Glitch Connection Setup


#1

Hi,
I have been trying to perform glitching attacks under a system but after successfully connecting everything and having the target device running on the CWLite Clock I found out the CW303 CLK shorted with GND, any idea why have this happened?

The modifications I made can be seen on the following diagram dropbox.com/s/dvts2muhgknt1 … p.png?dl=0 :

  1. Cut the line on the target to remove the pcb clock source and soldered a wire to the CW303 R72 so both share the same clock signal. The input target tolerates up to 5V.
  2. I connected both boards CW303 and Target GNDs
  3. Connected Measure/Glitch input to the Target VCC

After successfully running the Target with this modification when I went back to program the CW303 XMEGA so I could trigger some process on the target system I realized that the UART wasn’t working and check the Clock signals, OK on the CWLite Side but ugly (Amplitude 700mV) on the Xmega PIN37. It turns out that the pin37 is now shorted with GND.

Was something wrong with my setup?

Cheers!


#2

It’s not totally clear to me what you have set up here. Do you have a 2-part ChipWhisperer Lite? In your diagram, is the “glitching target” the XMEGA that’s on the CW303 board? If so, you should be able to glitch the XMEGA without any changes - the glitch input is already connected to the target’s power supply. I don’t think that you need to short out R72 to make any of this work.

Basically, you should be able to follow the steps in https://wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks#Hardware_Setup, except that you’ll need to connect your CW-Lite to the target (through a 20-pin cable and 2 SMA cables).


#3

Thanks for the reply!

I apologize for not being clear enough. The setup is actually the following:

CW-LITE ==> CW303 ==> DEVICE

I didn’t connect the CW-LITE directly to the DEVICE since to actually being able to trigger the glitching I need to perform some operations over a specific protocol. So I connecter the Glitch/Measure ports directly to the Device and I got the TH2 signal and shared between the CW303 and DEVICE without any isolation, which might have been the problem, I guess.


#4

Aha, you’re using the CW303 to control a separate board. I get it now…

It sounds like there’s something wrong with the clock input on the target. Maybe you’re trying to clock the CW303’s XMEGA while the target isn’t powered? A clock magnitude of 700 mV suggests that there’s a diode clamp limiting the voltage.

As a side note, Micah Scott did something similar with Wacom tablets as her target. She had to make her own version of the CW303, but that’s only because she needed a USB link from the XMEGA. If you want some inspiration, you can see her video here: https://youtu.be/TeCQatNcF20


#5

Thank you, for your reply!

The problem is actually on the CW303 itself. After disconnecting from the Target device, the clock input on the CW303’s xmega is shorted with GND, not sure how this happened thou.

Yeah I looked at her setup and noticed the buffer she used to isolate the Clock from her control board. Since I ruined my CW303 I am building my own version based on her design, let’s hope I do it right this time.

Cheers


#6

Sorry to hear about your CW303 - make sure it gets a proper burial…

Good luck with your custom board!