Info
This document is part of an original submission for the RP2350 Hacking Challenge.
For more detailed and up-to-date content, refer to “Laser Fault Injection on a Budget: RP2350 Edition”.
Laser Driver Board
Overview
Laser fault injection requires short, high-power light pulses to be transmitted.
A custom board has been designed for this purpose. While designing such a board was not overly complicated, finding a suitable laser diode turned out to be more challenging. The Laser Driver Board
Schematics and an interactive BOM are available from the Electronic Schematics & Interactive Renders Page. The Laser Driver Board, mounted to the Fault Injection Platform
Architecture
The architecture of the Laser Driver Board is outlined below.
flowchart TB
A{{USB Connector}} <--> B(USB to I2C Bridge)
B -->|Configure| C(Digital Potentiometer)
B -->|Trigger| E
C .-> D(High Voltage Power Supply Circuit)
D .-> E(Pulse Generator Circuit)
E .-> F(Laser Diode)
G{{Pin Header}} -->|Trigger| E
F -->|Current Sense| H{{SMA Connector}}
The board is powered and configured from a USB port. The host computer connected to this port can be used to:
- Configure the output level of a high-voltage (up to \(75V\)) power supply. This high supply is needed for the pulse generator circuit to operate.
- Manually send laser pulses.
However, because USB cannot be used for anything time-critical, laser pulses can also be generated from a simple pin header connector. This connector is connected to the FPGA board during the attack.
An SMA connector can be used to monitor the shape and intensity of the current pulses passing through the laser diode.
Pulse Generation Principle
A simplified version of the pulse generation circuit is outlined below. Simplified Pulse Generator Circuit
The capacitor C is first charged from the high-voltage power supply. To trigger a current pulse through the laser diode, the switching element SW is closed.
The current response is close to the one observed with a typical RLC circuit. The value of R is chosen to ensure the response of the circuit is critically damped.
C and L can be fine-tuned to change the duration of the pulse, while the high-voltage level can be used to set the peak current.
Unfortunately, this means changing the pulse duration is only possible by soldering new components to the board.
The values that have been used to successfully exploit the RP2350 are:
- \(R = 1.4 \Omega\)
- \(L = 33 nH\)
- \(C = 60 nF\)
Note that the resistor should be able to handle high current pulses. After having destroyed several resistors, I ended up using Vishay’s CMB 0207 family.
The selected Theoretical shape of the laser current pulses, for various power supply voltage levelsRLC values result in the following theoretical current pulses.
Laser Diode Sourcing
Finding a suitable laser diode was challenging. It turns out high-power \(1064nm\) laser diodes are difficult to find and expensive!
After a few unsuccessful attempts with low (\(<300mW\)) parts, I contacted a manufacturer on Alibaba and was able to order, for about €300, 5 pieces of a part rated for \(3W\). The datasheet for this part is available here.
This datasheet clearly states that the maximum operating current is \(3.8A\). Based on the current curves shared above, it’s very obvious the part is used well above its rating.
However, even after several thousand pulses, I don’t think I have damaged these diodes yet! This could be because the current pulses are short enough.
This surprising result matches the observation of the Continuous wave laser diodes enable fast optoacoustic imaging paper:
We investigated whether continuous wave (CW) laser diodes, which are available in visible and near-infrared regions, can be good optoacoustic light sources when overdriven with a peak current >40-fold higher than the CW absolute maximum.
Last update: November 24, 2024