Android Hardware Reverse Engineering

Advanced Android Power Glitching: Direct PMIC Register Control for Side-Channel Attacks


Introduction to Power Glitching and PMICs

Power glitching, a potent form of fault injection, has emerged as a critical technique in hardware security research. By momentarily disrupting the power supply to a computing device, attackers can induce transient faults in processor operations, potentially leading to security bypasses, privilege escalation, or even cryptographic key extraction. In the context of Android devices, the Power Management Integrated Circuit (PMIC) is the central nervous system for power distribution, making it a prime target for precise fault injection attacks.

This article delves into advanced techniques for power glitching on Android, focusing specifically on directly manipulating PMIC registers. Unlike traditional power glitching methods that involve external hardware cutting power lines, direct PMIC control allows for highly localized, nuanced, and software-defined voltage manipulations, offering a new dimension of precision and stealth in fault injection.

Understanding Android PMIC Architecture

A PMIC is a highly integrated chip responsible for managing all power functions within a mobile device. This includes voltage regulation for various system components (CPU, GPU, memory, peripherals), battery charging, power sequencing, and power state transitions (sleep, awake). Common PMICs found in Android devices include Qualcomm’s PM8XXX series, MediaTek’s MT63XX, and others from companies like Samsung or Dialog Semiconductor.

Key functions of a PMIC relevant to fault injection:

  • Voltage Regulators: Buck/Boost converters and Low-Dropout (LDO) regulators supply precise voltages to different power rails (e.g., V_core for the CPU, V_mem for RAM).
  • Communication Interface: Most PMICs communicate with the Application Processor (AP) via standard serial interfaces like I2C or SPI. These interfaces are used by the kernel’s power management drivers to configure the PMIC’s operation.
  • Register Map: Each PMIC has an extensive register map that defines its operational parameters, including voltage output settings, current limits, and power state configurations.

The ability to write to these registers directly is the foundation of advanced PMIC-based fault injection.

Identifying and Accessing PMIC Registers

Direct PMIC register manipulation requires root access to the Android device and, ideally, knowledge of the specific PMIC’s datasheet or the kernel’s PMIC driver implementation. Without public datasheets, reverse engineering the kernel source code (if available) or analyzing device tree overlays (`.dtb` files) is crucial to identify PMIC I2C/SPI addresses and the register offsets that control specific voltage rails.

Software-level Access via I2C/SPI

On a rooted Android device, the Linux kernel exposes I2C and SPI buses as character devices, typically under /dev/i2c-* or /dev/spi-*. With appropriate permissions (often requiring a custom kernel module or direct kernel patching), these can be used to communicate with the PMIC.
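Because that access path runs through the bus character devices, the first thing to check on a device under review is who can open them. The following audit script is an added example, not code from the original article: it parses `ls -lZ` output for /dev/i2c-* and /dev/spidev* nodes and flags entries that non-root processes could reach or that carry only the generic SELinux device type. The listing embedded below is constructed in toybox `ls -lZ` layout, and the SELinux type names in it are hypothetical.

```python
"""Audit I2C/SPI character-device exposure on a rooted Android device.

Added example (not from the original article). Run against real output with:
    adb shell ls -lZ /dev/i2c-* /dev/spidev*   (feed the text to audit_bus_nodes)
"""
import re

# toybox `ls -lZ` layout: mode links owner group label major, minor date time path
BUS_NODE_RE = re.compile(
    r"^(?P<mode>c[rwxst-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<label>u:object_r:\S+)\s+.*\s(?P<path>/dev/(?:i2c-|spidev)\S*)$"
)

# Constructed sample listing; SELinux type names are hypothetical.
SAMPLE_LISTING = """\
crw-rw---- 1 root system u:object_r:i2c_device:s0    89, 0 2024-01-01 00:00 /dev/i2c-0
crw-rw-rw- 1 root root   u:object_r:device:s0        89, 3 2024-01-01 00:00 /dev/i2c-3
crw------- 1 root root   u:object_r:spidev_device:s0 153, 0 2024-01-01 00:00 /dev/spidev0.0
crw-rw-rw- 1 root root   u:object_r:device:s0        153, 1 2024-01-01 00:00 /dev/spidev0.1
"""


def audit_bus_nodes(listing):
    """Return {path: [reasons]} for each I2C/SPI node that is too widely reachable."""
    findings = {}
    for line in listing.splitlines():
        m = BUS_NODE_RE.match(line.strip())
        if not m:
            continue  # not an I2C/SPI node line; ignore
        mode, owner, group, label, path = m.group("mode", "owner", "group", "label", "path")
        reasons = []
        if mode[7] == "r" or mode[8] == "w":  # 'other' permission bits
            reasons.append("world-accessible (mode %s)" % mode)
        if owner != "root":
            reasons.append("owned by %s, not root" % owner)
        if group not in ("root", "system") and mode[5] == "w":
            reasons.append("group %s may write" % group)
        if label.startswith("u:object_r:device:"):
            reasons.append("generic SELinux type, no dedicated policy confines opens")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_bus_nodes(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(reasons))
```

A node that is flagged here is one that a compromised unprivileged process could open without first obtaining root, so tightening its ownership, mode and SELinux label is the corresponding hardening step.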

Example: Discovering I2C devices

adb shell su -c
