โก NullSec Glitch
March 7, 2026 ยท View on GitHub
โก NullSec Glitch
Voltage Glitching & Fault Injection Toolkit
Hardware fault injection for secure boot bypass, key extraction, and firmware dumping
๐ฏ Overview
NullSec Glitch automates voltage glitching attacks against embedded systems. It controls glitch parameters (timing, voltage, duration) to induce faults in target microcontrollers โ bypassing secure boot, extracting encryption keys, and dumping read-protected firmware.
โก Features
| Feature | Description |
|---|---|
| Voltage Glitcher | Precise VCC glitching with nanosecond timing control |
| EMFI Module | Electromagnetic fault injection support |
| Clock Glitcher | Clock signal manipulation attacks |
| Parameter Sweep | Automated voltage/timing parameter space exploration |
| Trigger System | GPIO, UART, and pattern-based glitch triggers |
| Success Detector | Automatic detection of successful fault conditions |
| Campaign Manager | Long-running glitch campaigns with progress saving |
๐ง Supported Hardware
| Glitcher | Type | Status |
|---|---|---|
| ChipWhisperer Lite/Pro | VCC + Clock | โ Full |
| ChipWhisperer Husky | VCC + Clock | โ Full |
| PicoGlitcher | VCC | โ Full |
| Custom MOSFET (GPIO) | VCC | โ Full |
| NewAE CW305 | FPGA Target | โ ๏ธ Beta |
๐ Quick Start
# Install
pip install nullsec-glitch
# Auto-detect glitcher hardware
nullsec-glitch detect
# Run a voltage glitch sweep
nullsec-glitch vcc --target stm32 \
--voltage-range 0.8-1.5 --step 0.01 \
--width-range 10ns-500ns --step 5ns \
--trigger uart --pattern "bootloader"
# Monitor for successful glitch
nullsec-glitch campaign --config stm32_readout.yaml --max-attempts 50000
# Extract firmware after successful glitch
nullsec-glitch dump --interface swd --output firmware.bin
๐ฏ Common Attack Scenarios
| Target | Goal | Technique |
|---|---|---|
| STM32 RDP | Bypass read-out protection | VCC glitch during boot |
| ESP32 Secure Boot | Skip signature verification | Clock glitch |
| nRF52 APPROTECT | Disable debug protection | VCC glitch + SWD |
| ATECC608 | Key extraction | EMFI |
| Secure Boot Chain | Skip hash verification | Timing glitch |
๐ Related Projects
| Project | Description |
|---|---|
| nullsec-jtag | JTAG/SWD debugging & extraction |
| nullsec-sdr | Software-defined radio toolkit |
| nullsec-uart | UART console discovery & interaction |
| nullsec-linux | Security Linux distro (140+ tools) |
โ ๏ธ Legal
For authorized hardware security testing only. Destructive testing may permanently damage target devices.
๐ License
MIT License โ @bad-antics
Part of the NullSec Hardware Security Suite