FaultyCat: Fault Induction Through Electromagnetic Pulses

What is Faulty Cat?

Faulty Cat stands as a top-tier electromagnetic fault injection (EMFI) solution. EMFI is a recognized technique employed for modifying chip behavior to undermine its security. The majority of such attacks are directed at simple microcontrollers.

The design prioritization revolves around ensuring safe performance, affordability, ease of use, and efficiency. Despite the primary focus on safety and cost-effectiveness, its performance remains remarkably impressive.

WARNING:

The plastic shield is critical for safe operation. While the output itself is isolated from the input connections, you will still easily shock yourself on the exposed high-voltage capacitor and circuitry. NEVER operate the device without the shield.

⚠️ Disclaimer ⚠️

Electronic Cats holds no responsibility for any unauthorized use of the tool or any resulting damages. You are in charge of developing it and making sure it complies with any necessary safety standards or certifications. We assume no responsibility for what happens after that. Please only use Faulty Cat if you are creating and managing it yourself, and you completely understand all the hazards. It is not intended for use in settings like work or school, where equipment is required to adhere to safety regulations.

How does Faulty Cat work?

Many EMFI tools generate high voltages similar to a camera flash. Earlier open-source tools were effective but risky due to electric shock potential. This was due to a common design choice called “low-side switching, ” where the output is always active, posing a shock hazard.

Faulty Cat addresses this issue by isolating the high-voltage part, preventing direct electrical paths. This allows safe use of “low-side switching.” Some current still flows due to energy bursts, but it is practical enough.

Technical Differences between Faulty Cat, ChipSHOUTER, and PicoEMP

The main differences from the technical point of view:

• ChipSHOUTER uses a much more powerful high-voltage circuit and transformer (up to ~30W vs ~0.2W) that gives it almost unlimited glitch delivery, typically limited by the probe tip. The PicoEMP is slower to recover, typically ~1 to 4 seconds between glitches. Faulty Cat has a faster recovery.
• ChipSHOUTER has a larger internal energy storage & more powerful output drivers.
• ChipSHOUTER has a controlled high-voltage setting from 150V to 500V. PicoEMP generates ~250V, and Faulty Cat uses a low-power high voltage circuit using only 3xAA batteries and can generate ~200V.
• PicoEMP includes a Raspberry Pi Pico and Faulty Cat uses only the RP2040 MCU.
• The operation of the Faulty Cat has been tested in the laboratory and ensures that it will cause your chip to fail, and its use is safe as long as the instructions and recommendations are followed.
• Faulty Cat is similar to PicoEMP and ChipSHOUTER, but Faulty Cat is a low-cost all-in-one with a battery holder mounted on the board, making it easier to use.

Getting Starter with Faulty Cat

To start using Faulty Cat it is not necessary to upload any firmware to the board, Faulty Cat has a preload and ready-to-use firmware.

The only thing you need to start doing tests is your Faulty Cat and some microcontroller or chip that you can monitor its operation, in our case we will use a Raspberry Pi Pico board.

To demonstrate the operation of the board we upload a fairly simple sketch to our board, like an infinite counter. Then we can check what happens when Faulty Cat induces a discharge of electromagnetic pulses, will the chip of our Raspberry Pi Pico board be able to resist them?

Note: Remember to turn On the switch of the Faulty Cat.

In this case, we will use Arduino IDE, since it is a friendly interface and we can monitor the data through the serial port. So if you do not have the Arduino IDE, you can see how to install it following the guide below. If you have already installed the Arduino IDE or if you have another serial port viewer, you can skip this section.

How to install Arduino IDE?

Download Arduino IDE

The Arduino Integrated Development Environment – or Arduino Software (IDE) – contains a text editor for writing code, a message area, a text console, a toolbar with buttons for common functions, and a series of menus. The Arduino Software allows you to write programs and upload them to your board.

First, you will need to download and install the Arduino IDE, which you can find here available on different OS. If needed, specific instructions are mentioned here.

After installing the Arduino IDE, you should see the next window.

Prepare the test board

Once Arduino IDE and the test board package are installed, we will proceed to upload the code to the test board. The infinite counter code used for this example can be found in our repository: Releases · ElectronicCats/faultycat.

Once we have our code we will upload it as we would upload any other sketch, it is worth mentioning that this code is quite simple, so it can be used with other boards.

Step 1: Once the code is uploaded to the board, we can read the counter in the Arduino IDE's serial monitor.

When opening the serial port we will see the infinite counter which will indicate that our board is working correctly.

Step 2: Place the "business end"/antenna closer to the MCU.

Step 3: Press the “ARMING” button.

Step 4: Press the “PULSE” button once the “CHG” and “HV” LEDs are turned on.

Pressing the "PULSE" button should stop the count on the serial monitor, forcing the user to perform a manual reset to get the board working again.

Following these steps is how you can test any chip of your interest.

Testing Faulty Cat with serial port commands

Before you can use the commands you will need to configure your serial monitor, in our case, we are using the Arduino IDE. Open a new Arduino IDE window, connect Faulty Cat, and open our serial port.

Now, to set up the Serial Monitor we are going to adjust the communication speed to 115200 bauds, as shown below circled in a blue rectangle. Additionally, we are going to use the New Line (NL) and Carriage Return (CR) features as shown below circled in a red rectangle. These two settings are very important, without these settings the Faulty Cat will not recognize the commands.

To see the commands that the Faulty Cat supports, we must send the word “help” to the serial monitor.

To write each command, it will be enough to write only the indicated letters between square brackets “[ ]”.

Here is a list of available commands and a brief description of each one:

• a: Arm the device.
• d: Disarm the device.
• p: Execute the pulse.
• en: Enable timeout to automatically disarm the device if it is not being used. It will disarm itself after 60 seconds.
• di: Disable the timeout to automatically disarm the device if it is not being used. It will not disarm itself.
• f: Enable Fast-trigger via GPIO0 (uses PIO for very fast and consistent triggering).
• fa: Fast Trigger Configuration. Default: delay_cycles=0, time_cycles=625
• in: Use the Internal Pulse generator to control the EM pulse.
• ex: Use an External Pulse generator to control EM pulse insertion.
• c: Configure pulse time and pulse power. Default: pulse_time=5, pulse_power=0.012200
• t: Toggle GP1
• s: Show the Device Status (armed, charged, timeout, and HVP).
• r: Reset the Faulty Cat.

We will perform a test using only commands, in the same way, you must follow the steps of the previous example.

Step 1: Place the "business end"/antenna closer to the MCU.

Step 2: Send the command “a” to arm Faulty Cat.

Step 3: Send the command “p” to send a pulse once the “CHG” and “HV” LEDs are turned on.

When sending the command, the following response should appear

The "s" (status) command is very useful if your device is not visible to the naked eye, or you do not remember how you configured it. With this command, you can see the status of your device such as if it is armed, charged, or has activated the Timeout, and if HVP is internal. Entering the command should give you a response similar to the one below showing the current configuration.

You can configure the pulse time and power, which will help you perform tests with different parameters

An important fact: when resetting your board either through the reset “r” command or through the physical button to be able to communicate again with the Faulty Cat you must close and open the Serial Monitor again so that they are synchronized.

We hope this little guide will be very useful for you to get to know your Faulty Cat, we recommend you use the functions so that you understand how each one works.

Conclusion

This tutorial is intended to be a quick and practical guide on how you can use Faulty Cat, we recommend you to keep abreast of new updates and Faulty Cat content on Faulty Cat Wiki on Git-Hub.

Faulty Cat represents a cutting-edge solution in the realm of Electromagnetic Fault Injection (EMFI) tools. Its design prioritizes security, affordability, user-friendliness, and efficiency, making it a standout choice for those seeking to modify chip behavior for various purposes, including security testing.

Faulty Cat empowers individuals to explore and manipulate chip behavior responsibly, prioritizing safety and performance. As technology continues to advance, tools like Faulty Cat play a vital role in understanding and securing electronic devices.

And that's it! Faulty Cat helps you inject faults employing electromagnetic pulses.

Get yours at the Electronic Cats Store now!

If you have any queries, comments, or worries, reach out to us here: Contact Us.