1. Understanding Faulty Cat
Faulty Cat can be powered from the USB-C connector or from three AA alkaline batteries (1.5V each). If both power sources are available, the USB-C supply takes priority. Use SW2 (ON/OFF) to turn the board on and off.
Important
Faulty Cat does not have a battery charger, so it is not capable of charging the batteries from the holder.
The bootloader mode is useful when your board is not behaving as expected and you need to re-upload the code to it. To update/restore the firmware, follow these steps:
- Download the .uf2 file for the latest version from the Releases section inside this repository.
- Press and hold the BOOT button, then turn on the board using SW2.
- Once the board is connected, release the BOOT button. A file manager window should open, displaying the contents of the RP2040 chip. If the window does not open, double-click the "RPI-RP2" device under File Explorer > This PC > Devices and drives, and the window will open.
- Drag and drop the .uf2 into the RPI-RP2 device window. The device window will close, and the STA LED will turn on.
The RP2040 MCU is responsible for all of Faulty Cat's logic: reading inputs, processing information, and updating the outputs according to the sequence. However, the main firmware is not stored in the internal SRAM; it is stored in the external W25Q16JV QSPI Flash, so the two devices communicate continuously.
An optocoupler (LDA111STR) confirms the charge status of the high voltage section. If the device is already charged (~240V), this optocoupler sends a digital signal to the RP2040 MCU, and the CHG LED is turned on.
Two transformers step up the voltage, which is then stored in a 0.47uF capacitor that can hold up to 630V. A transformer cannot work from DC, so PWM signals are used to produce the changing electromagnetic field in the primary coil windings.
Finally, the antenna concentrates the magnetic flux in a smaller area to execute the glitch.
Electromagnetic fault injection (EMFI) is a type of side-channel attack that uses a strong electromagnetic field to induce faults in an integrated circuit (IC). The objective of EMFI is ultimately to inject a voltage onto the structure of the die itself. This can cause either persistent changes, such as bit flips in a register or SRAM, or temporary errors in reading voltage levels. With EMFI this is done with a quickly changing magnetic field.
Electromagnetic fault injection (EMFI) is performed by generating a localized short-duration high-intensity electromagnetic pulse that induces currents within internal chip circuitry.
The “business end” of these tools uses some form of a coil in combination with a high permeability material, normally a ferrite. This ferrite is designed to concentrate the magnetic flux in a smaller area, making it possible to flip bits in part of the memory without crashing the entire device.
Glitching attacks can simultaneously impact all stages of a CPU pipeline, including instruction fetch, decode, execution, memory accesses, and write back.
| Fault Type | Potential Effects |
|---|---|
| Skipping of instructions | By skipping them, the affected software can be coerced into "failing open" or executing unintended or insecure code paths. |
| Incorrect data fetch | Leads to an uncontrolled subset of bits in the read word being flipped, or the entire word being read as all zeros or all ones. When security-critical data is corrupted in this way, the affected software may fall back to a less secure state. |
| Incorrect instruction fetches or decodes | Leads to the evaluation of the wrong instruction by the ALU and later pipeline stages. |
| Failed writeback | The register or memory state is not updated based on the executed instruction. |
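To make the "incorrect data fetch" row concrete from the defender's side, here is an added C example (not Faulty Cat project code) that applies that fault model to a stored security decision and counts how often each encoding fails open. It assumes a 16-bit decision word, a fault model of single-bit flips plus the whole word reading as all zeros or all ones, and the grant/deny constants 0xA5A5 and 0x5A5A, which are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not Faulty Cat project code): models the "incorrect data
 * fetch" fault on a stored access decision and compares two encodings. */

/* Naive encoding: any non-zero value means "access granted". */
static bool naive_granted(uint32_t word) { return word != 0; }

/* Hardened encoding: only one non-trivial pattern grants access, its
 * bitwise complement denies, and any other value is treated as a fault.
 * Constructed constants (assumption for this example), 16-bit words. */
#define GRANT_MAGIC 0xA5A5u
#define DENY_MAGIC  0x5A5Au

static bool hardened_granted(uint32_t word) {
    /* Redundant test: the word must equal the grant pattern AND differ from
     * the deny pattern, so one faulted compare alone does not grant access. */
    return (word == GRANT_MAGIC) && (word != DENY_MAGIC);
}

/* Fault model from the table above, applied to a stored "deny" word:
 *  - each single-bit flip of the 16-bit word
 *  - the whole word read as all zeros
 *  - the whole word read as all ones
 * Returns how many faulted readings the decoder accepts (fails open). */
static int count_fail_open(bool (*granted)(uint32_t), uint32_t deny_word) {
    int fail_open = 0;
    for (int bit = 0; bit < 16; bit++) {
        if (granted(deny_word ^ (1u << bit))) fail_open++;
    }
    if (granted(0x0000u)) fail_open++;
    if (granted(0xFFFFu)) fail_open++;
    return fail_open;
}

/* Design check: the number of bits in which the grant and deny patterns
 * differ is the number of simultaneous flips needed to turn one into
 * the other. For 0xA5A5 / 0x5A5A that is all 16 bits. */
int magic_hamming_distance(void) {
    uint32_t diff = (GRANT_MAGIC ^ DENY_MAGIC) & 0xFFFFu;
    int bits = 0;
    while (diff) { bits += (int)(diff & 1u); diff >>= 1; }
    return bits;
}

/* Naive stores 0 for "deny"; hardened stores DENY_MAGIC. */
int naive_fail_open_count(void)    { return count_fail_open(naive_granted, 0u); }
int hardened_fail_open_count(void) { return count_fail_open(hardened_granted, DENY_MAGIC); }

int main(void) {
    printf("naive encoding:    %d faulted readings fail open\n", naive_fail_open_count());
    printf("hardened encoding: %d faulted readings fail open\n", hardened_fail_open_count());
    printf("grant/deny Hamming distance: %d bits\n", magic_hamming_distance());
    return 0;
}
```

Under this model the naive encoding fails open for every single-bit flip and for the all-ones reading (17 of 18 faulted readings), while the hardened encoding fails open for none, because no single flip of 0x5A5A reaches 0xA5A5 and neither stuck-at value matches. This is why fault-injection countermeasures encode decisions as non-trivial constants with a large Hamming distance and test them redundantly, rather than as zero/non-zero booleans.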
To properly inject a fault, the experimenter must tune several parameters, namely 1) the injection signal, 2) the probe's spatial location, and 3) the temporal synchronization.
Fault effects are reproducible only at a low ratio: if a fault has been achieved once, repeating the injection with the same parameters will achieve it again, but only in a small fraction of the attempts.
The ChipSHOUTER is a high-end Electromagnetic Fault Injection (EMFI) tool designed by Colin at NewAE Technology. While not the first commercially available EMFI tool, ChipSHOUTER was the first "easily purchasable" (even if expensive) tool with extensive open documentation. The tool was not open-source, but its User Manual did contain detailed descriptions of the design and architecture. The ChipSHOUTER design optimization focused, in rough order, on (1) safe operation, (2) high performance, (3) usability, and finally (4) cost. This results in a tool that covers many use cases, but may be overkill (and too costly) for many. Additionally, acquiring the safety testing certification is not cheap, and must be accounted for in the product's sale price.
The FaultyCat tries to fill in the gap that ChipSHOUTER leaves at the lower end of the spectrum.
This FaultyCat project is not the ChipSHOUTER. Instead it's designed to present a "bare bones" tool whose design optimization focuses, in rough order, on (1) safe operation, (2) cost, (3) usability, and (4) performance. Despite the focus on safety and low cost, it works surprisingly well. It is also not sold as a complete product: you are responsible for building it, ensuring it meets any relevant safety requirements/certifications, and we completely disclaim all liability for what happens next.
The main differences from the technical point of view:
- ChipSHOUTER uses a much more powerful high-voltage circuit and transformer (up to ~30W vs. ~0.2W) that gives it almost unlimited glitch delivery, typically limited by the probe tip. The PicoEMP is slower to recover, typically ~1 to 4 seconds between glitches. Faulty Cat has a faster recovery.
- ChipSHOUTER has a larger internal energy storage & more powerful output drivers.
- ChipSHOUTER has a controlled high-voltage setting from 150V to 500V. PicoEMP generates ~250V, and Faulty Cat uses a low-power high-voltage circuit running from only 3xAA batteries and generates ~200V.
- PicoEMP includes a Raspberry Pi Pico and Faulty Cat uses only the RP2040 MCU.
- Faulty Cat has been tested in the laboratory: it will cause your chip to fail, and its use is safe as long as the instructions and recommendations are followed.
- Faulty Cat is similar to PicoEMP and ChipSHOUTER, but Faulty Cat is a low-cost all-in-one with a battery holder mounted on the board, making it easier to use.
Electronic Cats holds no responsibility for any unauthorized use of the tool or any resulting damages. You are in charge of developing it and making sure it complies with any necessary safety standards or certifications. We assume no responsibility for what happens after that. Please only use FaultyCat if you are creating and managing it yourself, and you completely understand all the hazards. It is not intended for use in settings like work or school, where equipment is required to adhere to safety regulations.
Thank you for reading our Wiki!