Update: Now selling on tindie!

Update 2: Many thanks to Troed Sångberg who successfully built a PicoGlitcher. For his built, he made a parts list on Mouser which you can find in the project files.

Introduction

Voltage glitching attacks are a class of hardware attacks that exploit the vulnerability of electronic systems to sudden and brief changes in their power supply voltage. By intentionally introducing these abrupt voltage changes, or "glitches," attackers aim to disrupt the normal operation of the target device, causing it to malfunction in a controlled manner. This can result in the bypassing of security measures, corruption of data, or unintended execution of code. Voltage glitching is particularly relevant in the context of embedded systems, such as microcontrollers and smart cards, which are commonly used in secure applications including payment systems, access controls, and IoT devices.

The core concept behind voltage glitching is to induce faults at precise moments during the execution of critical operations within the device. These faults can lead to outcomes such as skipping security checks, extracting secret keys, or gaining unauthorized access to protected functions. The success of a voltage glitching attack relies on careful timing and an understanding of the target device's behavior under different power conditions. Attackers often use specialized equipment to generate and control these glitches with high precision, making this technique both sophisticated and powerful.

Previously featured projects

Glitching has been previously described on Hackaday for example here (everything you didn't know you need to know about glitching attacks) or here (Apple Airtags hacked and cloned with voltage glitching). The latter even describes attacking an Apple Airtag with a Raspberry Pi Pico and a mosfet. 

Existing hardware

Usually these attacks are carried out by expensive hardware such as the ChipWhisperer Pro, the ChipWhisperer Husky, or the devices from Riscure. As these devices are typically very expensive (several hundred Euros), they are not accessible for the hobby hacker. The ChipWhisperer Husky is even more inaccessible for hobby hackers since it has long shipping times up to several weeks.

The Pico Glitcher

It turns out, however, that voltage glitching attacks can easily be performed with cheap and available hardware like the Rapberry Pi Pico and some other components. The sampling rate of the Raspberry Pi Pico is fast enough to enable attacks against most common microcontrollers like the ESP32 or STM32 processors. To gain more insight into voltage glitching attacks and using only cheap components, the Pico Glitcher was born.

The hardware required for the Pico Glitcher involves, of course, a Raspberry Pi Pico and additional components for precise voltage control and monitoring. Specifically, it includes a power supply capable of switching the target on and off, and crowbar transistors that can switch up to 66 amps. The design of the voltage glitching stage of the PicoGlitcher is exactly the same as found in the ChipWhisperer Pro. Furthermore, the board provides several different voltages to supply all kinds of different target boards. A built-in level shifter translates between the fixed voltages of the Raspberry Pi Pico and the voltage levels of the target board. 

Glitches must be placed very precisely. The Pico Glitcher is able to trigger on various external events. For example, a rising or falling edge could be used to start the timers. Additionally, the PicoGlitcher can sniff on a UART communication and trigger if a specific word is sent.

To summarize:

The Software

The corresponding software, the "fault-injection-library", is a Python library specifically designed to perform fault injection attacks on microcontrollers. To set it up, clone the repository, create a virtual environment, and install the necessary dependencies using pip. The Raspberry Pi Pico is used for executing these attacks, and the required MicroPython scripts must be uploaded to the device. Example scripts for performing attacks and analyzing results are provided, demonstrating how to manipulate target devices by injecting precise voltage glitches.

The fault-injection-library also supports the ChipWhisperer hardware (Pro and Husky). So if you have access to these tools, you can use this library to perform fault injection attacks.

For more details, visit the GitHub page.

New features added to hardware revision 2

A new multiplexing stage has been added to the Pico Glitcher, which makes it possible to switch quickly between several voltages. This method is called multiplexing voltage glitching and is mainly used where crowbar glitching leads to too many crashes or uncontrollable errors. The multiplexing method can be assumed to be less invasive.

The software for controlling the multiplexing stage is extremely flexible and a vast number of voltage profiles with countless parameterizations can be generated, as can be seen above. Up to four different voltage steps can be parametrized and utilized.


Schmitt Trigger inputs

The trigger inputs have also been reworked. These inputs are particularly useful for noisy logic signals, as the noise can be easily suppressed by the adjustable Schmitt Trigger. If, for example, the signal oscillates or is disturbed in any other way, this disturbances can be cut off by selecting a suitable threshold.