Abstract

We present our process of defeating secure boot within a modern
ARM-based IP phone, the Cisco 8861, using software-defined radio and our
custom EMP generator as an illustrative vehicle to discuss the following
contributions:

- Dissection of a set of (yet undisclosed) vulnerabilities found in
  Broadcom-implemented TrustZone execution environments.

- Our recent advancements in real-time tracking of the control flow of
  software running in modern embedded devices by the sensing and analysis
  of involuntary electromagnetic emanations.

- Our novel electromagnetic fault injection (EMFI) techniques, capable
  of reliably and predictably altering computation in modern embedded
  devices by controlled application of electromagnetic pulses. We discuss
  the challenges and methods of achieving reliable control-flow modification
  in modern 1 GHz+ processors.

- Discussion of the hardware and software design of badFET, a low-cost
  programmable electromagnetic pulse generator. It is our hope to release
  badFET as an open-source project to democratize EMFI research. (badFET
  is currently functional, but due to the nature of the device, it can
  cause serious injury or death. We plan to open-source the EMP generator
  portion of badFET if/when we build sufficient safety features into its
  design.)
