Hi Alex,
Despite changing to a shorter SMA cable, I still did not manage to VCC glitch the F0 board using 7.37MHz.
The length of SMA cable does, however, affect the results.
60cm SMA Cable that came with the CW1200 kit
15cm SMA from CWLite 2-piece version
Any suggestions?
Regards,
Melvin.
Hi Melvin,
I’d recommend focusing your glitching more around the area before the target crashes and using a finer width. Typically, you won’t get glitches in areas where you mostly see crashes. I’m not sure if you’ve tried this already either, but it may be worth trying each setting more than once (you may see glitches happen under 20% of the time with your best settings). There’s also a high power glitch setting that might be better in your case.
Alex
Hi Alex,
Thanks for the tips.
Just to share, I kinda obtained similar glitch plot when I was working on the xmega target last month. Interestingly enough, I managed to glitch it at one of the boundaries, i.e. just before it crashes and reset, but it required glitch repeat = 21 (● ̄(エ) ̄●)
Lucky shot I guess.
This technique doesn’t seem to work on the STM32 F0 and F3 boards though (⌣_⌣”)
Regards,
Melvin.
Hi Alex,
Can I check what’s your UFO board settings, e.g. Jumpers, Switches S1-S8, LDOs, etc.?
Thanks.
Regards,
Melvin.
Hi Melvin,
My CW308 settings are as follows:
J1 is set to J5-VREF
J3 is set to HS2/OUT
EXT_DC SWITCH is set to ON
VCC3.3 and VCC1.2 are both on
J14 is jumpered with the two pins closest to the target board
That should be it.
Alex
Hi Alex,
If it’s not too much of a hassle, could you take a photo of your CW308?
Just wanted to make sure that we are on the same page when we say VCC3.3 and VCC1.2 are both on.
Thanks again.
Regards,
Melvin.
Hi Melvin,
When I say, VCC3.3 and VCC1.2 are on, I mean the LEDs for them are on. I can take a picture of my CW308 setup, but it might be a few days.
Alex
Hi Alex,
Just to check, are you running the CW308 on a separate power supply, i.e. external DC, or is the Chipwhisperer supplying power to the CW308? I’m asking because you shared previously that EXT_DC SWITCH is set to ON, so I would assume CW308 is powered by an external DC supply. If that was the case, it wouldn’t matter is VCC3.3 and VCC1.2 were on or off because the LEDs 8 and 11 would have lit anyway XD
Regards,
Melvin.
Hi Melvin,
The CW308 was powered through the ChipWhisperer. If there’s no external DC power, the value of the EXT-DC switch doesn’t actually matter.
Alex
Hi Alex,
Previosly you wrote that:
"Had some time to try glitching on the F3 and I may have found some settings that work on 7.37MHz:
Width 20.7 to 22.7
Offset (-19.1) to (-19.9)
I’m not sure what glitch setup you’re on, but give those a try. Also, my F3 board doesn’t have C5, C6, C7, and C8."
The frequency 7.37 MHz set’s on CLKGEN?
I try to do glitch-attack when CW308 with STM32F3 has external quartz 7.37 MHz, CLKGEN setting on 35*7.37 MHz and with you’re pointed width and offset on glitch_infinite().
Am I do right?
Can you send the VCC osciloscope capture how you’re impulse seems?
Nik
Hi Nik,
I’ve found those settings work with specifically with a ChipWhisperer Lite with the new revision FET (T4 on the back of the board near the glitch port reads 56U). The target was running at 7.37MHz and the glitch port was connected to the CW308 via a 15cm SMA cable.
I should be able to send a picture of the glitch a bit later.
Alex
Hi Alex,
Thank’s for your anser! Which frequency of CLKGEN? Does it 35*7.37 MHz or just 7.37MHz?
I try to do it with CW1200. I have very short SMA-connect (near 5 cm).
Nik
Hi Nik,
The clock frequency is just 7.37MHz.
I’ve only tested glitching with the Lite/ARM and the Lite/CW308_STM32F3. Glitching was very different between them. Results were also very different between using a 15cm SMA cable and a 30cm SMA cable, so unfortunately, my settings might not help you much.
Alex
Hi Alex, Hi Melvin!
I found glitch parameters fot the STM32F3 with CW308.
With short coax connector (near 3 cm) parameter it is:
width = 19%
offset = -21%
After changing coax cable to 60 cm coax cable I’ve lost my glitch. But I found that he has another parameters:
width = 33%
offset = -37%
While I tryed to find my lost glitch, seems I found a few things how to find glitch quickly:
In my example. STM32F3 reloading near pulse width 34%. Than I start My attacks with range of width (29, 33) and offset (-49, 49). And found 33% and -37% respectively.
By the way. When I’m change the cable length, the width of overload target changes too. With 3 cm it was near 20-21%. With 60 cm it was near 33-34 %. And probability of glitch from 90% has come to 45%. I think it is because cable has induction-capacitance losses which doing more worses fronts of VCC impulse. But I can wrong.
Hope this can help for someone.
Nik.
Hi Nik,
Thanks for sharing your results and observations.
Can I just check if “with short coax connector (near 3 cm) parameter it is: width = 19%, offset = -21%” was for glitch1() or glitch_infinite()? And this worked with setup scope.glitch.repeat=10? Was it done with low power glitch or high power glitch?
Also, was your CW308 powered by ext dc power supply?
Regards,
Melvin.
Hi Alex,
Just to check, did you use an Auxiliary module to reset the target automatically after each glitch attempt?
If yes, could you share the delay (in ms) that you have used?
Thanks.
Regards,
Melvin.
Hi Melvin,
I don’t typically reset the target unless I have to. Typically a sleep of 0.1 seconds is sufficient. We actually have a setup to automatically build the tutorials now and throw them on Read the Docs, so if you’d like to take a look they’re available here. This one uses the CWLite Arm 1 part board.
Alex
Hi Alex,
Is this running on the V5?
Regards,
Melvin.
Yup, this is v5.
Alex
