scanlime:015 / Glitchy Descriptor Firmware Grab

To understand a program, it helps to see it first. This episode is all glitching and USB, turning a chip’s environment against it to slurp out hidden code.

Get the source and play along:

The tool I use here is the ChipWhisperer. I’m not being paid or anything, I’m just a fellow hardware engineer who likes the tool and extended it a bit. Learn more about Colin’s project at:

Please consider supporting me on Patreon so I can keep making these vids!

AVRFID 1.1 Firmware

AVRFID Tag PrototypeI don’t normally write bloggy posts on every version of every source file I check in, but every so often an older project sees some more activity, and I love the opportunity to revisit software I wrote years ago. Sometimes I wonder why I wrote such-and-such thing that way and oh my god what an ugly hack. But usually it’s just refreshing to think about a problem I haven’t thought about in a while.

The AVRFID was a quick but rather unique project, back from when I was on a bit of a 125 kHz RFID binge culminating in the design, construction, and installation of a proxcard reader for my garage door. While I was fidgeting around with such things, it occurred to me that you could (using a whole host of dirty tricks) convince a general-purpose 8-bit microcontroller like the AVR to function as a passive RFID tag.

Since then, I received a couple patches:

  • Luke Koops improved the FSK modulation for HID tags, so that the resulting waveform is much more regular.
  • Cesar Fernandez described the HID card format in more detail, and implemented a parity calculation. The 45-bit code is actually composed of four distinct fields:
    • A 20-bit manufacturer code or header, constant for all HID cards.
    • An 8-bit site code, unique to the particular security installation.
    • A 16-bit unique ID. These are often printed in decimal on the back of the card, and they seem roughly sequential.
    • An odd parity bit, covering the other 44 bits.

I didn’t have my RFID gear handy, so Cesar was kind enough to verify it with his official HID reader. So I stamped a new version number on it. If you’re interested in building your own HID card emulator, there is now a much better chance it will actually work with your reader 🙂