06-09, 17:30–18:00 (America/New_York), Grand Salon
You probably wouldn't consider power analysis & fault injection being a required skill set for your oven repair person. But when your oven is actively lying to you and not just broken, a new type of repair is needed beyond just replacing a heating element. This talk starts from a common complaint: how a range of Samsung ovens show you only the set temperature, and the actual temperature varies widely (and is often incorrect). Using an attack combining power analysis & fault injection the code protection of the Toshiba TMP91FW series microcontrollers used in the controller is bypassed using a ChipWhisperer-Husky, which allows recovery of the oven firmware. From there the firmware is reverse engineered, and new functions are added to output the internal measured temperatures & control signals for analysis. This allows us to definitely demonstrate that the reason our thanksgiving turkey took so long to cook: an inflexible control system that cannot enable the heater long enough. Finally as a proof of concept, a patched version of the firmware improves how quickly it can recover, and is demonstrated cooking a souffle (all while displaying the actual oven temperature, also fixing one of the other common complaints). The documentation and tools are helpful for others repairing these ovens, hopefully diverting them from become waste.
This talk uses side-channel power analysis to recover the user password which protects certain features on the Toshiba TMP91FW (and related) microcontrollers, and a clock glitching attack to bypass a second protection flag mechanism that prevents flash memory read-out. A variety of Python tools to assist with working with the microcontrollers are also released as part of this work.
Reverse engineering the microcontroller is demonstrated, which uses a disassembler from an old development platform. Binary patching of the firmware is also discussed, which allows the addition of monitor code into the oven controller.
A second version of the oven controller which uses a newer RL78 microcontroller is also discussed, but this variant of the control board does not have firmware protection enabled, and thus does not require the same level of attack. Reverse engineering of the second version is discussed as well, again with the goal of improving the oven performance.
This work is useful for repair of defective ovens which require replacement or reprogramming of the main microcontroller (without the expense or waste of replacing the entire control board). The talk focuses on how reverse engineering can be used for e-waste reduction, an important part of the fight for the right to repair.
Colin O'Flynn started the ChipWhisperer project to bring power analysis & fault injection tooling to everyone, and also co-authored the Hardware Hacking Handbook.