Help with Setting Trigger for Clock Glitch Attack on CW305 using CW1173

Julia_UC3M · May 7, 2025, 7:36am

Hello,

I’m trying to perform a clock glitch attack on the FPGA board CW305, using the capture board CW1173 ChipWhisperer-Lite.

In my Verilog project, I configured the circuit I’m attacking to have a trigger output, which I connected to FPGA pin T14 (assigned to tio_trigger in the constraints file). This pin is part of the 20-pin connector and corresponds to TIO4, as described here:
https://chipwhisperer.readthedocs.io/en/latest/Capture/20-pin-connector.html

This setup seems to be working. I also wired led1 to turn on when this pin is active, and this works correctly during debugging.

However, when I configure the clock glitch attack in Python, I’m unable to get the glitch to trigger based on this pin. Here’s the relevant portion of my Python code:

Specifically, I used the line:

scope.trigger.triggers = "tio4"

I got this from the following forum post:

Unfortunately, it doesn’t seem to have any effect. I don’t observe any glitches being triggered. Also, I couldn’t find detailed documentation on how to properly set the trigger pin using the Scope API on the CW documentation site. Could someone clarify the correct way to set the external trigger pin?

Additionally, the circuit I’m testing is a relatively slow finite state machine (FSM) that performs multiplications and additions across several stages on two inputs. If this type of circuit is not suitable for clock glitching attacks on an FPGA, I’d appreciate any feedback. Since there aren’t many tutorials available yet, I’m trying to start with a simple design to learn the basics of clock glitching.

Thanks in advance for your help!

jpthibault · May 7, 2025, 12:46pm

How are you configuring scope.glitch?

Any circuit should be vulnerable to clock glitching, unless it has explicit protections against it.

Protection can be very simple: e.g. using a PLL to clean up the glitchy clock.

Julia_UC3M · May 8, 2025, 7:40am

This is the configuration I used. Some lines are commented out because I tried different settings:

#Basic setup
scope.glitch.clk_src = "clkgen" # set glitch input clock

scope.glitch.output = "clock_xor" # glitch_out = clk ^ glitch
#scope.glitch.output = "clock_only" #no glitch

scope.glitch.trigger_src = "ext_single"
#scope.glitch.width = 40
#scope.glitch.offset = 10
scope.glitch.width = 25
scope.glitch.offset = 25
# We trigger from "tio4" input
scope.trigger.triggers = "tio4" 
scope.io.hs2 = "glitch"  # output glitch_out on the clock line
print(scope.glitch)

Let me know if you would like to see the full Python notebook or the Vivado project for the circuit I am targeting. I would be happy to share them if it helps.

jpthibault · May 8, 2025, 12:40pm

And how are the glitches getting triggered? With trigger_src set to “ext_single”, glitches won’t be issued unless the scope is armed: Scope API — ChipWhisperer Documentation