In glitching there is a lot of practical knowledge that is either unwritten or scattered across sparse, disconnected notes. To glitching practitioners this knowledge seems obvious, but it is essential to beginners. Here I collect advice and wisdom that various people across the glitching/hacking community have shared with me. Hopefully this can serve as a guide for newcomers to the field, or for dabblers.
Target Acquired
With the desired target in hand or in mind, the first thing to do is research. Buy multiples (3-5 is a good rule of thumb) of the target just in case, making sure to get the same version of each. Then try looking up the target on the internet with keywords such as "exploit", "hacked", etc. With any luck, someone will have already cracked the target, or at least an integral component of it such as the microcontroller. Otherwise, congratulations (or condolences?): the target is a new frontier, ripe for hacking.
Tutorial in Tandem
If there's a tutorial accompanying the results of a hack, then just follow it! Idk what more to say on that matter. Be warned that tutorials can sometimes be rather obtuse, with vague instructions or missing steps. This usually comes from assuming a certain level of knowledge on the reader's part. Anytime we come across these instruction gaps, we will document the steps we took to fill them.
Starting from Scratch
This is where things get tricky and experimental. As a good scientist, the first instinct is to simplify as much as possible: remove as many confounding variables as you can. The following advice comes from in-person conversations with Travis Goodspeed, and also from The Hardware Hacking Handbook.
- Find the datasheet for the target IC
The datasheet contains vital information about the target's normal operating clock frequency, temperature, and voltage ranges. Use these values to inform the glitch parameter ranges for testing.
- Try to find a development board/kit for the target IC
This type of board/kit has an unlocked version of the IC, allowing it to be flashed with new firmware/programs. This is a great place to start vulnerability hunting. Buy multiples (3-5 rule of thumb), because some of them will inevitably die in the quest, or go out of production.
- If a dev board is not available, try to find just the target IC for sale
Ideally a dev board already exists, but sometimes it doesn't. In that case, finding only the target IC for sale is fine, but it requires some electrical engineering, since the dev board now has to be built from scratch as well. Usually the datasheet for an IC includes an example schematic for a bare-bones board.
- Flash a simple program onto the IC
Write and compile a very simple program (for example, a loop that prints "Hello World" 500 times, or a nested for loop that counts up to 1000), then flash it to the IC. Keeping the program very simple is good for postmortem analysis; otherwise it can be hard to tell where something went wrong. Turn on the board, connect to minicom (or similar), and watch the program run to verify it works.
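As an added example (not code from the original notes), here is the kind of test program this step describes: a nested loop that counts up with volatile counters, a progress marker on the serial console, and a final check that the count came out right. The names count_loops and check_count are this example's own; on a real target, printf/putchar would be swapped for the board's UART output routine.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed test program in the spirit of the "nested for loop that counts
 * up to 1000" step. Names (count_loops, check_count) are this example's own.
 * The volatile counters keep the work inside the loops; without them the
 * compiler folds the whole thing into a single multiplication and there is
 * nothing left for a disturbance to land on. */
#define OUTER 1000u
#define INNER 1000u

/* Runs the nested loop and returns the final count. Every 100 outer
 * iterations a '.' goes to the console (minicom), so if the board hangs or
 * resets, the last marker in the log roughly localizes when it happened. */
uint32_t count_loops(uint32_t outer, uint32_t inner)
{
    volatile uint32_t i, j, count = 0;
    for (i = 0; i < outer; i++) {
        if (i % 100 == 0)
            putchar('.');
        for (j = 0; j < inner; j++)
            count++;
    }
    return count;
}

/* Postmortem check: 0 if the count is what it should be, 1 if not.
 * A wrong count with no reset or hang is the outcome to look for. */
int check_count(uint32_t got, uint32_t outer, uint32_t inner)
{
    return (got == outer * inner) ? 0 : 1;
}

int main(void)
{
    /* Markers before and after the loop make the three outcomes (completed,
     * hung, reset) distinguishable in the serial log. */
    printf("start\n");
    uint32_t c = count_loops(OUTER, INNER);
    if (check_count(c, OUTER, INNER) == 0)
        printf("\nok count=%lu\n", (unsigned long)c);
    else
        printf("\nFAULT count=%lu expected=%lu\n",
               (unsigned long)c, (unsigned long)(OUTER * INNER));
    return 0;
}
```

Run on a host PC this always reports ok; the point is that a wrong count, a missing "ok" line, or a log that restarts at "start" on the target each tell you something different in postmortem, which is why the program is kept this simple.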
Getting the Glitch
With the target prepared and simplified as much as possible (if at all), glitching can begin!
- Replace the power source
However the board is connected to power (barrel connector, USB, etc.), replace it with a controllable power source such as a bench DC power supply. This may require some soldering of wires. It is always good to have as much control over the setup as possible.
- Start removing decoupling capacitors
Turn off the board and desolder a decoupling capacitor. Turn on the board, connect to minicom, and watch the behavior. Repeat until the board crashes on startup, then reattach the most recently removed decoupling capacitor to bring the board back to a just-stable state. Making the board less stable than ideal makes it more susceptible to glitches.
- Inject more instability
Sometimes just removing the decoupling capacitors is not enough to destabilize the board to the point of being glitch ready. Make the board uncomfortable by raising or lowering its temperature outside the normal operating range (see the datasheet), or by slightly underpowering it (e.g. giving it 2.9V instead of the specified 3.3V).
- Begin glitching
Now that the IC is slightly unstable, glitching can start. The easiest and most cost-effective methods are clock glitching and voltage glitching. With newer ICs, voltage glitching is more feasible, as the clock is increasingly internal to the IC and therefore inaccessible. Older embedded systems, however, usually have an external clock which can be used for clock glitching. Use the normal operating parameters from the datasheet to make an initial guess at the glitch parameters, potentially going ±10% outside that range. If initial glitch attempts with large parameter ranges are not even remotely affecting the board, then more instability may be needed (see above).