Identifying VCC Core, and other fun questions!


#1

I’ve had heaps of fun with the ChipWhisperer (and poking hardware in general) so far! I’m currently trying to voltage glitch a router board I’ve got lying around, and I’ve got a few questions:

  • Firstly, is there a general approach to identifying core voltage? My approach so far has been visually inspecting the target, and manually probing each point while the device is powered on, and then trying against things that look like a core voltage - but this seems like lots of guesswork. Is there a better way to do this?
  • Secondly, I’m monitoring the (alleged!) core voltage and when I trigger a glitch event, shorting it to ground, I get the following trace:

This looks to me like I’m not sinking enough power during the glitch event - and the decoupling capacitors on the board are doing their job as intended. Is this a fair interpretation (is this enough information to indicate this)?

  • Thirdly, what properties should I look for in a MOSFET which make it “good for glitching”? I’m assuming activation time, a convenient threshold voltage and a suitable maximum drain/source voltage?

Thank you in advance :smiley:


#2

Hello,

#1 - there isn’t a good way when you’re lacking documentation. I did something similar with my Android test (eprint.iacr.org/2016/810.pdf). Sometimes it’s a bit of a hassle as you might have multiple core voltages that are the same (like VCC_DDR, VCC_CORE, and VCC_PLL say). Only one of those is actually going to be useful, the others will give you errors.

#2 - this is a pretty good signal I think! It may not drop to ground, but that nice big spike after is useful. That looks like my R-Pi waveforms for example.

#3 - getting fast is good. Low gate charge means it will take less current to switch the MOSFET on/off, but normally lower gate charge is coupled with a smaller MOSFET. So it’s a bit of a trade-off. If you’re ordering some off Digi-Key it might be worth getting an assortment and just see which ones work best for you. But you really need that fast switching of high currents, so often the really high-current ones are way slower.

Good luck, glad you’ve been enjoying it!


#3

One thing I’ve done is map out all the voltage nets (you need to remove the target chip from the board, so it might be easier to get a second board you don’t mind destroying). Once you have a map of the different nets and their corresponding pins, you can use some heuristics for narrowing down the search. Start with nets that cover the greatest number of pins to the least. Look for nets that “surround” the chip. Look for nets where the majority of the pins are closer to the center of the chip (power distribution is easier this way). Also consider the technology node of the chip (if you’re not sure, look at the manufacture date and find what technology node is prevalent). The lower the gate size, the lower Vcc core will be. For example, you won’t find many phones after 2014 that use 3.3V for the main processor.
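
The net-mapping heuristics from post #3, written out as an added example that is not part of the original thread: it orders probed power nets by pin count, then by how many of their pins sit near the centre of the footprint, and reports how many quadrants each net touches. The net names, the 10x10 grid, the pin coordinates and the "central window" size are all constructed assumptions.

```python
# Constructed sample data: ball positions (row, col) per power net on a 10x10
# BGA footprint, as recorded by continuity probing. Net names are hypothetical.
GRID = 10
NETS = {
    "NET_A": [(3, 3), (3, 4), (3, 5), (3, 6), (4, 3), (4, 6),
              (5, 3), (5, 6), (6, 3), (6, 4), (6, 5), (6, 6)],
    "NET_B": [(1, 1), (1, 8), (8, 1), (8, 8), (2, 2), (2, 7), (7, 2), (7, 7)],
    "NET_C": [(0, 1), (0, 2), (1, 0), (2, 0)],
    "NET_D": [(0, 0), (0, 3), (0, 6), (0, 9), (3, 0), (6, 0),
              (9, 0), (3, 9), (6, 9), (9, 3), (9, 6), (9, 9)],
}


def rank_nets(nets, grid):
    """Order candidate nets: most pins first, ties broken by centrality."""
    c = (grid - 1) / 2   # geometric centre of the footprint
    inner = grid / 4     # half-width of the "central" window (assumption)
    rows = []
    for name, pins in nets.items():
        # Pins whose row and column both fall inside the central window.
        central = sum(max(abs(r - c), abs(col - c)) <= inner for r, col in pins)
        # Quadrants touched: 4 means the net is spread around the chip.
        quadrants = {(r > c, col > c) for r, col in pins}
        rows.append({
            "net": name,
            "pins": len(pins),
            "central_frac": central / len(pins),
            "quadrants": len(quadrants),
        })
    rows.sort(key=lambda x: (-x["pins"], -x["central_frac"]))
    return rows


if __name__ == "__main__":
    for row in rank_nets(NETS, GRID):
        print(f'{row["net"]}: pins={row["pins"]} '
              f'central={row["central_frac"]:.2f} quadrants={row["quadrants"]}')
```

Ground is assumed to be identified already and left out of the map; the ordering only prioritises which nets to examine first and does not confirm which one is the core supply.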