I am trying to run a VCC glitching attack against a target board based on the STM32F4, but I cannot observe glitch pulses on the oscilloscope.
The script I use:
```python
import chipwhisperer as cw
import time
from tqdm import tqdm

scope = cw.scope()
target = cw.target(scope, cw.targets.SimpleSerial2)
time.sleep(0.05)
scope.default_setup()
time.sleep(0.05)

# Reset the target through the nRST line
scope.io.nrst = 'low'
time.sleep(0.05)
scope.io.nrst = 'high_z'

# ADC capture settings
scope.adc.samples = 2000
scope.adc.offset = 0
scope.adc.basic_mode = "rising_edge"

# Glitch module settings
#scope.glitch.trigger_src = "ext_single"
scope.glitch.trigger_src = "ext_continuous"
scope.glitch.ext_offset = 700
scope.glitch.repeat = 5
scope.glitch.output = "enable_only"

scope.clock.reset_adc()
assert (scope.clock.adc_locked), "ADC failed to lock"

ktp = cw.ktp.Basic()
N = 1000
hex_key = "2b7e151628aed2a6abf7158809cf4f3c"
key = bytearray.fromhex(hex_key)
hex_plain = "6bc1bee22e409f96e93d7e117393172a"
hex_cipher = "3ad77bb40d7a3660a89ecaf32466ef97"
plain = bytearray.fromhex(hex_plain)
cipher = bytearray.fromhex(hex_cipher)

# Enable both glitch MOSFET outputs (high-power and low-power)
scope.io.glitch_hp = True
scope.io.glitch_lp = True

for i in tqdm(range(N)):
    trace = cw.capture_trace(scope, target, plain, key)
    if trace is None:
        continue
    # trace[2] is the ciphertext returned by the target
    target_cipher = trace[2]
    if target_cipher != cipher:
        print("Glitched")

scope.dis()
target.dis()
```
The idea of the script is to run the `capture_trace` API to push the key and plaintext to trigger the GPIO4 line and then run the HW crypto engine.
My questions are:
- Is the above script correct in terms of glitch insertion bound to the trigger event? What could be the reason I don’t see the glitches on the VOUT line on the CW308 UFO board?
- Does an event (“rising edge”) on the GPIO4 line also work for the glitch module to trigger a glitch?
- How does `scope.glitch.ext_offset` relate to the target clock cycles? Suppose I know that some event happens at the ADC’s 700th sample point: should I use `scope.glitch.ext_offset = 700` in the script for that? In other words, is the glitch trigger delay bound to the `adc_src` (clkgen_x4/clkgen_x1)?