Hardware Wallet Hacking: Glitching
When to use Hardware Hacking?
In some cases, password recovery alone isn’t enough. More so when dealing with hardware wallets that are damaged, PIN-locked, or unresponsive. In these situations, we deploy a range of advanced hardware hacking tools and techniques to extract data directly from the secure element or microcontroller. This process requires deep technical expertise, precise timing, and specialized equipment. It’s notable that mistakes when engaging in hardware hacking can destroy the wallet or permanently lock its contents as
What is involved?
One of the most critical methods we use is voltage glitching: a technique that momentarily disrupts the power supply to a chip at a precise moment to bypass authentication or trigger unintended behavior. To pull this off successfully, we rely on our own homegrown multiplexers and custom glitch injection boards. We use these in conjunction with with tightly timed scripts written for known vulnerabilities in STM32 and similar architectures. These methods can allow temporary or permanent bypass of PIN checks, key export blocks, or other protections baked into the wallet's firmware.
Glitching: Tools of the Trade for Hardware Wallet Attacks
Voltage glitching (also known as fault injection) is one of the few techniques available to bypass physical security on hardware wallets, secure microcontrollers, and embedded cryptographic elements. At Praefortis, we’ve used these techniques in extreme last-resort scenarios where no recovery phrase is available and traditional access methods are permanently blocked. Below is a breakdown of the essential equipment used for glitching attacks (note: this is not for the faint of heart or the ill-prepared).
1. Oscilloscope
A high-bandwidth oscilloscope is essential for characterizing the target device’s behavior during boot and identifying precisely when to inject the glitch. We recommend:
Bandwidth: At least 100MHz (ideally 500MHz+ for STM32/ARM targets)
Sampling Rate: Minimum 1 GSa/s
Trigger Features: Adjustable trigger hold-off and external triggering capabilities
Brands: Rigol, Siglent, Keysight
2. Glitching Platform
This is the brain of the operation and delivers precisely timed voltage dips or EM pulses to the target. Popular platforms include:
ChipWhisperer Lite / Pro – The gold standard for beginner-to-intermediate glitching and side-channel analysis
Glitcher Nano – Compact and powerful for simple low-cost setups
Custom-built Arduino or STM32-based glitchers – Viable with the right firmware and low latency
3. Power Delivery and Monitoring
Glitching often involves tampering with the VCC or RESET lines of the target. Clean power and monitoring are key:
Bench Power Supply – Adjustable voltage/current limits with fine resolution
Low ESR Capacitors – For local power rail stability
Current Sense Resistors or INA219 Sensors – To monitor target behavior during injection
4. Precision Clocking Tools
Controlling or synchronizing the target’s clock can increase the reliability of glitch timing:
External Clock Generator – Can override the target's internal oscillator
Frequency Synthesizers – Useful for fine-tuning clock speed to amplify vulnerability
5. Micromanipulators and Test Probes
Reliable probing of tiny test pads and traces is a must. A soldered connection can introduce delay or instability.
Pogo Pins – Non-invasive access to test points
Sharp Logic Analyzers (e.g., Saleae Logic) – For correlating events to firmware operations
Micromanipulator Arms – For precise placement of probes on QFN or BGA packages
6. Firmware Tools and Debugging
You need a way to observe bootloader behavior, UART output, or response to glitches:
SEGGER J-Link / ST-Link – For SWD or JTAG debugging
USB-to-Serial Adapters (FTDI/CH340) – For monitoring console output
Bus Pirate / Logic Analyzer – For sniffing UART protocols
7. Shielding and Protection
When working with glitching hardware, isolation is key to avoid frying your USB ports — or your wallet:
USB Isolators
Opto-isolators on GPIOs
Faraday Cages or EMI Shielding – To contain unintended RF leakage
8. Software Suite
Without the right software, your gear is just metal and silicon. You’ll need:
ChipWhisperer GUI / Python API
OpenOCD – For low-level debugging
Ghidra / IDA Pro – To reverse bootloader firmware and map function locations
Custom glitch scripts – To coordinate attack sequences and validate results
A Word of Caution
This is not plug-and-play work. Glitching requires patience, repetition, and a willingness to destroy a few boards along the way. It is closer to science than engineering where you are inducing failure in a deterministic system and hoping it fails in your favor. We’ve spent thousands of hours fine-tuning our glitching setups and workflows. If you’re attempting this solo, be prepared for an uphill battle.
Or, if you prefer results over theory, get in touch. Praefortis has the gear, the experience, and the scars to prove it.
Nanosecond Timing
Precise timing is everything in hardware fault injection. That's why we use oscilloscopes to analyze signal behavior, clock cycles, and voltage irregularities. By observing the waveform outputs of the device under attack, we can align our glitch pulses with the microcontroller's instruction pipeline. We also use tools like the SEGGER J-Link for JTAG/SWD debugging, which allows us to halt execution, read registers, and inspect memory if the device isn't locked down completely. In devices where the debug interface is still partially accessible, this can be the most surgical and effective way to pull secrets out safely.
These tools and techniques aren't guesswork. They are part of a methodical process we have refined across hundreds of cases. At Praefortis.us, we combine electrical engineering, firmware reverse engineering, and real-world recovery experience to perform hardware wallet extractions that would be impossible with software alone.
DIY Hardware Hacking vs. Professional Extraction
While DIY hardware hacking might seem appealing, the risks are enormous: one wrong pulse or solder bridge can permanently destroy access. We've handled hundreds of hardware wallet recoveries without ever losing a customer’s funds. We use calibrated tools, methodical extraction protocols, and secure key handling environments to ensure success where DIY often ends in permanent loss.
| Factor / Risk | DIY Attempt | Professional Recovery (Praefortis.us) |
|---|---|---|
| Required Equipment Cost | 💸 $15,000+ (glitcher, scope, debug tools) | ✅ Included in service |
| Technical Skill Level | ⚠️ Very High (EE + firmware + fault injection) | ✅ Team of specialists |
| Success Rate | ⚠️ Extremely low for non-experts | ✅ High — no customer wallet lost to date |
| Risk of Permanent Bricking | ❌ High (glitching at wrong moment) | ✅ Fully mitigated with staged testing |
| Oscilloscope Tuning & Timing | ⚠️ Requires sub-10ns precision tuning | ✅ Calibrated lab setups + automated triggers |
| Safe Key Extraction | ❌ Difficult (volatile memory issues) | ✅ Expert-controlled extraction flow |
| Debugging Interface Handling | ⚠️ Risk of locking down chip further | ✅ Custom J-Link scripts + forensic staging |
| Chip Removal / PCB Work | ⚠️ Requires micro soldering, reballing | ✅ Clean lab conditions + microscope soldering |
| Post-Recovery Handling | ❌ Often insecure (keys exposed) | ✅ Secure rekeying, signing, and cold transfer |
| Legal Chain of Custody | ❌ None | ✅ Full documentation for estate & fiduciary cases |
Why DIY Hardware Hacking Is Simply Not Worth the Risk
Attempting hardware wallet hacking on your own, whether it’s voltage glitching, EM fault injection, or even chip probing is a high-stakes gamble that demands professional grade tools, nanosecond-level timing, and deep expertise in electrical engineering and firmware. The margin for error is razor thin. A single mistimed glitch or incorrect solder joint can permanently brick a wallet or render its contents unrecoverable. Worse, missteps may lock down the chip indefinitely or expose sensitive data without access, the net result that of having compromised funds beyond repair.
These techniques also require more than just hardware, they demand controlled lab environments, calibrated oscilloscopes, precision JTAG debugging with tools like SEGGER J-Link, and a forensic grade workflow where mistakes aren’t an option. Without the infrastructure to contain and analyze glitches, or prevent EMI and leakage, a DIY attempt is far more likely to destroy the wallet than recover any keys. Industry research confirms this vulnerability; powerful side-channel and glitching attacks exist, but executing them reliably requires expertise few individuals can replicate.
Through Praefortis, you get expertise refined through hundreds of successful recoveries without ever losing a single customer wallet. Our team combines academic-grade hardware testing rigs with validated glitch injection workflows, controlled debugging with SEGGER and J-Link, and cleanroom soldering techniques. We work in secure, test-driven environments where every recovery is scripted, repeatable, and documented. When lives (or livelihoods) depend on it, this structured approach is not just better, it’s essential.