Recreating The “Stuck Throttle” Problem On A Toyota

A few years ago, Toyota was in the news for a major safety issue with a number of their passenger vehicles. Seemingly at random, certain cars were accelerating without concern for driver input, causing many crashes and at least 37 confirmed deaths. They issued recalls both for the floor mats which were reported to have slid forward to jam the accelerator pedal, but this didn’t explain all of these crashes. There was another recall for stuck throttles, which [Colin O’Flynn] demonstrates a possible cause for on his test bench.

While most passenger vehicles older than about 15-20 years controlled the throttle with a cable connected directly from the throttle body to the accelerator pedal, most manufacturers have switched to a fly-by-wire system which takes sensor input from the accelerator pedal and sends that position information to the vehicle’s computer which in turn adjusts the throttle position. This might be slightly cheaper to manufacture, but introduces a much larger number of failure modes to a critical system. Continue reading “Recreating The “Stuck Throttle” Problem On A Toyota”

Scrambling Pocket Calculators Made Easy With EMP Box V2

[Rostislav Persion] has for some time been interested in making small, portable EMP devices capable of interfering with nearby electronics. In these EMP devices, high voltage is used to create a portable spark gap generator, whose operation in turn creates electromagnetic pulses capable of resetting or scrambling nearby electronics such as pocket calculators.

Bridging adjacent holes narrows the spark gap, resulting in more frequent pulses.

His original EMP box designs relied on spark gaps constructed from metal screws threaded into a clear plastic insulator, but this newest design ditches fussy screw adjustments and relies on perfboard. By cutting out a single row of plated perfboard holes and soldering the high voltage terminals to each end, the empty holes in between form the essential parts of a spark gap.

It’s even adjustable: one simply bridges adjacent holes with solder to effectively decrease the gap. As for generating the high voltage itself, a DC voltage multiplier from Amazon takes care of that. Watch the device reset some calculators in the short video below.

Looking for high-voltage experiments that aren’t so sketchy? Get yourself a Van de Graff generator, some metal balls, and a little bit of oil, and make some art.

Continue reading “Scrambling Pocket Calculators Made Easy With EMP Box V2”

PicoEMP EMFI tool

Glitch Your Way To Reverse-Engineering Glory With The PicoEMP

Most of our projects are, to some extent, an exercise in glitch-reduction. Whether they’re self-inflicted software or hardware mistakes, or even if the glitches in question come from sources beyond our control, the whole point of the thing is to get it running smoothly and predictably.

That’s not always the case, though. Sometimes inducing a glitch on purpose can be a useful tool, especially when reverse engineering something. That’s where this low-cost electromagnetic fault injection tool could come in handy. EMFI is a way to disrupt the normal flow of a program running on an embedded system; properly applied and with a fair amount of luck, it can be used to put the system into an exploitable state. The PicoEMP, as [Colin O’Flynn] dubs his EMFI tool, is a somewhat tamer version of his previous ChipSHOUTER tool. PicoEMP focuses on user safety, an important consideration given that its business end can put about 250 volts across its output. Safety features include isolation for the Raspberry Pi Pico that generates the PWM signals for the HV section, a safety enclosure over the HV components, and a switch to discharge the capacitors and prevent unpleasant surprises.

In use, the high-voltage pulse is applied across an injection tip, which is basically a ferrite-core antenna. The tip concentrates the magnetic flux in a small area, which hopefully will cause the intended glitch in the target system. The video below shows the PicoEMP being used to glitch a Bitcoin wallet, as well as some tests on the HV pulse.

If you’re interested in the PicoEMP and glitching in general, be sure to watch out for [Colin]’s 2021 Remoticon talk on the subject. Until that comes out, you might want to look into glitching attacks on a Nintendo DSi and a USB glitch on a Wacom tablet.

Continue reading “Glitch Your Way To Reverse-Engineering Glory With The PicoEMP”

Is That An EMP Generator In Your Pocket Or Is My Calculator Just Broken?

Ah, what fond memories we have of our misspent youth, walking around with a 9,000-volt electromagnetic pulse generator in our Levi’s 501s and zapping all the electronic devices nobody yet carried with them everywhere they went. Crazy days indeed.

We’re sure that’s not at all what [Rostislav Persion] had in mind when designing his portable EMP generator; given the different topologies and the careful measurement of results, we suspect his interest is strictly academic. There are three different designs presented, all centering around a battery-powered high-voltage power module, the Amazon listing of which optimistically lists as capable of a 400,000- to 700,000-volt output. Sadly, [Rostislav]’s unit was capable of a mere 9,000 volts, which luckily was enough to get some results.

Coupled to a spark gap, one of seven different coils — from one to 40 turns — and plus or minus some high-voltage capacitors in series or parallel, he tested each configuration’s ability to interfere with a simple pocket calculator. The best range for a reset and scramble of the calculator was only about 3″ (7.6 cm), although an LED hooked to a second coil could detect the EMP up to 16″ (41 cm) away. [Rostislav]’s finished EMP generators were housed in a number of different enclosures, one of which totally doesn’t resemble a pipe bomb and whose “RF Hazard” labels are sure not to arouse suspicions when brandished in public.

We suppose these experiments lay to rest the Hollywood hype about EMP generators, but then again, their range is pretty limited. You might want to rethink your bank heist plans if they center around one of these designs.

Continue reading “Is That An EMP Generator In Your Pocket Or Is My Calculator Just Broken?”

Injecting Bugs With An Electric Flyswatter

Hardware fault injection uses electrical manipulation of a digital circuit to intentionally introduce errors, which can be used to cause processors to behave in unpredictable ways. This unintentional behavior can be used to test for reliability, or it can be used for more nefarious purposes such as accessing code and data that was intended to be inaccessible. There are a few ways to accomplish this, and electromagnetic fault injection uses a localized electromagnetic pulse to flip bits inside a processor. The pulse induces a voltage in the processor’s circuits, causing bits to flip and often leading to unintentional behavior. The hardware to do this is very specialized, but [Pedro Javier] managed to hack a $4 electric flyswatter into an electromagnetic fault injection tool. (Page may be dead, try the Internet Archive version.)

[Pedro] accomplishes this by turning an electric flyswatter into a spark-gap triggered EMP generator. He removes the business end of the flyswatter and replaces it with a hand-wound inductor in series with a small spark gap. Pressing the power button on the modified flyswatter charges up the output capacitor until the developed voltage is enough to ionize the air in the spark gap, at which point the capacitor discharges through the inductor. The size of the spark gap determines the charge that is built up—a larger gap results in a larger charge, which produces a larger pulse, which induces a larger voltage in the chip.

[Pedro] demonstrates how this can be used to produce arithmetic glitches and even induce an Arduino to dump its memory. Others have used electromagnetic fault injection to corrupt SRAM, and intentionally glitching the power supply pins can also be used to access otherwise protected data.

How To Test A B-52 Against EMP: Project ATLAS-I

Audacious times generate audacious efforts, especially when national pride and security are perceived to be at stake. Such was the case in the 1950s and 1960s, with the Space Race that started with a Russian sphere whizzing around the planet and ended with Neil Armstrong’s footprint on the Moon. But at the same time, other efforts were underway to answer big questions of national import, such as determining how durable the United States’ strategic assets were, and whether they could withstand the known effects of electromagnetic pulse (EMP), a high-intensity burst of electromagnetic energy that could potentially disable a plane in flight. Finding out just what an EMP could do to a plane would take big engineering and a large forest’s worth of trees.

Continue reading “How To Test A B-52 Against EMP: Project ATLAS-I”

Radio Apocalypse: The GWEN System

Recent developments on the world political stage have brought the destructive potential of electromagnetic pulses (EMP) to the fore, and people seem to have internalized the threat posed by a single thermonuclear weapon. It’s common knowledge that one bomb deployed at a high enough altitude can cause a rapid and powerful pulse of electrical and magnetic fields capable of destroying everything electrical on the ground below, sending civilization back to the 1800s in the blink of an eye.

Things are rarely as simple as the media portray, of course, and this is especially true when a phenomenon with complex physics is involved. But even in the early days of the Atomic Age, the destructive potential of EMP was understood, and allowances for it were made in designing strategic systems. Nowhere else was EMP more of a threat than to the complex web of communication systems linking far-flung strategic assets with central command and control apparatus. In the United States, one of the many hardened communications networks was dubbed the Groundwave Emergency Network, or GWEN, and the story of its fairly rapid rise and fall is an interesting case study in how nations mount technical responses to threats, both real and perceived. Continue reading “Radio Apocalypse: The GWEN System”