
ChipWhisperer - HuskyPlus

Price: €1,195.00

The HuskyPlus is the industry standard tool for Side Channel Analysis and Fault Injection.

If you're reversing or auditing protected hardware, the HuskyPlus is the only tool you need.


The ChipWhisperer HuskyPlus is the industry reference hardware auditing tool for side-channel power analysis and fault injection.

Side-channel Power Analysis and Fault Injection are typically used when target devices have no open interfaces or have firmware protection enabled.

Side-channel Power Analysis involves the passive capture of minuscule variations in a device's power usage, which allows for statistical analysis and the recovery of cryptographic secrets.

Fault injection is an active technique that precisely glitches a target's voltage or clock cycle to corrupt a single instruction. A correctly timed glitch can skip a password check, force a comparison to return the wrong answer, or bypass secure boot.

To be successful, side-channel attacks and fault injection require significant capture performance, injection with nanosecond precision and extensive trigger events. Without these, reliable results are practically impossible.

The solution is the HuskyPlus. It is the most capable device in its class, is fully open-source, and comes with an extensive corpus of Python tooling, tutorials and reference material. These resources are complemented with extensive online training, suitable for all levels of experience.


1. Nano-second capture precision

12-bit ADC sampling at 250MS/s (4 nano-seconds), locked to the target's own clock.

2. Voltage & Clock Glitching

Crowbar voltage glitches and sub-nanosecond clock glitches; repeatable bypasses and instruction skips.

3. Exhaustive Triggers

Multiple trigger types, including advanced multi-stage trigger sequences for highly complex scenarios.

4. Built-in Logic Analyser

65,552-sample digital capture alongside the analog trace. Visualise glitches and protocol activity in a single shot.

Device Specifications

  • ADC: 12-bit, 250 MS/s, synchronous to target clock
  • FPGA: Xilinx Artix-7 XC7A100
  • ADC Buffer: 327,828 samples
  • Streaming Mode: 20+ MS/s at 8-bit, unlimited capture length
  • Trigger Modes:
    • Digital edge / level
    • Analog level threshold
    • SAD analog pattern matching
    • UART byte match
    • Edge counter
    • Arm Trace (PC value, instruction match)
    • Trigger sequencing (up to 4 stages)
  • Glitching:
    • Crowbar voltage glitch (two transistor sizes)
    • Clock glitch (sub-nanosecond width)
    • Resolution independent of target clock
  • Logic Analyser: 65,552-sample digital capture
  • Target Programming: JTAG / SWD with FTDI-compatible mode
  • Connectors: SMA (measure, glitch, trigger), SMB (trigger / clock I/O), 20-pin target ribbon, USB-C host
  • Open Source: FPGA Verilog, microcontroller firmware, Python host code

What's included

  • 1x ChipWhisperer HuskyPlus
  • 1x CW313 baseboard
  • 1x SAM4S target board
  • 1x iCE40 target board
  • 1x CW308 to CW312 adapter
  • SMA cables
  • 20-pin cables
  • 20-pin connector breakout wires
  • 1x MCX to SMA adapter
  • 1x MCX to BNC adapter
  • 1x USB-C cable with USB-A adapter
  • Jumper wires and caps

Technical Resources

What is hardware hacking?

Hardware Auditing techniques can be grouped into two categories: Side-Channel Attacks (SCA) and Electro-magnetic Fault Injection (EMFI). Which technique you need depends a lot on the target device. If the chip is locked but you've got access to its power, clock and data lines, Side-Channel Attacks are possible and effective.

However, if the target is protected (hardened against side-channel attacks, or its power, clock and data lines aren't exposed, or you cannot modify the device), EMFI is the best candidate.

Side-Channel attacks capture privileged data by using an unprotected or unexpected source. Imagine two people talking in a glass sound-proof room: lip-reading allows us to derive what is being said via the visual prompts - a "side-channel" - as opposed to hearing it, the "protected channel". In hardware, a common example is extracting encryption keys by monitoring micro-fluctuations in the power-consumption when the processor is calculating them.
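The power leakage described above can be measured from the defender's side with a fixed-vs-random Welch t-test (the TVLA method). The following is an added example, not code from this page or from the ChipWhisperer project: it simulates a device whose power sample follows the Hamming weight of an S-box output, with and without a first-order Boolean mask. The 4-bit PRESENT S-box, the key nibble, the noise level and all function names are assumptions chosen for illustration.

```python
import random
from statistics import mean, variance

# 4-bit S-box from the PRESENT cipher, standing in for a real cipher's S-box.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
KEY = 0xA           # constructed secret nibble
NOISE_SIGMA = 1.0   # assumed measurement noise (standard deviation)
THRESHOLD = 4.5     # conventional TVLA bound on |t|

def hw(x):
    """Hamming weight: number of set bits."""
    return bin(x).count("1")

def sample(pt, rng, masked):
    """One simulated power sample: HW of the S-box output plus Gaussian noise."""
    v = SBOX[pt ^ KEY]
    if masked:
        v ^= rng.randrange(16)  # fresh random mask on every execution
    return hw(v) + rng.gauss(0, NOISE_SIGMA)

def welch_t(a, b):
    """Welch's t statistic for two groups with unequal variance."""
    return (mean(a) - mean(b)) / (variance(a) / len(a) + variance(b) / len(b)) ** 0.5

def tvla(masked, n=2000, fixed_pt=0x0, seed=1):
    """Compare traces for one fixed plaintext against traces for random plaintexts."""
    rng = random.Random(seed)
    fixed = [sample(fixed_pt, rng, masked) for _ in range(n)]
    rand = [sample(rng.randrange(16), rng, masked) for _ in range(n)]
    return welch_t(fixed, rand)

if __name__ == "__main__":
    for masked in (False, True):
        t = tvla(masked)
        verdict = "LEAKS" if abs(t) > THRESHOLD else "no first-order leak detected"
        print(f"masked={masked}: t={t:+.1f} -> {verdict}")
```

A |t| above 4.5 means the power samples depend on the processed data; the masked model stays below the bound because each sample is statistically independent of the S-box output.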

Side-Channel attacks are not necessarily passive: side-channel extraction can be induced by glitching the target device: briefly spiking power or manipulating the target's clock line can evoke unexpected behaviour, which leads to leaks. In the context of the glass room: turning off the lights or tapping on the glass may provoke a different behavior from the people talking - they may reveal different or unexpected information.

Electro-magnetic Fault Injection creates faults in a target system without touching it - by directing high-energy electro-magnetic pulses into the chip. These pulses can cause glitches and unexpected behavior. Timing glitches to match important chip processes can allow you to jump or bypass normal behavior - like password verification.
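Why a single skipped instruction matters for a password check, and how a redundant check changes the outcome, is shown in the added example below. It is not code from this page or from any ChipWhisperer tooling: it is a toy machine in which a glitch is modelled as skipping exactly one executed instruction. The instruction names, both programs and the PIN values are constructed for illustration.

```python
# Toy fault model: a glitch skips exactly one executed instruction.
# Constructed for illustration; not a real CPU or a real firmware routine.
NAIVE = [("CMP",), ("BNE", 3), ("UNLOCK",), ("HALT",)]
HARDENED = [("CMP",), ("BNE", 5),   # first check
            ("CMP",), ("BNE", 5),   # redundant second check
            ("UNLOCK",), ("HALT",)]

def run(program, pin, secret, skip_cycle=None):
    """Execute the program; return True if UNLOCK was reached."""
    pc, cycle, zero, unlocked = 0, 0, False, False
    while pc < len(program):
        op = program[pc]
        faulted = (cycle == skip_cycle)
        cycle += 1
        pc += 1
        if faulted:
            continue                 # instruction fetched but never executed
        if op[0] == "CMP":
            zero = (pin == secret)   # set the zero flag on a match
        elif op[0] == "BNE":
            if not zero:
                pc = op[1]           # mismatch: jump to the deny path
        elif op[0] == "UNLOCK":
            unlocked = True
        elif op[0] == "HALT":
            break
    return unlocked

def bypass_cycles(program, wrong_pin="0000", secret="4921"):
    """Cycles at which one skipped instruction unlocks with a wrong PIN."""
    return [c for c in range(len(program))
            if run(program, wrong_pin, secret, skip_cycle=c)]

if __name__ == "__main__":
    print("naive   :", bypass_cycles(NAIVE))     # skipping the branch unlocks
    print("hardened:", bypass_cycles(HARDENED))  # no single skip unlocks
```

The redundant check only holds against one fault per execution; in this model, skipping both branches would still unlock, which is why hardened designs combine several countermeasures.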

There are two approaches to EMFI. The first is to use ultra-precise, ultra-sensitive devices (such as the ChipSHOUTER) to create highly accurate, repeatable experiments. The second is to use a simple device designed to send large electrical pulses to cause unexpected behavior.

The FaultyCat wiki has extensive information on EMFI Glitching and what it can achieve.

Hardware Audit Lifecycle

Key to understanding hardware auditing is the lifecycle. Typically, the end goal is total device control: dumping firmware, bootloaders, or getting a root shell.

If your target device has no protection: you can concentrate on firmware extraction.
If the target is locked, you'll need to unlock it, typically via Side-Channel attacks and tools.
Likewise, if it's protected, you'll need to use EMFI to bypass protection, and then use Side Channel Attacks to unlock the target, before extracting firmware.

The following table provides a summary of the Hardware Audit Lifecycle.

Hardened Devices

  • Restrictions: Hardened protection; no exposed traces; cannot modify hardware
  • Approach: EMFI
  • Tools: ChipShouter, FaultyCat
  • Techniques:
    • Fault Injection: non-invasive, non-destructive
    • Bit flips, register corruption: forced unexpected conditions
    • Routine & Instruction Skips: glitch into unauthorised code

Protected Devices

  • Restrictions: No open interfaces; firmware protection
  • Weaknesses: Exposed power rails; exposed clock rails
  • Approach: Side Channel Techniques
  • Tools: ChipWhisperer HuskyPlus
  • Techniques:
    • Power Analysis: for key + secrets extraction
    • Power Glitching: bypass protection routines
    • Clock Glitching: bypass protection routines

Unprotected Devices

  • Restrictions: Unlabeled interfaces; undocumented chip
  • Weaknesses: Security through obscurity
  • Approach: Pin Enumeration; Firmware Extraction
  • Tools: WHIDBoard, MACOBox, BusPirate
  • Techniques:
    • Pin Enumeration: automatically detect lines
    • Logic Analyser: convert captures to data
    • Multi Protocol Support: connect with any interface
    • Auto Speed Detection: automatically detect speeds

ChipWhisperer Husky: Hands on

Get hands on with the ChipWhisperer Husky: Sniff Side-Channels, Insert Glitches, Extract Secrets.
