Hello everibody,
trying to glitch the JN5169 using CW Husky on the line after the voltage regulator, but it seems that something is really unclear to me. The target has this code, a double for is executed and the output is sent via serial line:
Which is translated to (similar to the openrisc ASM):
The main part of the glitching code is:
scope.glitch.repeat = 5
offsets = np.arange(0, 2000, 20)
repeats = 5
crashes = 0
faults = 0
for offset in tqdm(range(len(offsets))):
scope.glitch.ext_offset = offsets[offset]
for i in range(repeats):
scope.io.glitch_lp = False # only using the 'low power' glitch mosfet
scope.io.glitch_hp = False
time.sleep(1)
# Reset the target and flush the serial
target.flush()
scope.io.nrst = 'low'
time.sleep(0.05)
scope.io.glitch_lp = True # only using the 'low power' glitch mosfet
scope.io.glitch_hp = False
scope.io.nrst = 'high'
time.sleep(0.05)
scope.arm()
ret1 = scope.capture()
ret = target.read(num_char=20,timeout=200)
x = ret.split(' ')
if ret1:
print('Timeout - no trigger')
if x[0] != "loop":
crashes += 1
print("crash_" + ret)
else:
f1 = int(x[1])
f2 = int(x[2])
f3 = int(x[3])
if f3 != 100000:
faults += 1
print('Fault?!' + str(f1) + ' ' + str(f2) + ' ' + str(f3) + '-' + str(scope.glitch.ext_offset))
total = len(offsets)*repeats
print("\nTotal # attempts:", total)
print("Total # faults: %d (%f%%)" % (faults, (faults/total)*100))
print("Total # crashes: %d (%f%%)" % (crashes, (crashes/total)*100))
The strange is that the result is thisone:
| Offset | Final count |
|---|---|
| 80 | 100001 |
| 120 | 100002 |
| 260 | 100005 |
| 300 | 100006 |
| 340 | 100007 |
| 380 | 100008 |
| 420 | 100009 |
| 460 | 100010 |
| 600 | 100013 |
| 640 | 100014 |
| 680 | 100015 |
| … | … |
How it’s possible that I’m getting these results? It doesn’t make sense to me. Also if I can glitch the counter k or j, it doesn’t make sense that the final value increment in this way.
On “Fault 1_1 - Introduction to Clock Glitching” I saw that: “On CW-Husky, glitch offset and width are specified in number of phase shift steps, whereas on CW-Lite/Pro, they are specified in percentage of clock period. The code provided below sets appropriate starting ranges for each case. Run help(scope.glitch) to understand this better.”
I will figure out better how the Husky is manage the glitching values in the nexts days, but anyway I cannot undestand how I’m getting these values.
Any idea?
The glitch in some way is done correctly (red line is the trigger, blue line is the VCC after the regulator):
inode