Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.
If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as fault injection, is a family of techniques that briefly disturb a running microcontroller or microprocessor (by dipping its supply voltage, mangling its clock, or, as here, hitting it with a pulse of electromagnetic energy) so that it misexecutes. The electromagnetic variant is called electromagnetic fault injection (EMFI). If the pulse lands at just the right moment, it may make the processor skip or corrupt an instruction, for example a comparison or a branch it should have taken, leaving the system in a potentially exploitable state.
EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.
To be sure, a tool as simple as this won’t do the trick in every situation. There is no way to control when the pulse fires relative to the target’s execution, nor how strong it is, so finding a useful fault is a matter of repetition and luck, and a pulse that simply resets the chip is far more likely than one that skips the instruction you care about. Still, it’s a cheap way to start exploring the potential of fault injection.
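To make the "skip an instruction" effect concrete, here is an added example (not code from the post or from [rqu]) that models an unlock routine in a tiny constructed VM and applies the single fault the post describes: exactly one instruction is skipped. Sweeping the skip position over the whole routine is the software analogue of sweeping pulse timing in a real glitch campaign. The instruction set, the key bytes and the two routines are all constructed for illustration; the naive routine compares once and branches once, the hardened one repeats the comparison and branch so that no single skip reaches the grant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy instruction set, constructed for this example. Each entry in a program
 * is one instruction; the fault model is "skip exactly one instruction",
 * the effect the post attributes to a well-timed pulse. */
enum { OP_MEMCMP, OP_JNE_FAIL, OP_SET_OK, OP_END };
typedef struct { int op; } insn_t;

#define KEYLEN 4
/* Constructed sample data: the secret the firmware holds and a wrong guess. */
static const uint8_t STORED_KEY[KEYLEN] = { 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t WRONG_KEY[KEYLEN]  = { 0x00, 0x00, 0x00, 0x00 };

/* Naive unlock routine: compare once, branch once, grant. */
static const insn_t NAIVE[] = {
    { OP_MEMCMP }, { OP_JNE_FAIL }, { OP_SET_OK }, { OP_END }
};
/* Hardened unlock routine: comparison and branch are repeated, so no single
 * skipped instruction reaches OP_SET_OK with the failure path untaken. */
static const insn_t HARDENED[] = {
    { OP_MEMCMP }, { OP_JNE_FAIL }, { OP_MEMCMP }, { OP_JNE_FAIL },
    { OP_SET_OK }, { OP_END }
};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Execute prog against input, skipping the instruction at index skip
 * (skip < 0 means no fault). Returns true if the routine ends "unlocked". */
static bool run(const insn_t *prog, int n, const uint8_t *input, int skip)
{
    bool ok = false;    /* set only by OP_SET_OK */
    bool fail = false;  /* sticky: once the failure path is taken it stays taken */
    bool zf = false;    /* "zero flag" left behind by the last OP_MEMCMP */
    for (int pc = 0; pc < n; pc++) {
        if (pc == skip)
            continue;                                   /* the glitched instruction */
        switch (prog[pc].op) {
        case OP_MEMCMP:   zf = (memcmp(STORED_KEY, input, KEYLEN) == 0); break;
        case OP_JNE_FAIL: if (!zf) fail = true; break;
        case OP_SET_OK:   ok = true; break;
        case OP_END:      break;
        }
    }
    return ok && !fail;
}

/* Sweep every skip position, the way a glitch campaign sweeps pulse timing,
 * and count the positions that leave the routine unlocked on the wrong key. */
static int bypass_positions(const char *name, const insn_t *prog, int n)
{
    int hits = 0;
    for (int skip = 0; skip < n; skip++) {
        if (run(prog, n, WRONG_KEY, skip)) {
            printf("%s: skipping instruction %d unlocks with the wrong key\n", name, skip);
            hits++;
        }
    }
    return hits;
}

int naive_bypass_positions(void)    { return bypass_positions("naive", NAIVE, LEN(NAIVE)); }
int hardened_bypass_positions(void) { return bypass_positions("hardened", HARDENED, LEN(HARDENED)); }

/* Sanity checks: without a fault both routines behave as written. */
bool accepts_correct_key(void)
{
    return run(NAIVE, LEN(NAIVE), STORED_KEY, -1) &&
           run(HARDENED, LEN(HARDENED), STORED_KEY, -1);
}
bool rejects_wrong_key(void)
{
    return !run(NAIVE, LEN(NAIVE), WRONG_KEY, -1) &&
           !run(HARDENED, LEN(HARDENED), WRONG_KEY, -1);
}

int main(void)
{
    printf("correct key accepted: %d, wrong key rejected: %d\n",
           accepts_correct_key(), rejects_wrong_key());
    printf("naive: %d exploitable skip position(s)\n", naive_bypass_positions());
    printf("hardened: %d exploitable skip position(s)\n", hardened_bypass_positions());
    return 0;
}
```

Skipping the single branch in the naive routine unlocks it with a wrong key, which is the "exploitable state" the post alludes to; the hardened routine survives every single-skip position. Two caveats a practitioner will want: this models only one skipped instruction, whereas a real pulse can also corrupt data or flags, fire twice, or (most often) just reset the part, and the duplicated comparison only helps if it survives compilation, since an optimizing compiler will happily fold two identical memcmp calls into one. Real firmware uses volatile inputs or compiler barriers and confirms the redundancy in the disassembly, not in the C.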
Thanks to [Jonas] for the tip.
Use a solenoid to fire the igniter and a 555; you should be able to have timing control.
Good thinking cowboy! Brilliant solution
These were used throughout the 90s in the UK to obtain free electricity from a home consumer meter.
Cool! Can you provide a bit more detail?
You used a plastic fob to put credit on in a local shop or at a special hole in the wall like an ATM. It had a few embedded contacts at the end, and you took this home and plugged it into your electricity meter.
The enterprising customer would just stick a cheap watch screwdriver into the fob hole on the meter and then use one of these piezo igniters from a lighter or similar, and every ‘click’ would give them a random amount of credit on the meter. Oddly enough the amount was random between meters but nearly always the same value on the same meter.
I always thought it was an urban legend, did it actually work? Is there any (technical or not) literature around that?
I used to use these in the 80s to get free credits on arcade games: just click it near a metal coin slot and boom, a random number of free credits.
Back in the days of vinyl there was a product called zerostat that was basically a grill lighter in a pistol grip with an emitter tip at the end of the barrel. Slowly squeezing the grip near the album before playing was supposed to remove all surface static. Squeezing the grip hard released a fearsome spark. Rumor was that zerostat could give you free arcade games, but the one time I saw someone try it, it completely scrambled the machine’s internal logic or memory. It just started showing random shapes, colors, letters on the display.
I bought one! The crystal directly translates electrical impedance to mechanical impedance! If you leave the output terminal “open” to the air the trigger is very hard to pull (giga-ohm load from the terminal to the handle which acts as the return/ground), but if you short the output terminal to the handle the handle is very easy to pull and almost moves freely. If they weren’t so expensive I would cut it open to get a look at the crystal.
In 1987, I smoked and had one of those nonrefillable piezoelectric butane lighters from which I scavenged its igniter when the butane ran out. We were building some equipment for the FAA and it was in the dry winter months I (and others) noticed that sometimes when someone touched the front panel, the equipment would reset — the whole thing — the EPLD based front panel and all 4 processor boards. I decided to test my igniter by discharging it on the front panel’s painted aluminum and WHACK, the system reset! I showed my boss and he first got angry at me, then took the igniter, then went over and tested it on all 3 systems in the lab. Each one reset EVERY time. He asked if he could “keep” my igniter, and then gave it to the lead digital engineer and said: “find a way to stop this thing from resetting our equipment QUICK”. We ended up adding shielding to the 40 conductor cable harness from the front panel to the system chassis and added some additional bypass caps on a few boards. He later used that to demonstrate to the FAA that our equipment wouldn’t reset with that igniter, but our competition’s equipment reset every time (but we already won the contract before that). Subsequently, the FAA added an “igniter” (i.e. spark) test to future equipment specs.
These things will always easily find poor grounding and/or poor isolation or bypassing (which should include both a small and larger capacitor in addition to any bulk filters). What we found in our case was that the newer power supervisor chips we used had hair triggers and responded to very short (nsec) pulses if they weren’t filtered adequately, which was a good thing compared to older generation devices that didn’t use these.
I remember being fascinated as a kid when I discovered that snapping one of these grill igniters near my Electronic Battleship game would cause it to power on.
I wonder what kind of peak current these things can produce. They have pretty high internal resistance, but the piezo stack can produce 10 kV or more, so you might get into the amp peak range.
How would you measure this? A resistor in series and a scope could result in burned electronics. :-/
Look out Colin O’Flynn
Cool! The glitching somehow fixed the spelling mistake in his source code!
I just built one of these and it works great! I programmed an Arduino with a heartbeat and some comparisons and I was able to get a comparison to fail after only a couple of tries. Most of the time it just resets the chip.
I found that adding a spark gap (as big as possible where it will still arc) improved the performance tremendously.