Findus (aka the fault-injection-library) is a toolchain to perform fault-injection attacks on microcontrollers and other targets. This library offers an easy entry point to carry out fault-injection attacks against microcontrollers, SoCs and CPUs. With the provided and easy to use functions and classes, fault-injection projects can be realized quickly with cheap and available hardware.
Findus supports the ChipWhisperer Pro, the ChipWhisperer Husky and the PicoGlitcher. More information about the ChipWhisperer Pro and the ChipWhisperer Husky can be found on https://chipwhisperer.readthedocs.io/en/latest/index.html.
- Purchasing the Pico Glitcher
- Documentation
- Installing findus
- Updating the Pico Glitcher firmware
- Installing from source
- Test the functionality of your Pico Glitcher
- UART Trigger
- More Examples
- Analyzer
- Star History
Only a Raspberry Pi Pico and a few other components are required to use this software. However, in order to achieve the best results, a circuit board was developed that was adapted directly for the fault-injection-library.
The board consists of a Raspberry Pi Pico, two level shifters for in- and outputs with any voltage, and glitching transistors that can switch up to 66 amps. A multiplexing stage to quickly switch between up to four different voltage levels was added in revision 2.
There are several connection options for different voltage sources, from 1.8V, 3.3V to 5V.
The Pico Glitcher can also be supplied with any external voltage via VCC_EXTERN.
To power the target board, it is supplied with power via the VTARGET connection.
The output of this voltage source can be controlled via software, i.e. the target can be completely disconnected from power by executing the power_cycle_target() command.
This allows a cold start of the target to be carried out in the event of error states that cannot be eliminated by a reset.
The Pico Glitcher can be purchased from the tindie online store: https://www.tindie.com/products/faulty-hardware/picoglitcher-v21/. If you have questions or special requests, please feel free to contact me.
The documentation of the source code and how to use the library and the hardware can be found on https://fault-injection-library.readthedocs.io/.
If you just want to get started quickly and don't want to bother with the source code of findus, findus can be installed via pip. The findus library can be found on https://pypi.org/project/findus/ and can be installed locally in a Python environment using the following command:
mkdir my-fi-project && cd my-fi-project
python -m venv .venv
source .venv/bin/activate
pip install findusInstall the optional RD6006 python bindings if you have a RK6006 or a RD6006 power supply from Riden:
pip install rd6006This external power supply can be used optionally to supply the target with power. It is possible to control the RD6006 power supply via the findus library using the power supply's USB interface. Suitable functions for this are implemented in the findus library. Don't worry if you don't have this power supply. The Pico Glitcher can also supply the target with voltage.
Now you can use findus:
python
>>> from findus import Database, PicoGlitcher
...The next step is to copy an existing glitching script and to adapt it to your needs. Start by copying https://github.com/MKesenheimer/fault-injection-library/blob/master/example/pico-glitcher.py. More example projects are located at https://github.com/MKesenheimer/fault-injection-library/tree/master/projects.
See examples for more information how to use findus and the Pico Glitcher.
Your Pico Glitcher should come with the latest firmware already installed. If not, follow the following procedure to update the software on the Pico Glitcher.
Download the MicroPython firmware from https://micropython.org/download/RPI_PICO/. Unplug the Pico Glitcher from your computer, press and hold the 'BOOTSEL' button on the Raspberry Pi Pico and connect it back to your computer. The Raspberry Pi Pico should come up as a flash-storage device. Copy the MicroPython firmware ('RPI_PICO-xxxxxxxx-vx.xx.x.uf2') to this drive and wait until the Raspberry Pi Pico disconnects automatically. More information about setting up the Raspberry Pi Pico can be found here.
Skip this step, if you already installed findus previously.
If you want to make sure that the libraries to be installed do not collide with your local Python environment, use a virtual environment. Set it up by generating a new virtual environment and by activating it:
python -m venv .venv
source .venv/bin/activateAfter these steps we have to install findus (aka fault-injection-library). Make sure to have pip installed.
pip install findusIf everything went well, you should have the upload script available for execution in your command-line environment.
Connect the Pico Glitcher to your computer and check which serial device comes up:
ls /dev/tty*Take note of the device path. Next upload the Pico Glitcher firmware and the specific configuration for your Pico Glitcher hardware version (either config_v1/config.json or config_v2/config.json) via the following command:
cd .venv/lib/python3.12/site-packages/findus/firmware
upload --port /dev/tty.<rpi-tty-port> --files AD910X.py FastADC.py PicoGlitcher.py \
PulseGenerator.py Spline.py <config-path>/config.jsonYour Pico Glitcher should now be ready to perform fault-injection attacks.
If you want to get involved in the development or to have access to all the resources of this repository, clone the findus library:
git clone --depth 1 --recurse-submodules \
https://github.com/MKesenheimer/fault-injection-library.gitInstall the findus and the optional rd6006 library:
cd fault-injection-library
pip install .
cd rd6006
pip install .Then:
cd findus/firmware
upload --port /dev/tty.<rpi-tty-port> --files AD910X.py FastADC.py PicoGlitcher.py \
PulseGenerator.py Spline.py <config-path>/config.jsonThe next step is to copy an existing glitching script and to adapt it to your needs.
Start by copying fault-injection-library/example/pico-glitcher.py. More example projects are located at fault-injection-library/projects.
The following setup can be used to test the Pico Glitcher.
- Connect 'TRIGGER' input with 'RESET'.
- Between 'GLITCH' and 'VTARGET', connect a 10 Ohm resistor (this is the test target in this case).
- Optionally connect channel 1 of an oscilloscope to 'RESET' and channel 2 to 'GLITCH'.
Next, run the test script pico-glitcher.py located in fault-injection-library/example:
cd example
python pico-glitcher.py --rpico /dev/<rpi-tty-port> --delay 1000 1000 --length 100 100You should now be able to observe the glitches with an oscilloscope on the 10 Ohm resistor. Measure the expected delay and glitch length with the oscilloscope.
- Connect 'TRIGGER' input to 'RX' and 'TX' of a USB-to-UART adapter
- Between 'GLITCH' and 'VTARGET', connect a 10 Ohm resistor (this is the test target in this case).
- Optionally connect channel 1 of an oscilloscope to 'RESET' and channel 2 to 'GLITCH'.
Next, run the test script pico-glitcher-uart.py located in fault-injection-library/example:
cd example
python pico-glitcher-uart.py --rpico /dev/<rpi-tty-port> --target /dev/<target-tty-port> --delay 1000 1000 --length 100 100You should now be able to observe the glitches with an oscilloscope on the 10 Ohm resistor. Measure the expected delay and glitch length with the oscilloscope.
More examples can be found on https://fault-injection-library.readthedocs.io/en/latest/examples/# or under fault-injection-library/projects.
During your glitching campaign, run the analyzer script in a separate terminal window:
analyzer --directory databasesThis spins up a local web application on http://127.0.0.1:8080 which can be used to observe the current progress.
