Hello,
I still don't understand why glitch output mode (glitch_only) totally resets the CPU even if repeat is just 1, but enable_only with high repeat values can glitch the CPU, and resets it only sometimes (.repeat too high, or something else related to heat, countermeasures, etc.).
Also, I noticed on the CW Pro (1200) that .glitch_lp does nothing; by checking the PCB I noticed only 1 MOSFET, an IRF7807Z.
Apologies for the delay; between BlackHat trainings and vacations we've been lightly staffed.
Glitching can feel like black magic and there is no formula for it; this is why our glitch notebooks have you sweep a range of glitch parameters to find good ones. Sounds like you’re able to glitch your target – great!
glitch_lp doesn’t “do nothing”, but it can be less useful depending on the target. Again, with glitching it’s never one-size-fits-all. See When to use LP or HP glitch configuration.
No problem, understood.
Thanks. Yes, I am able to glitch, but I can't fine-tune the glitch (the same parameters where a glitch happened do nothing on the next glitch); also, small repeat values do nothing (I even removed most of the caps from the power rail). I tried offset, width, repeat.
But if it is possible, provide me with the time formula of the glitch: repeat, width, offset.
Thanks again.
It is possible that you have previously cooked the LP transistor; I have already burned it a few times in my cwlite and replaced it.
Does your target have a clock synchronised to the ChipWhisperer? If not, you shouldn't bother with glitch_only parameters at all and should always use the enable_only method for voltage glitches.
> but enable_only with a high repeat values can glitch cpu

In the enable_only option, the repeat parameter sets the width of the voltage glitch, and the ext_offset parameter sets the delay for starting the glitch from the trigger reference point. In your case, using this method with very wide glitches, you probably discharge the capacitors more. You should not proceed this way and you should remove these capacitors.
Quite often I use an external logic analyzer between the cwlite FPGA and the gate of the LP/HP MOSFET transistors, thanks to which I can see whether the glitch activation signal was sent to the transistor gate. I have diagnosed a burnt LP transistor more than once.