Carlos Alatorre edited this page Jun 4, 2026 · 1 revision

Legacy

FaultyCMD

FaultyCMD is a Python script that drives the Faulty Cat serial interface, using the firmware's serial commands to generate automated pulses.

The project is split into the following modules:

  • Modules - UART: These files create a UART class with the handler and connection to the serial port of the board.

  • Modules - ConfigBoard: These files contain descriptions and classes with the commands and the status of the board.

  • Modules - CmdInterface: This file handles the CLI commands to configure and start the fault injection process.

  • Modules - Worker: These files contain the logic to create the attack, which lives in the start_faulty_attack function.

First steps

Note

You must have the latest Python release installed on your system.

To use it, follow these steps:

  1. Download the faultycat/tools/faultycmd folder, which contains the needed files.
  2. Open a command terminal in the downloaded folder and run the command pip install -r requirements.txt to install the necessary libraries.
  3. To run the FaultyCMD tool, run the command python faultycmd.py fault -c

This gives us a minimal set of commands to configure and start the faulty attack. The available commands are:

  • config : shows the current settings for the board.

  • exit : closes the interface and exits the script.

  • help : shows the available commands.

  • set : changes a setting. To see which options can be changed and the command syntax, use set ?

The syntax for changing a setting is: set option value. For example: set time 2 (short form) or set pulse_time 2 (long form).

  • start : launches the fault injection. When it finishes, we can reconfigure the board or start the attack again.

For further information, visit: faultycat/tools/faultycmd

Important

The pulse power cannot be changed.

Faulty Cat serial interface

Faulty Cat features a serial interface for external configuration and triggering.

To check the available serial commands, first connect the board to your computer, open a serial monitor (Arduino IDE Serial Monitor), set the baud rate to 115200, and select the New Line (NL) and Carriage Return (CR) line ending. Send the letter “h” to display the help menu.

To send a command, it is enough to type only the letters indicated between square brackets “[ ]”.

Here is a list of available commands and a brief description of each one:

Fault Injection

Command   How it works
a         Arms the device (electromagnetic pulse)
d         Disarms the device (electromagnetic pulse)
p         Executes the pulse (manual trigger)
en        Enables timeout to automatically disarm the device (after a set elapsed time) if it is not being used. It will disarm itself after 60 seconds
dt        Disables the timeout to automatically disarm the device (after a set elapsed time) if it is not being used. It will not disarm itself
fq        Enables the Fast-trigger via GPIO0 (uses D0 for very fast and consistent triggering)
fc        Fast Trigger Configuration
in        Uses the Internal Pulse generator to control the EM pulse
ex        Uses an External Pulse generator to control EM pulse insertion
cfg       Configures the Fault Injection parameters

Glitcher

Command   How it works
g         Executes the glitch
gc        Configures the Glitcher parameters
gs        Shows the Glitcher status
ac        ADC: Configure sampling
av        ADC: View sampled data

JTAG / SWD Tools

Command   How it works
j         Scans JTAG chain
sw        Scans SWD targets
pp        Pulse test pins

System

Command   How it works
h         Help (shows this menu)
t         Toggles channels (0 - 7) for testing
s         Shows the system status
r         Resets the device
v         Shows the firmware version

Faulty Cat extra features

  • HVPWM output pin to monitor the signal that drives the HV transformer.
  • HVPULSE pin to monitor/drive the pulse that executes the discharging process.
  • CHARGED pin to monitor the HV status.
  • Fast-trigger via GPIO0 (uses D0 pin for very fast and consistent triggering)
  • External HVP mode: use an external pulse generator (e.g., ChipWhisperer) to control EM pulse insertion.
  • Automatic disarm.

Writing a customized script

To add a feature or change the logic of the attack process, modify the start_faulty_attack function.

# Method excerpt; the module needs these imports.
import time
import typer

def start_faulty_attack(self):
    try:
        # Open the serial port and give the board a moment to settle.
        self.board_uart.open()
        time.sleep(0.1)
        typer.secho("Board connected.", fg=typer.colors.GREEN)
        typer.secho("[*] ARMING BOARD, BE CAREFUL!", fg=typer.colors.BRIGHT_YELLOW)
        # Disarm first so the board starts from a known state, then arm.
        self.board_uart.send(self.board_configurator.board_commands.COMMAND_DISARM.value.encode("utf-8"))
        time.sleep(1)
        self.board_uart.send(self.board_configurator.board_commands.COMMAND_ARM.value.encode("utf-8"))
        
        typer.secho("[*] ARMED BOARD.", fg=typer.colors.BRIGHT_GREEN)
        time.sleep(1)
        typer.secho(f"[*] SENDING {self.pulse_count} PULSES.", fg=typer.colors.BRIGHT_GREEN)
        # Send pulse_count pulses, waiting pulse_time seconds after each one.
        for i in range(self.pulse_count):
            typer.secho(f"\t- SENDING PULSE {i+1} OF {self.pulse_count}.", fg=typer.colors.BRIGHT_GREEN)
            self.board_uart.send(self.board_configurator.board_commands.COMMAND_PULSE.value.encode("utf-8"))
            time.sleep(self.pulse_time)
        
        # Disarm the board and release the serial port.
        typer.secho("DISARMING BOARD.", fg=typer.colors.BRIGHT_YELLOW)
        self.board_uart.send(self.board_configurator.board_commands.COMMAND_DISARM.value.encode("utf-8"))
        self.board_uart.close()
        typer.secho("BOARD DISARMED.", fg=typer.colors.BRIGHT_YELLOW)
    except Exception as e:
        # Any serial or runtime error is only reported here.
        typer.secho(f"Error: {e}", fg=typer.colors.BRIGHT_RED)

This function calls into other files, ConfigBoard.py and UART.py:

  • UART.py
    • self.board_uart.open()
    • self.board_uart.send()
    • self.board_uart.close()
  • ConfigBoard.py
    • self.board_configurator.board_commands.COMMAND_DISARM.value
    • self.board_configurator.board_commands.COMMAND_ARM.value
    • self.board_configurator.board_commands.COMMAND_PULSE.value

In the ConfigBoard.py file, the Commands class lists the available commands; which command you need depends on the logic you want. To use a command, read its value, for example self.board_configurator.board_commands.COMMAND_DISARM.value, and encode it so that it is sent to the serial port as bytes. The final form is therefore: self.board_configurator.board_commands.COMMAND_DISARM.value.encode('utf-8')
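An added example, not code from the FaultyCMD project: the same disarm, arm, pulse, disarm order as start_faulty_attack, restructured so that the disarm command and the port close still run when a send fails partway through. The Commands values are assumed to be the bare serial letters from the command table (any line ending is assumed to be added by the real UART class), and RecordingUART and run_pulse_sequence are hypothetical names.

```python
import time
from enum import Enum

class Commands(Enum):
    # Assumed values: the single-letter serial commands listed on this page.
    COMMAND_ARM = "a"
    COMMAND_DISARM = "d"
    COMMAND_PULSE = "p"

class RecordingUART:
    """Hypothetical stand-in for the UART class: records bytes, opens no port."""
    def __init__(self, fail_on_send=None):
        self.sent = []
        self.is_open = False
        self.fail_on_send = fail_on_send  # 1-based index of the send that raises

    def open(self):
        self.is_open = True

    def send(self, data):
        if self.fail_on_send == len(self.sent) + 1:
            self.fail_on_send = None  # fail once, then recover
            raise OSError("constructed serial failure")
        self.sent.append(data)

    def close(self):
        self.is_open = False

def run_pulse_sequence(uart, pulse_count, pulse_time, sleep=time.sleep):
    """Disarm, arm, pulse N times; disarm and close even if a step fails."""
    def encode(cmd):
        return cmd.value.encode("utf-8")
    pulses_sent = 0
    uart.open()
    try:
        uart.send(encode(Commands.COMMAND_DISARM))  # start from a known state
        sleep(1)
        uart.send(encode(Commands.COMMAND_ARM))
        sleep(1)
        for _ in range(pulse_count):
            uart.send(encode(Commands.COMMAND_PULSE))
            pulses_sent += 1
            sleep(pulse_time)
    finally:
        try:
            uart.send(encode(Commands.COMMAND_DISARM))  # never leave HV armed
        finally:
            uart.close()
    return pulses_sent
```

Passing sleep as a parameter lets the sequence be exercised against the stand-in without waiting or touching hardware.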

How start_faulty_attack works

sequenceDiagram
    participant FaultyCMD
    participant Faulty Cat
    

    FaultyCMD->>Faulty Cat: Open serial COM
    FaultyCMD->>Faulty Cat: Send Disarm command
    FaultyCMD->>Faulty Cat: Send Arm command
    FaultyCMD->>Faulty Cat: Loop for n pulses
        loop Send the pulse and wait to send the next one
            FaultyCMD->>Faulty Cat: Send the Pulse
            FaultyCMD->>Faulty Cat: Wait the time between pulse
        end
    FaultyCMD->>Faulty Cat: End loop for
    FaultyCMD->>Faulty Cat: Send Disarm command
    FaultyCMD->>Faulty Cat: Close serial COM

Test Faulty Cat's functionality

EMFI

Note

This test was performed using a Raspberry Pi Pico running simple code with an infinite counter and using the Arduino IDE's serial monitor. Nevertheless, it can be performed with different microcontrollers and code.

The reference code that the Raspberry board is running is available in the Releases section of this repository.

  1. Once the code is uploaded to the board, we can read the counter in the Arduino IDE's Serial Monitor.
  2. Place the inductor portion downward, and position the “business end” vertically to the MCU.
  3. Press the ARMING button while bringing the inductor closer to the microcontroller.
  4. Press the PULSE button once the CHG and HV LEDs are turned on.

As soon as the PULSE button is pressed, the count on the serial monitor should stop, forcing the user to perform a manual reset for the board to work again.

Voltage Glitching

Voltage Glitching is an exclusive feature of Faulty Cat V2.1. To test this feature, we used a simple counter code running on an Arduino UNO R3 board. The wiring between the two boards was set like this:

Connections

Arduino UNO R3     Faulty Cat
5V output pin      Glitch pin
3.3V output pin    Analog pin
GND                GND

Using the Serial Terminal, we proceeded as below:

  1. Set the Glitcher parameters on the Faulty Cat.
  2. Read the ADC values before the Glitch.
  3. Execute the Glitch.
  4. Read the ADC values after the Glitch.

Glitcher_and_ADC_monitor.mp4

As seen in the video, the Serial monitor on the left side shows the UNO R3 board running the counter. After the glitching signal is sent, the microcontroller resets itself, but there is no damage to the other components of the board.

JTAG/SWD Scanner

This feature is useful for identifying OCD (Open-Chip-Debugger) interfaces from test points, vias, component pads, or connectors on a target device. In this case, we used one of our development boards to detect its SWD pins.

The development board must be powered with 5V even though its operating voltage is 3.3V, so we used an external power supply.

The wiring between the two boards was set like this:

Connections

Development board    Faulty Cat
3.3V output pin      Vref Pin
DIO                  GP0
CLK                  GP1
GND                  GND

Note

DIO and CLK could be connected to any GPX pin.

Note

SW7 must be set to the voltage reference that matches the target device. In this case, since we use the Vref pin, SW7 is in the Vref position.

This picture shows how DIO and CLK are connected to GP0 and GP1:

And, this one shows how DIO and CLK are connected to GP2 and GP3:

Here is a video showing the test findings:

SWD_Scanner.mp4
