CWLITEARM Lab1_1B

I’m trying to use the CWLITEARM in order to do the AES loop skip glitch attack. However, it doesn’t work for any of the glitch_loc ranges from 300 to 340. I’ve tried to tweak the offset and width to no avail, and increased the range of the glitch_loc to far under and over 300 to no avail, since key_guess always remains empty. I don’t know what I am doing wrong, since I did change the round variable to be volatile as well. Therefore it should be within the range of 300 to 340 according to the tutorial and other forum threads as well, but for me it doesn’t seem to be working. Could someone help me with it please?

My settings are:

width = 2.75
offset = -12

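The attack this thread is about, modelled offline as an added example. This is not code from the ChipWhisperer lab or from any poster here, and the lab's own key_guess routine may be built differently. It assumes the fault model the lab targets: the glitch makes tiny-AES's `for (round = 1; round < Nr; ++round)` body never execute, so the target outputs AddRoundKey(k0) -> SubBytes -> ShiftRows -> AddRoundKey(k10). Given two or more faulted (plaintext, ciphertext) pairs under one key, XORing two outputs cancels k10 and leaves a differential equation in k0 that the S-box narrows to a few candidates per byte; the key schedule then confirms the single real key. Running the same routine on ciphertexts from unglitched runs returns nothing, which is the same kind of outcome as an empty key_guess: no key explains the outputs, so the captured run was not a loop skip. The key, plaintexts, and all helper names are constructed for the example.

```python
"""AES round-loop-skip fault model and key recovery (added example, not lab code).

Assumed fault: the tiny-AES round loop body never runs, so the device computes
AddRoundKey(k0) -> SubBytes -> ShiftRows -> AddRoundKey(k10).
"""
import itertools
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _make_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; special-cased
    return sbox


SBOX = _make_sbox()
# Flat 16-byte state, column-major like tiny-AES: byte i sits at row i % 4, column i // 4.
# SHIFT_SRC[i] is the index ShiftRows copies into output position i.
SHIFT_SRC = [4 * ((i // 4 + i % 4) % 4) + i % 4 for i in range(16)]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    return [s[j] for j in SHIFT_SRC]


def _xtime(a):
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF


def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out


def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(pt, key, loop_skipped=False):
    """tiny-AES Cipher() structure; loop_skipped=True models the fault."""
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]
    if not loop_skipped:
        for r in range(1, 10):
            s = [a ^ k for a, k in zip(mix_columns(shift_rows(sub_bytes(s))), rk[r])]
    s = shift_rows(sub_bytes(s))
    return [a ^ k for a, k in zip(s, rk[10])]


def recover_key(pairs):
    """Recover the key from >= 2 (pt, faulted ct) pairs, or None if none fits.

    Under the model ct[i] = SBOX[pt[j] ^ k0[j]] ^ k10[i], j = SHIFT_SRC[i].
    XORing two outputs removes k10[i]; the S-box differential leaves few
    candidates for k0[j], and a full key-schedule check picks the real key.
    """
    pt0, ct0 = pairs[0]
    by_pos = [None] * 16            # candidate list per key byte position j
    for i in range(16):
        j = SHIFT_SRC[i]
        ok = [k for k in range(256)
              if all(SBOX[pt0[j] ^ k] ^ SBOX[pt[j] ^ k] == ct0[i] ^ ct[i]
                     for pt, ct in pairs[1:])]
        if not ok:
            return None
        by_pos[j] = ok
    for key in itertools.product(*by_pos):
        key = list(key)
        if all(aes128_encrypt(pt, key, loop_skipped=True) == list(ct) for pt, ct in pairs):
            return key
    return None


def demo(n_pairs=4, seed=1):
    """Constructed data: random key/plaintexts; returns (key, from_faulted, from_normal)."""
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(16)]
    pts = [[rng.randrange(256) for _ in range(16)] for _ in range(n_pairs)]
    faulted = [(pt, aes128_encrypt(pt, key, loop_skipped=True)) for pt in pts]
    normal = [(pt, aes128_encrypt(pt, key)) for pt in pts]
    return key, recover_key(faulted), recover_key(normal)


if __name__ == "__main__":
    key, from_fault, from_normal = demo()
    print("key:", bytes(key).hex(), "| recovered:", from_fault == key, "| from unglitched:", from_normal)
```

The differential step needs at least two faulted outputs with different plaintexts; a single pair leaves every key byte with two symmetric solutions, which is why a routine of this shape cannot return a full key from one capture unless it exploits something extra. Four captures are plenty here because each additional pair rejects a wrong candidate with probability close to one.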

I still haven’t found out what’s going wrong. Is it just not possible to perform the attack? There are some locations which let key_guess have a single byte instead of being completely empty, but I doubt that’s the solution, since according to the tutorial the full key should be returned. Is there anyone who might be able to help me please?

Are you able to see the target skipping to the last round in the power trace? That’s a much better way to determine if you’re getting the correct glitch.

No, unfortunately the power traces all essentially look the same. In another thread I saw what a glitched power trace looks like and also at what range it would be supposed to occur, but unfortunately here it still doesn’t look like this even with these settings. It just looks like the regular power trace (c64’s one).

In that case, I’d probably recommend expanding your ext_offset search a bit, as different compiler versions can move the spot around quite a bit. For reference, I’m pretty sure when I originally wrote up the tutorial, the correct glitch spot was much earlier (around 170).

Alex

For glitch_loc 165 the trace looks like this:


And this is what key_guess contains


(had to make 2 replies because I couldn’t put two images in one reply)

Is this supposed to happen? It seems like an incomplete glitch to me, since the whole key isn’t guessed. I found this with ext_offset 31.

For which width and offset values did you get this result? I’ve been using width 3 and offset -12 so far. I’m using the ChipWhisperer lite with the ARM target by the way.

Also, my ext_offset is usually the same as the glitch_loc by default, but for ext_offset = 31 I tend to get very consistent power traces like the one I just sent. When looking for other ext_offset values they’re usually the same power trace up until around 100, after which the trace is the same as normal AES execution.

It’s still not working for me. I do get a lot of glitches that give power traces which look a lot like the one I posted if I have ext_offset 31, but key_guess remains empty… I don’t really know how to further approach this problem, or whether the problem lies in the location, ext_offset, or both. Initially ext_offset is set to the same value as glitch_loc; am I supposed to look around this range or start from 0? I seem to get very consistent glitches when I set ext_offset to 31 anyway, but the result is always the same.

I do recall that one being pretty tricky to glitch. If you’re not able to get it, I’d recommend just skipping ahead to 1_3, as that one is much easier on the glitching end and a more realistic attack, but is more complicated on the theory end.

Alex

Around what location would you advise looking with this one? I would still really like to complete it. And what other settings would you advise tweaking (e.g. width or offset)?

Last time I did the lab, I got it to work with the settings from that other thread you linked.

I’d say tweak width/offset (maybe grab some other locations that worked well for fault101/lab 1). That 30 ext_offset sounds too early to be the right spot.

Alex