GlitchBob LPC

Voltage glitching automation tool to break protection on NXP LPC microcontrollers.

The glitch circuit can be controlled by a Raspberry Pi Pico or other low-cost development board.

TODO

These are issues identified in the prototype:

• Add bypass caps to all ICs.
• Add pull-up resistor to 74LVC1G3157 switch input.
• Add pull-down resistors to 74LVC2G66 switch inputs.
• Move target closer to I/O header to reduce the trace length for the oscillator I/O.
  • Shorter traces have lower impedance and will be capable of faster clock frequency (up to target max, e.g. 12 MHz).
• The potentiometer polarity is swapped.
  • 0v should be fully counterclockwise, and +VCC should be fully clockwise.
• The potentiometer is upside down.
  • Rotate the footprint 180 degrees.
• No good place to put the rubber feet.
  • Move through-hole components or find smaller feet.
• Still has some wasted surface area with traces spread out.
  • Change 8-pin header pinout to optimize routing.
  • Move traces closer together to prevent ground plane islands.
• R3 is a bit too close to the serial port.
  • Move R3 so it is more easily reachable for assembly.

And this is a wish-list for improvements:

• Replace 8-pin header with Raspberry Pi Pico header footprint.
• Add a 7-segment display for glitch-voltage display and other info.
  • 7-Segment driver can be inexpensively built with:
    • 74LVC244 or 74HC244 - Octal buffer/line-driver.
    • 74LV4052 or 74HC4052 - 4-channel analog multiplexer/demultiplexer.
    • LTC-5723HR - 4-digit 7-segment display with common cathode.
• Optional ADC for potentiometer measurement.
  • Using Raspberry Pi Pico's ADC for target voltage up to 3.3v VRL.
  • A standalone ADC will allow a second power rail for the target voltage, e.g. up to 5v VRL with TLA2021 - 12-bit ADC, I²C.
• Replacing the analog potentiometer with a digital encoder + DAC can allow finer adjustment of the glitch-voltage.
  • No ADC is required with this setup.
  • Fully software-controlled; E.g. allows ignoring rotations while automated search is running.
  • Example components:
    • PEC12R-4215F-S0024 - Contact incremental encoder with switch, 2-bit quadrature code, 24 pulses per rotation.
    • 1106 Knob for encoder, black and blue.
    • MCP47CVB21 - 12-bit DAC, I²C.
  • Encoder switch can be used to change the sensitivity.
    • Debounce in software.
    • Operation is software controlled. E.g. push to switch to next in a list of two or more settings, push-and-hold to start automated search, etc.
    • Sensitivities are software controlled. E.g. 0.25v per pulse, 0.01v per pulse, etc. As low as VRL/4096 (limited by DAC resolution).