Jarrett Ranier Turns to 555 Timers to Dump Protected STM8 Firmware Through Voltage Glitching
Maker Jarrett Rainier has come up with an unusual solution to voltage glitching as a means of dumping otherwise-protected firmware from interesting devices: turning a pair of 555 timers into monostable pulse generators to glitch then dump an STM8.
"I first learned about [voltage glitching] in connection with the Chip Whisperer, which is an FPGA-based board with all the bells and whistles," Rainier explains. "It’s quite expensive, and like any other situation where you add an FPGA, very complicated. Naturally, that has elevated it to a level above what mere mortals can perform in the limited free time we have."
To perform voltage glitching — which forces a fault by either injecting additional voltage or starving the device of voltage at a specific time, causing it to skip operations — you need accurate timing. The Chip Whisperer handles that, and more, but there are other approaches - including using a microcontroller.
"The logical way to do this would be to use an external microcontroller to wait for the programmer to reset the system, wait a set period of time, and then trigger the output transistor to glitch the voltage rail," Rainier explains. "That’s boring! You know what else can do that? That’s right, a pair of 555s.
"[I used] two 555s set up as monostable pulse generators. The input is the RST line on the STM8 programmer. The first 555 then sets the delay. The second 555 sets the length of the output pulse. Both of these timings are controller by a different potentiometer. These then go to a MOSFET that dumps the energy stored in the internal voltage regulator cap."
After proving the concept, Ranier swapped the standard 555 timers for high-speed LMC555 variants — capable of a minimum pulse width of 10ns compared to 10µs for a standard 555 — and set about dumping firmware from an STM8. "It took about 45 minutes of fiddling with the knobs until all its secrets were unlocked," Ranier admits.
"I’d sweep the right knob the whole way, then tweak the left knob very slightly, then sweep the right knob again. It only really worked because the knobs only had to be within the right range for a very brief period of time. It only had to work once. Would this have been easier with a microcontroller? Oh yes, of course. But that’s not nearly as interesting."
Rainer's full write-up is available on his website, though source code and schematics have not yet been released.