Electronic Cats
Faulty Cat
Faulty Cat is a high-end Electromagnetic Fault Injection (EMFI) tool, a remix of the ChipSHOUTER PicoEMP project, with design optimisation focused, in rough order, on:
- safe operation
- high performance
- usability
- cost
This results in a tool that covers many use-cases, but may be overkill (and expensive) for many.
Electronic Cats created this project in KiCad and, while looking for alternatives to some components, set aside the Raspberry Pi Pico board to use the RP2040 directly in the design. It was tested in the laboratory before going on sale; even so, it is a product that must be handled with care. Read the instructions for use.
Please only use Faulty Cat when you have purchased it from us and control it yourself, with full knowledge of the operation and risks. It is not designed for use in professional or educational environments, where tools are expected to meet safety certifications.
IMPORTANT: The plastic shield is critical for safe operation. While the output itself is isolated from the input connections, you will still easily shock yourself on the exposed high-voltage capacitor and circuitry. NEVER operate the device without the shield.
Programming the Faulty Cat
You’ll need to program the Faulty Cat with the firmware in the firmware directory. You can run other tasks on the microcontroller as well.
Useful References
If you don’t know where to start with FI, you may find a couple chapters of the Hardware Hacking Handbook useful.
You can see a demo of PicoEMP being used in a real attack in this TI CC SimpleLink attack demo.
WARNING: The high voltage will be applied across the SMA connector. If an injection tip (coil) is present, it will absorb most of the power. If you leave the SMA connector open, you will present a high voltage pulse across this SMA and could shock yourself. Do NOT touch the output SMA tip as a general “best practice”, and treat the output as if it has a high voltage present.
The full ChipSHOUTER detects the missing connector tip and refuses to power up the high voltage; the PicoEMP does not have this failsafe!
About the High Voltage Isolation
Most EMFI tools generate high voltages (similar to a camera flash). Many previous designs of open-source EMFI tools would work well, but exposed the user to high voltages. This was fine provided you use the tool correctly, but of course there is always a risk of grabbing the electrically “hot” tool! This common design choice happens because the easiest way to design an EMFI tool is with “low-side switching” (there is a very short mention of these design choices as well in the book if you are curious). With low-side switching the output connector is always “hot”, which presents a serious shock hazard.
Faulty Cat gets around this problem by floating the high-voltage side, meaning there is no electrical path between the EMFI probe output and the input voltage ground. With the isolated high-voltage output we can use the simple “low-side switching” in a safe manner. Some current will still flow due to the high-frequency spikes, so this isn’t perfect, but it works well enough in practice (well enough that you will shock yourself less often).
The caveat is that for this to work you also need to isolate your gate drive. There are a variety of solutions to this, the simplest being a gate drive transformer (GDT). The PicoEMP uses the transformer architecture, with some simplifications to further reduce BOM count.
More details of the design are available in the hardware folder.
Technical Differences between Faulty Cat and ChipSHOUTER and PicoEMP
The main differences from a technical standpoint:
- ChipSHOUTER uses a much more powerful high voltage circuit and transformer (up to ~30W vs ~0.2W) that gives it almost unlimited glitch delivery, typically limited by your probe tip. The PicoEMP is slower to recover, typically ~1 to 4 seconds between glitches.
- ChipSHOUTER has a larger internal energy storage & more powerful output drivers.
- ChipSHOUTER has a controlled high-voltage setting from 150V to 500V. PicoEMP generates ~250V; there is some feedback, but it’s uncalibrated. NOTE: The PicoEMP allows some control of output pulse size by instead controlling the drive signal. This is less reliable (more variability in the output), but meets the goal of using the lowest-cost control method.
Tech Specs
Microcontroller | RP2040 |
Operating Voltage | 3.3 V |
Input Voltage (recommended) | 5 V |
High Voltage | ~240 V |
Supported Battery | Alkaline, 1.5 V |
Length | 163 mm |
Width | 51.6 mm |
Includes
- Inductor
- USB-C cable