Mounting a low-cost laser bench

At the Donjon, we have a high-end laser bench of this type, and it has allowed us to carry out many security studies and exploratory attacks. The need to have a second laser bench led us to consider designing a simpler and less expensive one. Its accuracy would not need to be as high as the first bench and would be regarded as a complementary one. We reckoned that some vulnerabilities we had previously identified would also be reproduced easily with this lower-end setup, as the spot position does not need to be as precise in those cases.

Disclaimer

Warning: Before trying to reproduce any work described here or doing any experimental setup involving lasers, wear laser safety glasses and verify that the protection is suitable for safe experimentation for that laser wavelength. Also, check that co-workers in the room are protected as well.

The laser source

The first component to obtain is the source of light emission: the laser diode. The most common and approved solution for performance and efficiency is the one retailed by ALPhANOV, and now by its spin-off, Aérodiode.

This part is the most expensive one on this bench. It is not easy to consider alternatives without experience in developing with laser sources.

We have reused a PDM2+. This module has the unique feature of having two sources of two / with different wavelengths (980 and 1064 nm) and can deliver short pulses of high power. It is fully packaged with standard FC/APC connectors for the fibre output and can be controlled through a serial port and our pypdm Python library.

A simpler model such as the PDM+ can be an alternative laser, according to the needs of attacks (power, timing, pulse duration, etc).

Optics

Now we need to simplify the optical component of the fibre output by replacing the microscopes.

Two possibilities arise:

• Get rid of optical elements. We attack directly with a bare output placed directly on the silicon die. But it involves careful handling of the fibre, which is very fragile.
• Use a collimator. This component permits to have a parallel beam out of the fibre. Depending on the precision of the collimator, the beam keeps a near-constant diameter for a dozen centimetres, permitting a comfortable work distance between the fibre and the device.

Collimator

The collimator model is chosen from the adjustable aspheric collimators range from Thorlabs, which is important because we need to set the distance between the tip of the fibre and the aspheric lens to adjust the divergence of the output beam. According to the collimator description, it is possible to make the beam converge. These collimators have standard female FC/APC sockets compatible with our fibre.

From this step onwards, we worked with a collimated laser beam. The wearing of laser safety glasses is mandatory.

Converging lens

Although the collimator can be adjusted to be slightly convergent, it was not good enough to get a clean focal spot.

A converging lens downstream of the collimator moves the focal plane at a chosen distance. The plano-convex LA1304-AB lens has a focal distance of 4 cm and an anti-reflective coating for wavelengths from 400 to 1100 nm. A holder is also necessary to set the lens next to the collimator.

Assembly

The holder for the collimator and lens was designed using FreeCAD and 3D-printed in PLA with a conventional 3D printer.

Observing the spot size

Current laser light is not in the visible spectrum, but by using a NIR Detector Card, we observed the size of the spot and compared it when using a calibrated focusing module (kindly lent by our friends at NinjaLab).

The NIR cards have crosshairs having lines 100 µm wide, and two concentric circles with diameters of approximately 1.6 mm and 7.3 mm.

The specifications of the focusing module say that at the focus point the spot size is under 10 µm, for a laser source with an output connected to a simple mode fibre.

We can see that in the two setups the size of the spots are identical.

This conclusion results from a simple image comparison. The size of the spot is usually characterized and calibrated using measurement devices. In this configuration, the spot size depends on the power provided by the laser and how the NIR detector card diffuses the resulting light.

Cage

It is best to isolate the experiment when the laser is activated to avoid the risk of unwanted glare being a safety hazards for people in the room. For this, we opted to mount a lightweight cage to cover the experiment. We wanted the cage to be easily and quickly placed and removed, and in addition, it also reduces dust accumulation on the setup.

Beams and panels

The box is comprised of aluminium structural beams for the frame and opaque black aluminium panels. It covers a 60 by 60 cm optical breadboard and is about 50 cm high.

As a future improvement, we plan to replace the front panel with a transparent one to be able to watch running experiments. This special transparent panel would, of course, filter light at the laser wavelength.

Design

The cage was first designed using FreeCAD (credits to Olivier Hériveaux). It has two identical halves:

• The back part is fixed to the breadboard, which the cables go through.
• A front part, which is removable, is inserted when experimenting.

Hinges may be installed in the future, depending on the final placement of the bench. Aluminium beams and panels make up the front panel and are light enough to be easily placed and removed using two handles.

Beams and assembly parts come from SystéAl, and the aluminium and polyethene panels from aladecoupe.com (both are French suppliers). Those two providers offer custom-made parts at a reasonable price. The threading of the beams for screw mounting was a little expensive, so we did it ourselves.

Interlock safety

The PDMs from ALPhANOV have an interlock protection. This feature prevents laser emission when the interlock safety circuit is open. For the diode to be active, the interlock BNC connector on the back of the equipment has to be shunted with a 50-ohm stub terminator.

A magnetic door opening detector, open by default, connected to a 50-ohm resistor, is used and placed on the beams of the two halves of the box. When the front half is removed, the switch opens disabling the shunt, and thus the laser diode. This ensures that if someone opens the cage, intentionally or not, the laser source turns off.

Grommets and cable entry

To ensure proper closure of the box, we installed two kinds of grommets on the back panel of the box.

One cable entry seal with a black nylon brush is used for 10-inch server racks, to temporarily pass large cables such as oscilloscope probes or motor connectors, and two thermoplastic elastomer grommets for more permanent cables such as the optical fibre, USB or SMA cables.

Brush seal cable pass-throughElastomer cable pass-throughFrom the inside

Motorization

XY (Z or focus?)

To automate the spatial scanning, we use actuators to move the laser spot over the silicon, to target various parts of the chip. As the converging lens has 4-cm focal distance, which can be slightly corrected over 10 mm using the adjustable collimator, a manual axis for the elevation is practical enough.

The motors do not need to be very precise; 10 µm accuracy is good enough, according to the observed size of the spot. The method of alignment presented later has this order of precision.

In our case, we already have a motorized Newport stage, but a simple CNC router should be sufficient.

Remote control

For greater convenience, we incorporated the ability to control positioning with remote controls into our software tools. A games controller or joystick greatly improves user comfort during the alignment process and gives the setup an entertaining retro-gaming look.

Visualization

Do we SWIR?

Laser attacks are monitored using a camera that captures images in the infrared range. These cameras have SWIR (Short-Wave Infrared) sensors and are advantageous mainly when observing through the silicon substrate. In addition, there must be an emitting light source at these wavelengths.

We do not want our bench used for reverse engineering so that we can stick to a basic camera. The laser spot is still visible if no infrared filter is present. It is like pressing the button of an IR TV remote control and seeing the LED flashes when recording it with the camera.

The best affordable camera that could be found for close inspection was the DinoLite microscope. The image quality is quite impressive. Some models have long working distances, and they are compatible with OpenCV for software image capture.

The downside is that the LEDs cannot be controlled on Linux and are systematically turned on. Luckily, they are mounted on a removable PCB ring.

Internal lighting

The LED ring removed from the DinoLite is placed on an articulated arm above the experiment to light up the inside when the box is closed. It is powered with a 5-volt external power supply for the experiments. The LEDs can be dimmed by changing the output voltage from 0 to 5 volts.

Camera placement and distortion correction

Contrary to the first laser bench, which combined an optical column integrating beam-splitting mirrors to align the camera, the IR light and the laser, here we placed the camera next to the focusing module close together.

As a result, the camera is tilted, and the laser spot does not appear at the centre of the image. A software image correction process has been developed to perform the computation by matrix transformation . It allows the user to track the position of an object when the camera is at four different positions.

For each step, we record the position in the camera view and the location of the positioners. The red circle and crosshairs are on the intersection of the wall and the roof of the Donjon logo, in each image.

Then, with these four pairs of coordinates, we have three corresponding displacements (and motor positions) and observed displacements (and view coordinates). A transformation matrix is computed and applied to the image.

In addition, this operation normalizes the scaling of the image. We can then take distance measurements.

Final assembly

There we are. The second bench is now mounted and ready to shoot! Stay tuned for the next posts on our future achievements.