Embedded Systems & Hardware Security Researcher
I'm an independent embedded systems engineer and hardware security researcher focused on fault injection, side-channel analysis (CPA, DPA), cryptographic fault attacks such as Differential Fault Analysis (DFA), and bypassing hardware security protections like read-out and access restrictions. I build custom low-cost tools to uncover vulnerabilities in wireless SoCs, MCUs, hardware cryptographic engines, and software cryptographic implementations. My work also covers secure embedded design, with a focus on practical hardware and firmware countermeasures against physical attacks. My background as an embedded hardware/software engineer, with experience designing firmware and hardware for connected devices, provides practical insight into system-level behavior across both software and hardware layers, which helps in analyzing and understanding real-world embedded security vulnerabilities.
Texas Instruments referenced the MSPM0G3507 Correlation Power Analysis (CPA) research in a security-related discussion on the official E2E forum, along with associated presentation material.
Supporting material (TI internal presentation):
MSPM0G350x AES DPA Presentation (PPTX)
The material groups MSPM0 devices by AES engine: those using the TI AES IP (MSPM0G3505/06/07, MSPM0G1505/06/07), which are directly related to the MSPM0G3507 device evaluated in the CPA research, and those using AESADV (Rambus IP), including MSPM0G3518/19 and related variants, which are listed as unrelated TI products.
Source: Texas Instruments E2E Forum discussion (April 24, 2026), TI representative post
Using Correlation Power Analysis (CPA), the AES-128 key was extracted from the MSPM0G3507. Leakage mapping across all 10 AES rounds was performed with Reverse CPA, targeting register-write transitions that dominate switching activity during the final round. Capture was performed with a ChipWhisperer Nano, and analysis used the eShard scared library.
To the best of the author's knowledge, this is the first publicly documented key extraction from this device. This research was not reported to Texas Instruments.
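The register-write leakage model behind the last-round CPA described above can be illustrated in simulation. The following is an added example, not the author's capture data, the ChipWhisperer or scared tooling, or any measurement from the MSPM0G3507: it models one byte of a hardware AES state register that is overwritten with the ciphertext at the end of round 10 (for a row-0 byte, which ShiftRows leaves in place), generates constructed traces whose leakage is the Hamming distance of that write plus Gaussian noise, recovers the last-round key byte by Pearson correlation over all 256 guesses, and then repeats the analysis against a register that is Boolean-masked with a fresh mask per round to show why first-order correlation disappears. The key byte, trace count, noise level and seed are arbitrary assumptions.

```python
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def build_sbox():
    # Generate the AES S-box from the GF(2^8) inverse plus affine map
    # (p and q walk the field as 3^i and 3^-i, so p * q == 1 at each step).
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3 ...
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; affine constant only
    return sbox


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def hamming_weight(x):
    return bin(x).count("1")


def last_round_hd(c, k):
    # Register held the round-9 state byte InvSBox(c ^ k) and is overwritten by the
    # ciphertext byte c; switching activity is modelled as the number of toggled bits.
    return hamming_weight(INV_SBOX[c ^ k] ^ c)


def simulate_traces(key_byte, n_traces, noise_sigma, rng, masked=False):
    """Constructed traces: one leakage sample per random ciphertext byte (not real captures)."""
    cts, leaks = [], []
    for _ in range(n_traces):
        c = rng.getrandbits(8)
        prev, nxt = INV_SBOX[c ^ key_byte], c
        if masked:
            # Boolean masking with a fresh mask on each register write: the toggle count
            # becomes HW(prev ^ nxt ^ m9 ^ m10), uniform and independent of the key.
            prev ^= rng.getrandbits(8)
            nxt ^= rng.getrandbits(8)
        leaks.append(hamming_weight(prev ^ nxt) + rng.gauss(0.0, noise_sigma))
        cts.append(c)
    return cts, leaks


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def cpa_last_round_byte(cts, leaks):
    """Return (best key-byte guess, |correlation| for every guess)."""
    corrs = [abs(pearson([last_round_hd(c, g) for c in cts], leaks)) for g in range(256)]
    best = max(range(256), key=lambda g: corrs[g])
    return best, corrs


def run_demo(key_byte=0x3C, n_traces=500, noise_sigma=1.0, seed=2024):
    # Assumed parameters; the same analysis is run on unmasked and masked registers.
    rng = random.Random(seed)
    cts, leaks = simulate_traces(key_byte, n_traces, noise_sigma, rng)
    guess, corrs = cpa_last_round_byte(cts, leaks)
    m_cts, m_leaks = simulate_traces(key_byte, n_traces, noise_sigma, rng, masked=True)
    m_guess, m_corrs = cpa_last_round_byte(m_cts, m_leaks)
    return {
        "unmasked_guess": guess, "unmasked_peak": corrs[guess],
        "masked_guess": m_guess, "masked_peak": m_corrs[m_guess],
    }


if __name__ == "__main__":
    r = run_demo()
    print("unmasked: guess 0x%02X, peak |r| = %.2f" % (r["unmasked_guess"], r["unmasked_peak"]))
    print("masked:   guess 0x%02X, peak |r| = %.2f" % (r["masked_guess"], r["masked_peak"]))
```

With the assumed noise level the unmasked register yields a correlation peak around 0.8 at the correct byte after a few hundred traces, while the masked register's highest peak over all guesses stays at the level expected from sampling noise (roughly 1/sqrt(N)), which is the first-order property a masked design is meant to provide; a practitioner evaluating a countermeasure would look for exactly this flattening of the correlation profile.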
Explored voltage fault injection on the Arm® TrustZone® CryptoCell 310 AES-128 engine in the Nordic nRF52840 SoC. The research demonstrates how controlled voltage glitches can lead to plaintext leakage in ECB, CBC, and CTR modes, offering insight into the impact of physical faults on hardware-based AES encryption.
Reported on Nov 13, 2024. Publicly disclosed on Apr 11, 2025, in coordination with Nordic Semiconductor ASA.
Read the Nordic Advisory here: Nordic Semiconductor Advisory - April 11, 2025.