Aaron Christophel Automates EMP Fault Injection Probing with a PicoEMP and a 3D Printer
Cleverly converted printer automates the probing process, taking the pain out of finding exactly where a chip is vulnerable to glitching.
Maker Aaron Christophel has been experimenting with electromagnetically-induced fault injection attacks — and to make the process more repeatable and easier to fine-tine, has converted a 3D printer into a controllable fault injection device.
"[This is] my very first experience with the PicoEMP," Christophel explains by way of introduction to his recent work, "it's basically fault injection via some high induction into, in this case, a microcontroller that has the lock bit set, and I try to unlock it to read its firmware."
Fault injection attacks do exactly what their name suggests: deliberately induce a fault state in the target device in order to see what happens, including being able to crash out of protection systems that prevent firmware dumping or overwriting. In Christophel's case, he's injecting faults via electromagnetic impulses using the Raspberry Pi Pico-powered PicoEMP — a handy device Colin O'Flynn designed for that specific purpose three years ago.
Initially, Christophel was using the PicoEMP like anyone else: setting it up in a clamp to push the tip against the target device while it operated. Success or failure in this kind of attack, though, is very dependent on which part of the chip you're targeting — and carefully moving the probe's position by hand soon got old.
The solution: the conversion of a 3D printer into an automated probing rig. "The target board is screwed on to the 3D printer," Christophel explains. "[It is] probing in every possible spot in the X, Y, and Z direction. It will start like at the corner, will go up and down the whole chip, and also will check for the distance to it [from the probe tip]."
"The closer it gets to the chip," Christophel explains, "every now and then the LED goes off — which means the glitch did trigger a reset of the chip. And should the LED ever light green, it is a successful glitch; this is also recorded on the PC, so afterward we have some results to say 'okay, where's the best spot to glitch for a reset or for the real glitch we want to see?'"
Christophel's experiments are detailed in the videos embedded above and on his YouTube channel; more information on the PicoEMP is available on GitHub.