I cannot glitch by clock in Part 1, Topic 2

ddd · December 12, 2021, 9:26am

Hello,

I am challenging the chipwhisperer tutorial of fault injection
Part 1, Topic 2: Clock Glitching to Bypass Password

I have completed the clock glitch in Topic1 and got the following results.
(The coordinates are below.)

glitch

[[7.8125, -48.046875],
 [7.8125, 48.046875],
 [16.015625, -48.046875],
 [23.828125, 48.046875],
 [32.03125, -48.046875],
 [32.03125, 48.046875],
 [48.046875, -48.046875],
 [48.046875, 48.046875],
 [3.90625, 3.90625],
 [7.8125, -48.046875],
 [16.015625, 48.046875],
 [35.9375, -48.046875],
 [39.84375, 48.046875],
 [44.140625, -48.046875],
 [48.046875, -48.046875]]

Next I tried Topic2, but the glitch did not succeed.
I think the range of the glitch is correct, but what is the problem?

Sorry for the rudimentary question, but please let me know the hints.

I am using chipwhisperer XMEGA,
windows 10
and the follow is the glitch code used in Topic2

Thank you

from importlib import reload
import chipwhisperer.common.results.glitch as glitch
from tqdm.notebook import tqdm
import re
import struct
    
gc.set_range("width", 46, 49.8)
gc.set_range("offset", -46, -49.8)
gc.set_range("ext_offset", 11, 31)
step = 1
gc.set_global_step(step)
scope.glitch.repeat = 1
reboot_flush()
broken = False

for glitch_settings in gc.glitch_values():
    scope.glitch.width = glitch_settings[0]
    scope.glitch.offset = glitch_settings[1]
    scope.glitch.ext_offset = glitch_settings[2]
    
    if scope.adc.state:
        print("Trigger still high!")
        gc.add("reset", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
        reboot_flush()
        
        scope.arm()
    target.simpleserial_write('p', bytearray([0]*5))

    ret = scope.capture()
        # True : timeout
        # False : no timeout

    val = target.simpleserial_read_witherrors('r', 1, glitch_timeout=10)

    if ret == False:
        if val['valid'] is False:
            gc.add("reset", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
        else:
            if val['rv'] == 1: #for loop check
                broken = True
                gc.add("success", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
                print(val['payload'])
                print(scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset)
                print("🔑", end="")
            else:
                gc.add("normal", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
print("Done glitching")

antragoudaras · December 13, 2021, 7:09am

I believe what is wrong with your code is that you check for val[‘vr’] which is always zero, which is demonstrated earlier ,when applying the correct password. Instead you should try to check the val[‘paylod’][0] value.
I used the following glitch settings
gc.set_range(“width”, -15, 49)
gc.set_range(“offset”, -44, 49)
gc.set_range(‘ext_offset’, 33, 64)

Also even if you get a valid value from target.simpleserial_read_witherrors, remember to check if the val['payload] is None as shown in the code I Wrote below:
else:
if val[‘valid’] is False:
gc.add(“reset”, (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
# plt.plot(scope.glitch.width, scope.glitch.offset, ‘xr’, alpha=1)
# fig.canvas.draw()
else:

        if val['payload'] is None:
            continue

        if val['payload'][0]:
            gc.add("success", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))
            print(val['payload'])
            print(scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset)
            print("🐙", end="")
        else:
            gc.add("normal", (scope.glitch.width, scope.glitch.offset, scope.glitch.ext_offset))

P.S. I am also targeting the XMEGA
Kind regards, Antonios

Nuliel · January 27, 2022, 10:16pm

Hello,
I’m also on the part 1 topic 2 and I found a glitch when I modified simpleserial-glitch.c and ext_offset: I’ve commented out trigger_high and trigger_low except in the password function. Note also that I also changed ext_offset and I found a glitch on ext_offset = 6, and I use the STM32F3 target.

osok · February 7, 2022, 7:44pm

@ddd

I’m testing against the XMega and also found the glitch after expanding the ranges. I used
gc.set_range(“ext_offset”, 0, 45)
if PLATFORM == “CWLITEXMEGA”:
gc.set_range(“width”, -40, 45)
gc.set_range(“offset”, -40, 45)

and it was found after some 150,000 or so glitches. I got no results until that. After which I started seeing resets and the such.

I re-ran the test twice and nothing a second time. I changed the settings to a smaller range after better understanding that ext_offset is the clock cycle since trigger. I made the size and offset only positive and extended the range of ext_offset. Now I get many hits for success.

gc.set_range(“width”, 1, 45)
gc.set_range(“offset”, 1, 2)
gc.set_range(“ext_offset”, 0, 200)

The ext_offset can be much lower, like 75 instead of 200 and the width can be 10 instead 45 for an upper limit.