PicoEMP / Low Cost EMFI

As a short announcement thread - we’ve been working on a low-cost EMFI tool, which we pushed designs for on GitHub. It’s still somewhat beta and the firmware needs work to be “useful”, but it may be interesting for this forum:

You can find design files up here: GitHub - newaetech/chipshouter-picoemp: Why not run micropython on your EMFI tool?

It was inspired a bit after my Remoticon talk - which included an RSA demo on the Raspberry Pi Model 3 B+: GitHub - colinoflynn/remoticon-2021-levelup-hardware-hacking: Colin O'Flynn's Hackaday talk at Remoticon 2021 support repo. So now you can use an R-Pi Pico to attack an R-Pi Model 3 B+!


Hello,
I bought a PicoEMP and the simple CW322 EMFI target. The PicoEMP seems to be working well after the arming and pulse generation, but the target seems not to be impacted by the pulse generation. I connected an oscilloscope on the J3 connector but the signal is not as “clean” as the one presented in the video Building the PicoEMP - Electromagnetic Fault Injection (EMFI) Tool - YouTube. Do you have any suggestions to troubleshoot it?
Thanks

Hi @Azbeen - a lot of this comes down to the coil itself. When I’m using these I actually unwind a few turns from the inductor, cut & re-tin the wire, and use that.

You can even just unwind a few turns to reduce the inductance - the default inductor that comes with it is a little “high” on inductance IMO. A big part of using it is just experimenting with the inductor - see the github page at chipshouter-picoemp/hardware/injection_tips at main · newaetech/chipshouter-picoemp · GitHub for more examples.

I suspect the difference on the waveform you are seeing is 100% just the tip/coil. The waveform is changed more by the coil than it is by drive characteristics/settings (this is the case on the bigger ChipSHOUTER too - you are limited by coil dynamics more than you are by the drive strength).

Hi @coflynn,
I’m experimenting with my newly purchased PicoEMP on my ChipWhisperer targets (XMEGA and STM32F303) and I haven’t been able to induce any faults or glitches so far, so I would like to follow the advice you gave in your previous message by changing the injection tip.
What would be good inductors to buy for making new injection tips? Any part number would be greatly appreciated. I saw that in the PicoEMP demo video you use the 4mm ChipSHOUTER tip to easily glitch a Trezor One. Which inductor is that tip made from?

Also, when shopping for inductors, is there any electrical characteristic to pay special attention to in order to avoid damaging the PicoEMP (for example, a minimum DC resistance)?

Thanks
Marco

Hi, I am building my own PicoEMP and was wondering if anybody knows of any working substitutes for 1,RGT16BM65DTL,Q2. Any help would be greatly appreciated. Current lead time is 340 days everywhere. Thanks

According to the parts sub issue, IKD15N60RC2ATMA1 may work. I was going to try it out as we also need to sub that part on another run, will report back.

FYI I tested the sub (IKD…) today - seems OK. Yellow is RGT16BM65DTL, blue is IKD15N60RC2ATMA1. Some differences in shape but a nice rising edge still. May see slightly different effects, will do some more testing.

Hello coflynn, I have a question. I already built a PicoEMP and it does not work (it is not charging the HV capacitor). I used different parts:

KNOWN SUBS:

  • D2: US1J-13-F (NOT TESTED YET)
  • Q3/Q4: PMV37ENEAR
  • J1: 142-0701-801

I used IRLML0060TRPbF instead of AO3422 and US1J-13-F instead of MURA160T3G; for the HV transistor I used IKD15N60RC2ATMA1 instead of RGT16BM65DTL. Do you know what I did wrong? Have you checked whether US1J-13-F works?
Regards