Glitching manually: scope & triggering possibilities

Hi everyone,

I managed to attack an external target board with a power glitch using the CW308 & CW-Lite.

But now I would like to inject independently of the “trigger_high()” & “trigger_low()” tags. To perform the glitch in this way, I will use manual glitch triggering.

Indeed, as I can see in the documentation, the “ext_offset” argument is no longer usable in that case.

–About scope usage in manual glitch mode–

Is this API still available in manual glitch mode? Because I still use this part of the code after triggering my glitch, but the scope doesn’t seem to see anything.

Here is the part of my code used:

target.write("g\n")
ret = scope.capture()
val = target.simpleserial_read_witherrors('r', 4, glitch_timeout=10)

scope.io.glitch_hp = False
scope.io.glitch_hp = True
scope.io.glitch_lp = False
scope.io.glitch_lp = True

Here is the result it returned after each loop iteration:

WARNING:ChipWhisperer Scope:Trigger not found in ADC data. No data reported!
ERROR:ChipWhisperer Scope:Received fewer points than expected! 0 vs 5000

I checked that I generate the glitch thanks to my personal scope and that’s the case.

I would like to trigger the glitch on a precise timeout, but I didn’t find anything in the documentation.

–Timer triggering injection–
As I’m using manual glitch mode, I was wondering if there are some tips to accurately (~ nanoseconds to microseconds) delay after manually relaunching the code (such as RESET and/or the “g” letter in the case of a glitch loop)?

The purpose is to replace “ext_offset”.

Thanks for your reply!

Unfortunately this isn’t possible - you’re going to have a massive amount of jitter, likely in the order of seconds, introduced by the various layers between the Python code and your target. I’d recommend staying with ext_single output and instead triggering on the nRST or serial TX pins.

Alex

I’d recommend staying with ext_single output and instead triggering on the nRST or serial TX pins.

Yes, thank you, it’s a good idea in that case.

However, I was wondering if there’s a way to introduce several glitches separately during the same execution? (for example with ext_offset = 7 and ext_offset = 15). It would really help me.

Bad news: no.
Good news: this exact feature is being added to CW-Husky right now.

@jpthibault I believe I found a way to overcome this difficulty.

But I have to be sure “ext_continuous” works as I think it works.

If I enable the module to work in “ext_continuous” mode, how should I place my tags in the following code? (I would like to glitch the “cnt1” counter, then the “cnt2” counter in the same execution)

for (i = 0; i < 50; i++){
  for (j = 0; j < 50; j++){
    cnt1++;
  }
}

for (i = 0; i < 100; i++){
  for (j = 0; j < 100; j++){
    cnt2++;
  }
}

Both ext_single and ext_continuous require a trigger.
With ext_single, once the trigger event occurs, we wait scope.glitch.ext_offset cycles and then activate the glitch for scope.glitch.repeat cycles.
With ext_continuous, once the trigger event occurs, we wait scope.glitch.ext_offset cycles and then activate the glitch until the trigger is no longer active.

Both ext_single and ext_continuous require a trigger.

Indeed, but I found a solution to provide it to TIO4, which is the default trigger pin of the glitch module.

With ext_single , once the trigger event occurs, we wait scope.glitch.ext_offset cycles and then activate the glitch for scope.glitch.repeat cycles.

Yup

With ext_continuous , once the trigger event occurs, we wait scope.glitch.ext_offset cycles and then activate the glitch until the trigger is no longer active.

Indeed, but “ext_offset” is not a mandatory option.

What I would like is to glitch many times during the same embedded code execution. As I can’t insert many separate glitches for a single code execution with the CW-Lite glitch module, I will proceed differently. I will use another real-time board clocked at the same speed as the glitch module frequency and trigger a pin at different moments. Obviously, the pin will be connected to TIO4. In fact, from this other board, I will provide the trigger input awaited by the glitch module.

From that, I just have one question. How do I use the “ext_continuous” glitch mode? That’s the reason I provided an example, to understand all my possibilities well.

And so, from the example in my last message, do these modifications work?
(I would like to glitch 2 times for a single execution)

trigger_high(); // signal coming from my other board
for (i = 0; i < 50; i++){
  for (j = 0; j < 50; j++){
    cnt1++;
  }
}

trigger_low(); // I cut the glitch module just after having enabled it

trigger_high(); // same as below
for (i = 0; i < 100; i++){
  for (j = 0; j < 100; j++){
    cnt2++;
  }
}
trigger_low(); // same as below

Is it feasible with “ext_continuous” mode?

Thanks for your reply!

I’m replying to my own post. Indeed, it’s possible to trigger many times in the same code execution thanks to the “ext_continuous” glitch mode.
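
The two trigger modes described in this thread, as a small cycle-level model applied to a two-pulse trigger like the one fed to TIO4 (an added example, not code from the thread or from ChipWhisperer). The waveform and the function names are constructed, and the one-glitch-per-arm behaviour of ext_single is an assumption taken from the replies above; real hardware timing may differ by a cycle.

```python
def glitch_cycles(trigger, mode, ext_offset=0, repeat=1):
    """Return the clock-cycle indices where the glitch output is active.

    trigger: 0/1 level of the trigger line, one entry per glitch-clock cycle.
    Simplified model built only from the mode descriptions in the thread.
    """
    active, prev, fired = [], 0, False
    for t, level in enumerate(trigger):
        rising = bool(level) and not prev
        prev = level
        if not rising:
            continue
        start = t + ext_offset            # wait ext_offset cycles after the edge
        if mode == "ext_single":
            if not fired:                 # assumption: one glitch per arm
                stop = min(start + repeat, len(trigger))
                active.extend(range(start, stop))
                fired = True
        elif mode == "ext_continuous":
            end = t                       # glitch lasts until the trigger drops
            while end < len(trigger) and trigger[end]:
                end += 1
            active.extend(range(start, end))
        else:
            raise ValueError(f"unknown mode: {mode}")
    return active


def windows(cycles):
    """Collapse sorted cycle indices into (first, last) glitch windows."""
    out = []
    for c in cycles:
        if out and c == out[-1][1] + 1:
            out[-1] = (out[-1][0], c)
        else:
            out.append((c, c))
    return out


# Constructed trigger: high during the cnt1 loop (cycles 5-24) and again
# during the cnt2 loop (cycles 35-74), low in between.
TRIGGER = [0] * 5 + [1] * 20 + [0] * 10 + [1] * 40 + [0] * 5

if __name__ == "__main__":
    for mode, off, rep in [("ext_single", 7, 2), ("ext_continuous", 0, 1),
                           ("ext_continuous", 3, 1)]:
        w = windows(glitch_cycles(TRIGGER, mode, off, rep))
        print(f"{mode:15s} ext_offset={off} repeat={rep} -> {w}")
```

In this model ext_continuous ignores `repeat` and produces one glitch window per trigger pulse, while ext_single produces a single window after the first edge only.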