CW Lite - crowbar circuit question

I am using CW lite to test voltage glitching on an STM32G0 microcontroller. I’ve set up a really basic test circuit with 10 ohms shunt resistor, and the CW connected to the board via a coaxial cable. Currently I am able to glitch the target somewhat successfully, but I’d like to ask a few questions.

The picture below shows a capture of a glitch without the target being in the circuit. The glitch shape is fairly distinct.

The second image show the same glitch issued when the target is in place. No external components are added to the circuit:

Now the crowbar circuit cannot pull the rail to ground; that only happens at the end of the glitch. The MCU gets reset though. Here are my scope settings:

cwlite Device
fw_version = 
    major = 0
    minor = 50
    debug = 0
gain = 
    mode = high
    gain = 30
    db   = 24.8359375
adc = 
    state          = True
    basic_mode     = rising_edge
    timeout        = 2
    offset         = 0
    presamples     = 0
    samples        = 5000
    decimate       = 1
    trig_count     = 1040748980
    fifo_fill_mode = normal
clock = 
    adc_src       = clkgen_x1
    adc_phase     = 0
    adc_freq      = 99999996
    adc_rate      = 99999996.0
    adc_locked    = True
    freq_ctr      = 0
    freq_ctr_src  = extclk
    clkgen_src    = system
    extclk_freq   = 10000000
    clkgen_mul    = 25
    clkgen_div    = 24
    clkgen_freq   = 100000000.0
    clkgen_locked = True
trigger = 
    triggers = nrst
    module   = basic
io = 
    tio1         = serial_rx
    tio2         = serial_tx
    tio3         = high_z
    tio4         = high_z
    pdid         = high_z
    pdic         = high_z
    nrst         = high_z
    glitch_hp    = True
    glitch_lp    = False
    extclk_src   = hs1
    hs2          = clkgen
    target_pwr   = True
    tio_states   = (0, 0, 1, 0)
    cdc_settings = bytearray(b'\x00\x00\x00\x00')
glitch = 
    clk_src     = clkgen
    width       = 48.828125
    width_fine  = 0
    offset      = 10.15625
    offset_fine = 0
    trigger_src = manual
    arm_timing  = after_scope
    ext_offset  = 101
    repeat      = 100
    output      = enable_only

I’d like to know what could be causing that behavior, and if there’s a way for rectifying it. I will also use the topic for asking a few other things:

  • What is the difference between glitch_hp and glitch_lp, and more importantly, what factors should we concider when selecting one or the orher?
  • Can they be used simultaneously?

Thanks

That’s to be expected; see for example: GLITCHOUT waveform is not in square shape and doesn't fully drive the MOSFET

glitch_hp and glitch_lp control which of two MOSFETS are used to pull Vcc to ground; they can be used individually, or together. Maybe the schematic can help understand: https://github.com/newaetech/chipwhisperer/blob/develop/hardware/capture/chipwhisperer-lite-32bit/cw-lite-arm-main.pdf

Jean-Pierre

Hi Jean-Pierre,

Thank you for the clarification. I am actually more concerned about the fact that the Vcc rail is not pulled to ground in the beginning of the glitch in the second picture (with the MCU in place).

The glitch width is set to 100 * 1/100E6 = 1 uS. In the first picture (no MCU in circuit), we can see that in the beginning of the glitch the voltage rail is pulled to ground immediately, and in the end of the glitch there’s a distinct oscillation.

In the second picture, we see that the MOSFET tries to pull the rail to ground, but it only succeeds pulling it to about 2.2 volts, and the voltage then steadily decreases until the MOSFET releases the line; there’s that distinct oscillation again, where the voltage actually goes below 0 volts. I am not sure why the voltage is not pulled to ground in the beginning of the glitch. The only difference is that the MCU is in place - with no external capacitors.

I am thinking that, given that the glitch hardware cannot pull the Vcc rail to ground, all I am going to achieve is eventually reset the target when the voltage falls below 1.7 V, which is the MCU’s power-on reset threshold.

Also, can you please explain what is the difference bentween enable_only and glitch_only options for glitch.output, and how a decision between these should be made, when we’re doing voltage glitching.

With glitch_only, the glitch output is as determined by the offset and width settings, for the requested number of glitches (specified by repeat). So you get repeat glitch pulses.

With enable_only, the glitch output is a single continuous pulse of repeat clock cycles. The width and offset settings have no effect on the pulse shape.

As for the rest, how close to ground ChipWhisperer is able to pull Vcc will depend on the target. Even with no external capacitors, the target will be some internal capacitance, as will the cable you use. Just changing the cable can have a noticeable effect on the glitch.

Jean-Pierre