2026-03-25, Lecture Hall
Laser Fault Injection is widely used in embedded security evaluations. Yet some attack classes - especially those requiring single-bit corruption in SRAM - depend on highly precise spatial faulting, while countermeasures often restrict the number of available attempts.
During the analysis of a cryptographic implementation, we needed insight into the physical layout of the target microcontroller’s SRAM to achieve this precision. Standard techniques such as photonic emission analysis did not reveal sufficient detail. We therefore repurposed Laser Fault Injection itself as a reverse-engineering method: by scanning the die and observing fault patterns, we reconstructed the spatial distribution of SRAM cells and mapped logical memory addresses to physical locations.
This reverse-engineered layout enabled reliable bit-level Laser Fault Injection attacks on the device. The work highlights how fault-injection techniques can support hardware reverse-engineering and provides practical knowledge for both security evaluators and researchers analyzing on-chip memory.