Comment by boznz
2 days ago
It is a very noisy 3.3V supply they are using, I wonder if they removed the decoupling caps on the supply and vcore pins before doing this.
2 days ago
All decoupling caps were removed so the voltage fault injection could have maximum effect.
Thanks, makes a lot more sense now. I guess if Vcc was lower the effect would be more pronounced, if anything. Never really considered this as an attack vector, but looking online now it seems to be well established. I'm surprised Microchip engineers didn't pick it up.
Another good trick is to replace the crystal with a bit stream.
If you can identify the cycle where the security bits are being read, you can insert a runt pulse that is much faster than the NOR flash read time.