Language: English
10-17, 13:30–13:50 (America/New_York), Track 2 (206a)
Electromagnetic Fault Injection (EMFI) is a fault injection technique for conducting physical attacks against integrated circuits. An attacker can use electromagnetic fault injection to bypass cryptographic algorithms, hardware-provided security and anti-tamper features, and software security features, and even to empirically determine the layout of an integrated circuit on a silicon die. These integrated circuits could be RAM chips, CPUs, dedicated random number generator (RNG) chips, Trusted Platform Module (TPM) chips, etc. These physical attacks can all be accomplished with tools that range from very inexpensive to free.
A. Introduction
Electromagnetic Fault Injection (EMFI) is a fault injection technique for conducting physical attacks against integrated circuits. An attacker can use electromagnetic fault injection to bypass cryptographic algorithms, hardware-provided security and anti-tamper features, and software security features, and even to empirically determine the layout of an integrated circuit on a silicon die.
B. Types of Fault Injection
- power glitch.
- clock glitch.
- laser.
- EMFI.
C. How Fault Injection techniques attack a device
- Control the width of a clock cycle.
- Flip Bits in RAM or Flash Memory.
- Modify bits to enable chip-set features such as JTAG.
- Control program flow by skipping over machine instructions.
D. Advantages of EM Fault Injection
- Touch-less - Typically requires zero hardware modifications to the target.
- EM Fault Injection has very fine spatial resolution and a localized effect on the target.
- Clock and Power fault injection affect much or all of the target hardware.
- Getting started in EM Fault Injection can be practically free.
E. Previous Work and Accomplishments
- Defeat ARM-based TrustZone secure-boot implementations - including "specific" commercial tablets.
- Joe Grand's Trezor One Hardware Wallet.
- Modify individual bytes within AES calculations on small microprocessors and FPGAs.
F. Safety
- High Voltage is always flowing through an EMFI probe tip.
- EMFI devices remain "charged" even after being powered down.
G. Equipment
EMFI device (Basic attacks)
- PiezoElectric BBQ grill lighter ($8 USD)
- NewAE PicoEMP - very low end. ($60 USD)
- Faulty Cat ($130 USD)
- EMFI Blaster - ($200 USD)
- NewAE ChipShouter - ($4,800 USD)
EMP Probe Tips
- Typically home-brewed
- Spatial Resolution - very narrow "surgical" resolution to wide-beam resolution.
- Number and diameter of wire loops, wire thickness and shape of ferrite material.
- Magnetic fields are polarized depending on coil winding direction.
EMFI Target (Basic targets)
- NewAE Ballistic Gel to characterize an EMP Probe - Shipped with NewAE ChipShouter.
- EMFI Target. Readily available clone of NewAE Ballistic Gel.
- Arduino boards.
- STM32.
- FPGA - Xilinx Spartan 6 and Ultrascale+
- Bitcoin Wallets.
Optional Advanced Equipment
- Unused 3D Printer or hobby CNC Router.
- Side-channel monitoring equipment.
- ChipWhisperer.
- H-Probe.
- Oscilloscope.
- X-Y Plotter (reproducing vulnerable locations on chip, scanning the silicon fabric).
- JTAG.
H. EM Fault Injection Fault Timing and Synchronization
- Random EM Fault Injection timing. Useful for checking whether a target is susceptible to EM at all.
- Utilize side-channel analysis tools to trigger EM Injection.
- Set up mock hardware that uses the same chipset and add GPIO trigger code to determine boot process timing.
I. EM Fault Injection Use Cases
Bypassing software security checks.
- Bypassing RSA boot image integrity checks.
- Manipulation of AES algorithm rounds.
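The instruction-skip bypass from sections C and I, modelled in C as an added example (not code from the talk): a fail-open boot check beside a fail-closed one, with every single-step skip tried against a bad image. The one-skipped-step fault model, the function names and the verdict constants are assumptions made for illustration.

```c
#include <stdio.h>

/* Fault model (assumption): one glitch makes exactly one step not execute. */
static int skip_at = -1;   /* index of the skipped step, -1 = no fault */
static int step_no;
#define STEP(stmt) do { if (step_no++ != skip_at) { stmt; } } while (0)

/* Constructed verdict constants: bitwise complements, so a few flipped
 * bits cannot turn DENY into OK. */
#define BOOT_OK   0x3CA5965Au
#define BOOT_DENY 0xC35A69A5u

/* Fail-open pattern: "if (verify() != 0) halt();" then fall through. */
static int boot_naive(int sig_ok)
{
    int halted = 0;
    step_no = 0;
    STEP(if (!sig_ok) halted = 1);
    return !halted;
}

/* Fail-closed pattern: default deny, redundant check, flow counter. */
static int boot_hardened(int sig_ok)
{
    volatile unsigned verdict = BOOT_DENY, flow = 0;
    step_no = 0;
    STEP(if (sig_ok) flow += 1);
    STEP(if (sig_ok) flow += 2);            /* second, redundant check */
    STEP(if (flow == 3) verdict = BOOT_OK); /* both checks must have run */
    return verdict == BOOT_OK;
}

typedef int (*boot_fn)(int sig_ok);

/* Try every single-step skip on a bad image; count the ones that boot. */
static int count_bypasses(boot_fn boot, int nsteps)
{
    int hits = 0;
    for (skip_at = 0; skip_at < nsteps; skip_at++)
        hits += boot(0);
    skip_at = -1;
    return hits;
}

int main(void)
{
    printf("naive:    %d of 1 skips boot a bad image\n", count_bypasses(boot_naive, 1));
    printf("hardened: %d of 3 skips boot a bad image\n", count_bypasses(boot_hardened, 3));
    return 0;
}
```

The hardened form trades availability for integrity: a skipped step on a good image also ends in a denied boot. It addresses only this single-skip model, not multi-instruction skips or data corruption.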
Random Number Generator Entropy reduction
- Attack external Random Number Generator chips.
- Timed EM Pulse Injection prior to or during random number generation.
- Timed EM Pulse Injection of random number prior to its actual use.
Proprietary Integrated Circuit Recon via X-Y Scanning
- Map out locations of SRAM, Flash Memory and Register Banks
- Determine integrated circuit locations that are susceptible/resistant to EM Fault Injection.
J. Video Demonstrations - Personal research
- Modification of Arduino Atmega2560 Register set at run time.
- Reducing "Randomness" entropy of external FIPS 140-3 Compliant Random Number Generator chip data.
K. What's Next?
- Currently working on EM Injection manipulation of OPTEE/TrustZone for ARM AARCH64 software.
- Unfortunately under a vendor's non-disclosure agreement.
- Legally present this work in the near future.
An experienced Embedded Systems Engineer and Security Research Engineer specializing in FPGAs, BSPs, Side-Channel Analysis, Reverse Engineering of hardware and software - mostly for the United States Government including most recently the US Navy, US Marine Corps and DARPA. I currently work for a startup creating secure hypervisor technology solutions for Department of Defense Embedded Systems Avionics programs. Most of my free time is spent training for Ironman Triathlons.