Following on from my earlier successes with glitching, I have continued investigating various methods to induce faults in hardware. One less-talked-about method is EM fault injection, which relies on using a capacitor discharge to create a temporary magnetic field, which can influence the state of transistors (and other electronics).
My test device is not complete – I have built the hardware, but I do not yet have the components I need to drive it with something programmable. However, this is a lot of fun, and thus worth writing about.
WARNING: This post involves high-voltage capacitors. Do not fuck with them. Also, this may be not clear in legality depending on where you live: always act in accordance with the laws and statues of your land. Be safe, be ethical, leave no trace behind.
There is some limited previous literature on this topic, mostly in academia:
The best practical reference I can find to this is by Risecure, which sells a commercial EM glitching workstation [?].
This is similar to the voltage glitching technique described in a previous post: however, instead of diverting a power supply, this uses a temporary strong magnetic field to induce unexpected electrical activity, affecting the state of various components (e.g. a transistor). This can be expressed in the following diagram:
This is the same as how a coil gun works: that is, by generating a strong temporary magnetic field, you can “throw” a projectile “through” a coil. The device we will build is effectively a less powerful version of a typical coil gun, as the intent is not actually to throw a projectile, but to induce faults in hardware otherwise implemented securely.
Implementation – Coilguns 101
I started off by purchasing two FujiFilm “QuickSnap” disposable cameras last week. These are popular in Australia, and can be purchased from camera stores, convenience stores and apparently Officeworks. I disassembled the case, making sure not to enable the flash functionality, and to discharge the capacitors:
You can safely discharge this by touching both ends with a piece of metal (don’t touch the metal directly). If you did it right, you should see and hear a spark.
Once this is done, bend the capacitor away from the flash bulb, and then let’s get soldering:
- The red box is the “flash enable” switch, which is activated with a toggle switch on the front of the camera case. Solder this closed (as if this were permanently enabled).
- The blue box is the “flash trigger” switch, which is a contact switch that turns on when you press the shutter. Solder this closed (as if you were always pressing the camera trigger).
- The maroon box is the flash bulb contacts. Desolder the flash bulb, and in it’s place, solder 2 pieces of wire, which we’ll leave unconnected for now.
If you have trouble desoldering the flash bulb, try washing the existing connection with solder flux first, then melting some lead solder “onto” it: the existing blob of solder should insta-melt (possibly because the lead lowers the melting point of whatever the fuck that is?). Poke it with a piece of desoldering braid to “soak up” the blob of solder.
Now, take a portion of enameled wire / winding wire, and loop it around something a few times. I started off with a matchstick, like this:
At this point, you can begin testing the device. Remember those two wires we left disconnected in the last step? Connect one to one end of your coil, and leave the other free. We will discharge the capacitor by connecting the free end of the coil to the free wire from the flash bulb terminal.
Charge your capacitor by inserting the battery, as per the original battery installation (the short end of the battery enclosure corresponds to the negative terminal no the battery itself). You should hear a soft whining sound, followed by a red LED slowly lighting up – it’s next to the capcitor. When this is lit, charging is complete.
Then, position your coil close to something ferromagnetic (I used a screw), and complete the circuit (without touching any conductive surfaces). You should see (and hear) another spark where you complete the circuit, and the screw should move, indicating glorious success.
The next step is to induce a fault in an arduino microcontroller. For this step, I used a Freetronics Eleven (https://www.freetronics.com.au/products/eleven), but anything you have lying around should do. Position your coil above the MCU:
Then, begin a counting loop on your target device, and begin trying to induce faults. There is no science to this: too many factors come into play (strength of magnetic field, duration, positioning of coil, orientation of coil, etc). In doing this, I was never able to induce a meaningful fault, but I could cause the device to crash:
Emboldened by what appeared to be a success, I continued experimenting with this technique, I continued experimenting with this.
Glitching Rig Improvements
I proceeded to improve my test setup, by modularising the device – I wanted the device to be portable, as well as plug and play: I should be able to add or remove capacitors, to adjust the strength of the magnetic field generated.To do this, I desoldered the original capacitor (as well as battery pack), and soldered header cables onto everything, so I could use a breadboard to adjust portions of the device:
The final glitching device looks like this – in this configuration, we have wired up two capacitors in parallel for additional power, and the coil is replaced with an entire spool of 0.25mm wire.
I also experimented with the configuration of the coil in relation to the device, and I found the following configuration to produce the most reliable glitches:
Similar to regular glitching, this process is unreliable, but I was able to produce some crashes semi-consistently, as well as some interesting effects, like the below:
Next Steps/ Thoughts
The implications of this are significant – while unreliable, this allows us to attack hardware when only limited interaction is possible (e.g. it’s in a difficult-to-reach setup). We can simply point our coil / antenna at it, discharge a capacitor though it. Several factors hold us back:
- Capacitors have a charge time, and are the limiting factor in how many tries per minute we get, regardless of how well we automate everything else. Given that glitching is already imprecise, our success rate will be low by definition (so this puts this technique somewhat in the “for fun” territory without serious investment, I think).
- The variety of coils possible is immense – there doesn’t seem to be a single guide on how to build a glitching coil (I hear 20 turns around a needle?), different people have different methods.
- This is a fine line between glitching and irrepairably bricking a device. The amount of things that could go wrong is tremendous, and this is less “controlled” than voltage glitching, which is confined to denying power for a portion of a clock cycle, generally against a single component.
The next steps of this project are to wait for the arrival of an optocoupler and a thyristor – these should allow the use of a programmable device to charge the device (a regular mosfet should work) as well as to trigger the coil safely. A power MOSFET may be needed for fast switching “off” of the coil as well, but that can just be a lift-and-shift in place of the thyristor.
I am keen to hear of other people’s successes or failures with this technique. If you’ve experimented with this, and had some success, please do let me know – I’m keen to learn how I can improve this setup to more reliably generate glitches, and use them “meaningfully” no less.
Have a safe and ethical week!