Re: H-Field Probe

Posted: Wed Aug 19, 2015 9:31 pm
by coflynn
Awesome! Yeah that waveform looks to have some "peaks" which is a good sign!

The H-Field probe is a little more "magic" as the waveform doesn't look nice and repeatable like it does with the shunt. But the data is there underneath the noise, so you just have to trust the math to get it out ;-)

Re: H-Field Probe

Posted: Fri Aug 28, 2015 4:28 am
by aldaya
@chocolate, could you share the attack performance using the h-probe?

Re: H-Field Probe

Posted: Fri Sep 11, 2015 1:11 pm
by chocolate
@aldaya, I don't have the attack performance for the capture in my last post, so I quickly did a new capture, which doesn't seem as pretty as the old waveform but still managed to extract all bits of the key except one. I'm guessing attack performance would depend on how well you can avoid noise.

New capture waveform and its performance attached.

Re: H-Field Probe

Posted: Wed Mar 29, 2017 7:13 am
by heelydavid
Thank you for sharing your idea on this particular topic

Re: H-Field Probe

Posted: Mon Jun 05, 2017 3:45 am
by ICRaidder
Can someone re-upload the pictures? It seems all attachment pictures are broken in this thread.
They could be useful as there is no H-Probe tutorial on the Wiki!

Thanks

Re: H-Field Probe

Posted: Tue Jun 06, 2017 3:57 am
by ICRaidder
OK, I will upload pictures; I successfully did the AES Xmega with the H-Field Probe.

Everything works perfectly, and I have been able to recover keys (random) with more traces, around 400-500.

Now I need to check whether I can lower the trace count by finding a better spot on the Xmega.

I will upload pictures of the setup + config used (step by step)

for people who want to try and are stuck on some details....

Re: H-Field Probe

Posted: Tue Jun 06, 2017 11:07 am
by coflynn
Oops - looking at fixing the forum, glad you had success! There is actually a newer H-Probe "tip" (not in the full tutorial section) at https://wiki.newae.com/H_Probe_Usage . Maybe we should be linking that into the tutorial section too then?

Re: H-Field Probe

Posted: Tue Jun 06, 2017 1:27 pm
by coflynn
Fixed attachments - thanks for catching! Moved the forum a few weeks ago and I thought those were working, but I guess not...

Re: H-Field Probe

Posted: Fri Aug 10, 2018 8:05 am
by Hello Friend
Sorry to necromancer this thread - I couldn't find many resources about how to practically do this, so I'd like to leave a contribution that hopefully helps someone someday.

I'm using a perfboard ATMega328p target with a PicoScope 2206B, an H-Field Probe and LNA (the ones from the newae store). I found the trick was to maximise the SNR by maximising the difference of average measured magnetic field between when the device is on, and when the device is off:
Image
and when the device is on:
Image
The setup is the h-field probe approximately 25% from the top of the ATmega328p target - it runs through an LNA, through a feed-through terminator and then to the scope.
Image

Tremendously oversampling helped as well: I used 128MS for a 16MHz target, resulting in an extremely clean result from correlation via Hamming weight of first round sbox result (yes, I know, not all the bytes are there :P). The thinking behind this is that I can't synchronise with my target's clock, so I just need to get enough detail to compensate.

You can clearly see the rounds of AES consistently across a larger number of samples:
Image
And the correlation result, based on the Hamming weight of the sbox output of the first round:
Image