Building the PicoEMP - Electromagnetic Fault Injection (EMFI) Tool

Mar 17, 2024
So I created something called PicoEMP, which is an electromagnetic fault injection tool. You can see this nice safety shield on the high voltage side, and it basically allows you to relatively safely insert high electromagnetic pulses into a device. So I'm going to use this Trezor bitcoin wallet that I have used in other examples. You can see that the case is a little bit open because I have been doing other things with it, and what you can see is that it will show this Serious Failure Detected message because it is actually detecting the fault that's been inserted, just like some of its protections that catch some of these strange faults. You can see here that I can reset it and all that, and I'm doing this through the enclosure, interestingly, so there's a lot of interesting things with EMFI. This works because the microcontroller is very close to the case on this one, so you can see that we usually place it right on top of the microcontroller and insert faults in a similar way, or from behind.
Here you can see that I have enabled this Unofficial Firmware Detected message because it actually corrupted the SHA firmware verification that occurs on boot, so you can cause errors without a full reboot; that is the true power of the glitch and the direction. So the device itself looks like this. This green board I'll show you first because it has, you can see, those slots on the back, so the shield is just a piece of plastic, a Hammond part available on the market, so you can buy it at Digi-Key, and it fits to protect your fingers from the high voltage side.

What I'm really going to use, the production type of boards, are these red boards that will be lifted here, except if I lift the red board, I forgot the shield, so I messed up the paneling on this one, so I'm waiting for the next version, but it's pretty much exactly the same; only the green ones were the ones I had first when I was doing a really quick prototype. So within that high voltage area you basically have some inputs that come in, in this case from a Raspberry Pi Pico, but you can drive them from an Arduino or any other part. So there are these two transformers here; you can see some windings if you go to the side. They are actually designed as flash transformers, these types of high voltage transformers. We use one to control a high voltage circuit here that charges this capacitor, with a switch that discharges the capacitor through a resistor, so it's a little extra safety feature: if you were to remove the shield, which of course you should never do, or run it with the shield off, there is a way to discharge the capacitor. So how much voltage are we talking about here?
If we look at this device, it has another thing that you should never do: probe it live. But I added test points because you also want to be able to do it safely; it's like abstinence education doesn't really work, so here we have a safe way to do it. You can see it's like 240 volts. When we discharge it, it discharges on its own; part of this is due to the 10 megaohm resistance of the DMM, but there is also a high resistance value in the circuit. When we press the button to discharge, you can see the voltage drops, so the recovery is not super fast, and that's what you know, this is a low-power design. You saw the size of those transformers; this is not a high power circuit. We have a high-end device called the ChipSHOUTER which uses a transformer that weighs more than this entire device, but this works. The other thing I show here is the voltage output of the optocoupler that is used to provide feedback.
You can actually see there's a line, so there's an analog measurement capability. You would have to calibrate it, and it's not very reliable because it's like the current transfer characteristic of an optocoupler, which is not constant with anything, but it gives you go/no-go information and you can potentially calibrate it. So there are many types of features built into this thing, or functional capability. To give you an idea of what the output looks like, here is a low inductance resistor that I'm going to connect to the output. Next I'm going to use a differential probe, so part of this setup came from developing the ChipSHOUTER, the largest unit we sell.
And then there's quite a bit of construction experience that's also been worked into this, this really low-cost one, so if I plug the differential probe into this, it'll allow me to test the voltages safely without having to worry about some kind of ground loop. You know, for this design that shouldn't be a problem, but since I already had the setup, why not? So if we press the button, you can see here, it basically goes up to 250 volts, so that's 50 per div. The time scale is not super fast, so let me change the time scale here. You know you don't want the rise time to be too fast on this output, because that can add ringing if you're trying to make a low-cost device.
You don't want to have to add a lot of complex output circuitry to deal with that, so it works pretty well. If we trigger it repeatedly, what we'll see is we'll actually see the voltage drop from the capacitor bank, so if I hold down the button it's basically every 100 milliseconds or so it sends an output pulse. What you can see is that if you try to do it that fast, it's not going to maintain that high output voltage; it doesn't have the capability that I showed before, where you could see the bank voltage drop, but that gives you an idea of what it looks like.
Now, of course, that's just a resistance. Let's put an inductor on this thing. Let's put in a coil and see what it really looks like. So I put a coil on the output, and then I'm going to turn it off right now, don't worry, I'm not going to blow up the capacitor, and I'm going to roughly probe it to try to get the output. So these are the points that go to the SMA connector; this is what it looks like, you know, right in the circuit. It's going to be a little bit less at the coil itself. If that's right, this is the old waveform, sorry. If I trigger the pulse, what you're going to see, look, here's the coil voltage, and it looks pretty good. You know, I think it's actually pretty impressive for this simple, very low-cost device.
It still rises to 200 volts. We are relatively narrow; it's being driven with a one millisecond wide pulse at the input to that gate drive transformer, so you saw what it looked like before, but it works relatively well, and this is our output going to the coil. The coil itself limits how wide it can go, depending on the size of the coil and things like that. That's the other interesting thing, so that was the output to the coil.
Let's look at the input to the transistor that was switching that capacitor to the coil. This is the real kind of magic of the whole thing. So Q2 in this schematic is an IGBT. I was lazy with the schematic, sorry, it shows a MOSFET symbol, but basically we need to generate a high voltage across that gate, or, you know, a higher voltage like 12 volts, 15 volts, so we use a transformer to couple the 3.3 volts up to 12 volts. This is what it looks like, so here's the warning: the scale is strange. I'll drop it to 5 volts in a second, but we're getting this nice spike that goes up to about 15 volts and stays at about 12 or so volts, and this is key, because for an IGBT, like a MOSFET, you want to prevent the gate from going too high. The absolute maximum voltage is 30 volts, similar to large MOSFET ratings; if you exceed that it will immediately destroy the device, so you have to be very careful, and the circuit uses a zener to hold it. The other thing with an IGBT is that it needs to go above 10 volts frequently, so if you're used to a MOSFET thinking that 10 volts is the magic number, we turn it up a bit. You could see it peaking at about 15, but if you look at 10, it's not fully saturated and not fully on at the full collector current, so that's where you need to go up the most to make sure that we're pushing the device into saturation during that initial dump into the coil. So for the coil itself I'm using these ChipSHOUTER probe tips that come with the larger ChipSHOUTER device.
You know, they are going to be very expensive, more expensive than this tool alone. You can also wind your own coils, so there are some details in the PicoEMP repository. Oh right, we sell the tips with the ChipSHOUTER, but we also show you how to build some of your own if you're curious, or use some off-the-shelf parts; you can combine the two. The other thing we're looking at to help make PicoEMP available is some sort of actual build kit, and it would have the surface mount parts ready and you would have to solder the Pico itself, and part of that is because of issues around compliance and things like that, so we can't really sell a complete tool, you know, at the low cost that we want. But we hope you enjoy seeing what you can do with a low cost device, and build your own or look for the kit in the future, and enjoy exploring electromagnetic fault injection. You can even make a board like that, which is like a milled board, to make your own as well. Have fun anyway.
