{"id":19065409,"url":"https://github.com/newaetech/chipshouter-picoemp","last_synced_at":"2025-04-04T08:06:59.020Z","repository":{"id":38400762,"uuid":"435303098","full_name":"newaetech/chipshouter-picoemp","owner":"newaetech","description":"Why not run micropython on your EMFI tool?","archived":false,"fork":false,"pushed_at":"2024-08-28T13:09:25.000Z","size":6112,"stargazers_count":553,"open_issues_count":15,"forks_count":64,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-03-28T07:04:16.160Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/newaetech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-05T23:22:55.000Z","updated_at":"2025-03-28T02:32:11.000Z","dependencies_parsed_at":"2022-09-19T04:40:55.623Z","dependency_job_id":"1e3a3b47-c4c4-4671-b33c-66d8bdc0a599","html_url":"https://github.com/newaetech/chipshouter-picoemp","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newaetech%2Fchipshouter-picoemp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newaetech%2Fchipshouter-picoemp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newaetech%2Fchipshouter-picoemp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/newaetech%2Fchipshouter-picoemp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/newaetech","download_url":"https://codeload.github.com/newaetech/chipshouter-picoemp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247141297,"owners_count":20890626,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T00:49:50.100Z","updated_at":"2025-04-04T08:06:58.995Z","avatar_url":"https://github.com/newaetech.png","language":"C","funding_links":[],"categories":["Hardware Tools","Testing Tools"],"sub_categories":["Fault Injection","Fault Injection - Glitching and Side Channel Analysis"],"readme":"# ChipSHOUTER-PicoEMP\n\n[![CC BY-SA 3.0][cc-by-sa-shield]][cc-by-sa]\n\n![](hardware/picoemp-red.jpeg)\n\nThe PicoEMP is a low-cost Electromagnetic Fault Injection (EMFI) tool, designed *specifically* for self-study and hobbyist research. 
Under the safety shield it looks like this:\n\n![](hardware/picoemp.jpeg)\n\nYou can see some details of the design in the [Intro Video](https://www.youtube.com/watch?v=nB5arJi-tVE).\n\n## Thanks / Contributors\n\nPicoEMP is a community-focused project, with major contributions from:\n* Colin O'Flynn (original HW design, simple Python demo)\n* [stacksmashing](https://twitter.com/ghidraninja) (C firmware for full PIO feature-set)\n* [Lennert Wouters](https://twitter.com/LennertWo) (C improvements, first real demo)\n* [@nilswiersma](https://github.com/nilswiersma) (Triggering/C improvements)\n\n## Background\n\nThe [ChipSHOUTER](http://www.chipshouter.com) is a high-end Electromagnetic Fault Injection (EMFI) tool designed by Colin\nat [NewAE Technology](http://www.newae.com). While not the first commercially available EMFI tool, ChipSHOUTER was the first\n\"easily purchasable\" (even if expensive) tool with extensive open documentation. The tool was *not* open-source, but it\ndid contain a variety of detailed descriptions of the design and architecture in the\n[User Manual](https://github.com/newaetech/ChipSHOUTER/tree/master/documentation). The ChipSHOUTER design optimization focused in rough order on (1) safe operation, (2) high performance, (3) usability, and finally (4) cost. This results in a tool that covers many use-cases, but may be overkill (and too costly) for many. In addition, acquiring the safety testing/certification is not cheap, and must be accounted for in the product sale price.\n\nThe PicoEMP tries to fill in the gap that ChipSHOUTER leaves at the lower end of the spectrum. This PicoEMP project is *not* the\nChipSHOUTER. Instead it's designed to present a \"bare bones\" tool that has a design optimization focused in rough order on (1) safe\noperation, (2) cost, (3) usability, (4) performance. Despite the focus on safety and low cost, it works *surprisingly* well. 
It is also\n*not* sold as a complete product - you are responsible for building it, ensuring it meets any relevant safety requirements/certifications,\nand we completely disclaim all liability for what happens next. Please **only** use PicoEMP where you are building and controlling it\nyourself, with total understanding of the operation and risks. It is *not* designed to be used in professional or educational environments,\nwhere tools are expected to meet safety certifications (ChipSHOUTER was designed for these use-cases).\n\nAs an open-source project it also collects inputs from various community members, and welcomes your contributions! It also has various remixes of it, including:\n\n* TODO link to people's remixes.\n\n## Building a PicoEMP\n\nThe PicoEMP uses a Raspberry Pi Pico as the controller, inspired by @nezza using it for the debug-n-dump tool. You could alternatively use an Arduino or another microcontroller. You basically just need a few things:\n\n1. PWM output to drive HV transformer.\n2. Pulse pin to generate a pulse.\n3. Status pin to monitor the HV status.\n\nYou have two options for building the PicoEMP: (1) total scratch build, or (2) easy-assemble build.\n\n### Scratch Build\n\nThe PCB is *mostly* one layer. Original versions of it were milled on a Bantam PCB mill, and the final 'production' version is designed\nto still allow this simple milling process. You can find details in the [gerbers](hardware/gerbers) folder, including Bantam-optimized files\nwhich remove some of the smaller vias (used for the mounting holes), and require you to surface-mount the Raspberry Pi Pico. Here was\n'rev3' of the PCB with a few hacked up tests:\n\n![](hardware/design_notes/img/proto_rev3_hackedup.jpeg)\n\nIf you've got time you can order the \"real\" PCBs from the [gerbers](hardware/gerbers) as well.\n\nThe BOM and build details are described in the [hardware](hardware) folder. 
If you cannot find the plastic shield (the upper half of Hammond\n1551BTRD is used), you can find a simple 3D-printable shield as well. The official shield is low-cost and available from Digikey/Mouser/\nNewark so you can purchase it alongside everything else you need.\n\n**IMPORTANT**: The plastic shield is critical for safe operation. While the output itself is isolated from the input connections, you will still **easily shock yourself** on the exposed high-voltage capacitor and circuitry. **NEVER** operate the device without the shield.\n\n### Easy-Assemble Build\n\nThe Easy-Assemble build uses a \"mostly complete\" SMD board, to which you need to solder a Raspberry Pi Pico, switches, and through-hole headers. Currently it's available only on the [NewAE Store](https://store.newae.com/chipshouter-picoemp). We're working to\nget this listed on Mouser for much cheaper worldwide shipping (the NewAE store doesn't get great rates \u0026, due to issues with Canada's postal system for international shipments, quotes mostly via DHL).\n\n### Programming the PicoEMP\n\nYou'll need to program the PicoEMP with the firmware in the [firmware](firmware) directory. You can run other tasks on the microcontroller\nas well.\n\n### Building the EM Injection Tip (Probe / Coil)\n\nYou will also need an \"injection tip\", typically made with a ferrite core and some wires wrapped around it. You can see examples of such cores in the ChipSHOUTER kit. The following shows a few homemade \u0026 commercial tips:\n\n![](hardware/injection_tips/examples/tips-sma.jpg)\n\nYou can make your own from suitable SMA connectors, magnet wire, and a ferrite core material. See the [injection_tips](hardware/injection_tips)\nfolder for more examples and details on building the probes.\n\n*Reader Note: Please submit your own examples with a pull-request to this repo; it would be great to have more examples of probe geometries*\n\nYou can find additional examples of homemade cores in research papers such as:\n\n* A. 
Cui, R. Housley, \"BADFET: Defeating Modern Secure Boot Using Second-Order Pulsed Electromagnetic Fault Injection,\" USENIX Workshop on Offensive Technologies (WOOT 17), 2017. [Paper Link.](https://www.usenix.org/conference/woot17/workshop-program/presentation/cui) [Slides Link.](https://github.com/RedBalloonShenanigans/BADFET)\n* J. Balasch, D. Arumí and S. Manich, \"Design and validation of a platform for electromagnetic fault injection,\" 2017 32nd Conference on Design of Circuits and Integrated Systems (DCIS), 2017, pp. 1-6. [Paper Link.](https://upcommons.upc.edu/bitstream/handle/2117/116688/bare_conf.pdf)\n* J. Toulemont, G. Chancel, J. M. Galliere, F. Mailly, P. Nouet and P. Maurine, \"On the scaling of EMFI probes,\" 2021 Workshop on Fault Detection and Tolerance in Cryptography (FDTC), 2021. [Paper Link.](https://ieeexplore.ieee.org/abstract/document/9565575) [Slides Link.](https://jaif.io/2021/media/JAIF2021%20-%20Toulemont.pdf)\n* LimitedResults. \"Enter the Gecko,\" 2021. [Blog Link.](https://limitedresults.com/2021/06/enter-the-efm32-gecko/)\n* C. Gaine, J-P. Nikolovski, D. Aboulkassimi, J-M. Dutertre. \"New probe design for hardware characterization by ElectroMagnetic Fault Injection,\" EMC Europe 2022. [Paper Link.](https://hal-cea.archives-ouvertes.fr/cea-03657852/file/article_archivesouvertes.pdf)\n\n### Useful References\n\nIf you don't know where to start with FI, you may find a couple of chapters of the [Hardware Hacking Handbook](https://nostarch.com/hardwarehacking) useful.\n\nYou can see a demo of PicoEMP being used on a real attack in this [TI CC SimpleLink attack demo](https://github.com/KULeuven-COSIC/SimpleLink-FI/blob/main/notebooks/5_ChipSHOUTER-PicoEMP.ipynb).\n\n## Using the PicoEMP\n\nThe general usage of the PicoEMP is as follows:\n\n1. Press the \"ARM\" button. The red \"ARMING\" LED will come on instantly, telling you it's trying to charge the high voltage.\n2. 
The red \"HV\" LED will come on after a few seconds, saying it is charged to \"some voltage\".\n3. Place the probe tip over the top of the target.\n4. Press the \"Pulse\" button.\n\nYou can see more examples of this in the [Intro Video](https://www.youtube.com/watch?v=nB5arJi-tVE).\n\nYou can even use the Raspberry Pi Pico to attack a Raspberry Pi \"regular\"! Here's a demo hitting an RSA signature on a Raspberry Pi (the demo code is taken from Colin's [Remoticon 2021 Talk](https://github.com/colinoflynn/remoticon-2021-levelup-hardware-hacking/tree/master/rpi-glitching)):\n\n![](hardware/demo.jpg)\n\n**WARNING**: The high voltage will be applied across the SMA connector. If an injection tip (coil) is present, it will absorb most of the power. If you leave the SMA connector open, you will present a high-voltage pulse across this SMA and could shock yourself. Do NOT touch the output SMA tip as a general \"best practice\", and treat the output as if it has a high voltage present.\n\nThe full ChipSHOUTER detects the missing connector tip and refuses to power up the high voltage; the PicoEMP does not have this failsafe!\n\n## About the High Voltage Isolation\n\nMost EMFI tools generate high voltages (similar to a camera flash). Many previous designs of open-source EMFI tools would work well, but [exposed the user to high voltages](https://github.com/RedBalloonShenanigans/BADFET). This was fine provided you used the tool correctly, but of course there is always a risk of grabbing the electrically \"hot\" tool! This common design choice happens because the easiest way to design an EMFI tool is with \"low-side switching\" (there is a very short mention of these design choices as well in my [book](https://www.nostarch.com/hardwarehacking) if you are curious). 
With low-side switching the output connector is always \"hot\", which presents a serious shock hazard.\n\nPicoEMP gets around this problem by floating the high-voltage side, meaning there is no electrical path between the EMFI probe output and the input voltage ground. With the isolated high-voltage output we can use the simple \"low-side switching\" in a safe manner. Some current will still flow due to the high-frequency spikes, so this isn't *perfect*, but it works well enough in practice (well enough that you will shock yourself less often).\n\nThe caveat is that for this to work you also need to isolate your gate drive. There are a variety of [solutions to this](https://www.analog.com/en/technical-articles/powering-the-isolated-side-of-your-half-bridge-configuration.html), with the simplest being a gate drive transformer (GDT). The PicoEMP uses the transformer architecture, with some simplifications to further reduce BOM count.\n\nMore details of the design are available in the [hardware](hardware) folder.\n\n### Hipot Testing for Validating Isolation\n\nEasy-assemble builds have been subjected to a hipot test. This test validates that the isolation exists, and has not been compromised by things like leftover flux on the PCB.\n\nThis test applies a high voltage (1000V) from the SMA connector pads to the low-voltage signals shorted together. The test is done at 1000V DC, with the test passing if LESS than 1 uA of current flows over the 60-second test duration. Note this limit is *far* lower than most industry-standard limits.\n\n### Technical Differences between ChipSHOUTER and PicoEMP\n\nThe main differences from a technical standpoint:\n\n* ChipSHOUTER uses a much more powerful high-voltage circuit and transformer (up to ~30W vs ~0.2W) that gives it\n  almost unlimited glitch delivery, typically limited by your probe tip. 
The PicoEMP is slower to recover, typically ~1 to 4 seconds between\n  glitches.\n\n* ChipSHOUTER has larger internal energy storage \u0026 more powerful output drivers.\n\n* ChipSHOUTER has a controlled high-voltage setting from 150V to 500V. PicoEMP generates ~250V; there is some feedback, but it's uncalibrated.\n  **NOTE**: The PicoEMP allows some control of output pulse size by instead controlling the drive signal. This is less reliable (more variability\n  in the output), but meets the goal of using the lowest-cost control method.\n\n## License\n\nThis work is licensed under a [Creative Commons Attribution-ShareAlike 3.0 International License][cc-by-sa].\n\n[cc-by-sa]: http://creativecommons.org/licenses/by-sa/3.0/\n[cc-by-sa-image]: https://licensebuttons.net/l/by-sa/3.0/88x31.png\n[cc-by-sa-shield]: https://img.shields.io/badge/License-CC%20BY--SA%203.0-lightgrey.svg\n\nChipSHOUTER is a trademark of NewAE Technology Inc., registered in the US, European Union, and other jurisdictions.\nPicoEMP is a trademark of NewAE Technology Inc.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnewaetech%2Fchipshouter-picoemp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnewaetech%2Fchipshouter-picoemp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnewaetech%2Fchipshouter-picoemp/lists"}