Attacking Spartan7

Hi Guys

I have a Spartan7 dev board, the SP701. It has a current sense resistor (0.004) on the VCCINT line. I measure with a diff probe on this resistor.

I ported the Spartan6 project to this board and it works fine.
AES is clocked at 25MHz.

I receive such traces:

But I cannot crack a single byte with my setup.

Questions:

  1. Is such a resistor enough for power analysis?
  2. How can I improve to crack something?

Hi,
I’m not familiar with this particular board, but likely the presence of decoupling capacitors is hindering the quality of your measurements. Also, the shunt resistor having a very small value will lead to more noise in your measurements. For comparison, our CW305 Artix7 board can be ordered with a shunt resistor of 0.1, 0.25, or 0.5 ohms.

Jean-Pierre

Will it work without decoupling capacitors and with a bigger resistor?

I wish I could tell you but I haven’t used this board – maybe someone else has? Our CW305 was built to solve the problem that you’re trying to solve, so the best I can suggest is to study the CW305 schematic. I also don’t know anything about the MP5470 power management IC used by the Spartan dev board, and how it may be affected by the changes you may contemplate.
Jean-Pierre

Do you have any tips or things that you considered during CW305?
Is there a way that I can check if the SP701 power supply is okay for running without decoupling capacitors?

Hello,

You may be able to remove the decoupling caps on the FPGA side. But the noise is likely coming from the switching supply itself - these boards normally have pretty beefy switching supplies!

On the CW305 we add a bunch of filtering in front of the shunt resistor (which doesn’t make sense for the “normal” use-case, so it’s unlikely to have enough filtering on the SP701):

Removing the decoupling caps on the FPGA itself should give you an idea how strong the signal could look. Right now you are probably seeing almost fully just switching power supply noise.

However - you may find a magnetic field probe works better with the FPGA. I can’t guarantee it would remove the noise problem, but it naturally cuts out some low-frequency noise (switch-mode noise), and is less sensitive to just the voltage noise itself.

Hope this helps!

I’ve tried with HProbe with big success, thanks a lot!

Can you give us more details on how you attacked the Spartan 7 dev board?
I’m actually trying to attack an ML605 with Virtex-6 but there isn’t the 20 pin simple serial connector that sends the trigger and random data to encrypt and data expected. How did you bypass the 20 pin connector?

I’ve built a new project in Vivado, copied all Verilog files from the Spartan6 project, and created a new constraints file with pin mappings.

I used the available PMOD header for clk_in, uart_tx, uart_rx and trigger.

The hardest part was to find a pin suitable for the clock line. I used the package view in Vivado and checked all pins connected to the PMODs. For SP701 it’s PMOD3.

Then I used jump wires to connect it to the ChipWhisperer.

I’ve configured the FPGA via JTAG.