Hey today I got my CW-Lite and I did the “Quickstart-Guide” but what’s the next step?
Can I do the basic and advanced tutorials with the CW-Lite?
I don’t have another target device.
I would appreciate your help!
My next step was running through the tutorials with the notduino target, which required some modifications. If you’re running with the builtin xmega target, you should be able to compile and run through some of the tutorials. I think that an update to those tutorials is coming soon, but in the meantime it doesn’t hurt to try. The code is stored under hardware/victims/firmware and requires the AVR toolchain to be installed. You’ll have to modify the makefile or specify the MCU and F_CPU in the make commandline. MCU should be atxmega16a4, and F_CPU should be set to match whatever you have in the CLKGEN Settings under OpenADC - otherwise you’ll never get the thing to communicate. If you’re having trouble getting a working serial connection, solder header pins to the TXD, RXD, 3V3 and GND holes on the XMEGA target board, and then connect those pins to a 3.3V USB serial cable/adapter. Then you can try connecting to it with various baud rates to see if anything happens.
The tinysecureboot tutorial has a pre-built .hex file for the atmega-328p, so that won’t work unmodified. I don’t know how easy it is to compile, but I ran into other problems getting that to work even on the notduino target. I haven’t gone through any of the advanced tutorials, but at first glance it seems likely that they’ll work - you just have to make sure that you compile with the right MCU and that you adjust the compile-time clock settings so that the target is set to receive clock from the CWL and knows what frequency it’s running at.
If you’re wondering where the XMEGA programmer is, you can run an XMEGA setup script under project/example scripts. Alternatively, do this:
In the “General Settings” tab, set “Scope Module” to be ChipWhisperer/OpenADC.
Next, in the “Scope Settings” tab, under “OpenADC Interface” set “connection” to “ChipWhisperer Lite”
Now, under the tools menu you’ll see the CW-Lite XMEGA Programmer and CW-Lite AVR Programmer menu options.
I can see why it was done this way, but it’s certainly not intuitive as interfaces go.
Once you get comfortable building, testing, and hacking code on the XMEGA target, the next step would be to break apart the board and try it on something else. For example get a few $2 3.3V arduino clones on eBay. You could buy/build the differential probe described in the docs, or have a simple probe where you connect the “measure” SMA connector to a target, with ground connected directly and 3V3 connected through a resistor. It looks like the notduino target board uses a 100Ω resistor.
Hope this helps!
Thanks a lot! Very helpful 
No problem.
I’d like to take back my suggestion about attacking an off-the-shelf arduino though. It’s very hard to access the clock signal, and without that, measurements seem very noisy. I also tried putting an atmega328p on a breadboard and interfacing that with the CWL - it’s sorta working, but again the measurements are a little noisy so the attack doesn’t complete. If I manage to get that working I’ll post a howto.
Back from DEFCON, so will be working on the updated tutorials now! This will let you work through everything else (bootloader, PIN code, attacks, etc).
As another note: if you want to attack a micro on a breadboard, just some notes:
Check out this old whitepaper I wrote, page 14 has details of how to add appropriate filters on the power supply lines: media.blackhat.com/ad-12/O’Flyn … ynn-WP.pdf
It should work like that anyway, I haven’t tested it yet but can do so!
Colin - thanks for the paper. I’ll take a look. Meanwhile, I’ve documented my progress so far here:
https://github.com/microcontroller/cwl-projects/wiki/Breadboard-Notduino
It seems to work well enough on the basic AES attack.
Awesome work! Thanks for keeping it updated, very happy to see people experimenting more with this