CW521 Ballistic Gel¶

The CW521 is an Electro-Magnetic Fault Injection (EMFI) target. It is specially designed to help you understand fault injection patterns for a given tip.

It uses a large SRAM chip as a target, which has a relatively simple layout. This lets you understand how much of a given chip you are corrupting.

USB Control Specifications¶

Feature	Notes/Range
USB	USB 2.0 High Speed
VendorID	0x2B3E
ProductID	0xC521
Interfaces	Vendor
WCID (Windows 10 automatic driver installation)	✅ (firmware >= 2.0)

Firmware¶

The microcontroller has two methods of loading data onto the SRAM chip:

Raw - This method requires the user to generate the SRAM data on their computer, then send it to the Ballistic Gel. The onboard SAM3U microcontroller will write this data to the SRAM as it is received. Then, once the user indicates that glitches have been inserted, the SAM3U can send the data back to the user for verification.
Seed - This method requires the user only to send a 32-bit seed value to the Ballistic Gel. The SAM3U will use this seed in a 32-bit XOR shift algorithm to generate pseudo random memory to write to the SRAM. Once glitches have been inserted, the user can either request a full memory read, which can be verified by using the same seed and algorithm used to generate the memory, or a byte level error report generated by the SAM3U.

Due to firmware and software optimizations, the raw method is roughly the same speed as the random seed method. As such, the raw method is recommended.

Python Library¶

The Ballistic Gel has an open source Python library that handles USB communication with the Ballistic Gel, available via Github. The Github repository also contains a simple application showcasing the Python API. It does the following:

Downloads a pattern to the SRAM chip
Waits for fault injection.
Uploads SRAM chip contents and determines corrupt location.
Graphs map of physical SRAM locations.

The Python library is available on https://github.com/newaetech/ChipSHOUTER-ballisticgel