DPA External Target

Hi guys,

I’ve spent ages Googling, lurking in this forum, and even flipping through whitepapers, and electronics 101 articles looking for any guidance for my question with no luck.

I’m keen to try DPA on an external target, on the ground line. And I have so many questions - apologies and thanks in advance.

  1. How do I connect this all safely? I.e. The few instructions I’ve found related to VCC readings and I have no idea how much of that is even applicable to ground readings. Please help a noob out. What do I connect and where? My target is a little pcb with a soic8 chip, powered from a CR battery, with no serial inputs etc. I have little touch points on the board labelled: gnd, dat, clk, vcc.

1a. Do I need a “reference ground” from the target to the chipwhisperer/probe supply even though I’m measuring a ground signal for analysis?

1b. How do I avoid a ground loop here (sorry if this question is really silly, but I’d hate to blow something up and am risk averse)? I understand I need to connect probes to each side of the shunt, may or may not need a third wire to “reference ground” (can this be anywhere on the target that has 0v?), and need to connect something to trigger the chipwhisperer measurements and hook up the clock signal, but I don’t know how to identify safe places to do that. I have a chipwhisperer powered from my laptop (can unplug laptop from wall if this matters?), the official probe power supply connected to mains, and the target device is an external PCB powered by 2x 3v CR batteries. If more details are required please let me know what those are and I’ll post them.

1c. Does the advanced breakout board play into this? If so, how? If not, what is it supposed to be for?

  1. Ground shunts. Do I need to use something actually labelled a ground shunt, or can I use any resistor?

2a. How do I know what size resistor to use?

If there was an easy-for-noobs-to-follow diagram that included basic things like a line drawn from a gnd pad to the chipwhisperer to the pc to the wall (or not if you’re supposed to unplug it!) showing at their most basic and simple forms, how to wire everything up for VCC DPA, then another for GND, then another for power glitching, etc that would be extraordinarily helpful for newbies like me to conceptualize the way the connections should go.

Thanks for putting up with my questions. I enjoy the chipwhisperer so far, it’s a great concept and the build quality seems solid. When I read the description and the emphasis on making side channel attacks feasible and accessible for everyone I felt like it would give me a good learning foundation in terms of using it on real-world examples (external boards), but I feel like there is a huge gap here and I’m slowly trying to address it. It’s really hard to understand what you need to skill up on just to apply the same sorts of techniques to a truly external device. I’m sure I’ll get there eventually, and big thanks to everyone who takes the time to read and respond =)

Edit to add: I bought the power analysis / glitching level 2 starter pack. Probes etc I am trying to use are all a part of this pack. I also bought a soldering iron, heat gun, a multimeter, and a bunch of other stuff.

I’m good with software and security, but hardware is currently a bit like black magic to me.

Hello,

Measuring from the ground line is the same sort of idea as measuring from Vcc. You’ll want to put a shunt resistor between the ground pin of the target and the ground of the rest of the circuit (preferably between the device and any decoupling capacitors). The best way to do this is probably to cut the trace between the gnd pin and the rest of the circuit and solder a resistor between the pin and ground somewhere else on the circuit. Alternatively, provided the total resistance doesn’t cause supply issues (10ohms on each input + shunt resistance), you could solder a shunt resistor onto the CW506 Differential Probe (R6) and use that as your shunt resistor.

Your measurement point is the ground pin of the device and the reference for the ChipWhisperer is the rest of the circuit’s ground. If you’re using the differential probe, you’ll want to measure across the shunt resistor (or if you’re using R6 as your shunt, measure across the cut ground trace). You’ll also want a ground reference for the ChipWhisperer (pin 2 on the 20 pin connector).

The advanced breakout board comes into play for the rest of the connections you need. Basically, the ChipWhisperer expects 3.3V logic for its I/O pins (trigger, clock, serial, etc.), so if your source for these lines uses different logic levels, you can use the advanced breakout board to translate the logic levels (https://wiki.newae.com/CW506_Advanced_Breakout_Board for more info). If you use the differential probe, you’ll also want to take a look at its wiki page (https://wiki.newae.com/CW501_Differential_Probe).

You should be pretty safe from blowing things up if you properly translate the voltage levels and put your ground in the right place.

At a minimum, you’ll need a clean rising or falling edge to trigger the ChipWhisperer and the clock signal for the device (the clock is technically optional since you can resync all the traces to your first one, but if you can get a clock signal into/out of the device it’s much easier). Check https://wiki.newae.com/CW1173_ChipWhisperer-Lite#20-Pin_Connector for the CWLite 20 pin connector pinout.

Any normal resistor should work as your shunt. Surface mounts will probably give you slightly better readings, but a regular through hole resistor will also work.

What size of resistor you want to use will depend on the power consumption of your target. The voltage drop across the resistor increases with the resistance, so larger value resistors will give you larger readings. Conversely, because the drop is bigger, you may run into issues with the voltage at the ground pin rising too high. It shouldn’t damage the device, but it may cause strange behaviour (skipping instructions, crashing, etc). Check the datasheet to make sure you have a healthy tolerance on the minimum supply voltage (voltage between the Vcc and Gnd pins of the target) at a typical operating current with the resistor you choose.

There should be a paper of an attack on an Arduino that uses a ground reference that I can probably dig up if need be.

Let me know if anything here is unclear,

Alex

Hi Alex,

Thank you very much for taking time out of your day to respond. I’ve taken a picture of a scribbled diagram which is my understanding of what you’ve posted / how I should connect things up. If you have a few seconds to sanity check my interpretation of your post that I would be extremely grateful. I’ve labelled everything I think is relevant the best I can, hopefully it’s all legible and makes sense.

I’ve uploaded it here: https://imgur.com/a/3ELoPAc

Thanks again!

Jay

You’ve got that almost exact.

Two things you’ll need to change are to connect the ground of the PCB to ground on the ChipWhisperer (pin 2) and to reduce the voltage on your trigger since the chips on the Advanced Breakout Board have max recommended voltage of 5.5V. If you already ran them like this, they’re very likely fine (the absolute max is 7V), but you should probably change it before continuing. The best way to do this is probably to make a resistor divider with two 10k resistors (you could even skip the Breakout Board and just use this. 3V is close enough to 3.3V that triggering should work fine).

One thing I forgot to ask about was the clock signal. Do you know the origin of the signal on the board (is it coming from a crystal oscillator, an output pin on the target, etc)? The ChipWhisperer expects a clean clock signal, so something like a crystal by itself won’t be sufficient.

Alex

Hi Alex,

I’ll add a wire to ground when I connect everything (haven’t done that yet, because I was hesitant until clarifying the above points). Thanks for that.

Re: the clock. The datasheets simply refer to it as an oscillator clock, I’m assuming this means crystal oscillator clock. Hopefully it is clean enough, I suppose if it’s not I’ll need to look into aligning the signals by the first rising edge captured or something of that nature.