Impacts on Repeatability of Voltage Glitch Attacks

Hello i´ve connected my own target to the Chip Whisperer Lite and i had successfull glitch attacks. After that i attack the target always with the same parameters (width: 8.0, offset: 5.6, ext_offset: 2.0, repeat: 3) to find out if the attack is repeatable. Now the glitch attack is not always successfull, sometimes i had to run the attack 9 times and sometimes it is succesfull after 2000 attacks. What can be reasons that the attack is not stable? Is this normal and can i make the statement that the attack is stable within ~2000 attempts.
I´ve synchronized the clock for the Glitch Module between my target and the CW, but not for the ADC i don´t use the Measure Pin, does the trigger for the glitch attack (IO4) also need a synchronization?

I use these settings:
grafik

Thanks and best regards

Maybe your glitch parameters are not optimal. Do you get any successes at other nearby points?

That’s fine, scope.glitch.clk_src = "target" is what matters.

What’s your target clock frequency? CW isn’t meant to work beyond 105 MHz. Just asking because I see a 150MHz there. If your target clock is 150 MHz, this could be a reason for unreliable glitching.

Yes i also get successes at nearby points. What can i do to find optimal glitch parameters, use the width_fine, offset_fine parameter or find completely other parameters?
My target runs with 48 MHz.

I also observed that the first glitch success each day when i start the PC needs a long time (about 5 hours) and after that glitch successes come in 20 to 40 min intervals. Could the temperature also effect the stability? I have only tested/observed this for 3 days and i have no equipment like a thermal camera.

I think it’s not so much that the temperature affects the stability of the target and/or ChipWhisperer, but that as the silicon temperature rises, internal propagation delays of logic signals inside the silicon change. On the ChipWhisperer side, this can slightly alter the characteristic of the glitch shape. On the target, this can alter the susceptibility to glitches.

Jean-Pierre

1 Like

Ok thanks yes the changed propagation delay could be a reason (Good point).
To my first reply: How can i find optimal glitch parameters, use the width_fine, offset_fine parameter or find completely other parameters? Or play around with resistors and capacitors like on the STM32F303 target (PCB section) in order to change the glitch shape?

Thanks and best regards

I wish I could give you a simple answer, but unfortunately there’s no such thing. The search space is huge… even the length of your SMA cable will affect results! Patience is definitely required.

Having said that - If you can change the target firmware, then start with the simple loop code that some of our tutorials use. This more or less takes the ext_offset parameter out of the equation.

With regards to resistors and caps: have a look at your glitch shape and levels on an oscilloscope. It may be that if you reduce capacitance, then you can get a effective glitches with a smaller repeat. I would probably not bother with width_fine unless you have fairly sharp glitches.

Colin and Jasper’s book has some more advice on how to approach the large search space.

1 Like

Thanks again. I already thought that there is no simple answer. I have also been able to make 26 successful attacks. (is already quite good). I will continue to work with your tips and be patient to find the optimal parameters. :sunglasses:

Best regards Rik

2 Likes