<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Emfi on Colin O'Flynn</title><link>https://colinoflynn.com/tag/emfi/</link><description>Recent content in Emfi on Colin O'Flynn</description><generator>Hugo</generator><language>en-ca</language><lastBuildDate>Sat, 18 Feb 2023 02:07:08 +0000</lastBuildDate><atom:link href="https://colinoflynn.com/tag/emfi/index.xml" rel="self" type="application/rss+xml"/><item><title>BAM BAM!! On Reliability of EMFI for in-situ Automotive ECU Attacks</title><link>https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/</link><pubDate>Sun, 08 Nov 2020 21:50:11 +0000</pubDate><guid>https://colinoflynn.com/2020/11/bam-bam-on-reliability-of-emfi-for-in-situ-automotive-ecu-attacks/</guid><description>&lt;p&gt;This post is a summary of some work on an accepted paper for ESCAR EU 2020. This work was demonstration on certain NXP chips &amp;amp; GM ECUs, but the idea of both the attack &amp;amp; understanding how portable results are is applicable across the entire domain.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;NOTE TO CAR TUNERS: I won&amp;rsquo;t perform this for hire on your ECU,&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;please don&amp;rsquo;t email me asking this.&lt;/em&gt; &lt;em&gt;&lt;strong&gt;The cost for me to do this type of work under hire would also be many times the HPTuners fee,&lt;/strong&gt;&lt;/em&gt; &lt;em&gt;and without any of of the actual tuning interface (I&amp;rsquo;m only attacking the bootloader, I never ever built a reflash tool that would be needed, yet alone the mapping work etc).&lt;/em&gt;&lt;/p&gt;</description></item><item><title>Glitching Trezor using EMFI Through The Enclosure</title><link>https://colinoflynn.com/2019/03/glitching-trezor-using-emfi-through-the-enclosure/</link><pubDate>Wed, 06 Mar 2019 15:13:45 +0000</pubDate><guid>https://colinoflynn.com/2019/03/glitching-trezor-using-emfi-through-the-enclosure/</guid><description>&lt;p&gt;As mentioned on the &lt;a href="https://blog.trezor.io/details-of-security-updates-for-trezor-one-firmware-1-8-0-and-trezor-model-t-firmware-2-1-0-408e59dc012"&gt;Trezor blog post&lt;/a&gt;, their latest security patch fixes a flaw I disclosed to them in Jan 2019. This flaw meant an attacker with physical access to the wallet can find the recovery seed stored in FLASH, and leave no evidence of tampering.&lt;/p&gt;
&lt;p&gt;This work was heavily inspired by the &lt;a href="http://wallet.fail"&gt;wallet.fail&lt;/a&gt; disclosure - I&amp;rsquo;m directly dumping FLASH instead of forcing the flash erase then dumping from SRAM, so the results are the same but with a different path. It also has the same limitations - if you used a password protected recovery seed you can&amp;rsquo;t dump that.&lt;/p&gt;</description></item></channel></rss>