newaetech/chipshouter-picoemp newaetech/chipshouter-picoemp

  • Stars
    star
    428
  • Rank 101,470 (Top 2 %)
  • Language
    C
  • Created almost 3 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
newaetech/chipshouter-picoemp
github

newaetech

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Why not run micropython on your EMFI tool?

ChipSHOUTER-PicoEMP

CC BY-SA 3.0

The PicoEMP is a low-cost Electromagnetic Fault Injection (EMFI) tool, designed specifically for self-study and hobbiest research. Under the safety shield it looks like this:

You can see some details of the design in the Intro Video.

Thanks / Contributors

PicoEMP is a community-focused project, with major contributions from:

Background

The ChipSHOUTER is a high-end Electromagnetic Fault Injection (EMFI) tool designed by Colin at NewAE Technology. While not the first commercially available EMFI tool, ChipSHOUTER was the first "easily purchasable" (even if expensive) tool with extensive open documentation. The tool was not open-source, but it did contain a variety of detailed description of the design and architecture in the User Manual. The ChipSHOUTER design optimization focused in rough order on (1) safe operation, (2) high performance, (3) usability, and finally (4) cost. This results in a tool that covers many use-cases, but may be overkill (and too costly) for many. In additional, acquiring the safety testing/certification is not cheap, and must be accounted for in the product sale price.

The PicoEMP tries to fill in the gap that ChipSHOUTER leaves at the lower end of the spectrum. This PicoEMP project is not the ChipSHOUTER. Instead it's designed to present a "bare bones" tool that has a design optimization focused in rough order of (1) safe operation, (2) cost, (3) usability, (4) performance. Despite the focus on safety and low-cost, it works suprisingly well. It is also not sold as a complete product - you are responsible for building it, ensuring it meets any relevant safety requirements/certifications, and we completely disclaim all liability for what happens next. Please only use PicoEMP where you are building and controlling it yourself, with total understanding of the operation and risks. It is not designed to be used in professional or educational environments, where tools are expected to meet safety certifications (ChipSHOUTER was designed for these use-cases).

As an open-source project it also collects inputs from various community members, and welcomes your contributions! It also has various remixes of it, including:

  • TODO link to people's remixes.

Building a PicoEMP

The PicoEMP uses a Raspberry Pi Pico as the controller, inspired by @nezza using it for the debug-n-dump tool. You could alternatively use an Arduino or another microcontroller. You basically just need a few things:

  1. PWM output to drive HV transformer.
  2. Pulse pin to generate a pulse.
  3. Status pin to monitor the HV status.

You have two options for building the PicoEMP: (1) total scratch build, or (2) easy-assemble build.

Scratch Build

The PCB is mostly one layer. Original versions of it were milled on a Bantam PCB mill, and the final 'production' version is designed to still allow this simple milling process. You can find details in the gerbers folder, including Bantam-optimized files which remove some of the smaller vias (used for the mounting holes), and require you to surface-mount the Raspberry Pi Pico. Here was 'rev3' of the PCB with a few hacked up tests:

If you've got time you can order the "real" PCBs from the gerbers as well.

The BOM and build details are described in the hardware folder. If you cannot find the plastic shield (the upper half of Hammond 1551BTRD is used), you can find a simple 3D-printable shield as well. The official shield is low-cost and available from Digikey/Mouser/ Newark so you can purchase alongside everything else you need.

IMPORTANT: The plastic shield is critical for safe operation. While the output itself is isolated from the input connections, you will still easily shock yourself on the exposed high-voltage capacitor and circuitry. NEVER operate the device without the shield.

Easy-Assemble Build

The Easy-Assembly build uses a "mostly complete" SMD board, which you need to solder a Raspberry Pi Pico, switches, and through-hole headers. Currently it's available only on the NewAE Store. We're working to get this listed on Mouser for much cheaper worldwide shipping (the NewAE store doesn't get great rates & due to issues with Canada's postal system for international shipments quotes mostly via DHL).

Programming the PicoEMP

You'll need to program the PicoEMP with the firmware in the firmware directory. You can run other tasks on the microcontroller as well.

Building the EM Injection Tip (Probe / Coil)

You will also need an "injection tip", typically made with a ferrite core and some wires wrapped around it. You can see examples of such cores in the ChipSHOUTER kit. The following shows a few homemade & commercial tips:

You can make your own from suitable SMA connectors, magnet wire, and a ferrite core material. See the injection_tips folder for more examples and details on building the probes.

Reader Note: Please submit your own examples with a pull-request to this repo, it would be great to have more examples of probe geometries

You can find additional examples of homemade cores in research papers such as:

  • A. Cui, R. Housley, "BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection," USENIX Workshop on Offensive Technologies (WOOT 17), 2017. Paper Link. Slides Link.
  • J. Balasch, D. Arumí and S. Manich, "Design and validation of a platform for electromagnetic fault injection," 2017 32nd Conference on Design of Circuits and Integrated Systems (DCIS), 2017, pp. 1-6. Paper Link.
  • J. Toulemont, G. Chancel, J. M. Galliere, F. Mailly, P. Nouet and P. Maurine, "On the scaling of EMFI probes," 2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 2021. Paper Link. Slides Link.
  • LimitedResults. "Enter the Gecko," 2021. Blog Link

Useful References

If you don't know where to start with FI, you may find a couple chapters of the Hardware Hacking Handbook useful.

You can see a demo of PicoEMP being used on a real attack in this TI CC SimpleLink attack demo.

Using the PicoEMP

The general usage of the PicoEMP is as follows:

  1. Press the "ARM" button. The red "ARMING" led will come on instantly telling you it's trying to charge the high voltage.
  2. The red "HV" led will come on after a few seconds saying it is charged to "some voltage".
  3. Place the probe tip overtop of the target.
  4. Press the "Pulse" button.

You can see more examples of this in the Intro Video.

You can even use the Raspberry Pi Pico to attack a Raspberry Pi "regular"! Here's a demo hitting a RSA signature on a Raspberry Pi (the demo code taken from Colin's Remoticon 2021 Talk):

WARNING: The high voltage will be applied across the SMA connector. If an injection tip (coil) is present, it will absorb most of the power. If you leave the SMA connector open, you will present a high voltage pulse across this SMA and could shock yourself. Do NOT touch the output SMA tip as a general "best practice", and treat the output as if it has a high voltage present.

The full ChipSHOUTER detects the missing connector tip and refuses to power up the high voltage, the PicoEMP does not have this failsafe!

About the High Voltage Isolation

Most EMFI tools generate high voltages (similar to a camera flash). Many previous designs of open-source EMFI tools would work well, but exposed the user to high voltages. This was fine provided you use the tool correctly, but of course there is always a risk of grabbing the electrically "hot" tool! This common design choice happens because the easiest way to design an EMFI tool is with "low-side switching" (there is a very short mention of these design choices as well in my book if you are curious). With low-side switching the output connector is always "hot", which presents a serious shock hazard.

PicoEMP gets around this problem by floating the high-voltage side, meaning there is no electrical path between the EMFI probe output and the input voltage ground. With the isolated high voltage output we can use the simple "low-side switching" in a safe manner. Some current will still flow due to the high-frequency spikes, so this isn't perfect, but it works well enough in practice (well enough you will shock yourself less often).

The caveat here is for this to work you also need to isolate your gate drive. There are a variety of solutions to this, with the simplist being a gate drive transformer (GDT). The PicoEMP uses the transformer architecture, with some simplifications to further reduce BOM count.

More details of the design are available in the hardware folder.

Hipot Testing for Validating Isolation

Easy-assemble builds have been subject to a hipot test. This test validates the isolation exists, and has not been compromised by things like leftover flux on the PCB.

This test applies a high voltage (1000V) from the SMA connector pads to the low-voltage signals shorted together. The test is done at 1000V DC, with test passing if LESS than 1 uA of current flows over the 60 seconds test duration. Note this limits is far lower than most industry standard limits.

Technical Differences between ChipSHOUTER and PicoEMP

The main differences from a technical standpoint:

  • ChipSHOUTER uses a much more powerful high voltage circuit and transformer (up to ~30W vs ~0.2W) that gives it almost unlimited glitch delivery, typically limited by your probe tip. The PicoEMP is slower to recover, typically ~1 to 4 seconds between glitches.

  • ChipSHOUTER has a larger internal energy storage & more powerful output drivers.

  • ChipSHOUTER has a controlled high-voltage setting from 150V to 500V. PicoEMP generates ~250V, there is some feedback but it's uncalibrated. NOTE: The PicoEMP allows some control of output pulse size by instead controlling the drive signal. This is less reliable (more variability in the output), but meets the goal of using the lowest-cost control method.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 International License.

ChipSHOUTER is a trademark of NewAE Technology Inc., registered in the US, European Union, and other jurisdictions. PicoEMP is a trademark of NewAE Technology Inc.

More Repositories

1

chipwhisperer

ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks
C
1,073
star
2

chipwhisperer-jupyter

Interactive ChipWhisperer tutorials using Jupyter notebooks.
Jupyter Notebook
216
star
3

ChipSHOUTER

ChipSHOUTER® - The Electromagnetic Fault Injection (EMFI) Platform By NewAE Technology Inc. Repo holds API, documentation, and examples.
125
star
4

phywhispererusb

PhyWhisperer-USB: Hardware USB Trigger
C
82
star
5

chipwhisperer-husky

C
77
star
6

chipwhisperer-target-cw308t

ChipWhisperer CW308 UFO Target Hardware Files
HTML
29
star
7

chipjabber-basicbbi

A Basic BBI Tool - So Simple, But So Good!
Jupyter Notebook
25
star
8

ChipShover

ChipSHOVER is an XYZ table & driver, with open-source firmware for the controller.
Python
22
star
9

chipwhisperer-tutorials

Exported ChipWhisperer Tutorials - Used for Building Documentation
17
star
10

chipwhisperer-lint

ChipWhisperer-Lint is an open source implementation of our automated leakage detection tool.
Python
17
star
11

naeusb

USB library for ChipWhisperer devices
C
14
star
12

ChipWhisperer-Test-Results

HTML
13
star
13

CANoodler

CANoolder: CAN to 3.3V logic level interface. Dumb. Cheap. Simple. Pick 3.
13
star
14

ChipJabber-Unplugged

ChipJabber-Unplugged does new-school attacks with old-school logic.
C++
12
star
15

DesignStartTrace

Adding trace to DesignStart for easier side-channel analysis on the CW305 target. Also supports PhyWhisperer.
VHDL
12
star
16

sonata-pcb

Design files and associated documentation for Sonata PCB, part of the Sunburst Project
ANTLR
12
star
17

chipwhisperer-tvla

Jupyter Notebook
11
star
18

chipwhisperer-husky-fpga

FPGA design and test files for ChipWhisperer-Husky.
Verilog
10
star
19

wiki.newae.com

This is a GIT syncronization of https://wiki.newae.com
9
star
20

chipwhisperer-target-mpc5748g

CW308T-MPC5748G Example Firmware
C
8
star
21

secure-CAN-demo

Implementation of secure CAN network in "Power Analysis and Fault Attacks against Secure CAN: How Safe Are Your Keys?".
C
7
star
22

CW305-Arm-DesignStart

Instruction and files for porting Arm DesignStart to CW305.
C
7
star
23

chipwhisperer-vagrant

Vagrant stuff to build chipwhisperer virtualbox image
Python
7
star
24

chipwhisperer-target-cw313

CW313 ChipWhisperer Design Files
6
star
25

ChipArmour

ChipArmourer helps you build secure firmware resistant against fault injection attacks.
C
6
star
26

ChipSHOUTER-python

Python API for ChipSHOUTER
Python
5
star
27

newae-mcuboot-demo

Bootloader that uses Chip Armor
C
5
star
28

ChipSHOUTER-ballisticgel

ChipSHOUTER Ballistic Gel
C
5
star
29

chipwhisperer-contest-2021

5
star
30

ches2023notebooks

Notebooks and traces for CHES 2023 ECC tutorial
Jupyter Notebook
4
star
31

cwlint-demo-aes-arm

CW-Lint running against ARM Implementation of AES with various builds possible.
Python
4
star
32

cw310-bergen-board

CW310 - Kintex FPGA ('Bergen Board') Target
VHDL
3
star
33

tracewhisperer

VHDL
3
star
34

sonata-rp2040

rp2040 firmware for Sonata
C
3
star
35

SideChannelLive

SideChannel Live
2
star
36

chipwhisperer-datasets

Interface to Side-Channel Analysis Dataset
2
star
37

chipwhisperer-minimal

Minimal chipwhisperer that only supports the CW310
Python
2
star
38

fpga-common

FPGA design elements used across multiple projects.
SystemVerilog
2
star
39

securecan_automotive_demo

C
1
star
40

chipwhisperer-examples

ChipWhisperer Examples (mostly sample traces)
Python
1
star
41

phywhisperer-common

Files common to phywhisperer projects.
Verilog
1
star
42

chipwhisperer-target-cec1702

Firmware to modify EFUSE bits in CEC1702
C
1
star
43

ChipSHOUTER-target-simple

The CW322 Simple EMFI Target
C
1
star