Hi everyone, this is my first time using the ChipWhisperer.
Recently, I have wanted to do some research on VCC glitching. I have a few problems:
(1) The tutorial allows us to temporarily ground the Artix power rails. Does that mean I need to cut the USB power off? (I only connect USB to the CW305 to provide power.)
(2) With USB connected, after I connect the SMAs to X3 & X4 and connect the 20-pin to the CW-Lite (2-part version), I get an error while running the Fault 2_1 tutorial.
Nope, you do everything as normal. The ChipWhisperer has a MOSFET near the glitch connector that pulls the target voltage to ground.
You’ll want to connect to X3, not X4, as the latter has an amplifier between the Vcc pin and the SMA connector. This error is because you’re trying to program the CW305 as if it was an XMega. Try skipping the program_target().
This error is caused by the target’s trigger not going high. Similar to an oscilloscope, we need a trigger for the glitch to activate after arming the ChipWhisperer. How is your target set up to communicate? SimpleSerial is all UART based, so it may or may not be what you’re looking for here.
Jupyter’s set up like an interactive Python. It’s fine to edit blocks to remove things you don’t want to run or to skip them entirely.
A few links that might be useful for you, if you haven’t seen them yet:
We recently released a “how to” for running side channel attacks on the CW305: http://media.newae.com/appnotes/NAE0010_Whitepaper_CW305_AES_SCA_Attack.pdf. It’s somewhat focused on CPA attacks on AES; however, I believe sections 2 (glitching is actually pretty similar in how it’s set up, it’s just that the trigger causes a MOSFET to pull the target Vcc low instead of triggering the ADC), 3, and 8 would be useful as well.
I tried to connect the target to the capture in the order that section 3 mentions.
But I am still stuck in this tutorial.
If I just want to see the glitch effect on my target, not trying to break the cryptographic algorithm, which steps do I need to do?
I am a rookie Jupyter Python user.
Thanks a lot for your help!
This is my hardware connection. (measure to X4) (glitch to X3)
Have a way for the Python to trigger the CW305 to do the operation you want (in this case the TRNG). For example, for AES running on a microcontroller, the sending of the plaintext triggers the microcontroller to do an AES encryption on that plaintext.
As the operation you’re interested in is starting, the CW305 will need to set a trigger pin high to trigger the glitch module on the ChipWhisperer.
Have some sort of feedback to be able to determine glitch success.
On the software side you need to do the following:
Connect to the ChipWhisperer (scope = cw.scope()). For a default CW305 configuration, typically calling scope.default_setup() (see readthedocs for what this does) should be sufficient.
Connect to the target. The CW305’s bitstream is stored in volatile memory, so you’ll probably have to program the CW305 on startup: target = cw.target(scope, cw.targets.CW305, bfile='/path/to/bitstream', force=True)
Do some setup on the CW305. Typically the following is sufficient, assuming you only need one clock on FPGA pin N13:
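```python
target.vccint_set(1.0)  # set target voltage to 1.0V

# Setup only PLL1 to output
target.pll.pll_enable_set(True)
target.pll.pll_outenable_set(False, 0)
target.pll.pll_outenable_set(True, 1)
target.pll.pll_outenable_set(False, 2)

# run PLL1 at 10 MHz:
target.pll.pll_outfreq_set(10E6, 1)

# 1ms is plenty of idling time
target.clkusbautooff = True
target.clksleeptime = 1
```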
Setup the glitch module:
```python
scope.glitch.clk_src = "target"          # set glitch input clock
scope.glitch.output = "glitch_only"      # glitch_out = glitch
scope.glitch.trigger_src = "ext_single"  # glitch only after scope.arm() called
scope.io.glitch_lp = True
```
Once you’ve got all the setup done, you need to make a glitch loop. This will look something like:
```python
import chipwhisperer.common.results.glitch as glitch

gc = glitch.GlitchController(groups=["success", "reset", "normal"], parameters=["width", "offset", "ext_offset"])
gc.set_range("width", 5, 48)
gc.set_range("offset", -49.8, 49.8)
gc.set_range("ext_offset", 5, 20)

for glitch_setting in gc.glitch_values():
    # glitch_setting follows the order of `parameters` above:
    # [0] = width, [1] = offset, [2] = ext_offset
    scope.glitch.offset = glitch_setting[1]
    scope.glitch.width = glitch_setting[0]
    scope.glitch.ext_offset = glitch_setting[2]
    scope.arm()  # arm the glitch module
    # --- do whatever you need to to get the target to start the desired operation
    ret = scope.capture()
    # determine glitch success
```
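The "determine glitch success" step of the loop above, as an added example that is not part of the original posts and is not ChipWhisperer code: it sorts each attempt into the same three groups and tallies a sweep. `SimulatedTarget` and its fault window are constructed so the logic runs without hardware, and comparing against a fixed expected output assumes a deterministic operation (a TRNG would need a different success test).

```python
import itertools
from collections import Counter

def frange(lo, hi, step):
    """Inclusive range helper for sweep parameters."""
    n = int(round((hi - lo) / step))
    return [round(lo + i * step, 4) for i in range(n + 1)]

def classify(timed_out, response, expected):
    """Sort one glitch attempt into the groups used by the loop above."""
    if timed_out or response is None:
        return "reset"    # trigger never seen, or target stopped answering
    if response != expected:
        return "success"  # target answered, but its result was corrupted
    return "normal"       # glitch had no visible effect

class SimulatedTarget:
    """Constructed stand-in for the FPGA design (hypothetical behaviour)."""
    expected = b"\x2a"

    def run(self, width, offset, ext_offset):
        # Returns (timed_out, response). With hardware, timed_out is the
        # value of scope.capture(), which is True when no trigger arrived.
        if width > 40:
            return True, None          # glitch so wide the target hangs
        if 20 <= width <= 30 and ext_offset == 10 and abs(offset) < 10:
            return False, b"\x00"      # constructed fault window
        return False, self.expected

def sweep(target, widths, offsets, ext_offsets):
    """Try every parameter combination; return tallies and faulting settings."""
    tally, hits = Counter(), []
    for w, o, e in itertools.product(widths, offsets, ext_offsets):
        # With hardware: set scope.glitch.width/offset/ext_offset, call
        # scope.arm(), start the operation, then ret = scope.capture().
        timed_out, response = target.run(w, o, e)
        group = classify(timed_out, response, target.expected)
        tally[group] += 1
        if group == "success":
            hits.append((w, o, e))
    return tally, hits

if __name__ == "__main__":
    tally, hits = sweep(SimulatedTarget(), frange(5, 45, 5),
                        frange(-40, 40, 20), range(5, 21, 5))
    print(dict(tally), hits)
```

A sweep where every attempt lands in "reset" because of the capture timeout points at the trigger wiring rather than at the glitch parameters.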
I want to ask how to make my target trigger the CW-Lite glitch module.
Does that mean using one of TIO1~4? If so, how do I do it in practice?
Because I can’t find anything about triggering the glitch module in the tutorial, I would very much appreciate your help!
I believe any of TIO1-4, as well as nRST can be used as a trigger pin, but TIO4 is the default (for the target triggering the ChipWhisperer). Also, the trigger for the glitch module is always rising edge. In lab 1_1/lab 2_1, the glitch firmware on the target is triggered to run by sending it "g\n" over UART. Once the microcontroller receives that, it sets pin TIO4 high, does its loop calculation (which in your case would be the TRNG), then sets the trigger pin low.
I tried to set up my .xdc file and Verilog design to make the trigger pin (TIO4) go high when I need it.
But my glitch control still gave “WARNING:root:Timeout in OpenADC capture(), trigger FORCED”.
I think it means my target (CW305) didn’t send the trigger to the CW-Lite through the 20-pin, right?
Is it necessary to use the method you mention below? Because I only have the TRNG module in my design; I don’t have usb_module, registers.v…
I found some problems in my experiment. I can observe the glitch module working from the Jupyter notebook.
But my design doesn’t show any response. I want to use an oscilloscope to observe whether the glitch really happens.
Where can I connect my probe on the CW305? I tried to use SMA to connect to the oscilloscope, but the size is different between the oscilloscope and X4 on the CW305.
When I did some experiments, I ran into some problems:
1. I set the trigger to 250 kHz, and the parameters are “ext_single”, “clkgen (25E6 Hz)”, “enable_only”, “repeat=25”. The ideal result I want to see is a 1 µs glitch every 4 µs, but what I actually observe on the oscilloscope is nothing. (I use scope.default_setup() for my settings.)
2. When I change “ext_single” to “ext_continuous”, I see some glitch sequences which are triggered every 0.01 s (which does not match my trigger’s frequency).
3. When I do the experiments with a small-width glitch and high-frequency triggers (about 25 MHz) with “ext_single”, I also cannot observe anything on the oscilloscope.
For ext_single, the glitch will only fire after scope.arm() is called. I’m guessing based on your parameters there that your loop with scope.arm() never runs, so this is probably expected. ext_continuous will fire the glitch without needing scope.arm() to be called.
You’re probably running into the same issue as above. That being said, this is definitely too high of a frequency to be glitching at. enable_only pulls the voltage low for a full clock cycle and repeat repeats the glitch, so glitching above 1MHz doesn’t make any sense.
This one I’m not too sure on. Maybe try reducing repeat or increasing clkgen_freq?
@Alex_Dewar So all I want to do is set the glitch parameters (width, offset, ext_offset), trigger it at a specific frequency, and have the Lite deliver the VCC glitch at that frequency.
Please tell me how to edit my Python code. My trigger’s behavior is like a clock. (01 change at the
This is the new version of my Python code, but the problems from last time weren’t solved.