PicoEMP – A Raspberry Pi Pico-based open-source electromagnetic fault injector designed for EMFI testing and research

The PicoEMP is a compact, low-cost, open-source electromagnetic fault injector (EMFI) tool developed by Colin O’Flynn for researchers, hobbyists, and educators interested in hardware security. Unlike NewAE’s professional-grade ChipSHOUTER, PicoEMP is a bare-bones device designed to be safe, usable, and most importantly, affordable.

Built around the Raspberry Pi Pico, the device generates high-voltage pulses using a transformer circuit (originally intended for photographic flash charging) and discharges energy from a low-ESR ceramic capacitor into a custom-made coil tip. The resulting electromagnetic field injects a small amount of power into processor internals such as registers and SRAM. This can flip bits, which makes it possible to test the robustness of embedded systems against such attacks.


ChipSHOUTER-PicoEMP specifications

  • Main controller – Raspberry Pi Pico (RP2040 dual-core Arm Cortex-M0+ MCU @ up to 133 MHz)
  • Purpose – Electromagnetic Fault Injection (EMFI) for testing embedded systems security
  • Components
    • High-voltage pulse generator circuit
    • Transformer (repurposed from photographic flash units)
    • Low-ESR, high-capacitance ceramic capacitor for energy storage
    • User-supplied EMFI probe tip (typically a hand-wound coil)
  • USB – Serial USB interface for triggering and control
  • Pulse control – Adjustable recharge rate (faster than the original PicoEMP)
  • Probes
    • Large 4.7µH coil probe for wider EM field
    • Smaller 6µH focused probe for localized attacks
  • High Voltage System
    • 220–230V charge stored on a 4.7µF HV capacitor
    • Designed for rapid energy discharge
  • Power
    • Powered via micro USB (cable not included)
    • Utilizes onboard voltage step-up for HV generation
  • Dimensions – 116 mm x 40 mm

PicoEMP Probes – 4.7µH (left) and 6µH (right)

To work properly, this open-source electromagnetic fault injector requires a custom tip and a protective shield for safe usage. The design is open source, and all the main files, such as the design files, Gerber files, and other documentation, are available on Unprovable’s GitHub repository. While not as powerful as ChipSHOUTER, PicoEMP is ideal for learning, experimentation, and exploring fault injection vulnerabilities in microcontrollers and SoCs.

After checking the GitHub repo, I can see that the chipshouter-picoemp firmware supports both C and MicroPython implementations for the Raspberry Pi Pico. The C version comes with a serial-console-based interface with external trigger support, while the MicroPython version provides a simpler, button-based control without serial functionality.

Pi on Pi Violence R testing a Raspberry Pi

The above image shows an electromagnetic fault injection (EMFI) test setup on a Raspberry Pi SBC using a PicoEMP device. The test targeted RSA cryptographic operations, with varied outcomes: 30% of attempts had no impact, 41% caused application crashes, and 24% successfully induced RSA faults. More information can be found in papers 1 and 2, which I found during my search for more information about the product.
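The "RSA faults" outcome above is the case a signer has to catch before output leaves the device. The simulation below is an added example, not code from the article, the papers, or the PicoEMP project; it assumes a CRT-based RSA signer, and the toy primes, the message, and the single-bit-flip fault model are all constructed for illustration.

```python
# Added example: simulated one-bit fault in RSA-CRT signing, with a
# verify-before-release countermeasure. Toy parameters, constructed for
# illustration only (far too small for real use). Requires Python 3.8+.

P, Q = 1000003, 1000033            # constructed toy primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)               # CRT coefficient
M = 123456789                      # constructed message representative


def sign_crt(m, flip_bit=None):
    """RSA-CRT signature of integer m.

    flip_bit (assumed fault model) flips one bit of the mod-P half result,
    standing in for a glitch that corrupts a register or SRAM word.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if flip_bit is not None:
        sp ^= 1 << flip_bit
    h = (QINV * (sp - sq)) % P     # Garner recombination
    return sq + Q * h


def sign_checked(m, flip_bit=None):
    """Countermeasure: re-verify with the public key; release nothing on mismatch."""
    s = sign_crt(m, flip_bit)
    return s if pow(s, E, N) == m % N else None


def campaign(m, bits=range(20)):
    """Tally simulated trials: how many faulted signatures the check withheld."""
    results = {"released": 0, "withheld": 0}
    for b in bits:
        key = "withheld" if sign_checked(m, b) is None else "released"
        results[key] += 1
    return results


if __name__ == "__main__":
    print("clean signature verifies:", sign_checked(M) is not None)
    print("faulted trials:", campaign(M))
```

The check costs one public-key exponentiation per signature, which is cheap with a small public exponent such as 65537.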

The PicoEMP was designed a few years ago, but you can now order one from the Tindie store with either a 4.7µH or 6µH probe for $133.00. If you build your own tip, O’Flynn encourages sharing it with the community via a pull request to the PicoEMP project repository.
