2. Get Started
FaultyCMD is a Python script to handle Faulty Cat serial interface to create automated pulses with the serial commands of the firmware.
This project has some files that deal with some features.
-
Modules - UART: These files create a UART class with the handler and connection to the serial port of the board.
-
Modules - ConfigBoard: These files contain descriptions and classes with the commands and the status of the board.
-
Modules - CmdInterface: This file handles the CLI commands to configure and start the fault injection process.
-
Modules - Worker: These files contain the logic to create the attack. In the start_faulty_attack function, it has the logic for the attack.
Note
You must have installed the latest pyhton release in your system.
To use it, follow the next steps:
- Download the faultycat/tools/faultycmd folder where are located the needed files.
- Open a command terminal in the folder downloaded and run the command
pip install -r requirements.txtto install the necessary libraries. - To run the FaultyCMD tool, you must send the command
python faultycmd.py fault -c
With this we have a minimal commands to configure and start the faulty attack, the available commands are:
- config : shows the current settings for the board.
- exit : close the interface and exit the script.
- help : show the available commands.
-
set : to change a setting. To know what options we can change and the command we use
set ?
The syntax for changing a setting: set option value. For example: set time 2 (shortest format) or set pulse_time 2 (largest format).
- start : use the start command to launch the fault injection, when finished we can reconfigure or start again the attack.
For further information, visit: faultycat/tools/faultycmd
Important
The pulse power cannot be changed.
Faulty Cat features a Serial interface for external configuration and trigger.
To check the available serial command you first have to connect your board to your computer, open a Serial Monitor (Arduino IDE Serial Monitor) set the speed to 115200 bauds, and select New Line (NL) and Carriage Return (CR) feature.
Send the word “help”, then you will see the following:
To send a command, it will be enough to write only the indicated letters between square brackets “[ ]”.
Here is a list of available commands and a brief description of each one:
- [a]: arm the device.
- [d]: disarm the device.
- [p]: execute the pulse.
- [en]: enable timeout to automatically disarm the device (after a set elapsed time) if it is not being used. It will disarm itself after 60 seconds.
- [di]: disable the timeout to automatically disarm the device (after a set elapsed time) if it is not being used. It will not disarm itself.
- [f]: enable the Fast-trigger via GPIO0 (uses D0 for very fast and consistent triggering).
- [fa]: Fast Trigger Configuration. Default: delay_cycles=0, time_cycles=625
- [in]: use the Internal Pulse generator to control the EM pulse.
- [ex]: use an External Pulse generator to control EM pulse insertion.
- [c]: configure pulse time and pulse power. Default: pulse_time=5, pulse_power=0.012200
- [t]: toggle GP1
- [s]: show the Device Status (armed, charged, timeout, and HVP).
- [r]: reset the Faulty Cat.
- HVPWM output pin to monitor the signal that drives the HV transformer.
- HVPULSE pin to monitor/drive the pulse that executes the discharging process.
- CHARGED pin to monitor the HV status.
- Fast-trigger via GPIO0 (uses D0 pin for very fast and consistent triggering)
- External HVP mode: use an external pulse generator (e.g., ChipWhisperer) to control EM pulse insertion.
- Automatic disarm.
If you want to create a feature or modify some logic with an attack process, you need to modify the start_faulty_attack function.
def start_faulty_attack(self):
try:
self.board_uart.open()
time.sleep(0.1)
typer.secho("Board connected.", fg=typer.colors.GREEN)
typer.secho("[*] ARMING BOARD, BE CAREFULL!", fg=typer.colors.BRIGHT_YELLOW)
self.board_uart.send(self.board_configurator.board_commands.COMMAND_DISARM.value.encode("utf-8"))
time.sleep(1)
self.board_uart.send(self.board_configurator.board_commands.COMMAND_ARM.value.encode("utf-8"))
typer.secho("[*] ARMED BOARD.", fg=typer.colors.BRIGHT_GREEN)
time.sleep(1)
typer.secho(f"[*] SENDING {self.pulse_count} PULSES.", fg=typer.colors.BRIGHT_GREEN)
for i in range(self.pulse_count):
typer.secho(f"\t- SENDING PULSE {i+1} OF {self.pulse_count}.", fg=typer.colors.BRIGHT_GREEN)
self.board_uart.send(self.board_configurator.board_commands.COMMAND_PULSE.value.encode("utf-8"))
time.sleep(self.pulse_time)
typer.secho("DISARMING BOARD.", fg=typer.colors.BRIGHT_YELLOW)
self.board_uart.send(self.board_configurator.board_commands.COMMAND_DISARM.value.encode("utf-8"))
self.board_uart.close()
typer.secho("BOARD DISARMING.", fg=typer.colors.BRIGHT_YELLOW)
except Exception as e:
typer.secho(f"Error: {e}", fg=typer.colors.BRIGHT_RED)In this function we have some calls from the others files like ConfigBoard.py and UART.py.
- UART.py
- self.board_uart.open()
- self.board_uart.send()
- self.board_uart.close()
- ConfigBoard.py
- self.board_configurator.board_commands.COMMAND_DISARM.value
- self.board_configurator.board_commands.COMMAND_ARM.value
- self.board_configurator.board_commands.COMMAND_PULSE.value
In the ConfigBoard.py file, the class Commmands has the list of the available commands, depending on the logic you want is the command that you need, to call the value need to call as: self.board_configurator.board_commands.COMMAND_DISARM.value and encode to send to serial as bytes, so the final commands are: self.board_configurator.board_commands.COMMAND_DISARM.value.encode('utf-8')
sequenceDiagram
participant FaultyCMD
participant Faulty Cat
FaultyCMD->>Faulty Cat: Open serial COM
FaultyCMD->>Faulty Cat: Send Disarm command
FaultyCMD->>Faulty Cat: Send Arm command
FaultyCMD->>Faulty Cat: Loop for n pulses
loop Send the pulse and wait to send the next one
FaultyCMD->>Faulty Cat: Send the Pulse
FaultyCMD->>Faulty Cat: Wait the time between pulse
end
FaultyCMD->>Faulty Cat: End loop for
FaultyCMD->>Faulty Cat: Send Disarm command
FaultyCMD->>Faulty Cat: Close serial COM
Thank you for reading our Wiki!