Close
0%
0%

PicoGlitcher

A dirt-cheap hardware to carry out voltage glitching attacks against microcontrollers with a Raspberry Pi Pico

Public Chat
Similar projects worth following
This project is intended to make fault injection attacks against microcontrollers accessible for hobbyists and to introduce the topic of voltage glitching. The software offers an easy entry point to carry out your own attacks against microcontrollers, SoCs and CPUs. With the provided and easy to use functions and classes, fault injection projects can be realized quickly.

Voltage glitching attacks are usually done with expensive hardware such as the ChipWhisperer Pro or Husky. However, for most of the attacks a Raspberry Pi Pico and a few other components are required. In order to achieve the best results, a circuit board was developed to combine the best of both worlds: cheap, easy to use and powerful.

Update: Please contact me if you want to build a PicoGlitcher yourself. If you are from Germany, I can send you the unpopulated first version PCB for 5€ (excluding shipping), or the PCB (version 1.1) with SMD components already soldered on for 25€. If interested, a complete PicoGlitcher build with all relevant components soldered on, is 35€ (excluding shipping).

Update 2: Many thanks to Troed Sångberg who successfully built a PicoGlitcher. For his built, he made a parts list on Mouser which you can find in the project files.

Introduction

Voltage glitching attacks are a class of hardware attacks that exploit the vulnerability of electronic systems to sudden and brief changes in their power supply voltage. By intentionally introducing these abrupt voltage changes, or "glitches," attackers aim to disrupt the normal operation of the target device, causing it to malfunction in a controlled manner. This can result in the bypassing of security measures, corruption of data, or unintended execution of code. Voltage glitching is particularly relevant in the context of embedded systems, such as microcontrollers and smart cards, which are commonly used in secure applications including payment systems, access controls, and IoT devices.

The core concept behind voltage glitching is to induce faults at precise moments during the execution of critical operations within the device. These faults can lead to outcomes such as skipping security checks, extracting secret keys, or gaining unauthorized access to protected functions. The success of a voltage glitching attack relies on careful timing and an understanding of the target device's behavior under different power conditions. Attackers often use specialized equipment to generate and control these glitches with high precision, making this technique both sophisticated and powerful.

Previously featured projects

Glitching has been previously described on Hackaday for example here (everything you didn't know you need to know about glitching attacks) or here (Apple Airtags hacked and cloned with voltage glitching). The latter even describes attacking an Apple Airtag with a Raspberry Pi Pico and a mosfet. 

Existing hardware

Usually these attacks are carried out by expensive hardware such as the ChipWhisperer Pro, the ChipWhisperer Husky, or the devices from Riscure. As these devices are typically very expensive (several hundred Euros), they are not accessible for the hobby hacker. The ChipWhisperer Husky is even more inaccessible for hobby hackers since it has long shipping times up to several weeks.

The PicoGlitcher

It turns out, however, that voltage glitching attacks can easily be performed with cheap and available hardware like the Rapberry Pi Pico and some other components. The sampling rate of the Raspberry Pi Pico is fast enough to enable attacks against most common microcontrollers like the ESP32 or STM32 processors. To gain more insight into voltage glitching attacks and using only cheap components, the PicoGlitcher was born.

The hardware required for the PicoGlitcher involves, of course, a Raspberry Pi Pico and additional components for precise voltage control and monitoring. Specifically, it includes a power supply capable of switching the target on and off, and crowbar transistors that can switch up to 66 amps. The design of the voltage glitching stage of the PicoGlitcher is exactly the same as found in the ChipWhisperer Pro. Furthermore, the board provides several different voltages to supply all kinds of different target boards. A built-in level shifter translates between the fixed voltages of the Raspberry Pi Pico and the voltage levels of the target board. 

Glitches must be placed very precisely. The PicoGlitcher is able to trigger on various external events. For example, a rising or falling edge could be used to start the timers. Additionally, the PicoGlitcher can sniff on a UART communication...

Read more »

Project_Sep13_0320AM.xls

Mouser BOM (thanks to Troed Sångberg!)

ms-excel - 24.00 kB - 09/13/2024 at 08:24

Download

  • September 3 2024: PCB updates

    Matthias Kesenheimer2 days ago 0 comments

    First of all, the design of the PicoGlitcher is good and I have not found any major flaws yet. The PicoGlitcher works.

    However, I have noticed that some of the PCB markings are hard to read, and some are even missing. The component placement is also not optimal, so I decided to update the PCB files. Soldering the small SMD components by hand was difficult (for me at least), so I decided to give PCB manufacturing with component placement a try.

    I made a few changes to the design files, picked all the components from JLCPCB via the Assembly Parts Lib and uploaded the new gerber files. In order to automatically generate the BOM and the component placement file (CPL) in Fusion360, I used the library jlcpcb-eagle. With the gerber, the BOM and the CPL files ready, I was finally able to submit my order to JLCPCB. All the relevant files can be found on my github page. 

    I was surprised at how easy the whole procedure was. The JLCPCB parts library is huge and if an exact part is not available, there is always an alternative. What's more, every step of the process is easy to understand. The component placement is displayed in an online tool that allows you to check that all the components have been placed correctly. Manufacturing and shipping was fast. I received my order within ten days.

  • July 8 2024: PicoGlitcher in operation

    Matthias Kesenheimer08/05/2024 at 19:01 0 comments

    Here you can see a video of a running glitching campaign. The target gets reset, a glitch is emitted and the status of RDP is checked.

  • July 8 2024, later this day: Glitches!

    Matthias Kesenheimer08/05/2024 at 18:53 0 comments

    I am practiced in doing fine soldering work, but soldering the selected SMD components was nevertheless challenging. In the end, however, the soldering work was successful. The PicoGlitcher is working as expected and I am able to glitch targets. For a test if everything works, I ran a glitch against an STM32F4 microcontroller. Although RDP level 1 was activated, the target responds with an "ACK" after a few attempts when accessing the flash memory in bootloader mode.

    The PicoGlitcher v1 actually works!

  • July ​8 2024: Assembly

    Matthias Kesenheimer08/05/2024 at 18:46 0 comments

    All the parts have finally arrived and I can now assemble the circuit boards. The boards look amazingly well made, all the tracks are perfect and there are no visible faults. The black boards stand out really nice.

  • May 31 2024: Components are arriving

    Matthias Kesenheimer05/31/2024 at 19:34 0 comments

    Most of the components for assembling the PicoGlitcher hardware have arrived. I am still waiting for the PCBs...

  • May 30 2024: Successful glitches

    Matthias Kesenheimer05/31/2024 at 19:29 0 comments

    During the last days I refined the software and I added example scripts to attack ESP32 and STM32 processors.

    The library works and is able to produce reliable glitches. First I tried to reproduce results that were previously published by Sec-Consult. In this scenario the read-out protection (RDP) of STM32 microcontrollers is attacked during the bootloader stage. If a glitch is successful, the RDP level can be reduced and thus the internal flash memory be dumped. The above figure shows a successful glitching campaign. On the x-axis the glitch delay in nanoseconds is shown. This is the time between the trigger and the point in time were the glitch is set. The y-axis shows the duration of the glitch (length) in nanoseconds. The longer this time is, the more aggressive is our glitch and the target is more likely to fail. 

    Points in green and yellow are expected behavior or communication errors (not shown in the plot). Magenta and red points are successful glitches and successful memory dumps. With this setup we reach a success rate of about 0.2% which is considered good.

    Since the PicoGlitcher hardware is not ready yet, the attack was made in this case with the ChipWhisperer Pro.

  • May ​23 2024: PCB design

    Matthias Kesenheimer05/31/2024 at 18:55 0 comments

    The design of the PCB has been finished and the boards are being produced. Next step is to order the electronic components and to assemble the boards. Shipping of the PCBs is expected to be in mid June. Hence, there is a bit of time to finish the software until then.

  • May 11 2024: Project start

    Matthias Kesenheimer05/31/2024 at 18:50 0 comments

    Coding starts by forking the project from raelize. The code from raelize is already a good starting point, however, to my taste there are lacking some features. For example, the library from raelize only supports the ChipWhisperer Husky which is a good but expensive device. I wanted to use this library with cheaper hardware. So I had to build my own.

    Moreover, the database functionality of the original project could be improved and I made several improvements to better handle the glitching campaigns. Now my fault-injection-library is an independent project with more than 90 commits, example codes, schematics and PCB design files.

View all 8 project logs

Enjoy this project?

Share

Discussions

balu.2019 wrote 08/20/2024 at 17:04 point

Great Project, any updated BOM list (168 ohm) resistors not available, any replacement for that

  Are you sure? yes | no

Matthias Kesenheimer wrote 2 days ago point

Thank you. You can use 150Ω resistors instead. I updated the design files.

  Are you sure? yes | no

Twisted wrote 08/11/2024 at 22:45 point

Great project but where on earth are you sourcing 168Ω resistors from? They seem non-existent.

  Are you sure? yes | no

Matthias Kesenheimer wrote 2 days ago point

Thanks. Yes you are right. I replaced the resistors with 150Ω resistors in the updated project. The exact value is not that important for these resistors.

  Are you sure? yes | no

Adam wrote 08/07/2024 at 20:55 point

Thanks for the upload of this project I can't wait to make it! (PCB ordered),  do you have an updated BOM list as some of the parts are not very easy to find or make out what the values are supposed to be.

  Are you sure? yes | no

Matthias Kesenheimer wrote 08/09/2024 at 06:46 point

Dear Adam,
another contributor currently works on a component list on Mouser. If you give us some time to sort out any issues, we can publish this list here.

  Are you sure? yes | no

Adam wrote 08/09/2024 at 20:02 point

thank you I'll keep an eye out,   in the mean time i have been attempting to find the parts on Farnell.  , i have so many modules to try this on. very existing. and well done!

  Are you sure? yes | no

Matthias Kesenheimer wrote 2 days ago point

Hey Adam,

the updated BOM can be found in the "files" section of this project. Also a more recently updated BOM with JLCPCB Part numbers can be found on my github page: https://github.com/MKesenheimer/fault-injection-library/blob/master/schematics/pico-glitcher-v1.1-BOM.xlsx

  Are you sure? yes | no

Adam wrote a day ago point

Thank you! 😊 although I think there might be somthing abit wrong, when I upload the BOM jlcpcb, it would appear to add 50 of each part making 5 pcbs thosands and thousands in cost. Is there a figure of each part which can be added too the BOM list?

  Are you sure? yes | no

Matthias Kesenheimer wrote a day ago point

Hmm, that's weird. There is no number of items in the excel sheet. The number is calculated automatically by the number of PCBs you want to produce.

  Are you sure? yes | no

Hasukyryo wrote 06/24/2024 at 07:50 point

Good time friend, great project, a tool that promises many expectations.

  Are you sure? yes | no

Similar Projects

Does this project spark your interest?

Become a member to follow this project and never miss any updates