Any tutorial about glitching

There’s a little more background around all of this that I should’ve explained. It’s all for a talk I’m giving. Originally, I was just going to mention/explain side channel and fault injection attacks and not demo them.

Haha, it’s not so much about being sexy as it is about not modifying the DUT. To do power analysis or power glitching, I’d need to modify the PCB (which I’ve done in other hacks). In both cases, I’d start by removing the bypass caps around the microcontroller until it starts to misbehave, then solder one back on. For power analysis, I’d solder a low resistance shunt resistor in line with VCC to the microcontroller.

For this talk, I wanted to avoid that and keep it a little more approachable. Not everyone has SMD soldering experience, lol.

Absolutely… I do have a Chip Whisperer, and yes, I have used it successfully to do differential power analysis and timing in exactly that way. After the fault injection with the EMP, I plan on writing more code to use a PIO to measure the time between sending the \r and receiving the response to find the password because…

No, I didn’t. The DUT is a knockoff cheapo thing made overseas, and I honestly don’t expect a response from the vendor. What I did do was unsolder the flash chip and read it out using the BP. (BTW, that’s how I found this awesome community - see Bus Pirate 5 resetting itself, causing storage corruption).

Once I had read it out, I dd’d out the bootloader and reverse engineered it in Ghidra. (The vendor did their own really, really bad code for the password*). So I actually know the password, and have gone on to pwn the thing and find other vulns…

That was going to be the main point of the talk, but after being on this forum with @ian, @henrygab, @grymoire, @electronic_eel, and others, I’ve kind of pivoted my talk into more of “Hey Blue Teamers - it doesn’t take a nation-state with unlimited resources and time to perform these attacks! I was able to do them all with a Bus Pirate 5!” (When threat modeling in the ICS and IoT/IIoT world, every project team says “Those are unreasonable attacks, it would take so much resources…” Ugh).

Lol, I think my talk is going to be half what I originally outlined and half love letter to the BP :slight_smile:

Thanks again for all of the support and help!
Matt

====
Holy cow, the password code the vendor implemented is bad! Unlimited retries, no penalty (wait time, etc.) for wrong attempts, a stack buffer overflow, and yes, they are using strcpy() to test for correct password (no hashing). When I was a security engineer I would’ve ripped that dev team a new one for all of that. Once I went Red Team, I just drooled over that kind of thing :smiley:

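Matt's closing note lists the three defects a reviewer would flag in that password check: a compare that stops at the first wrong byte (which is what a timing measurement between the `\r` and the response exploits), an unbounded copy into a stack buffer, and unlimited retries with no penalty. The following is an added example, not code from the post or from the vendor's firmware. It places the early-exit pattern next to a hardened version and assumes a constructed placeholder secret (`STORED_PW`), a hypothetical `pw_session` structure and a caller-supplied tick counter; a count of comparison steps stands in for elapsed time so the difference can be seen without hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 32          /* fixed input buffer; nothing longer is ever copied */
#define LOCK_SHIFT_CAP 10  /* caps the exponential lockout at 1024 ticks */

/* Constructed placeholder secret for the example (not the real device's). */
static const char STORED_PW[PW_MAX] = "hunter2";

/* Number of byte comparisons performed by the last check; a stand-in for
 * the response time an attacker would measure on the serial line. */
static size_t g_steps;

/* Early-exit compare, the shape the post describes: work stops at the
 * first mismatch, so the step count (and the response time) grows with
 * the length of the correct prefix. Kept here only as the "before". */
int check_naive(const char *guess) {
    g_steps = 0;
    for (size_t i = 0;; i++) {
        g_steps++;
        if (STORED_PW[i] != guess[i]) return 0;
        if (STORED_PW[i] == '\0') return 1;
    }
}

/* Hardened compare: bounded copy into a zeroed fixed buffer (no overflow),
 * then an OR-accumulated XOR over the whole buffer so the step count is
 * identical for every guess of acceptable length. The length mismatch is
 * folded into the same accumulator rather than returned early. */
int check_ct(const char *guess, size_t guess_len) {
    uint8_t buf[PW_MAX] = {0};
    g_steps = 0;
    if (guess_len > PW_MAX) return 0;   /* oversize input is never copied */
    memcpy(buf, guess, guess_len);
    volatile uint8_t diff = (uint8_t)(guess_len != strlen(STORED_PW));
    for (size_t i = 0; i < PW_MAX; i++) {
        g_steps++;
        diff |= (uint8_t)(buf[i] ^ (uint8_t)STORED_PW[i]);
    }
    return diff == 0;
}

/* Helpers exposing the step counts so the difference can be asserted on. */
size_t naive_steps(const char *guess) { check_naive(guess); return g_steps; }
size_t ct_steps(const char *guess, size_t len) { check_ct(guess, len); return g_steps; }

/* Hypothetical per-connection state: failures so far and the tick at which
 * the next attempt is allowed. Each failure doubles the wait. */
typedef struct { unsigned failures; unsigned locked_until; } pw_session;

/* Returns 1 on success, 0 on a wrong password, -1 while locked out.
 * `now` is a monotonic tick count supplied by the caller. */
int pw_try(pw_session *s, const char *guess, size_t len, unsigned now) {
    if (now < s->locked_until) return -1;
    if (check_ct(guess, len)) { s->failures = 0; return 1; }
    s->failures++;
    unsigned shift = s->failures > LOCK_SHIFT_CAP ? LOCK_SHIFT_CAP : s->failures;
    s->locked_until = now + (1u << shift);
    return 0;
}

int main(void) {
    /* Constructed guesses: wrong first byte vs. wrong sixth byte. */
    printf("naive: 'xunter2' -> %zu steps, 'huntex2' -> %zu steps\n",
           naive_steps("xunter2"), naive_steps("huntex2"));
    printf("ct:    'xunter2' -> %zu steps, 'huntex2' -> %zu steps\n",
           ct_steps("xunter2", 7), ct_steps("huntex2", 7));
    pw_session s = {0, 0};
    printf("lockout: %d %d %d\n", pw_try(&s, "bad", 3, 0),
           pw_try(&s, "hunter2", 7, 1), pw_try(&s, "hunter2", 7, 2));
    return 0;
}
```

The naive path reports 1 step for a guess wrong in its first byte and 6 for one wrong in its sixth, which is exactly the per-byte signal a serial timing measurement recovers; the hardened path reports 32 for both. The `volatile` accumulator is there to discourage the compiler from re-introducing an early exit, but on a real microcontroller the generated assembly should still be checked, and the check should ideally run against a hash of the password rather than the plaintext.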