Discussions of performing power analysis, techniques, implementations, etc. Does not need to use ChipWhisperer.
#408 by coflynn
Wed Aug 19, 2015 9:31 pm
Awesome! Yeah that waveform looks to have some "peaks" which is a good sign!

The H-Field probe is a little more "magic" as the waveform doesn't look nice an repeatable like it does with the shunt. But the data is there underneath the noise, so you just have to trust the math to get it out ;-)
#414 by aldaya
Fri Aug 28, 2015 4:28 am
@chocolate, could you share the attack performance using the h-probe ?
#432 by chocolate
Fri Sep 11, 2015 1:11 pm
@aldaya, I don't have the attack performance for the capture in my last post, so I quickly did a new capture, which doesn't seem as pretty as the old waveform but still managed to extract all bits of the key except one. I'm guessing attack performance would depend on how well you can avoid noise.

New capture waveform and its performance attached.
Attachments
performance.png
Attack performance
performance.png (26.2 KiB) Viewed 3989 times
newcapture.png
New waveform captured by H-probe
newcapture.png (26.61 KiB) Viewed 3989 times
#1406 by ICRaidder
Mon Jun 05, 2017 3:45 am
Is someone can re-upload picture ? Seems all attachements pictures are broken in this thread.
Can be usefull as there is no H-Probe tutorial on Wiki !

Thanks
#1417 by ICRaidder
Tue Jun 06, 2017 3:57 am
Ok i will upload picture, i successfully done the AES Xmega with H-Field Probe.

All works perfect, and i am been able to recovery keys ( random ) with more trace around ( 400-500 ).

Now need to check, if can lower trace number by spotting better area on Xmega.

Will upload picture about the Setup + config used ( Step by step )

For people who want to try and stuck with some details....
#1421 by coflynn
Tue Jun 06, 2017 11:07 am
Oops - looking at fixing the forum, glad you had success! There is actually a newer H-Probe "tip" (not in the full tutorial section) at https://wiki.newae.com/H_Probe_Usage . Maybe we should be linking that into the tutorila section too then?
#1424 by coflynn
Tue Jun 06, 2017 1:27 pm
Fixed attachments - thanks for catching! Moved the forum a few weeks ago and I thought those were working, but I guess not...
#2074 by Hello Friend
Fri Aug 10, 2018 8:05 am
Sorry to necromancer this thread - I couldn't find many resources about how to practically do this, so I'd like to leave a contribution that hopefully helps someone someday.

I'm using a perfboard ATMega328p target with a PicoScope 2206B, an H-Field Probe and LNA (the ones from the newae store). I found the trick was to maximise the SNR by maximising the difference of average measured magnetic field between when the device is on, and when the device is off:
Image
and when the device is on:
Image
The setup is the h-field probe approximately 25% from the top of the ATmega328p target - it runs through an LNA, through a feed through terminator and then to the scope.
Image

Tremendously oversampling helped as well: I used 128MS for a 16Mhz target, resulting in an extremely clean result from correlation via hamming weight of first round sbox result (yes, I know, not all the bytes are there :P). The thinking behind this is that I can't synchronise with my target's clock, so I just need to get enough detail to compensate.

You can clearly see the rounds of AES consistently across a larger number of samples:
Image
And the correlation result, based on the hamming weight of the sbox output of the first round:
Image

Who is online

Users browsing this forum: No registered users and 0 guests