Getting multiple outlier traces in Lab 2_1B with CW Husky

Embedded Security
1

Hi, I just got a CW Husky and I’m having trouble with Lab 2_1B Power Analysis for Password Bypass:
It looks like I’m getting trace data but when looping over the different starting characters there seem to be more than one outlier trace.

Screenshot from 2024-11-01 09-12-13
Screenshot from 2024-11-01 09-12-131920×1572 163 KB

a diff = 200.973876953125
b diff = 8.554931640625
c diff = 201.120361328125
d diff = 200.453369140625
e diff = 200.125732421875
f diff = 200.62158203125
g diff = 200.98779296875
h diff = 57.1396484375
i diff = 201.669677734375
j diff = 201.0048828125
k diff = 200.736083984375
l diff = 8.414306640625
m diff = 8.871337890625
n diff = 8.3193359375
o diff = 8.453369140625
p diff = 8.229248046875
q diff = 8.54052734375
r diff = 199.622314453125
s diff = 8.826904296875
t diff = 200.06494140625
u diff = 200.155517578125
v diff = 199.726318359375
w diff = 199.7509765625
x diff = 8.260498046875
y diff = 8.615234375
z diff = 200.3095703125
0 diff = 199.6533203125
1 diff = 8.590087890625
2 diff = 7.882568359375
3 diff = 8.38134765625
4 diff = 200.297607421875
5 diff = 8.28515625
6 diff = 201.39501953125
7 diff = 8.7666015625
8 diff = 8.34716796875
9 diff = 8.536865234375

Which character’s trace has an outlier seems to vary with each run. The H trace difference is usually around 50 something or 220 so it is different from the others which are ~8 or ~200 but it looks like I’m getting some random noise on most of the traces.

Setup is (I also tried CW308_SAM4S with no difference):

SCOPETYPE = 'OPENADC'
PLATFORM = 'CWHUSKY' # 'CW308_SAM4S'
SS_VER = 'SS_VER_2_1'
%run "../../Setup_Scripts/Setup_Generic.ipynb"

Im on Ubuntu Linux and followed the Quick installation instructions Linux Installation — ChipWhisperer 5.7.0 documentation, except that I switched to the master branch since the default branch doesn’t seem to have the udev rules file in hardware/50-newae.rules as described there.

Not sure what I’m doing wrong, sorry if I’m overlooking something obvious, I’m new to this.

Any help would be greatly appreciated!

2

Have you compared your attack code to the solution?

3

I did try to run the solution .ipynb and also get the issue there, with slightly different results.

Screenshot from 2024-11-01 18-41-46
Screenshot from 2024-11-01 18-41-461920×1572 109 KB

Note that I had to add “SS_VER = ‘SS_VER_2_1’” in the setup options of the solution otherwise I’d always get Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid..

The final cell also doesn’t work and just seems to give a random result:

y
yl
yla
ylak
ylakd
4

Hmm, not sure what the issue could be then. The solution works for me.
It shouldn’t be necessary to set SS_VER, but either the default or SS_VER_2_1 are fine…

If you run the following, do you get “Access granted”?

reset_target(scope)
print(target.read())
target.write('h0px3\x00\n')
time.sleep(0.5)
print(target.read())
5

I do:

PASSWORD FAIL
*****Safe-o-matic 3000 Booting...
Aligning bits........[DONE]
Checking Cesium RNG..[DONE]
Masquerading flash...[DONE]
Decrypting database..[DONE]


WARNING: UNAUTHORIZED ACCESS WILL BE 
Access granted, Welcome!
6

Hmm, I tried looking at individual traces of the same request cw.plot(cap_pass_trace("x\n")[0:1000])
sometimes they look like this:

bokeh_plot
bokeh_plot2526×1894 601 KB

and sometimes like this:

bokeh_plot(1)
bokeh_plot(1)2526×1894 489 KB

or in the same plot:

bokeh_plot_overlay
bokeh_plot_overlay2526×1894 653 KB

they start out the same but start to diverge at the end.

trying in a loop and getting the difference:

import numpy as np
trace1 = cap_pass_trace("x\n")[0:1000]
for x in range(0, 100):
  trace = cap_pass_trace("x\n")[0:1000]
  diff = np.sum(np.abs(trace - trace1))

  print("{:1} diff = {:2}".format(x, diff))

0 diff = 30.346435546875
1 diff = 4.111083984375
2 diff = 30.052001953125
3 diff = 3.57275390625
4 diff = 3.726806640625
5 diff = 3.646484375
6 diff = 3.75390625
7 diff = 30.795166015625
8 diff = 3.751708984375
9 diff = 30.119140625
10 diff = 3.77392578125
11 diff = 3.86376953125
12 diff = 30.94970703125
13 diff = 30.366943359375
14 diff = 3.855712890625
15 diff = 3.71923828125
16 diff = 3.74853515625
17 diff = 3.69970703125
18 diff = 30.900146484375
19 diff = 30.825439453125
20 diff = 30.72314453125
21 diff = 30.712646484375
22 diff = 3.7470703125
23 diff = 30.985107421875
24 diff = 30.756591796875
25 diff = 3.80224609375
26 diff = 30.82421875
27 diff = 30.861572265625
28 diff = 30.8935546875
29 diff = 30.646484375
30 diff = 30.99072265625
31 diff = 3.815673828125
32 diff = 3.675537109375
33 diff = 30.611328125
34 diff = 30.8564453125
35 diff = 3.873291015625
36 diff = 30.878662109375
37 diff = 3.95654296875
38 diff = 30.713134765625
39 diff = 3.810546875
40 diff = 30.570068359375
41 diff = 3.741943359375
42 diff = 30.9423828125
43 diff = 30.78466796875
44 diff = 30.8447265625
45 diff = 3.65185546875
46 diff = 3.912353515625
47 diff = 3.760498046875
48 diff = 30.25390625
49 diff = 30.87890625
50 diff = 30.736328125
...

Looks like it randomly switches between the two for some reason.
I’ll try to do the whole setup on a Windows machine next to rule out any setup related issues.

7

It may be a compiler optimization issue, not an OS issue.
I think you’ve run into exactly this issue: SAM4S target weird behaviour with HUSKY

Sorry I didn’t think of it until now! If you switch to the CW develop branch, you’ll get the fix.

8

That fixed it, thank you for your help.