Chip Whisperer Husky scope.glitch.output = 'enable_only' and 'glitch_only' Oscilloscope reading do not match up

Hello,

We have been experimenting with how voltage fault injection with the Chip Whisperer Husky works. We would like to perform attacks on a cheap microcontroller, but before that we simply wanted to check how the crowbar attack parameters affect the signal.

Our setup is simple, we connect the crowbar output of the CW Husky to its own target power and ground pins, on a breadboard and then we read that power plane with an oscilloscope. So we have this very simple code running on the Husky:

import chipwhisperer as cw

scope = cw.scope()
target = cw.target(scope)

scope.clock.fpga_vco_freq = 800000000
scope.clock.clkgen_freq = 16E6
scope.glitch.enabled = True
scope.glitch.clk_src = 'pll'
scope.glitch.output = 'enable_only' #
scope.glitch.trigger_src = 'manual'
scope.glitch.arm_timing = 'after_scope'
scope.glitch.offset = 0
scope.glitch.width = 2128
scope.glitch.num_glitches = 1
scope.glitch.repeat = [3]
scope.glitch.ext_offset = [1]
scope.io.target_pwr = True
scope.io.glitch_hp = True
scope.io.glitch_lp = False

assert scope.glitch.mmcm_locked

for i in range(10):
    scope.io.vglitch_reset(0.5)
    scope.glitch.repeat=i+1
    scope.glitch.manual_trigger()

It produces the following oscilloscope picture, which is as expected (with the sweeps showing the smaller repeat value glitches)

PXL_20260423_1248186911190×893 145 KB

Next we only change the line:

scope.glitch.output = 'glitch_only' #enable_only

This was the reason why we set up all other parameters in the first place, since as we understand it, with enable_only most of them do not make a difference. But here we have an offset of 0 and a full width so we essentially expect the glitch_only version of the code to produce the same type of trace on the oscillosope.

Yet there is seemingly no glitch produced and no traces trigger the oscilloscope (having the exact same settings). We have tried to rationalize, but we could not understand why this is the case. We attempted to add a 10k Ohm resistor between the crowbar output and the target power to act as pull-up, but that did not yield any difference in the oscilloscope. We did also try using scope.glitch.width = 1000 which is less than 50% since we read that otherwise it wraps around. This will inevitably not produce the same trace as before, but we were expecting to still see at least something triggering our oscilloscope.

We are pretty certain that we would need to use the glitch_only approach to perform our further attacks so it will be crucial for us to understand why this behaves as it does.

glitch_only and enable_only will always produce very different results, as the max width of glitch_only is half a clock cycle and the minimum width of enable_only is a full clock cycle. I also don’t recommend connecting the crowbar directly to the target power. You’re unlikely to cause damage to your Husky unless you set a very high repeat value, but it’s difficult for the Husky’s glitch transistor to pull the target power down like this.

I highly recommend going through our fault injection labs with an actual target and observing using your oscilloscope there instead of what you’re doing.

Hi Alex,

Thank you for the quick reply. We’ve gone through the fault injection labs and also tried observing the glitch on the SAM4S target, but we still can’t see any glitch_only waveform on the scope.

Could you help us understand what we might be doing wrong, or suggest a minimal setup where the glitch_only pulse is actually observable?

Thanks!

Couple of things you can do:

1. use the Trigger/Glitch MCX port (scope.io.glitch_trig_mcx) to monitor the glitch output. This is the signal that drives the glitch MOSFETs. You can do this with no target attached.
2. use our Husky glitch demo notebook. In the notebook we set some specific glitch parameters and sweep the width and offset, but you can set the glitch parameters however you would like; the notebook shows how to use scope.LA to visualize the resulting glitch shape and timing.