Android Hardware Reverse Engineering

DIY EM-Field Probes: Building and Calibrating for Android Side-Channel Attacks


Introduction: Unveiling Secrets Through Electromagnetic Emissions

Electromagnetic (EM) side-channel attacks represent a powerful class of non-invasive techniques capable of extracting sensitive information, such as cryptographic keys, from electronic devices. Modern Android devices, despite their robust software security, are not immune to these physical attacks. By meticulously analyzing the EM radiation emitted during sensitive operations, attackers can discern patterns that correlate directly with the processed data. This article serves as an expert-level guide to building and calibrating custom EM-field probes, offering a cost-effective pathway into Android hardware reverse engineering and cryptographic key extraction research.

While commercial probes are available, constructing your own allows for specialization, a deeper understanding of the underlying physics, and the flexibility to experiment with various geometries and materials tailored to specific targets, such as the tightly packed components within an Android smartphone.

Understanding EM Emissions from Android Devices

Every electronic circuit, by its nature, generates electromagnetic fields. Fluctuations in current flow and voltage levels, particularly during data processing, propagate as EM waves. Cryptographic operations, which involve highly data-dependent computations, create unique EM signatures that can be observed and analyzed. Components like the CPU, memory, and cryptographic accelerators on an Android device emit these fields, often in the near-field region, making them accessible to specialized probes.

Key leakage mechanisms include:

  • Current Variation: Data-dependent current consumption, especially during XOR, AND, or ADD operations, leads to varying magnetic fields.
  • Voltage Fluctuations: Switching activity causes voltage drops across power rails, generating electric fields.
  • Clock Signals: The fundamental clock frequency and its harmonics are strong EM emitters, providing a timing reference for analysis.

EM Probe Design Principles and Materials

Effective EM probes for side-channel analysis are typically small, near-field antennas designed to pick up either magnetic (H-field) or electric (E-field) components of the EM field. For cryptographic attacks, H-field probes are generally preferred due to their ability to localize current flows and their inherent rejection of common-mode E-field noise.

H-Field Probe Construction

An H-field probe is essentially a small loop antenna. The magnetic field passing through the loop induces a voltage proportional to the rate of change of the magnetic flux (Faraday’s Law of Induction). The probe’s sensitivity, frequency response, and spatial resolution are critical design parameters.

Materials Required:

  • Enameled Copper Wire: 30-40 AWG (e.g., 0.1mm diameter) for winding coils.
  • Ferrite Core (Optional but Recommended): Small ferrite beads or rods (e.g., 2-5mm diameter) concentrate the magnetic field, improving sensitivity.
  • Coaxial Cable: RG-174 or similar miniature coaxial cable for connecting the probe to an amplifier/oscilloscope. Provides shielding.
  • BNC Connector: For connecting to measurement equipment.
  • Copper Foil or Braid: For electrostatic shielding of the probe coil (critical for H-field probes).
  • Insulating Material: Heat shrink tubing, epoxy, or hot glue for structural integrity and insulation.
  • Non-Conductive Handle: Acrylic rod or 3D-printed part.
  • Soldering Iron and Supplies.
  • Multimeter.
  • Oscilloscope or Software Defined Radio (SDR) with appropriate software (e.g., GNU Radio, inspectrum).
  • Low-Noise Amplifier (LNA): A wideband RF amplifier (e.g., 20-40 dB gain, 10 MHz – 1 GHz bandwidth) is crucial.

Step-by-Step Construction:

  1. Coil Winding:

    For a basic H-field probe, wind 5-10 turns of enameled copper wire tightly around a small ferrite bead (if using) or simply form a small air-core loop (e.g., 1-3mm diameter). Ensure the winding direction is consistent. Leave approximately 5cm leads on both ends.

    [Diagram: ferrite core with the coil wound around it]
  2. Prepare Coaxial Cable:

    Strip one end of the coaxial cable, exposing the inner conductor, dielectric, and shield. The inner conductor will connect to one end of your coil, and the shield to the other.

  3. Connect Coil to Coaxial Cable:

    Carefully scrape the enamel off the ends of your coil wires. Solder one coil end to the inner conductor of the coaxial cable. Solder the other coil end to the shield braid of the coaxial cable. This forms a balanced loop. Keep the connections as short as possible.

  4. Electrostatic Shielding:

    Wrap the entire coil assembly (including the first part of the coaxial connection) with a single, non-overlapping layer of copper foil or braid, leaving a small gap where the ends meet. Critically, connect this shield to the coaxial cable’s shield (ground) at one point only. The gap keeps the shield from forming a closed turn around the coil, and the single ground connection lets it screen the coil from electric-field pickup instead of acting as an E-field antenna. Use conductive tape or solder to secure the connection to the coaxial shield.

    [Diagram: shielded coil. The copper foil/braid shield surrounds the loop; the inner conductor and the outer shield of the coaxial cable are each soldered to one end of the loop; the foil shield connects to the coaxial cable ground at a single point.]
  5. Encapsulation and Handle:

    Cover the entire probe tip with heat shrink tubing or epoxy for insulation and mechanical stability. Mount the probe onto a non-conductive handle for ease of manipulation. Solder the other end of the coaxial cable to a BNC connector.

Calibration Techniques for EM Probes

Proper calibration is paramount to ensure accurate and repeatable measurements. This involves characterizing the probe’s frequency response and spatial resolution.

Frequency Response Characterization

The probe’s sensitivity varies with frequency. To characterize this:

  1. Known Signal Source: Use a signal generator or a microcontroller (e.g., Arduino, ESP32) to generate a square wave or sine wave at various frequencies. For an Android focus, an MCU is ideal as it mimics the digital signals found on target devices.

    // Arduino example for generating a square wave on pin D2 (100 us period)
    void setup() {
      pinMode(2, OUTPUT);  // Set pin 2 as an output
    }

    void loop() {
      digitalWrite(2, HIGH);
      delayMicroseconds(50); // 50us HIGH, 50us LOW -> 100us period, 10kHz square wave
      digitalWrite(2, LOW);
      delayMicroseconds(50);
    }
  2. Measurement Setup: Place the probe at a fixed, close distance to the signal source. Connect the probe to your LNA, then to an oscilloscope or SDR.

  3. Sweep Frequencies: Generate square waves (which contain odd harmonics) or sweep sine waves across the desired frequency range (e.g., 10 MHz to 1 GHz). Record the probe’s output voltage amplitude or power spectral density at each frequency.

  4. Data Analysis: Plot the probe’s response (e.g., dBV or dBm vs. frequency) to understand its bandwidth and resonance points. This allows you to compensate for frequency-dependent effects during analysis.
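To turn the sweep from steps 2-4 into something usable during later analysis, here is an added Python example (not code from the original article). It uses the Faraday's-law relation from the H-field probe section to give the expected 20 dB/decade response of an ideal loop, then builds a per-frequency correction table from a constructed calibration sweep and applies it to a measured spectrum; the probe dimensions, test field and measured values are assumed for illustration.

```python
import math

def loop_emf_v(freq_hz, turns, loop_diameter_m, b_peak_t):
    """Peak open-circuit voltage induced in an N-turn loop by a sinusoidal
    magnetic field of peak flux density b_peak_t (Faraday's law: V = 2*pi*f*N*A*B).
    Valid well below the probe's self-resonance."""
    area_m2 = math.pi * (loop_diameter_m / 2.0) ** 2
    return 2.0 * math.pi * freq_hz * turns * area_m2 * b_peak_t

def to_dbv(volts):
    return 20.0 * math.log10(volts)

def slope_db_per_decade(f_lo, f_hi, db_lo, db_hi):
    """Slope of a response between two frequencies, in dB per decade."""
    return (db_hi - db_lo) / math.log10(f_hi / f_lo)

def correction_table_db(sweep_dbv):
    """Given {freq_hz: measured_dBV} from the calibration sweep, return
    {freq_hz: correction_dB} that removes the probe's own frequency dependence,
    normalised to the lowest swept frequency."""
    ref = sweep_dbv[min(sweep_dbv)]
    return {f: ref - m for f, m in sweep_dbv.items()}

def apply_correction(spectrum_dbv, table):
    """Correct a measured spectrum {freq_hz: dBV} using, for each bin, the
    calibrated frequency nearest on a log scale."""
    cal_freqs = sorted(table)
    corrected = {}
    for f, val in spectrum_dbv.items():
        nearest = min(cal_freqs, key=lambda c: abs(math.log10(c) - math.log10(f)))
        corrected[f] = val + table[nearest]
    return corrected

# Assumed probe: 7 turns on a 2 mm loop, calibrated in a 1 uT peak test field.
PROBE_TURNS, PROBE_DIAMETER_M, TEST_FIELD_T = 7, 2e-3, 1e-6
SWEEP_FREQS_HZ = [10e6, 20e6, 50e6, 100e6, 200e6, 500e6]

def ideal_sweep_dbv():
    """Response of the ideal (non-resonant) loop at the swept frequencies."""
    return {f: to_dbv(loop_emf_v(f, PROBE_TURNS, PROBE_DIAMETER_M, TEST_FIELD_T))
            for f in SWEEP_FREQS_HZ}

# Constructed sweep readings (not real measurements): roughly +20 dB/decade,
# with the roll-off past self-resonance showing up at 500 MHz.
MEASURED_SWEEP_DBV = {10e6: -62.0, 20e6: -56.0, 50e6: -48.1,
                      100e6: -42.5, 200e6: -38.0, 500e6: -45.0}

if __name__ == "__main__":
    table = correction_table_db(MEASURED_SWEEP_DBV)
    print("ideal slope 10-100 MHz (dB/decade):",
          slope_db_per_decade(10e6, 100e6, *[ideal_sweep_dbv()[f] for f in (10e6, 100e6)]))
    print("correction table (dB):", table)
    print("corrected 70 MHz bin:", apply_correction({70e6: -40.0}, table))
```

The correction table is only as good as the sweep it came from, so re-run the sweep whenever the coil, shield or LNA changes.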

Spatial Resolution Testing

Spatial resolution determines how precisely the probe can pinpoint the source of an EM emission.

  1. Fine-Pitched Test Board: Create a small PCB with very thin, parallel traces driven by distinct signals. Alternatively, use a known Android board and focus on a specific, isolated IC pin or trace.

  2. Precision Positioning: Manually (or ideally, with a micro-positioning stage) move the probe across the test board/device surface in small increments (e.g., 0.1-0.5mm). Record the output at each position.

  3. Mapping: Create a 2D map of the EM field strength. This helps visualize the probe’s effective sensing area and validate its ability to isolate specific emission sources.

Setting Up the Measurement Environment for Android SCA

To perform effective EM-field side-channel attacks on Android devices, a controlled measurement environment is crucial.

  • Faraday Cage/Shielded Enclosure: Minimizes external EM interference, allowing you to focus solely on the device’s emissions. A simple DIY solution can involve aluminum foil-lined cardboard boxes, but professional enclosures are ideal.
  • Low-Noise Amplifier (LNA): As EM emissions from microelectronics are often very weak, an LNA boosts the signal before digitization. Ensure the LNA has sufficient bandwidth for your target frequencies.
  • Digitization and Analysis:
    • Oscilloscope: A high-bandwidth digital storage oscilloscope (DSO) with FFT capabilities is excellent for real-time observation and initial spectral analysis.
    • Software Defined Radio (SDR): Devices like the HackRF One or USRP, coupled with software like GNU Radio, provide unparalleled flexibility for wideband signal capture and offline analysis. This is often preferred for long capture times and advanced demodulation.
  • Android Device Under Test: Prepare your Android device (e.g., rooted, custom ROM) to run specific cryptographic operations or benchmarks.

Practical Application: Observing Android Cryptographic Operations

Once your probe is built and calibrated, you can begin observing EM emanations from an Android device during cryptographic operations. This typically involves:

  1. Prepare Target: On the Android device, compile and run a simple C/C++ program that performs, for example, AES encryption repeatedly. Use adb push and adb shell to manage the executable.

    adb push crypto_benchmark /data/local/tmp/
    adb shell "chmod +x /data/local/tmp/crypto_benchmark"
    adb shell "/data/local/tmp/crypto_benchmark"
  2. Position Probe: Carefully place your EM probe close to known cryptographic hardware components (e.g., CPU, secure element) on the Android PCB. Use a microscope if available.

  3. Capture Data: Start the cryptographic benchmark on the Android device and simultaneously capture EM data using your oscilloscope or SDR. Look for recurring patterns that correspond to the start and end of encryption rounds.

  4. Analyze Waveforms: Look for power spikes, frequency shifts, or distinct patterns that change based on the input data or key bits. Tools like Inspectrum or custom Python scripts can help with advanced signal processing and correlation analysis.

Conclusion

Building and calibrating DIY EM-field probes is a rewarding and essential skill for anyone serious about hardware reverse engineering and side-channel analysis on Android devices. While challenging, the ability to custom-tailor probes for specific research objectives provides a unique advantage. This guide provides a foundation for creating effective tools to peer into the hidden world of electromagnetic emissions, laying the groundwork for advanced attacks like cryptographic key extraction. With practice and meticulous attention to detail, these DIY probes can become invaluable instruments in your hardware security toolkit.
