Skip to content

CW521 Ballistic Gel

The CW521 is an Electro-Magnetic Fault Injection (EMFI) target. It is specially designed to help you understand fault injection patterns for a given tip.

It uses a large SRAM chip as a target, which has a relatively simple layout. This lets you understand how much of a given chip you are corrupting.

USB Control Specifications

Feature Notes/Range
USB USB 2.0 High Speed
VendorID 0x2B3E
ProductID 0xC521
Interfaces Vendor
WCID (Windows 10 automatic driver installation) ✅ (firmware >= 2.0)


The microcontroller has two methods of loading data onto the SRAM chip:

  1. Raw - This method requires the user to generate the SRAM data on their computer, then send it to the Ballistic Gel. The onboard SAM3U microcontroller will write this data to the SRAM as it is received. Then, once the user indicates that glitches have been inserted, the SAM3U can send the data back to the user for verification.

  2. Seed - This method requires the user only to send a 32-bit seed value to the Ballistic Gel. The SAM3U will use this seed in a 32-bit XOR shift algorithm to generate pseudo random memory to write to the SRAM. Once glitches have been inserted, the user can either request a full memory read, which can be verified by using the same seed and algorithm used to generate the memory, or a byte level error report generated by the SAM3U.

Due to firmware and software optimizations, the raw method is roughly the same speed as the random seed method. As such, the raw method is recommended.

Python Library

The Ballistic Gel has an open source Python library that handles USB communication with the Ballistic Gel, available via Github. The Github repository also contains a simple application showcasing the Python API. It does the following:

  1. Downloads a pattern to the SRAM chip
  2. Waits for fault injection.
  3. Uploads SRAM chip contents and determines corrupt location.
  4. Graphs map of physical SRAM locations.

The Python library is available on