Using ChipShouter on CW308 and its targets

Hello. Before I buy the expensive ChipShouter to try out some EMFI, is it actually possible to perform EMFI on the CW308 and the targets using ChipShouter? Or could it break the device? Are there some tutorials which will guide me through the idea behind EMFI and so on, just like CPA on the ChipWhisperer?

Yeah, it’s definitely possible to perform EMFI on CW308 targets. We don’t have any tutorials combining the two, but you should be able to work off of the clock/voltage glitch tutorials, since EMFI is similar.

Regarding target durability, EMFI has the potential to permanently damage devices. In practice, the likelihood of damaging a target depends on which target it is, in addition to what ChipSHOUTER settings you use. For example, STM32 devices have been extremely durable, while others are much more likely to brick.

If you want to try out some glitching before you commit to the ChipSHOUTER, you may want to try out our picoemp, as it’s much lower cost.


is there any tutorial on how to perform the EMFI using ChipSHOUTER then? Will it damage the chip itself or the whole CW308? I would like to attack the TC233 Aurix Target on CW308. How similar are the clock/voltage glitches to the EMFI? Can I just substitute the glitching part with ChipSHOUTER operations? Or is it more complex

The damage will be limited to just the target. EMFI is very similar to clock/voltage glitching, but with more glitch effects (e.g. SRAM corruption) and different search space parameters (coil voltage, xyz position, etc). Basically, you’ll still need to setup a glitch loop, test for success, etc. You can also use the ChipWhisperer to trigger the ChipSHOUTER. I’d recommend starting with the SMB Trigger Input section of the ChipSHOUTER user manual.