Matthias Kesenheimer's PicoGlitcher Turns a Raspberry Pi Pico Into a Python-Powered Fault Injector
Designed as a low-cost yet high-performance device for voltage glitching attacks, the PicoGlitcher can be built for under $33.
Maker Matthias Kesenheimer has designed a low-cost device for performing fault injection attacks via voltage glitching, driven by a Raspberry Pi Pico — and called, sensibly enough, the PicoGlitcher.
"Fault injection is a hacking technique where a system or a device is stressed in an unusual way," Kesenheimer explains. "In this particular case, the power supply to a microcontroller is to be interrupted for a very short time. Since a voltage glitch attack must be timed very precisely, FPGAs or dedicated hardware are usually used. In this case, however, the glitch is to be performed with a single and cheap Raspberry Pico."
The PicoGlitcher was developed during an effort to capture the flag in the RHME2 Fault Injection challenge, which requires the player to glitch out a Microchip ATmega328P microcontroller to reveal a secret string hidden in the firmware. "I connected the gate of a MOSFET to the glitch output, the source to ground, and a cable to drain," Kesenheimer explains. "I searched for a promising pin of the ATmega328P microcontroller on the Arduino board and touched the pin with the cable. After a few adjustments, the flag was visible on the terminal."
While the PicoGlitcher is far from the first device built to ease voltage-glitching attacks, it's one of the cheapest: Kesenheimer estimates the total cost at under €30 (around $33) including the Raspberry Pi Pico itself, yet it offers a range of features including a resolution below 10ns through a 125MHz trigger sampling rate, various trigger options, a software-controllable voltage output, and a Python library that interfaces with the device's MicroPython firmware to automate the attack process.
Kesenheimer isn't the only one using a Raspberry Pi Pico for fault injection work, either: earlier this week Aaron Christophel showed off experiments with Colin O'Flynn's Raspberry Pi Pico-powered PicoEMP, connected to a 3D printer for automated probing and ease of glitch reproduction, in which the device attacked a target chip using electromagnetic pulses (EMPs) rather than voltage glitching.
More information on the PicoGlitcher is available on Kesenheimer's Hackaday.io page and on his blog, while source code, schematics, and board design files are available on GitHub under the reciprocal GNU General Public License 3.