, the recent Nobel Prize was awarded for attosecond lasers. In the future, this kind of laser injection will be even more powerful for fault injection or side channel attacks.

Then we will discuss the next 6 questions one by one. There are many features; we will focus on the ones in blue. The first is high-risk 0day vulnerabilities, because the objects we test are generally chips or hardware: either no problem is detected, or once a problem is detected it is basically very serious. For example, if a certain MCU chip is maliciously implanted with a certain Trojan, once detected, the vulnerability is actually very serious.

Then there is closedness, sensitivity and unpopularity. The so-called unpopularity means that people may not pay much attention to this area, or even if they are aware of it, they feel there is no need to make a fuss about it. However, fault injection penetration is extremely important, especially for customers with sensitive infrastructure. It is also a subset of side channel attacks. You may often have heard of side channel attacks; strictly speaking, side channel attacks are divided into many subdivided tracks, and what we are discussing today is one subset of them.

In addition, there is a strong correlation with firmware security and with precise fault injection and penetration. Put aside the concept of blind injection, because what we focus on today is accuracy. The reason we emphasize accuracy is that it is based on the firmware operation of the CPU or MCU. Therefore, a truly lethal fault injection will definitely be strongly related to the firmware of the chip under test, or to its instruction set operating mechanism; it will then rely heavily on fault injection tools, and the human factor is also very large.

For example, if the same type of object is tested using the same tool, the results obtained by different people may be different. In addition, it is a typical security field at the bottom of the network and has relatively high requirements for basic technical disciplines. Of course, other network security industries also have relatively high requirements for basic technical disciplines.

Another point is that it may subvert certain perceptions. You may know that ROM values are generally read-only, but in our penetration field, ROM values may be rewritten. This will be further analyzed below. Next we will discuss what its value is, or what harm it will cause to customers when used by teams with malicious intentions.

The first is that it provides a new type of chip security 0day vulnerability or backdoor mining method.

As we just mentioned, if a certain chip puts a 1k Trojan in a certain address segment, normal users will not be able to detect it. However, through hardware fault injection penetration measures, if your fault injection is accurate, it may overwrite its PC pointer value, or overwrite its stack value, or cause a memory overflow, causing the firmware to jump unintentionally to an unclear place. Once that place is within the range of the buried Trojan, some peripheral states of the chip will change, such as power consumption characteristics or the state of the serial port or other interfaces, because the Trojan will definitely perform some actions when running, and so the Trojan may be dug out.

The second is to verify the reliability of firmware security from another dimension at the bottom. For example, under normal circumstances if (a == 1), the permission to open the door is executed. If the developer has a strong security concept, an additional layer of judgment conditions will sometimes be added when programming, if (a == 1 && b == 2). Firmware programmed in this way can be more effective against fault injection attacks, so the reliability of firmware security can also be verified from another dimension.

In addition, it allows traditional brute force cracking to no longer be limited by the computing power of the CPU and the complexity of the encryption algorithm. As far as I know, many universities have begun to conduct chip fault injection vulnerability verification based on FPGA algorithms. It also provides a new, unconventional low-level penetration path of RAM sensitive data stack overflow and buffer overflow.

For example, if you execute a memory copy instruction, and at the moment you are copying the value of the length is refreshed through fault injection, then a memory overflow may occur, and the consequences will be very serious. Another is bypassing identity authentication permissions and encryption and decryption algorithms. This is actually somewhat similar to brute force cracking.
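As an added example, not code from the talk or from Diwang Security, here is how the two firmware-side points above (the door-open check written as `if (a == 1 && b == 2)`, and the length of a memory copy that a glitch could refresh) look when the check is written to survive a single injected bit fault. Everything in it is constructed: the constants AUTH_GRANT/AUTH_DENY and MAX_LEN, the function names, and the one-bit fault model that stands in for a real glitch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants: verdict values with maximal Hamming distance (0xA5 vs 0x5A),
 * so that no single flipped bit turns "deny" into "grant". */
#define AUTH_GRANT 0xA5u
#define AUTH_DENY  0x5Au
#define MAX_LEN    16u

/* Naive door-open check: one compare on one variable. */
int naive_unlock(uint8_t a) {
    return a == 1;
}

/* Hardened check: two independent conditions, re-evaluated in complemented
 * form, and a wide constant as the verdict so a corrupted intermediate is
 * rejected rather than silently accepted. */
int hardened_unlock(uint8_t a, uint8_t b) {
    volatile uint8_t verdict = AUTH_DENY;
    if (a == 1 && b == 2) {
        verdict = AUTH_GRANT;
    }
    /* second, inverted evaluation: if the first compare was skipped or
       corrupted, this one vetoes the result */
    if ((uint8_t)~a != (uint8_t)~1 || (uint8_t)~b != (uint8_t)~2) {
        verdict = AUTH_DENY;
    }
    return verdict == AUTH_GRANT;
}

/* Naive copy: the length is trusted as read; a glitched length overruns dst. */
int naive_copy(uint8_t *dst, const uint8_t *src, uint8_t len) {
    memcpy(dst, src, len);
    return (int)len;
}

/* Hardened copy: the length travels with its bitwise complement, the pair is
 * cross-checked, and the bound is tested twice so that one skipped branch is
 * not enough to let an oversized length reach memcpy. Returns -1 on fault. */
int hardened_copy(uint8_t *dst, const uint8_t *src, uint8_t len, uint8_t len_inv) {
    if ((uint8_t)(len ^ len_inv) != 0xFFu) return -1;  /* len or len_inv corrupted */
    if (len > MAX_LEN) return -1;
    if (len > MAX_LEN) return -1;                       /* deliberate duplicate bound check */
    memcpy(dst, src, len);
    return (int)len;
}

/* Fault model (constructed): one injected bit fault = one flipped bit in a byte. */
uint8_t flip_bit(uint8_t v, unsigned bit) {
    return (uint8_t)(v ^ (1u << (bit & 7u)));
}

/* How many of the 8 single-bit faults on `a` (from the "wrong" state a = 0,
   b = 0) make each check grant access? */
int naive_single_fault_bypasses(void) {
    int n = 0;
    for (unsigned bit = 0; bit < 8; bit++) n += naive_unlock(flip_bit(0, bit));
    return n;
}
int hardened_single_fault_bypasses(void) {
    int n = 0;
    for (unsigned bit = 0; bit < 8; bit++) n += hardened_unlock(flip_bit(0, bit), 0);
    return n;
}

/* Undisturbed copy of 4 bytes: returns the copied length, -1 on mismatch. */
int hardened_copy_valid(void) {
    uint8_t src[MAX_LEN], dst[MAX_LEN];
    memset(src, 0xAB, sizeof src);
    memset(dst, 0x00, sizeof dst);
    int n = hardened_copy(dst, src, 4, (uint8_t)~4);
    return (n == 4 && memcmp(src, dst, 4) == 0) ? n : -1;
}

/* How many of the 8 single-bit faults on a valid length of 4 does the
   hardened copy reject? (naive_copy would accept every one of them) */
int hardened_copy_faults_caught(void) {
    uint8_t src[256], dst[256];
    memset(src, 0xAB, sizeof src);
    int caught = 0;
    for (unsigned bit = 0; bit < 8; bit++) {
        uint8_t bad_len = flip_bit(4, bit);
        if (hardened_copy(dst, src, bad_len, (uint8_t)~4) < 0) caught++;
    }
    return caught;
}

int main(void) {
    printf("naive: %d of 8 single-bit faults open the door\n", naive_single_fault_bypasses());
    printf("hardened: %d of 8\n", hardened_single_fault_bypasses());
    printf("hardened_copy rejected %d of 8 glitched lengths\n", hardened_copy_faults_caught());
    return 0;
}
```

The single-compare version opens on the one fault that turns a = 0 into a = 1; the two-condition version never does, because the second variable has to be right as well, and the complemented re-check covers the case where the first branch itself is the thing the glitch skips. Carrying the length with its complement means a flipped bit in either copy is detected before memcpy runs.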

The last is to spread the penetration target from digital signal security to analog signal security. What you may often discuss is the security of some networks, which actually has a common feature: it is digital security. The chip fault injection we share today has truly spread from the field of digital security penetration to the field of analog signal security. That is to say, many IoT devices collect analog signals and use various analog sensors, and this kind of analog signal is the most sensitive to glitches and fears them the most. During the AD acquisition process, once there is a glitch, if there is no effective algorithm or filtering mechanism to avoid it, it will easily have some adverse effects.

This is a classification definition for fault injection.

There are four main classification methods. The first is classification according to the contact method, which should be easy to understand: wired and wireless. If wired, various probes or test clips of the fault injector need to be connected to the device under test. If wireless, it will be similar to this kind of small black box, or even electromagnetic pulse weapons like sunspots, which are similar to this kind of wireless fault injection.

If divided according to the object of the chip under test, it is mainly divided into interface communication chips, logic gate control chips and arithmetic processing chips.

The blue fonts are the computing processing chips we will focus on today, including but not limited to CPU, MCU, DSP, FPGA and GPU, and then communication interface chips, including CAN bus, RS485, RS232, I2C, SPI and other peripheral interface chips. According to the properties of fault injection signals, they are divided into glitches, voltage fault injection and clock fault injection. Clock fault injection actually includes glitch power-down, so strictly speaking the division between them has ambiguities; it also includes protocol fault injection.

According to the purpose of injection, it is divided into blind injection and precise fault injection. What we will focus on today is precision. How to implement precision? It is important to be able to send out a specific fault injection signal that is adjustable, controllable and configurable. Of course, blind injection is also a feature: I just "hit" the fault injection signal in casually without knowing what effect it will have. This is also used in many testing scenarios, but knowing what can be sent and when it can be sent accurately is the key. This goes into the features of our precise fault injection.

I'm using words here conservatively. To achieve absolute accuracy, there may be some big-name manufacturers in the world that can do it, but I'm still not sure. We just say it's relatively accurate.

For accurate implementation, a high-speed triggering mechanism through hardware interrupts and signal linkage is the most suitable to achieve this accuracy. Everyone knows that triggering interrupts means that once a certain interrupt signal comes, the conditions for fault injection can be implemented.

Then there are three levels here. The most powerful level can reach the instruction cycle level. I also hope that domestic manufacturers can do this. Under normal circumstances, fault injection can be accurate to the function level, that is, it can be located: when you execute a certain function, put this fault injection signal in. Beyond that, one can enter the instruction level while ensuring the function level, because all functions are composed of instructions, and every instruction is composed of instruction cycles. For example, a certain instruction may be divided into three machine cycles. So there are three levels here. Our core purpose is not to damage, crash or reset the opponent's equipment or chips through fault injection. What we hope most is to accurately penetrate its key business, similar to a basketball game: the purpose is not to commit a flagrant foul, but to ensure accurate blocks.

We now officially enter the principle of fault injection. First, let’s take a look at the internal pictures of the MCU.

The reason we look at this picture is that practitioners at the bottom of the network have the habit of knowing as much as possible. Through the internal anatomy pictures, our fault penetration personnel can at least get one piece of information: we can know the approximate location where the fault injection effect may be best, so this picture still has a certain value.

This is an early ROM internal structure diagram.

This picture is very critical. The core of the benchmark discussed below is centered around it. Our ultimate goal, for example if we want to change its ROM value, is that the word lines and bit lines here ultimately reflect its instruction machine code. In other words, what we most hope to do is to refresh and change its bit value through precise injection, which is called a bit fault in a patent discussed later.

Let’s take a brief look, this is EEPROM.

It is also connected directly or indirectly to the core bus of the chip. Under the operation mechanism of a series of pipelines, the trigger of the chip will eventually respond to the word line or bit line.

This is a very classic 6-transistor RAM cell circuit. We also hope that its bit value, the two bit values, and even its flip-flop value can be changed when it is finally injected.

Here we first briefly understand the internal structure of these three chips.

Next is the technical feasibility analysis.

Why can fault injection succeed? Let’s briefly analyze it technically. The first reason is that the chip is highly integrated. Under the same material, the capacitance between transistors, especially the bypass capacitance of each transistor unit to ground, is very low, which creates conditions for fault injection, especially glitch injection.

Because if a glitch is injected normally, its pulse width varies with the tools of different manufacturers and can reach the picosecond and nanosecond level. A nanosecond-level glitch pulse easily penetrates and couples into the chip.

The second is that existing ESD protection devices have difficulty protecting against this kind of fault injection. You may know that many devices have protective components on the periphery, such as surge protection, TVS tubes and even ESD protection devices.

You can take a look at the technical indicators of basic ESD devices (shown in the picture above) of the first-tier American brand Littex, namely the response rate of its ESD protection device. In the picture on the left, it is 200 microseconds. What does that mean?

For example, it takes 200 microseconds to absorb a voltage of 100 volts down to 10 volts. The picture on the right may respond faster: to absorb 100 volts down to 30 volts takes 17 microseconds. However, our glitch fault injection is at the picosecond and nanosecond level, so the protection these two ESD devices provide basically has no effect on fault injection signals.

The third is low power consumption. Nowadays, many chip manufacturers are focusing on low-power design. For us as the fault injection penetration party, this is actually good news, and injection will be easier. Why? Because low power consumption means low voltage: for example, a traditional chip may require a 5V power supply, but now it becomes 3.3, 1.8 or even 1.2V. A low-voltage processor means that its threshold level is lower, with a high level at 80%: if the power supply is 3 volts, the high-level threshold may be 2.4 volts. The lower the threshold level, the lower the requirements for the glitches we inject.

The fourth is the pipelined instruction architecture. This PC pointer pipeline operation mechanism is more suitable for this kind of fault injection: fault injection triggers its PC pointer and stack overflow value, which is very suitable for this kind of injection penetration testing. This includes FPGAs; although an FPGA is not a pipelined running architecture, it is also suitable for this.

The fifth is the general lack of software algorithms and hardware protection circuits that resist fault injection. It will be mentioned below that there are already specialized chip companies that have applied for patents specifically for this kind of hardware protection circuit that resists fault injection. Because the cost is very high, ordinary chips may have no corresponding reserves for resisting fault injection, especially professional anti-fault-injection.

The last is the exposure of sensitive and fragile pins. Users or manufacturers may not be able to guarantee that many key chip positions will not leak. This is its feasibility.

Then let’s talk about its challenges.

If the feasibility just mentioned is discussed from the perspective of the "spear", now let’s take a look at the "shield" of chip manufacturers. The first is professional ESD filtering and protection circuits. What fault injection fears most is filtering, including ESD. Although the ESD just discussed may not be able to protect against it, it does not rule out that there are even some higher-end ESD protection devices with higher sensitivity that can absorb your glitches.

Then there is the write protection and read protection of the chip. A simple injection may not succeed, because it has special write protection and read protection circuits.

In addition, self-locking and atomic operation mechanisms are all implemented based on hardware circuits. To a certain extent, they are also effective in resisting fault injection.

Then there is targeted optimization of the instruction set. For example, if your instruction set is not well designed, after a certain bit is changed it can easily become another instruction. If the other instruction has an impact on your existing business, it will actually also be easy to cause harm.

Moving on to professional algorithms, this may be easy to understand. Through hashing and signature algorithm mechanisms, like the canary attack mentioned earlier, the effective defense is to calibrate it before pushing onto the stack and popping off: calculate the verification result when pushing onto the stack, and then calculate and proofread it when popping off. This is actually very effective against fault injection.
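As an added example, not code from the talk or from any chip vendor, here is the "calculate when pushed, proofread when popped" idea above as a small guarded software stack in C: each saved frame carries an integrity tag computed on push and re-checked on pop, and the depth counter is stored with its complement. A CRC-8 (polynomial 0x07) stands in for the hash or signature the speaker mentions; the type names, sizes, the sample value 0x08001234 and the bit-flip fault model are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_DEPTH 8                      /* assumed stack size */
enum { GUARD_OK = 0, GUARD_FAULT = -1, GUARD_FULL = -2, GUARD_EMPTY = -3 };

typedef struct { uint32_t value; uint8_t tag; } guarded_frame_t;
typedef struct {
    guarded_frame_t frames[STACK_DEPTH];
    uint8_t top;
    uint8_t top_inv;                       /* always ~top: a fault on either is detected */
} guarded_stack_t;

/* CRC-8 with polynomial x^8 + x^2 + x + 1 (0x07): every single-bit error changes it. */
uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (uint8_t)((crc & 0x80u) ? ((crc << 1) ^ 0x07u) : (crc << 1));
    }
    return crc;
}

/* The tag binds the saved value to its slot, so a frame that ends up in the
   wrong place because the depth counter was corrupted is rejected too. */
uint8_t frame_tag(uint32_t value, uint8_t slot) {
    uint8_t buf[5] = { (uint8_t)(value >> 24), (uint8_t)(value >> 16),
                       (uint8_t)(value >> 8), (uint8_t)value, slot };
    return crc8(buf, sizeof buf);
}

void guarded_init(guarded_stack_t *s) {
    memset(s, 0, sizeof *s);
    s->top_inv = 0xFFu;
}

/* Push: compute the verification result at the moment the value is saved. */
int guarded_push(guarded_stack_t *s, uint32_t value) {
    if ((uint8_t)(s->top ^ s->top_inv) != 0xFFu) return GUARD_FAULT;
    if (s->top >= STACK_DEPTH) return GUARD_FULL;
    s->frames[s->top].value = value;
    s->frames[s->top].tag = frame_tag(value, s->top);
    s->top++;
    s->top_inv = (uint8_t)~s->top;
    return GUARD_OK;
}

/* Pop: recompute and proofread before the value is handed back for use. */
int guarded_pop(guarded_stack_t *s, uint32_t *out) {
    if ((uint8_t)(s->top ^ s->top_inv) != 0xFFu) return GUARD_FAULT;
    if (s->top == 0) return GUARD_EMPTY;
    uint8_t slot = (uint8_t)(s->top - 1);
    if (frame_tag(s->frames[slot].value, slot) != s->frames[slot].tag) return GUARD_FAULT;
    *out = s->frames[slot].value;
    s->top = slot;
    s->top_inv = (uint8_t)~slot;
    return GUARD_OK;
}

/* Undisturbed round trip: returns the popped value, or 0 on any error. */
uint32_t scenario_roundtrip(uint32_t value) {
    guarded_stack_t s;
    uint32_t v = 0;
    guarded_init(&s);
    if (guarded_push(&s, value) != GUARD_OK) return 0;
    if (guarded_pop(&s, &v) != GUARD_OK) return 0;
    return v;
}

/* Fault model (constructed): bits of the saved value flip in RAM between push and pop. */
int scenario_bit_fault(uint32_t mask) {
    guarded_stack_t s;
    uint32_t v;
    guarded_init(&s);
    guarded_push(&s, 0x08001234u);         /* constructed sample, e.g. a return address */
    s.frames[s.top - 1].value ^= mask;
    return guarded_pop(&s, &v);
}

/* Fault model (constructed): only the depth counter is corrupted. */
int scenario_top_fault(void) {
    guarded_stack_t s;
    uint32_t v;
    guarded_init(&s);
    guarded_push(&s, 0x08001234u);
    s.top ^= 0x02u;
    return guarded_pop(&s, &v);
}

int main(void) {
    printf("round trip: 0x%08x\n", scenario_roundtrip(0x08001234u));
    printf("bit fault on saved value: %d (expect GUARD_FAULT)\n", scenario_bit_fault(1u << 5));
    printf("fault on depth counter: %d (expect GUARD_FAULT)\n", scenario_top_fault());
    return 0;
}
```

On a real MCU the same shape applies to whatever the firmware saves across a call or a privilege decision: the cost is one extra byte per frame and a few cycles per push and pop, and in return a flipped bit in the saved value, in the tag, or in the stack pointer is caught at the pop rather than silently redirecting execution.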

Finally, ASIC hardware circuits that are resistant to fault injection are the most terrifying. Let’s focus on this below.

This is a patent specifically applied for by Samsung. We also have similar patents in China. This patent is very special. Its name is "a device including safety logic and a method of operating the device". The background technology is a bit difficult to pronounce, so I won’t read it. Here is a brief summary of 4 points. They call this kind of fault injection a latent fault. The patent talks about latent faults, which are specific types of faults; latent faults are difficult for existing people and things to discover. At the same time, a latent fault has been likened to a silent malfunction that can trigger multiple failures, causing the device to experience severe performance failures.

A typical example is the bit fault in the storage area. If you are interested, you can download this patent online. It is very professional: from the comparison signal, trigger signal and delay signal, it is completely effective in preventing glitches from fault injection.

The injection process first places a professional fault injector on a designated position of the object under test. This position may be an IO pin, POWER pin or communication interface pin of the object under test, or its clock or configuration pin, depending on the specific chip or hardware. And because we want to achieve precise triggering, we will introduce its trigger signal and give it to the professional fault injector. Once a specified message or a certain message is received, or when a button is pressed, an interrupt is triggered to implement fault injection.

In short, the purpose of interrupt triggering is that we need to achieve accurate injection, hoping to achieve the expected technical goals: we hope to accurately and dynamically rewrite its ROM value, and to rewrite the contents of its designated register, RAM interval value, PC pointer value, and its push and pop stack pointer values. Converted into business goals, we hope to achieve our business goals through these technical goals, such as chip vulnerability and Trojan mining, permission bypass, sensitive information reading, identity authentication bypass, etc.

This is the signal diagram we actually injected into a certain industrial control device before (shown in the figure below). You can see that the picture on the left is +100 volts, and the picture on the right is -100 volts. This is a single glitch.

This picture shows common-mode glitches and differential-mode glitches (shown in the picture below), because during actual injection we hope to insert them at two different positions. These two positions can both be struck positive at the same time, or both negative, or one positive and the other negative. The main purpose here is to punch in the glitches in a targeted manner according to the PNP or NPN design type in the chip.

This is the power-down injection of fault injection (shown in the figure below). For power-down injection, the time can also be configured. For example, I can power down a certain chip for 1 microsecond, or for 100 microseconds.

For precise protocol trigger injection, in many cases, if we want to achieve precise triggering, we need to capture a specific message. For example, for a certain device, I input 123456 through the network or serial port. It may be a password verification business; even if the entered password is wrong, the device will execute a password verification function after receiving 123456. When you send 123456 to the object under test, the fault injection device can also receive it. At this time, configure the specified delay and then input the fault injection signal.

So a good fault injection device actually has multi-protocol collection functions. The following pictures are for Ethernet, RS232, UART, RS485, CAN bus, and LIN bus protocol trigger injection. For example, if you press the car window, the ECU controller may send a LIN bus message. Then, when the fault injector captures the message, it delays the specified time (nanosecond-level accuracy) through continuous depth testing. The purpose is to ensure that it is synchronized with the key functions of the control device under test.

"Chip Security and Radio Security Underlying Penetration Technology"

"Chip Security and Radio Security Underlying Penetration Technology"

"Chip Security and Radio Security Underlying Penetration Technology"

This is edge triggering, because in many cases there is no protocol at all. For example, when you press a button, from the circuit's point of view a line goes from high to low or from low to high, and that edge is also a triggering mechanism.

[figure: edge-triggered injection]

This is NFC contactless communication, and the purpose is the same: capture the specified contactless NFC protocol message, wait the specified delay, and then send the corresponding fault signal.

[figure: NFC protocol-triggered injection]

Next, let us look at MCU fetch timing analysis, which is also very important. Normally the path runs from a high-level language to assembly and then to machine code; the machine code and what lies beneath it is what we focus on. Here the 8051 (MCU51) core is used as the object of the instruction-fetch analysis.

[figure: 8051 instruction-fetch timing]

Briefly, there are a few key points. The first is the 12 MHz oscillator. For every single-cycle or double-cycle instruction there is a key strobe inside the chip, the ALE signal, which is generated from the oscillator. Instants 1, 2, 3 and 4 are marked in the figure above. For a single-cycle, single-byte opcode, for instance, injection is clearly effective at instant 1; the fetches that follow are dummy reads.

If we inject a clock or power-drop glitch into a chip or device, for example at instant 1, so that the supply drops early, what is the purpose? The purpose is to artificially alter the oscillator frequency so that ALE arrives early, because ALE is derived from the oscillator by frequency division. Dropping a few pulses early makes ALE arrive early, and an early ALE makes the opcode of the single-byte or double-byte cycle instruction be fetched early. One consequence of an early fetch is that the instruction decoder and the register data may not be ready yet, and the corresponding I/O or RAM location has not yet received its strobe, so the early read returns a wrong result.

Let us focus on this figure (below). There are mainly two architectures, Harvard and von Neumann. Fault injection focuses on several areas. The first is the user RAM area. As mentioned above, we hope to be able to rewrite a RAM value precisely during fault injection; even if that cannot be done precisely, we hope to rewrite it within a coarse range, which can still have a useful effect on the business logic.

[figure: Harvard and von Neumann memory layouts and fault injection targets]

At the same time, in the user CODE area, i.e. the FLASH area or the RAM area, the injection causes a bit failure. Once a bit fails, the instruction changes: what was originally a data-transfer instruction may become a jump. Now suppose there is a region of lurking Trojan code. If at that moment we happen to rewrite the PC value at random and it jumps to the entry address of that function, the object under test will show different behaviour. On the far right are the C code, the assembly code and the machine code.

Take the simplest example: if (password == 0x36), followed by two statements; the assembly code is as shown, and so is the machine code. For instance the machine code 78 98 at the far right is a single-cycle, two-byte instruction. When the device executes 78 98, the chip internally responds to the bit or word signal for that address. If we change a bit value at that moment, then where 98h would normally be loaded into R0, FFh may be loaded into R0 instead, and the series of judgements that follow are all wrong. These are some of the consequences fault injection can cause.

[figure: C source, assembly and machine code of the password check]

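As an added example (not from the talk), the following Python decodes a small set of 8051 instructions and enumerates what a single bit fault in the fetched bytes turns them into, for the two instructions in the passage above: MOV R0,#98h (78 98) and the CJNE A,#36h,rel form of the if (password == 0x36) check. The opcode subset, the use of an all-ones "stuck-high" read as a second fault model, and the +3 branch offset are my assumptions.

```python
# Added example (not from the talk): a small 8051 (MCS-51) decoder used to show what a
# single bit fault in a fetched instruction does. It covers only the opcodes needed here
# plus a few common ones; anything else decodes as "DB" (unknown).
from dataclasses import dataclass

_ALU_RN = {0x28: "ADD", 0x38: "ADDC", 0x48: "ORL", 0x58: "ANL", 0x68: "XRL", 0x98: "SUBB"}
_ALU_IMM = {0x24: "ADD", 0x34: "ADDC", 0x44: "ORL", 0x54: "ANL", 0x64: "XRL", 0x94: "SUBB"}
_COND = {0x40: "JC", 0x50: "JNC", 0x60: "JZ", 0x70: "JNZ"}


def decode(code: bytes):
    """Return (mnemonic, length_in_bytes, class) for the instruction at code[0]."""
    c = bytes(code) + b"\x00\x00\x00"   # pad so operand reads never run off the end
    op, rn = c[0], c[0] & 7

    def imm(i):
        return f"#0x{c[i]:02X}"

    def rel(i):                          # signed 8-bit PC-relative offset
        v = c[i] - 256 if c[i] > 127 else c[i]
        return f"{v:+d}"

    if op == 0x00:
        return "NOP", 1, "misc"
    if op & 0x1F == 0x01:
        return f"AJMP 0x{((op >> 5) << 8) | c[1]:03X}", 2, "branch"
    if op & 0x1F == 0x11:
        return f"ACALL 0x{((op >> 5) << 8) | c[1]:03X}", 2, "call"
    if op == 0x02:
        return f"LJMP 0x{c[1]:02X}{c[2]:02X}", 3, "branch"
    if op == 0x12:
        return f"LCALL 0x{c[1]:02X}{c[2]:02X}", 3, "call"
    if op in (0x22, 0x32):
        return ("RET" if op == 0x22 else "RETI"), 1, "call"
    if op == 0x80:
        return f"SJMP {rel(1)}", 2, "branch"
    if op in _COND:
        return f"{_COND[op]} {rel(1)}", 2, "branch"
    if op == 0xB4:
        return f"CJNE A,{imm(1)},{rel(2)}", 3, "branch"
    if op == 0xB5:
        return f"CJNE A,0x{c[1]:02X},{rel(2)}", 3, "branch"
    if 0xB8 <= op <= 0xBF:
        return f"CJNE R{rn},{imm(1)},{rel(2)}", 3, "branch"
    if 0xD8 <= op <= 0xDF:
        return f"DJNZ R{rn},{rel(1)}", 2, "branch"
    if op == 0x74:
        return f"MOV A,{imm(1)}", 2, "data"
    if 0x78 <= op <= 0x7F:
        return f"MOV R{rn},{imm(1)}", 2, "data"
    if 0xE8 <= op <= 0xEF:
        return f"MOV A,R{rn}", 1, "data"
    if 0xF8 <= op <= 0xFF:
        return f"MOV R{rn},A", 1, "data"
    if op & 0xF8 in _ALU_RN:
        return f"{_ALU_RN[op & 0xF8]} A,R{rn}", 1, "alu"
    if op in _ALU_IMM:
        return f"{_ALU_IMM[op]} A,{imm(1)}", 2, "alu"
    if op == 0xE4:
        return "CLR A", 1, "alu"
    if op == 0xF4:
        return "CPL A", 1, "alu"
    return f"DB 0x{op:02X}", 1, "unknown"


@dataclass(frozen=True)
class Fault:
    where: str      # "opcode" or "operand"
    bit: int        # flipped bit, or -1 for the stuck-high model
    faulted: str    # hex of the faulted instruction bytes
    decoded: str
    length: int
    cls: str
    desync: bool    # instruction length changed: the bytes after it are now misinterpreted


def fault_instruction(instr: bytes, follow: bytes = b""):
    """Enumerate single-bit flips in each byte of instr, plus an all-ones read of each byte.
    The all-ones ("stuck-high") value models a bus read before the data is stable; that value
    is an assumption of this example, not measured behaviour of any chip."""
    _, base_len, _ = decode(instr + follow)
    faults = []
    for idx in range(len(instr)):
        models = [(bit, instr[idx] ^ (1 << bit)) for bit in range(8)] + [(-1, 0xFF)]
        for bit, val in models:
            bad = instr[:idx] + bytes([val]) + instr[idx + 1:]
            name, length, cls = decode(bad + follow)
            faults.append(Fault("opcode" if idx == 0 else "operand", bit, bad.hex(),
                                name, length, cls, length != base_len))
    return faults


def control_flow_faults(instr: bytes, follow: bytes = b""):
    """Only the faults that turn the instruction into a branch or call."""
    return [f for f in fault_instruction(instr, follow) if f.cls in ("branch", "call")]


if __name__ == "__main__":
    mov_r0 = bytes.fromhex("7898")      # MOV R0,#98h, the talk's example
    cjne = bytes.fromhex("b43603")      # CJNE A,#36h,+3: the if (password == 0x36) compare
    for instr in (mov_r0, cjne):
        print("original:", decode(instr))
        for f in fault_instruction(instr):
            tag = "  DESYNC" if f.desync else ""
            print(f"  {f.where:7} bit {f.bit:2}: {f.faulted:6} -> {f.decoded:22} [{f.cls}]{tag}")
```

Running it shows the two failure modes the passage describes: one bit in the opcode (bit 3 of 78h) turns MOV R0,#98h into JNZ, a data transfer becoming a jump, while several other flips shorten the instruction to one byte so that the 98h operand is executed as SUBB A,R0 and everything after it is out of step; a fault on the operand or on the compare constant simply changes the value loaded or the password being compared against.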
Here are the caveats. First, the white-box penetration concept. Just as traditional network penetration begins with sniffing, here we first learn the chip model, the datasheet and what its business function is, and then sniff. Make the corresponding data backups, because it is quite likely that you will damage the chip: many chips have a self-locking mechanism, so back up the corresponding data before the penetration.

Second, zero interference with the side-channel bypass: because the wires are attached from the side, the normal operation of the existing equipment should be disturbed as little as possible while they are installed.

Risk notification: when we work with customers and do in-depth testing, we should give them feedback on the risks as far as possible.

The principle of minimal glitch injection: do not apply glitches of hundreds of volts straight away, because a sudden hit may damage the equipment.

Finally, be cautious and calm.

This is a demonstration on a demo board (figure below).

[figure: demo board]

This demonstration is an RS232-triggered fault injection performed precisely on a demo board. The function is roughly as follows. Normally this demo board has a serial echo function: I use the serial debugging assistant on the PC to send 123456 to the serial port, and it returns 123456 to the PC. The wiring is as shown (figure below). When the serial debugging assistant sends to the serial port, the fault injector receives it as well. The injector then places the glitch signal on the receive pin of the chip and injects the fault, and the injector's trigger signal is configured accordingly.

When 64 consecutive 1s are sent, both the demo board and the fault injector receive them. The debugging assistant sends in a loop every 200 milliseconds.

The environment has been set up in advance. Now set the parameters: set the trigger message, and set the delay to 202 milliseconds, because after the demo board receives the message every 200 milliseconds it needs about two milliseconds of CPU execution time.

The reason the first few seconds do not lock on is that although the PC sends periodically every 200 milliseconds, there may be a random delay of 1 to 2 milliseconds.
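As an added example (not the speaker's instrument or any vendor's code), the following Python models the protocol-triggered injection path described earlier and used in this RS232 demo: the injector sees the same serial bytes as the target, and when the trigger pattern completes it arms the glitch at the time of the last byte plus the configured delay. The 115200 baud 8N1 link, the assumption that each message is sent at k × 200 ms plus 1 to 2 ms of independent jitter, and the 2 ms processing window are my assumptions, not values from the talk.

```python
# Added example (not the speaker's tool): a software model of a protocol-triggered
# fault injector. It watches the same UART byte stream the target sees and, when the
# trigger pattern completes, arms a glitch at (end of last trigger byte) + delay.
# Assumptions (not from the talk): 115200 baud 8N1, and the sender jitter model used in
# hit_rate_for_periodic_sender().
from dataclasses import dataclass
import random

NS_PER_S = 1_000_000_000


@dataclass(frozen=True)
class Glitch:
    matched_ns: int   # when the last byte of the trigger pattern finished on the wire
    fire_ns: int      # matched_ns + configured delay


class ProtocolTrigger:
    """Streaming matcher: bytes arrive one at a time, each with a timestamp in ns."""

    def __init__(self, pattern: bytes, delay_ns: int):
        if not pattern:
            raise ValueError("pattern must be non-empty")
        self.pattern = pattern
        self.delay_ns = delay_ns
        self._window = bytearray()

    def feed(self, byte: int, t_ns: int):
        """Return a Glitch when the pattern completes with this byte, else None."""
        self._window.append(byte)
        if len(self._window) > len(self.pattern):
            del self._window[0]
        if bytes(self._window) == self.pattern:
            self._window.clear()   # re-arm for the next message
            return Glitch(matched_ns=t_ns, fire_ns=t_ns + self.delay_ns)
        return None


def uart_byte_end_ns(start_ns: int, index: int, baud: int, bits_per_byte: int = 10) -> int:
    """End time of the index-th byte of a burst (8N1: start + 8 data + stop = 10 bits)."""
    bit_ns = round(NS_PER_S / baud)
    return start_ns + (index + 1) * bits_per_byte * bit_ns


def run_trigger(pattern: bytes, payload: bytes, delay_ns: int, baud: int = 115200,
                start_ns: int = 0):
    """Feed a whole payload through the matcher; return the first armed Glitch or None."""
    trig = ProtocolTrigger(pattern, delay_ns)
    for i, b in enumerate(payload):
        g = trig.feed(b, uart_byte_end_ns(start_ns, i, baud))
        if g is not None:
            return g
    return None


def glitch_hits(next_arrival_ms: float, exec_ms: float, delay_ms: float) -> bool:
    """Glitch armed at t=0 from the previous message: does it land while the target is
    busy with the next message, which arrives at next_arrival_ms and runs for exec_ms?"""
    return next_arrival_ms <= delay_ms <= next_arrival_ms + exec_ms


def hit_rate_for_periodic_sender(period_ms=200.0, jitter_ms=(1.0, 2.0), exec_ms=2.0,
                                 delay_ms=202.0, trials=2000, seed=1) -> float:
    """Model (assumption): message k is sent at k*period + U(jitter), independently per send.
    Each glitch is armed from message k and must hit message k+1's processing window."""
    rng = random.Random(seed)
    arrivals = [k * period_ms + rng.uniform(*jitter_ms) for k in range(trials + 1)]
    hits = sum(glitch_hits(arrivals[k + 1] - arrivals[k], exec_ms, delay_ms)
               for k in range(trials))
    return hits / trials


if __name__ == "__main__":
    g = run_trigger(b"123456", b"123456", delay_ns=202_000_000)
    print(f"pattern complete at {g.matched_ns} ns, glitch fires at {g.fire_ns} ns")
    print(f"hit rate with 1-2 ms sender jitter: {hit_rate_for_periodic_sender():.2f}")
```

Two things the code makes explicit. The delay counts from the end of the last trigger byte, so at 115200 baud the six bytes of 123456 occupy roughly half a millisecond before the target can even start its check, and a trigger on the first byte would need that added to the delay. And when the 202 ms is measured from the previous message, per-send jitter moves the next message relative to the glitch; in this model only about half of the glitches land in the processing window, which is the kind of intermittent lock-on the demo shows.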

Now let us look at another field. Radio is also very important. We discuss radio mainly from the lowest link layer; the encryption, decryption and authentication mechanisms of the upper application layer are not discussed today.

[figure: radio security overview]

The first thing is the tool. Even the cleverest housewife cannot cook without rice: for radio scanning and penetration this tool is indispensable. Unlike earlier tools, where you could simply install a piece of software on a PC and scan, here you must rely on an independent peripheral hardware device, which we call a radio scanning penetrator.

At present there are two main types of radio penetration instrument: SDR, i.e. open-source software-defined radio, and radios built specifically in hardware, which are generally used in high-performance military-industrial settings.

SDR, software-defined radio, has this characteristic: the hardware has been prepared by the manufacturer and we only need to do the software programming, which relies heavily on the computing power of the CPU, on algorithm efficiency and on memory performance, because encoding and decoding are done in software.

As for hardware-defined radio (HDR), its main features are less CPU involvement, strong stability and reliability, and very high transmission rate and decoding efficiency.

Next we focus on the processing of IQ (quadrature) signals. We will not discuss the development tools, such as LabVIEW, GNU Radio or MATLAB, nor the development language. This is a very classic figure (below). Traditional radio transmission is simply brute force: a long time ago the modulating signal and the carrier were directly multiplied and the product was sent out.

[figure: direct multiplication versus IQ modulation]

IQ modulation is different. It shifts the modulating signal and the carrier by 90 degrees respectively, turning sin into cos, and then adds the two products together, so the radio-frequency signal is sent out directly as a single sideband.
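As an added numerical example (not from the talk), the following Python shows the single-sideband point above: with a complex baseband tone, I*cos(wc t) - Q*sin(wc t) puts all of the energy at fc + fm, whereas plain multiplication of the real tone by the carrier puts half at fc - fm and half at fc + fm. The sample rate, carrier and tone frequencies are my choices, picked so that each frequency sits on an exact DFT bin.

```python
# Added example (not from the talk): why I/Q (quadrature) upconversion yields a single
# sideband while direct multiplication by the carrier yields two. Pure-Python DFT at a
# few bins; all parameters below are chosen by me so the tones land on exact bins.
import math

FS = 2000      # sample rate (Hz); one second of samples gives 1 Hz bins
FC = 300       # carrier (Hz)
FM = 40        # baseband tone (Hz)
N = FS


def baseband_iq(n=N, fs=FS, fm=FM):
    """Complex baseband tone exp(j*2*pi*fm*t) as (I, Q) = (cos, sin)."""
    i = [math.cos(2 * math.pi * fm * k / fs) for k in range(n)]
    q = [math.sin(2 * math.pi * fm * k / fs) for k in range(n)]
    return i, q


def dsb_upconvert(i, fs=FS, fc=FC):
    """'Brute force': multiply the real modulating signal by the carrier."""
    return [i[k] * math.cos(2 * math.pi * fc * k / fs) for k in range(len(i))]


def iq_upconvert(i, q, fs=FS, fc=FC):
    """Quadrature upconversion: I*cos(wc t) - Q*sin(wc t)."""
    return [i[k] * math.cos(2 * math.pi * fc * k / fs)
            - q[k] * math.sin(2 * math.pi * fc * k / fs)
            for k in range(len(i))]


def dft_magnitude(x, freq_hz, fs=FS):
    """|X(f)| / N at a single bin (direct DFT; fine for a handful of bins)."""
    n = len(x)
    re = sum(x[k] * math.cos(2 * math.pi * freq_hz * k / fs) for k in range(n))
    im = -sum(x[k] * math.sin(2 * math.pi * freq_hz * k / fs) for k in range(n))
    return math.hypot(re, im) / n


def sideband_levels(rf, fs=FS, fc=FC, fm=FM):
    """Return (lower, upper): magnitudes at fc - fm and fc + fm."""
    return dft_magnitude(rf, fc - fm, fs), dft_magnitude(rf, fc + fm, fs)


if __name__ == "__main__":
    i, q = baseband_iq()
    print("direct multiply  lower/upper:", sideband_levels(dsb_upconvert(i)))
    print("I/Q upconvert    lower/upper:", sideband_levels(iq_upconvert(i, q)))
```

With a unit-amplitude tone, a real cosine shows 0.5 at its bin, so direct multiplication gives 0.25 in each sideband while the I/Q path gives 0.5 in the upper sideband and nothing in the lower one; swapping the sign of Q would select the lower sideband instead.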

The key technical indicators fall into two aspects, hardware and algorithm. On the hardware side: spectrum coverage, RF distortion and so on. Generally these are looked at from the R&D engineer's perspective; users rarely come into contact with them. Then there is the channel bandwidth. Different scenarios need different bandwidths, and bandwidth here is not like the bandwidth of your home Internet connection, where wider is better; depending on the scenario, narrower can be better, because a narrower bandwidth means the incoming signal is purer. Also baseband filtering performance and signal gain control (AGC and MGC).

[figure: key technical indicators of a radio scanning penetrator]

Then the linearity and accuracy of the baseband signal, and especially the sampling rate of the baseband signal, which to a certain extent directly determines the performance of the scanning penetrator.

Next is its driver algorithm. This performance is actually very important and is reflected mainly in the software layer. These are some key points of radio security, namely spectrum security.

The other is modulation security and coding security. This technology is also very important. Good modulation and demodulation technology can effectively resist co-channel interference attacks, especially in baud-rate and code-rate transmission; this reflects the instrument's technical strength.

[figure: modulation and coding security]

The design of communication security is somewhat similar to traditional security, so I won’t go into details.

This is a reverse analysis of the wireless signal of a certain car model (figure below). When the key fob's lock button is pressed it transmits 4 frames, with an interval of about 4 milliseconds between frames. The left picture is an enlargement of the first frame; it is basically a repeating ASK modulation which, decoded as NRZ, is basically 101010.... The right picture is a partial enlargement: 433.75 MHz, ASK with 100% modulation depth, baud rate 2.8 kbps. During testing we found that it was not stable. The bottom picture is the raw baseband signal.

[figure: key fob lock signal: 4 frames, first frame enlarged, spectrum and raw baseband]

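As an added example (not the speaker's tool), the following Python is the kind of on-off-keying decoder used to turn a capture like the one above into bits: split the envelope into bursts, slice each burst at the bit centre (NRZ), and report the gap before each frame. The envelope it decodes is constructed in make_envelope() from the talk's parameters (2.8 kbit/s, 4 repeated frames, gaps of about 4 ms); the 56 kHz envelope sample rate, the frame contents and the noise level are my assumptions.

```python
# Added example (not from the talk): an ASK 100% (on-off keying) baseband decoder of the
# kind written when reverse-engineering a key fob. The input is a constructed envelope
# (magnitude) sample array built by make_envelope(), not a real capture.
import random

FS = 56_000                         # envelope sample rate (Hz), assumed
BIT_RATE = 2800                     # 2.8 kbit/s from the analysis above
SAMPLES_PER_BIT = FS // BIT_RATE    # 20


def make_envelope(frames, gap_ms=4.0, fs=FS, spb=SAMPLES_PER_BIT, noise=0.05, seed=7):
    """Constructed test signal: each frame is a bit string sent NRZ/OOK (1 = carrier on),
    frames separated by gap_ms of silence, with a little amplitude noise added."""
    rng = random.Random(seed)
    gap = [0.0] * int(round(gap_ms * fs / 1000))
    out = list(gap)
    for bits in frames:
        for b in bits:
            out.extend([1.0 if b == "1" else 0.0] * spb)
        out.extend(gap)
    return [max(0.0, min(1.0, v + rng.gauss(0, noise))) for v in out]


def find_bursts(env, threshold=0.5, min_gap_samples=SAMPLES_PER_BIT * 3):
    """Return (start, end) sample ranges; silence longer than min_gap_samples ends a burst."""
    bursts, start, last_on = [], None, None
    for k, v in enumerate(env):
        if v > threshold:
            if start is None:
                start = k
            last_on = k
        elif start is not None and k - last_on > min_gap_samples:
            bursts.append((start, last_on + 1))
            start = None
    if start is not None:
        bursts.append((start, last_on + 1))
    return bursts


def slice_bits(env, start, end, spb=SAMPLES_PER_BIT, threshold=0.5):
    """NRZ slicing: sample the envelope at the centre of each bit period."""
    bits = []
    k = start + spb // 2
    while k < end:
        bits.append("1" if env[k] > threshold else "0")
        k += spb
    return "".join(bits)


def decode_frames(env, fs=FS):
    """Return a list of (bits, gap_before_ms) for each burst; the first gap is None."""
    result, prev_end = [], None
    for start, end in find_bursts(env):
        gap_ms = None if prev_end is None else (start - prev_end) * 1000 / fs
        result.append((slice_bits(env, start, end), gap_ms))
        prev_end = end
    return result


def fingerprint(frames):
    """Join the decoded frames so a fob can be recognised and its burst re-sent later."""
    return "|".join(bits for bits, _ in frames)


if __name__ == "__main__":
    env = make_envelope(["101010100110101"] * 4)
    for bits, gap in decode_frames(env):
        print(f"gap {gap} ms  bits {bits}")
```

A frame must start and end with a carrier-on bit for this simple burst splitter to delimit it: trailing zeros are indistinguishable from the inter-frame gap, which is one reason real fobs carry a preamble and a fixed length. The fingerprint() string is what a tracker compares to recognise a given fob (t1, t2 in the video) and what a replay sends back.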
Finally, we end the sharing with a video. The first demonstration is tracking. This is the radio scanning penetrator, and this is the signal capture window. When I press key t1, the penetrator sends the corresponding information to this window.

Press the lock button. The prompt above indicates that t1 has been tracked, and the 1010 below matches the 4-frame picture we analysed just now. This is key t2; you can see that the fingerprint of t2 has also been tracked. Now add interference. At first, without interference, pressing the car-finder button makes the car respond. Then the interference command for key t1 is issued, which means that if t1 presses the car-finder button again, the car should not be found.

This ends my sharing, thank you.


Source: blog.csdn.net/qq_18209847/article/details/134621204