Sorry to necromancer this thread - I couldn't find many resources about how to practically do this, so I'd like to leave a contribution that hopefully helps someone someday.
I'm using a perfboard ATMega328p target with a PicoScope 2206B, an H-field probe and LNA (the ones from the NewAE store). I found the trick was to maximise the SNR by maximising the difference in the average measured magnetic field between when the device is off:
[scope capture: device off]
and when the device is on:
[scope capture: device on]
The setup is the H-field probe approximately 25% from the top of the ATmega328p target; it runs through an LNA, through a feed-through terminator and then to the scope.
Tremendously oversampling helped as well: I used 128 MS for a 16 MHz target, resulting in an extremely clean result from correlation via the Hamming weight of the first-round S-box output (yes, I know, not all the bytes are there). The thinking behind this is that I can't synchronise with my target's clock, so I just need to get enough detail to compensate.
You can clearly see the rounds of AES consistently across a larger number of samples:
And the correlation result, based on the Hamming weight of the S-box output of the first round:
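As an added example (not code from the original post, nor from the NewAE/ChipWhisperer project), here is the first-round S-box Hamming-weight correlation described above, carried through on constructed synthetic traces so it runs offline without a scope. The key byte 0xA7, the Gaussian noise level, the trace count and the sample index at which the leak sits are assumptions for the demo; with real captures the `traces` list would come from the scope and `make_traces` would not be needed. The key-rank output is the number a practitioner watches while deciding whether the oversampling and probe placement give enough detail: rank 0 means the correct byte already tops the 256 candidates.

```python
"""
Added example: correlation power analysis (CPA) on the Hamming weight of the
first-round AES S-box output, run on constructed synthetic traces.
Standard library only.
"""
import random

# --- AES S-box, generated from GF(2^8) inversion plus the affine map (FIPS-197) ---
def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a):
    """Multiplicative inverse as a^254 (the inverse of 0 is defined as 0)."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r if a else 0

def _make_sbox():
    def rotl(b, k):
        return ((b << k) | (b >> (8 - k))) & 0xFF
    box = []
    for x in range(256):
        b = _gf_inv(x)
        box.append(b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63)
    return box

SBOX = _make_sbox()

def hamming_weight(v):
    return bin(v).count("1")

def make_traces(n, key_byte, noise_sd, rng, n_samples=8, leak_index=3):
    """Constructed traces (assumption, stands in for scope captures): the sample at
    `leak_index` carries HW(SBOX[pt ^ key]) plus Gaussian noise; every other sample
    is pure noise, standing in for unrelated activity on the device."""
    pts, traces = [], []
    for _ in range(n):
        pt = rng.randrange(256)
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        trace[leak_index] += hamming_weight(SBOX[pt ^ key_byte])
        pts.append(pt)
        traces.append(trace)
    return pts, traces

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5

def cpa_first_round(pts, traces):
    """For each of the 256 key-byte guesses, correlate the hypothesised
    HW(SBOX[pt ^ guess]) against every sample column; the guess whose peak
    |correlation| is highest is the recovered key byte.
    Returns (best_guess, peak_corr_per_guess, sample_index_of_best_peak)."""
    n_samples = len(traces[0])
    columns = [[t[i] for t in traces] for i in range(n_samples)]
    peaks, peak_pos = [], []
    for guess in range(256):
        hyp = [hamming_weight(SBOX[pt ^ guess]) for pt in pts]
        corrs = [abs(pearson(hyp, col)) for col in columns]
        best_i = max(range(n_samples), key=lambda i: corrs[i])
        peaks.append(corrs[best_i])
        peak_pos.append(best_i)
    best = max(range(256), key=lambda g: peaks[g])
    return best, peaks, peak_pos[best]

def key_rank(peaks, true_key):
    """0 means the true key byte scored highest; larger means more traces are needed."""
    return sum(1 for p in peaks if p > peaks[true_key])

def demo(n_traces=300, key_byte=0xA7, noise_sd=1.0, seed=1):
    """Assumed demo parameters; returns (recovered_byte, rank_of_true_byte, leak_sample)."""
    rng = random.Random(seed)
    pts, traces = make_traces(n_traces, key_byte, noise_sd, rng)
    best, peaks, where = cpa_first_round(pts, traces)
    return best, key_rank(peaks, key_byte), where

if __name__ == "__main__":
    best, rank, where = demo()
    print(f"recovered key byte 0x{best:02X}, rank {rank}, peak at sample {where}")
```

The S-box is generated rather than pasted so the block stays short and self-checking (0x00 maps to 0x63, 0x53 to 0xED as in FIPS-197). On real captures from an unsynchronised clock, the same `cpa_first_round` is what the oversampled trace is fed into: the extra samples simply widen `columns`, and the peak position reported tells you where in the trace the first-round S-box write is landing.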