Error inPA_HW_CW305_1-Attacking_AES_on_an_FPGA attack

Hi,
I’m trying to run the PA_HW_CW305_1-Attacking_AES_on_an_FPGA attack. I’m at the trace capture step and am getting this error:
AssertionError Traceback (most recent call last)
Input In [8], in <cell line: 17>()
26 print(“Failed capture”)
27 continue


Any advice appreciated.
Thanks,
Michael

Hi Michael,

Can you try adding target.simpleserial_write('k', key) in the line after cipher = AES.new...?

Alex

Hi Alex,
Doing that didn’t make any difference. Same error. I wonder if there’s something wrong with the way I set things up. ?

Thanks,
Michael

Hi Michael,

Just to confirm, is everything default here? The check that’s failing here is that the encryption gives the correct result. Also, can you tell me what shunt resistor value is on your CW305 (R2, between the two SMA connectors, just the numbers on the resistor is fine).

Alex

Hi Alex,
Yes, all defaults. I didn’t change anything out of the box the board came from and I checked and believe it’s setup correctly. I looked and I see resistors R27 and R31 as in below picture (in between those gold SMas) but no R2. It’s really hard to see what the numbers on the resistor are.


Thanks,
Michael

Sorry wrong image. This is the right onw

I’m curious about your second-last screenshot, what are you showing here? Are you using our default CW305 AES bitfile or did you re-build it?
Jean-Pierre

sorry that was a totally unrelated screen shot. I copy/pasted the wrong image. Please ignore

Can you run this? It will verify whether we can read/write FPGA registers reliably:

import random
for i in range(100):
    k = []
    for b in range(16):
        k.append(random.randint(0,255))
    target.fpga_write(0xa, k)
    for j in range(10):
        readback = list(target.fpga_read(0xa, 16))
        assert k == readback

R27 is the shunt resistor. If you can’t read its markings, can you get its value from a multimeter?

Finally, are you running the FPGA at the default 10 MHz?

Thanks for all the assistance. I will not have access to my hardware for a week or so. I’ll pick back the effort then and follow up with answers.
Michael

Hi,
I ran the code in a cell just below the one with the incorrect encryption error. Result:


I measured the R27 shunt resistor with a meter and got essentially 0 ohms
I’m not sure how to check if it’s running at 10Mhz but certainly didn’t deliberately change anything. Finally the two vo

Sent before I finished. Finally, the two board’s LEDs look like below. Is that how they should look?
Thanks,
Michael

I can’t tell from the picture- two LEDs (one red, one green) between the FPGA and the SMA connector should be flashing in a pattern (red one a bit faster than the green one), and the red LED next to the Atmel part should also be flashing.

Since that additional test fails, we know there is a problem with writing to and/or reading from the FPGA.
Could you re-run this modified version, to see if it fails straight away, and how:

import random
for i in range(100):
    k = []
    for b in range(16):
        k.append(random.randint(0,255))
    target.fpga_write(0xa, k)
    for j in range(10):
        readback = list(target.fpga_read(0xa, 16))
        assert k == readback, 'failing at i=%d, j=%d\nwrote=%s\nread =%s' % (i,j,k,readback)

Nothing else will work well unless we fix this. One possibility is the clock. If you run scope.clock you should get:

adc_src       = extclk_x4
adc_phase     = 0
adc_freq      = 40001724
adc_rate      = 40001724.0
adc_locked    = True
freq_ctr      = 10000431
freq_ctr_src  = extclk
clkgen_src    = system
extclk_freq   = 10000000
clkgen_mul    = 2
clkgen_div    = 1
clkgen_freq   = 192000000.0
clkgen_locked = True

In particular, scope.clock.freq_ctr should be approximately 10e6, since earlier in the notebook you would have set the CW305’s on-board PLL to 10e6:
target.pll.pll_outfreq_set(10E6, 1)
So one possibility is that this PLL isn’t working correctly.

Can you confirm that you’re running the unmodified AES target bitfile from your ChipWhisperer installation?

Next, what version of CW are you running? (run cw.__version__). The latest is 5.6.1.

What’s the firmware version running on your CW305? Run target.fw_version_str. Latest is 0.53.0

Finally, what does target.get_fpga_buildtime() return? (this likely won’t make sense since reading/writing the FPGA doesn’t seem to work, but I’m curious).

Yes, Red LED near Atmel flashing. And red LED near SMA flashing faster than green one.

Result of new code:

scope.clock looks similar to what you posted
image

I have not intentionally modified the bitfile.
CW version: 5.6.1
firmware version: 0.51.0–Does it need to be upgraded to 0.53?
`target.get_fpga_buildtime() returns: 10/7/2020, 13:43
Thanks!
Michael

I don’t think this should matter but can you update the CW305 FW as per:

I upgraded the firmware and something a bit puzzling. I ran this
image
and get version 62
But then I re-ran the AES attack and it still says 0.51

image

Or does this mean I upgraded the Lite Board but not the CW305?

Yes that’s likely what happened- the notebook I pointed to has a cell which updates the scope firmware with scope.upgrade_firmware() (“scope” = CW-Lite/Pro/Nano); what you want is the one which mentions the 305 and has the target.upgrade_firmware() command. Sorry if this was unclear.