Get Your Glitch On With A PicoEMP And A 3D Printer

We’re not sure what [Aaron Christophel] calls his automated chip glitching setup built from a 3D printer, but we’re going to go ahead and dub it the “Glitch-o-Matic 9000.” Has a nice ring to it.

Of course, this isn’t a commercial product, or even a rig that’s necessarily intended for repeated use. It’s more of a tactical build, which is still pretty cool if you ask us. It started with a proof-of-concept exploration, summarized in the first video below. That’s where [Aaron] assembled and tested the major pieces, which included a PicoEMP, the bit that actually generates the high-voltage pulses intended to scramble a running microcontroller temporarily, along with a ChipWhisperer and an oscilloscope.

The trouble with the POC setup was that glitching the target chip, an LPC2388 microcontroller, involved manually scanning the business end of the PicoEMP over the package. That’s a tedious and error-prone process, which is perfect for automation. In the second video below, [Aaron] has affixed the PicoEMP to his 3D printer, giving him three-axis control of the tip position. That let him build up a heat map of potential spots to glitch, which eventually led to a successful fault injection attack and a clean firmware dump.

It’s worth noting that the whole reason [Aaron] had to resort to such extreme measures in the first place was the resilience of the target chip against power supply-induced glitching attacks. You might not need to build something like the Glitch-o-Matic, but it’s good to keep in mind in case you run up against such a hard target.

BBQ lighter fault injector

Blast Chips With This BBQ Lighter Fault Injection Tool

Looking to get into fault injection for your reverse engineering projects, but don’t have the cash to lay out for the necessary hardware? Fear not, for the tools to glitch a chip may be as close as the nearest barbecue grill.

If you don’t know what chip glitching is, perhaps a primer is in order. Glitching, more formally known as electromagnetic fault injection (EMFI), or simply fault injection, is a technique that uses a pulse of electromagnetic energy to induce a fault in a running microcontroller or microprocessor. If the pulse occurs at just the right time, it may force the processor to skip an instruction, leaving the system in a potentially exploitable state.
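To make the “skip an instruction” failure mode concrete from the firmware side, here is an added example (not code from the original post or from any of the tools it describes) that runs a single-instruction-skip fault model over a naive unlock check and over a glitch-hardened one. The checksum constant, the two complementary “authorised” encodings, and the operation numbering are assumptions of this toy model, not values from any real device.

```c
/* Single-instruction-skip fault model applied to a firmware unlock check.
   Constructed example; EXPECTED_SUM, PASS_A/PASS_B and the op numbering
   are assumptions of this model, not values from any real device. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXPECTED_SUM 0x5AU   /* what a genuine image checksums to (constructed) */
#define PASS_A 0xA5U         /* "authorised" encoding #1 */
#define PASS_B 0x5AU         /* "authorised" encoding #2: PASS_A ^ PASS_B == 0xFF */
#define NO_FAULT (-1)

typedef bool (*check_fn)(uint8_t sum, int skip);

/* Naive check: one compare-and-branch guards the unlock.  `skip` names the
   single operation the glitch drops; NO_FAULT runs the code unmodified. */
static bool naive_check(uint8_t sum, int skip) {
    if (skip != 0 && sum != EXPECTED_SUM) return false; /* op 0: bne deny */
    if (skip != 1) return true;                          /* op 1: unlock */
    return false;                                        /* deny path */
}
#define NAIVE_OPS 2

/* Hardened check: two independently computed, complementary verdicts, each
   tested, and no default-allow path.  Dropping any one op still denies. */
static bool hardened_check(uint8_t sum, int skip) {
    volatile uint8_t a = 0, b = 0;                          /* both start as "deny" */
    if (skip != 0) a = (sum == EXPECTED_SUM) ? PASS_A : 0;   /* op 0: verdict #1 */
    if (skip != 1) b = (sum == EXPECTED_SUM) ? PASS_B : 0;   /* op 1: verdict #2 */
    if (skip != 2 && a != PASS_A) return false;              /* op 2: test #1 */
    if (skip != 3 && (uint8_t)(a ^ b) != 0xFF) return false; /* op 3: agreement */
    if (skip != 4) return true;                              /* op 4: unlock */
    return false;                                            /* deny path */
}
#define HARDENED_OPS 5

/* Sweep the fault model: how many single skipped ops turn a wrong checksum
   into an unlock?  The goal of the hardened layout is to make this zero. */
static int skips_that_unlock(check_fn fn, int n_ops, uint8_t wrong_sum) {
    int hits = 0;
    for (int op = 0; op < n_ops; op++)
        if (fn(wrong_sum, op)) hits++;
    return hits;
}

int main(void) {
    printf("naive:    %d unlocking skip(s)\n", skips_that_unlock(naive_check, NAIVE_OPS, 0x00));
    printf("hardened: %d unlocking skip(s)\n", skips_that_unlock(hardened_check, HARDENED_OPS, 0x00));
    return 0;
}
```

The model only covers one dropped operation at a time; real glitch campaigns also corrupt registers and hit multiple instructions, which is why such checks are usually paired with random delays and redundant computation rather than relied on alone.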

EMFI tools are commercially available — we even recently featured a kit to build your own — but [rqu]’s homebrew version is decidedly simpler and cheaper than just about anything else. It consists of a piezoelectric gas grill igniter, a little bit of enameled magnet wire, and half of a small toroidal ferrite core. The core fragment gets a few turns of wire, which then gets soldered to the terminals on the igniter. Pressing the button generates a high-voltage pulse, which gets turned into an electromagnetic pulse by the coil. There’s a video of the tool in use in the Twitter thread, showing it easily glitching a PIC running a simple loop program.

To be sure, a tool as simple as this won’t do the trick in every situation, but it’s a cheap way to start exploring the potential of fault injection.

Thanks to [Jonas] for the tip.

PicoEMP EMFI tool

Glitch Your Way To Reverse-Engineering Glory With The PicoEMP

Most of our projects are, to some extent, an exercise in glitch-reduction. Whether they’re self-inflicted software or hardware mistakes, or even if the glitches in question come from sources beyond our control, the whole point of the thing is to get it running smoothly and predictably.

That’s not always the case, though. Sometimes inducing a glitch on purpose can be a useful tool, especially when reverse engineering something. That’s where this low-cost electromagnetic fault injection tool could come in handy. EMFI is a way to disrupt the normal flow of a program running on an embedded system; properly applied and with a fair amount of luck, it can be used to put the system into an exploitable state. The PicoEMP, as [Colin O’Flynn] dubs his EMFI tool, is a somewhat tamer version of his previous ChipSHOUTER tool. PicoEMP focuses on user safety, an important consideration given that its business end can put about 250 volts across its output. Safety features include isolation for the Raspberry Pi Pico that generates the PWM signals for the HV section, a safety enclosure over the HV components, and a switch to discharge the capacitors and prevent unpleasant surprises.

In use, the high-voltage pulse is applied across an injection tip, which is basically a ferrite-core antenna. The tip concentrates the magnetic flux in a small area, which hopefully will cause the intended glitch in the target system. The video below shows the PicoEMP being used to glitch a Bitcoin wallet, as well as some tests on the HV pulse.

If you’re interested in the PicoEMP and glitching in general, be sure to watch out for [Colin]’s 2021 Remoticon talk on the subject. Until that comes out, you might want to look into glitching attacks on a Nintendo DSi and a USB glitch on a Wacom tablet.
