Faulty Cat

€165.00

The FaultyCat is the "bump key" of hardware auditing. It sends high-energy electro-magnetic pulses into target devices, which can cause them to glitch, often revealing encryption keys, bypassing security checks or resetting protection mechanisms.

When starting a hardware audit - the FaultyCat should be the first tool you reach for: it can be used to quickly check if the target device is protected, and if not, glitch it to reveal secrets or bypass protection.

Built on the foundations of an open-source product (the PicoEMP) - the FaultyCat has extra functionality, but remains economical, easy-to-use and safe. Version 2.2 adds extended functionality.

It's portable and self-contained - it's powered by 3xAA batteries - so you're never caught short.
The onboard Raspberry Pi controller is fully accessible and programmable by the user for custom functionality.

1. Direct Voltage glitching

Precisely glitch and spike signals such as reset or voltage to manipulate the target system

2. External Triggers

Trigger the FaultyCat manually or electronically via dedicated pins. Use external triggers such as timers or sensors.

3. Voltage Triggers

Monitor the target's voltage levels and trigger a glitch at preset voltage levels. Allows for triggering glitches during critical phases, such as device boot.

4. Analog Input

Monitor and log analog data from the target; build a knowledge-base of actions and responses to make repeatable operations.

5. JTAG/SWD Scanner

Built-in JTAG/SWD Scanner finds and detects hidden JTAG/SWD pads to find undocumented debug interfaces.

What's included

  • 1x FaultyCat 2.2
  • 1x Inductor Tip
  • 1x USB-C Cable

What is hardware hacking?

Hardware Auditing techniques can be grouped into two categories: Side-Channel Attacks (SCA) and Electro-magnetic Fault Injection (EMFI).

Side-Channel attacks capture protected data by using an unprotected source. Imagine two people talking in a glass sound-proof room: lip-reading allows us to derive what is being said via the visual prompts - a "side-channel" - as opposed to hearing it, the "protected channel". In hardware, a common example is extracting encryption keys by monitoring micro-fluctuations in the power-consumption when the processor is calculating them.

Electro-magnetic Fault Injection creates faults in a target system with electricity, which can put the system in an unexpected state. For example - cutting or spiking a chip's power at the precise moment it's validating a security check can allow you to "skip" the check.

There are two approaches to EMFI. The first is to use ultra-precise, ultra-sensitive devices (such as the ChipSHOUTER) to create highly accurate, repeatable experiments. The second is to use a simple device designed to send large electrical pulses to cause unexpected behavior.

The FaultyCat wiki has extensive information on EMFI Glitching and what it can achieve.

Case Study: Hacking an automotive ECU

An in-depth, hands-on presentation using a FaultyCat-type product to glitch secrets from an automotive controller circuit.