Tutorial First Glitch
This tutorial walks you through performing a power glitching attack on an Arduino Uno R3. You will prepare the target hardware, connect it to Glitchy, upload vulnerable code, and execute an attack that bypasses a security check.
- Time: ~45 minutes
- Difficulty: Beginner
-
Prerequisites:
- Completed Tutorial: Getting Started
- Glitchy board connected via WiFi
- Web interface accessible
| Item | Purpose |
|---|---|
| Arduino Uno R3 | Target device |
| Wire (22-24 AWG) | Power connections to bypass capacitor |
| Male-to-male jumper wires | Signal and ground connections |
| USB cable for Arduino | Programming the target |
| Soldering equipment | Recommended but optional |
We need a good connection to the power input of the ATmega chip on the Arduino. Traditionally you would remove the bypass capacitor to make it easier to glitch, but this demo works fine with the capacitor left in place. What we do need to do is solder some wires to the capacitor so we can connect it to Glitchy's crowbar circuit.
Start by stripping and tinning the tips of your wires with a little bit of solder. This makes it easier for the wire to adhere to the capacitor terminals.
Next, locate the power bypass capacitor on your board. For the Uno R3 it is between the headers and the chip.
Now solder the wires to the capacitor. While wire colors don't technically matter, it helps to follow convention: red for positive and black for negative/ground. We need to keep track of which is which when we connect to the Glitchy. The positive terminal is on the left side of the image and the ground is on the right.
If you cannot solder, you can use jumper wires connected to the 5V and GND header pins on the Arduino. This method:
- Is less reliable due to the higher resistance connection
- May take more attempts to get a successful glitch
- Works for learning purposes
Connect jumper wires to:
- 5V header pin (red)
- GND header pin (black)
The soldering method is still recommended if you have the ability to do so, as it provides a lower resistance connection directly to the chip's power pins.
We need to connect the power wires to the crowbar FET (Field Effect Transistor) on the Glitchy. This FET is a high-current electrical switch that we can turn on and off very quickly to briefly short the power to the Arduino. The goal is to short it just long enough to make the Arduino's CPU misread data, but not so long that we cause a full reset.
Connect the two wires you soldered (or your jumper wires) to Glitchy's Glitch screw terminals:
- Red wire (positive) to the terminal marked +
- Black wire (negative/GND) to the terminal marked -
We need to connect the Arduino's GND to the Glitchy's GND. This common ground is needed to effectively switch the FET and to create a common voltage reference for the trigger and detection signals between the two boards. Use a male-to-male jumper wire between the GND header pins on both boards.
Next we need to connect the signal wires between the boards. These two signals simulate something like a keypad and an electronic lock:
- Pin 11 is the "enter key" — Glitchy drives this pin to tell the Arduino to check the password
- Pin 12 is the "unlock" signal — the Arduino drives this pin high when the glitch succeeds, and Glitchy monitors it to detect success
| Glitchy Pin | Arduino Pin | Purpose |
|---|---|---|
| 11 | 11 | Enter key (trigger) |
| 12 | 12 | Unlock detection (success) |
The hardware is all hooked up. Now we need to load the target code onto the Arduino. You will need the Arduino IDE for this step.
If you need help setting up the Arduino IDE, see the Arduino environment setup guide: Arduino Setup
- Make sure you have cloned the Glitchy repo from GitHub
- Open the Arduino IDE
- Navigate to
Code/Target Examples/Target_Glitch/and openTarget_Glitch.ino - Select Tools > Board > Arduino Uno
- Select the correct port under Tools > Port
- Click the upload button (right arrow). You should see a "Done uploading" message at the bottom of the window.
Once uploaded, the built-in LED on pin 13 should turn on. This LED gives us a visual indicator of the system state:
- LED ON (solid): System is locked — this is the normal state
- LED flickering: The Arduino is resetting — the glitch pulse was too long
- LED OFF (stays off): The glitch likely succeeded
Let's look at the code we just uploaded and understand what we are trying to do.
// Defining Pins here
#define ENTER_KEY_PIN 11
#define LOCKED_LED_PIN 13
#define UNLOCKED_LED_PIN 12
//Globals
bool g_button_state = false; // variable for reading the pushbutton status
volatile bool g_unlocked = false; //volatile so that the optimizer doesn't remove the code since it is always false
void setup() {
// initialize pin registers
pinMode(LOCKED_LED_PIN, OUTPUT);
pinMode(UNLOCKED_LED_PIN, OUTPUT);
pinMode(ENTER_KEY_PIN, INPUT);
}
void loop() {
// read the state of the pushbutton value:
g_button_state = digitalRead(ENTER_KEY_PIN);
//Check to see if button is pressed and we should evaluate the unlocked variable.
if (g_button_state == HIGH) {
if(g_unlocked)
{
//unlocked is always false, should never go here unless we successfully glitch
unlock_system();
}
} else {
// Show locked
digitalWrite(LOCKED_LED_PIN, HIGH);
digitalWrite(UNLOCKED_LED_PIN, LOW);
}
}
//The function that should never get called
void unlock_system()
{
digitalWrite(LOCKED_LED_PIN, LOW);
digitalWrite(UNLOCKED_LED_PIN, HIGH);
//Stay here forever
while(true);
}The main loop waits for the enter key signal and then checks a variable to see if the system should be unlocked:
if (g_button_state == HIGH) {
if(g_unlocked)
{The key thing to notice is that g_unlocked is set to false and is never set to true anywhere in the code:
volatile bool g_unlocked = false;Under normal operation, unlock_system() should never execute. But we want to trick the CPU into bypassing this check.
When Glitchy fires a glitch at precisely the right moment:
- Glitchy drives the enter key pin HIGH
- The CPU reads
g_unlockedfrom memory - Our glitch briefly shorts the power, corrupting the read operation
- The CPU misinterprets the corrupted data as
true - The branch is taken and
unlock_system()is called
When unlock_system() is called, the locked LED turns off, the unlock pin goes HIGH, and Glitchy detects the success. This simulates bypassing a real-world security check like a PIN verification, secure boot, or authentication.
Open the web interface at http://192.168.4.1 and navigate to the Glitch page using the navigation bar at the top.
On the left side of the Glitch page, you will see the test parameters form:
| Parameter | Description | Suggested Start Value |
|---|---|---|
| Start Length (ns) | Delay before first glitch attempt | 15 |
| End Length (ns) | Maximum delay to try | 1000 |
| Step Delay (ns) | How much to increase the delay each step | 10 |
| Delay Between Attempts (ms) | Pause between glitch attempts | 100 |
| Attempts Per Length | How many times to try at each delay value | 3 |
- Enter your parameters and click Run Test
- Glitchy begins the attack sequence. For each step it:
- Pulses the enter key pin HIGH
- Fires a short glitch (briefly shorting the Arduino's power)
- Checks if the unlock pin went HIGH
- If no success, waits and adjusts the timing, then repeats
- It will repeat each glitch duration the specified number of times, then increase the delay slightly and try again
The right side of the page shows the test status. You will see a spinning animation while the test runs, with the current attempt number and delay value displayed.
Keep an eye on the Arduino's built-in LED while the test runs:
- If you see the LED flickering, Glitchy is causing resets — the glitch pulse is too long. Try reducing your End Length.
- If the LED turns off and stays off, you likely got a successful glitch.
When Glitchy detects a success (the unlock pin goes HIGH), it stops the test and shows the result:
It is not an exact science and there will be some variability in what works each run. You may need to run the test multiple times or adjust your parameters.
- Verify power connections — is 5V reaching the Arduino?
- Check the ground connection between both boards
- Confirm the target code was uploaded successfully
- If soldering failed, try the no-solder method with jumper wires
The glitch pulse is too long, causing full resets instead of data corruption.
Fix: Reduce the End Length parameter. Try 500ns instead of 1000ns.
The timing window is being missed.
Try:
- Increase Attempts Per Length to 5 or 10
- Decrease Step Delay to 5ns for finer resolution
- Widen the range (lower Start Length, higher End Length)
- Check for loose connections — a poor connection to the bypass capacitor makes glitching much harder
You just:
- Prepared a target device for a hardware attack
- Connected the glitching circuitry
- Configured and executed an attack
- Successfully bypassed a security check that should never have passed
This demonstrates a real attack technique used against:
- Secure boot implementations
- PIN and password verification systems
- License validation checks
- Cryptographic operations
- Experiment with parameters: Try different timing ranges to understand the attack window
- Try power analysis: Tutorial: First Power Analysis
- Learn the theory: Explanation: Glitching Theory
- Build your own targets: Tutorial: Custom Targets
- Explanation: Glitching Theory — How voltage glitching works
- Explanation: Circuit Design — How the crowbar FET circuit works
- How To: Troubleshoot — Common issues and solutions