#### The Forgotten Threat of Voltage Glitching: A Case Study on Nvidia Tegra X2 SoCs

Otto Bittner\*§, Thilo Krachenfels\*§, Andreas Galauner<sup>†</sup>, Jean-Pierre Seifert\*<sup>‡</sup>

\* Technische Universität Berlin, Chair of Security in Telecommunications † Independent Researcher ‡ Fraunhofer SIT

§ These authors contributed equally to this work



FDTC 2021

# Outline

- 1. Motivation & Threat model
- 2. Voltage glitching Background
- 3. Attack recipe
- 4. Attack steps and results
- 5. Conclusion

# Motivation

- Complex SoCs used in safety-critical applications
- Physical access by an attacker often possible
- Vendors must consider device tampering



# Threat Model

- Voltage fault injection (FI) around for more than 20 years
- Can be used to influence the device
  - Corrupt of data values
  - Skip security checks
  - Enter protected code paths
- Commercial SoCs are often not protected against such

attacks (e.g., Nintendo Switch hack)

# Background: Voltage Glitching

- Idea: Over- or undervolting supply voltage
- Here: Undervolting using a Crowbar circuit
  - Short circuit of voltage rail and ground
- DUT operated out of the rated supply voltage levels
- Errors in the computation occur



# Attack Overview



# Voltage FI Recipe

Recipe for FI identified in this work:

- Step 1 Determining the feasibility of FI
- Step 2 Identifying the FI target and a success indicator
- Step 3 Finding a trigger signal
- Step 4 Finding glitch parameters
- Step 5 Generating target payload

# Voltage FI Recipe

Recipe for FI identified in this work:

- Step 1 Determining the feasibility of FI
- Step 2 Identifying the FI target and a success indicator
- Step 3 Finding a trigger signal
- Step 4 Finding glitch parameters
- Step 5 Generating target payload

# Step 1: FI Feasibility – Code Execution X2 Boot Flow

- Separate boot processor: BPMP
- Two privilege levels
- BootROM  $\rightarrow$  Root of trust
- MB1  $\rightarrow$  Update mechanism
- MB2  $\rightarrow$  Device initialization



#### Step 1: FI Feasibility – Code Execution Build Custom MB2

- Setup Cross Compilation Toolchain
- Find correct base address rbasefind
- Study TRM  $\rightarrow$  UART & GPIO output

#### Step 1: FI Feasibility – Hardware Preparation Basic Fault Injection Setup

- Control PC  $\rightarrow$  Parse X2 traffic
- FPGA  $\rightarrow$  Control glitch, reset X2
- $X2 \rightarrow DUT$
- Uses Thomas Roth's chipfail-glitcher<sup>1</sup>



#### Step 1: FI Feasibility – Hardware Preparation Crowbar Circuit





#### Step 1: FI Feasibility – Hardware Preparation Measurement Setup



#### Step 1: FI Feasibility – Hardware Preparation Power Domains

- Multiple power domains
- MB1 receives config: BCT
- BCT can change PMIC configs
- Lots of comments!

```
# CFG Version 1.0
     # This is the empty CFG files for PMIC rail configuration
     # This contains the PMIC commands in MB1.
    #define TEGRA18x MB1 POWER RAIL GENERIC 1
 4
     #define TEGRA18x MB1 POWER RAIL CPU
                                          2
 5
     #define TEGRA18x MB1 POWER RAIL CORE
                                           3
     #define TEGRA18x MB1 POWER RAIL SRAM
                                           4
    #define TEGRA18x MB1 POWER RAIL GPU
                                          5
 8
    #define TEGRA18x MB1 POWER RAIL MEMIO
 9
     #define TEGRA18x MB1 POWER RAIL THERMAL CONFIG 7
10
     #define TEGRA18x MB1 POWER RAIL SHUTDOWN CONFIG 8
11
     #define TEGRA18x MB1 POWER RAIL MAX 9
12
13
14
     # ....
15
16
     pmic.core.3.block-count = 3;
17
18
    # 1. Set 950mV voltage.
19
     pmic.core.3.block[0].type = 2: # PWM Type
20
    pmic.core.3.block[0].controller-id = 5; #GP PWM6
21
    pmic.core.3.block[0].source-frq-hz = 102000000; #102MHz
22
23
     pmic.core.3.block[0].period-ns = 2600; # 384K is period.
    pmic.core.3.block[0].min-microvolts = 710000;
24
     pmic.core.3.block[0].max-microvolts = 1150000;
25
    pmic.core.3.block[0].init-microvolts = 950000;
26
    pmic.core.3.block[0].enable = 1;
27
```

#### Step 1: FI Feasibility – Hardware Preparation Power Domains – Identified Voltage Rails



### Step 1: FI Feasibility – Proof of Concept

- Run fault-sensitive code in MB2
- Three independent counters
- Expected Result: !100 100 1000\n

```
void tightly_coupled_loops(){
volatile int ctr = 0;
for(int i = 0; i < 100; i++){
for(int j = 0; j < 100; j++){
for(int j = 0; j++){
```

#### Step 1: FI Feasibility – Proof of Concept Success!

- Code is glitchable
- Other examples in paper

(jump out of loop, change branch dir.)

| Offset (us) | Pulse Length (us) | Response               |
|-------------|-------------------|------------------------|
| 0           | 11.05             | '!100 - 100 - 12375\n' |
| 0           | 11.06             | '!100 - 100 - 10134\n' |
| 0           | 11.07             | '!100 - 100 - 10158\n' |
| 0           | 11.08             | '!100 - 100 - 10153\n' |
| 0           | 11.09             | '!100 - 100 - 10251\n' |
| 0           | 11.10             | '!100 - 100 - 10142\n' |

# Voltage FI Recipe

- Step 1 Determining the feasibility of FI 🗸
- Step 2 Identifying the FI target and a success indicator
- Step 3 Finding a trigger signal
- Step 4 Finding glitch parameters
- Step 5 Generating target payload

#### Step 2: FI Target and Success Indicator X2 Boot Flow

- MB2: Unprivileged
- MB1: Encrypted & Signed
- BootROM: Read-protected?



#### Step 2: FI Target and Success Indicator BootROM Readability

- Most of BootROM is non-readable
- including: NVBOOT\_IROM\_SECRET\_STORAGE
- 1 kilobyte of data is readable

#### Step 2: FI Target and Success Indicator BootROM Reversing

#### Leaked Source Code on GitHub $\rightarrow$ X1 (T210) and X1+ (T214)

#### backup-organization/mariko-bootrom nvboot/core/startup/boot0c.c

- 11 //#include "arbpmp\_atcmcfg.h"
- 12 #include "arsecure\_boot.h"
- 13 #include "project.h"
- 14 #include "nvboot\_hardware\_access\_int.h"
- C Showing the top match Last indexed on Mar 27

Ø zerospace-nx/switch-bootroms

bootroms/mariko-t214-bootrom/nvboot/core/bpmp/nvboot\_bpmp.c

- 41 //#include "arscratch.h"
- 42 #include "nvrm\_drf.h"
- 43 //#include "arbpmp\_atcmcfg.h"
- 44 //#include "armiscreg.h"
- 45 //#include "artsa.h"

C Showing the top match Last indexed on Apr 23

#### Step 2: FI Target and Success Indicator BootROM Reversing

- Hidden UART Bootloader
- Deactivated using fuses
- No security checks
- Highest privilege

#### Step 2: FI Target and Success Indicator Software Target

| is_fam: | returns 0   |      |
|---------|-------------|------|
| is_ppm: | returns 0   |      |
| success | desired bra | anch |

| 1  | push {    | fp, lr}      |
|----|-----------|--------------|
| 2  | bl is     | fam          |
| 3  | cbz r0    | , is not fam |
| 4  |           |              |
| 5  | is fam or | ppm:         |
| 6  | bl        | is_ppm       |
| 7  | cbnz      | r0, exit     |
| 8  | b         | success      |
| 9  |           |              |
| 10 | is not fa | m :          |
| 11 | bl        | is ppm       |
| 12 | cmp       | r0, #0       |
| 13 | bne       | is fam or pp |
| 14 |           |              |
| 15 | exit:     |              |
| 16 | pop       | {fp, pc}     |
|    |           |              |

#### Step 2: FI Target and Success Indicator Software Target

| is_fam: | returns 0     |      |
|---------|---------------|------|
| is_ppm: | returns 0     |      |
| success | : desired bra | anch |



#### Step 2: FI Target and Success Indicator Success Indicator

After entering desired branch:

| 1 | <pre>NvBootUartSetupStack();</pre>                               |  |
|---|------------------------------------------------------------------|--|
| 2 | <pre>PromptMsg = "\n\rNV Boot T186 WXYZ.HIJK\n\rFail\n\r";</pre> |  |
| 3 | <pre>NvBootUartInit(param 1,(int *)0x0);</pre>                   |  |
|   | <pre>NvBootUartPollingWrite(PromptMsg,0x1a,&amp;sStack64);</pre> |  |

# Voltage FI Recipe

- Step 1 Determining the feasibility of FI
- Step 2 Identifying the FI target and a success indicator 🗸
- Step 3 Finding a trigger signal
- Step 4 Finding glitch parameters
- Step 5 Generating target payload

# Steps 3 and 4: Glitching the target

Success #2!

- Entered UART Bootloader with:
  - Offset: 2.6338 ms

Pulse: 11.32 µs

• Repeatable within < 10 seconds

# Voltage FI Recipe

- Step 1 Determining the feasibility of FI 🗸
- Step 2 Identifying the FI target and a success indicator 🗸
- Step 3 Finding a trigger signal 🗸
- Step 4 Finding glitch parameters 🗸
- Step 5 Generating target payload

# Attack Overview - Revisited

| Device Under Test      | Goal                           | Outcome                                                                                |
|------------------------|--------------------------------|----------------------------------------------------------------------------------------|
| <image/> <text></text> | Leak Read-Protected<br>BootROM | Privileged Code Exec.<br>Leaked Decryption<br>Keys<br>Leaked Read-Protected<br>BootROM |

# Conclusion

- Manufacturers should not forget attacks that are around for more than 20 years
- Do not ship debug bootloaders unprotected against reactivation via fault injection
- Implement glitching detection/countermeasures



Preprint: https://arxiv.org/abs/2108.06131

# References

- [1] <u>https://i.ytimg.com/vi/1tWqlM8uULc/maxresdefault.jpg</u> (15.08.21)
- [2] <u>https://docs.nvidia.com/jetson/archives/l4t-archived/l4t-3231/Tegra%20Linux%</u> 20Driver%20Package%20Development%20Guide/images/image2\_6.png (15.08.21)
- [3] Nvidia Corp., Technical Reference Manual Nvidia Parker Series SoC, v1.0p (Jun. 2017)

# Thank you for your attention!