Hello NewAE team,
I am a hardware security researcher working on an automotive SRS module recovery project. The
target is an Infineon AURIX TC332LP-32F (SAK-TC332LP-32F200F-AA, TQFP-80, TC3xx family,
ASIL-D) where the UCB_DBG password (256-bit, PW0-PW7 at 0xAF402500) has been lost. This is a
legitimate recovery case for owned hardware.
We have already attempted:
- 500K VDD glitch attempts with RP2040 + BSS138 (insufficient current, ~100mV drop)
- 1.5M clock glitch attempts on XTAL1 pin with RP2040 @250MHz (jitter ±10ns)
- EMFI with a commercial tool (likely shielded by module housing)
Boot ROM timing mapped empirically: active zones at T+515us (pre-UCB decision) and T+603us
(UCB_DBG password check loop, 3.1us pattern with 0.30us sub-pattern per 32-bit word).
Questions:
- Is the CW-Husky voltage glitch module capable of inducing sufficient VDD_CORE perturbation
on an ASIL-D TriCore with lockstep enabled? - Does anyone have experience with TC3xx fault injection? We know the TC233LP has an
official CW308T target — are TC3xx defenses substantially different? - Would the analog waveform trigger be useful to track the 603us zone even with thermal
drift between resets?
Thank you for any guidance.