Hi,
I try to capture (for the first time) the power traces from a new chip.
I think my electrical setup is good but I still don’t get something that makes sense.
I’m wondering if I run the ADC fast enough (I don’t know the clock frequency on the target because it’s running a proprietary bootloader and uses an internal oscillator). I decided to clock the ADC at 100MHz but I get weird results. I may use the API the wrong way:
scope.default_setup()
print(scope.clock)
scope.clock.adc_src = "clkgen_x4"
scope.clock.clkgen_freq = 25000000
scope.clock.reset_dcms()
while scope.clock.clkgen_locked == False:
    print("wait")
print(scope.clock)
This gives me:
adc_src = clkgen_x4
adc_phase = 0
adc_freq = 94368759
adc_rate = 94368759.0
adc_locked = True
freq_ctr = 0
freq_ctr_src = extclk
clkgen_src = system
extclk_freq = 10000000
clkgen_mul = 2
clkgen_div = 26
clkgen_freq = 7384615.384615385
clkgen_locked = True
wait
wait
....
wait
wait
adc_src = clkgen_x4
adc_phase = 0
adc_freq = 94368759
adc_rate = 94368759.0
adc_locked = True
freq_ctr = 0
freq_ctr_src = extclk
clkgen_src = system
extclk_freq = 10000000
clkgen_mul = 25
clkgen_div = 96
clkgen_freq = 25000000.0
clkgen_locked = True
As you can see the clkgen_freq parameter changed but not adc_freq. Sometimes it changes and shows the good value, sometimes something incoherent…
Any clue?
Franck.
Hi Franck,
Try setting scope.clock.adc_src = "clkgen_x4" after you update the clock frequency. We cache some scope parameters and I think you’ve found a situation where we don’t read the actual value back when we should.
Alex
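A way to check a printed scope.clock dump for the mismatch described above, as an added example that is not part of the original thread or of ChipWhisperer's own code. It works on the text of the dump only, so it runs without hardware. Assumptions: the function names are hypothetical, and the 96 MHz "system" input clock is inferred from the two dumps (both mul/div pairs reproduce their clkgen_freq with it), not taken from documentation.

```python
# Added example: offline consistency check of a printed scope.clock dump.
# Assumption: clkgen_freq = input clock * clkgen_mul / clkgen_div, with the
# "system" input at 96 MHz (the value both dumps in the thread imply).
SYSTEM_CLK_HZ = 96_000_000
ADC_MULT = {"clkgen_x1": 1, "clkgen_x4": 4}  # ADC clock as multiple of CLKGEN

# Second dump from the thread (after requesting 25 MHz), copied verbatim.
DUMP_AFTER = """\
adc_src = clkgen_x4
adc_phase = 0
adc_freq = 94368759
adc_rate = 94368759.0
adc_locked = True
freq_ctr = 0
freq_ctr_src = extclk
clkgen_src = system
extclk_freq = 10000000
clkgen_mul = 25
clkgen_div = 96
clkgen_freq = 25000000.0
clkgen_locked = True
"""

def parse_dump(text):
    """Turn 'key = value' lines into a dict; numeric values become floats."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            try:
                fields[key.strip()] = float(value)
            except ValueError:
                fields[key.strip()] = value.strip()
    return fields

def check_clock(fields, tol=0.01):
    """Return the names of reported frequencies that contradict the settings."""
    bad = []
    if fields.get("clkgen_src") == "system":
        want = SYSTEM_CLK_HZ * fields["clkgen_mul"] / fields["clkgen_div"]
        if abs(fields["clkgen_freq"] - want) > tol * want:
            bad.append("clkgen_freq")
    mult = ADC_MULT.get(fields.get("adc_src"))
    if mult:
        want = mult * fields["clkgen_freq"]
        if abs(fields["adc_freq"] - want) > tol * want:
            bad.append("adc_freq")
    return bad

if __name__ == "__main__":
    print(check_clock(parse_dump(DUMP_AFTER)))
```

A flagged adc_freq only says the reported number disagrees with the configured one; measuring the clock with an oscilloscope is what tells you which of the two is right.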
Moving scope.clock.adc_src = "clkgen_x4" doesn’t change anything.
However, I looked at the clock with an oscilloscope and the frequency is correct. Good enough for me.
I still can’t see any pattern in the trace.
Could it be that the sampling frequency is too low?
Having a maximum sample rate at 105MSPS means we can only work on targets with a maximum frequency of 25MHz. Am I correct? I guess the bootloader I’m working on runs way faster than that.
I didn’t pay attention to the running frequency of the targets used in the courses and other writeups using the CW but 25MHz seems to be very low…
(I’m a bit off topic here, sorry).
Franck.
Yeah, it might be that the sampling frequency is too low. We usually run targets at 7.37MHz and the ADC at 4x that. Honestly, the 4x doesn’t make as much of a difference as you’d think - you gain a lot more by having your ADC clock be synchronized with the target clock. If you look at Fig. 1 of this paper (https://eprint.iacr.org/2013/294.pdf), you can see that, at least for this CPA attack, a synchronous 7.37MHz clock outperforms something 10x as fast running asynchronously.
We do have the ChipWhisperer-Husky coming out (ChipWhisperer-Husky | Crowd Supply), which has a 200MS/s ADC, but I think fast ADCs tend to get very expensive very quickly.
Alex
Thank you, interesting paper.
I see Colin and his associates have done a lot on the subject.
Every time I’m thinking about something I could do, there is a paper about it 
I guess I didn’t use the simplest target as a first real life experiment on power analysis.
Anyway, thanks for your help.
Franck.