Misunderstanding about voltage fault injection parameters

Hi everyone,

I met some difficulties to success voltage fault injection on some target STM32F3 and STM32L5. I tried many things but each time there is no success.

But I think the best way to optimize the parameters at the origin of the glitch is to well understand them.

If I summarize correctly, when we generate the glitch, 4 parameters come into play:

  • if I well understand “scope.glitch.repeat” represents the number of glitch on one clock period
  • then, for me “gc.set_range(“width”, x, y)” represents the glitch length on a clock period
  • “gc.set_range(“offset”, x, y)” and “gc.set_range(“ext_offset”, x, y)” I don’t really know what it means because in the “memory dump tutorial” we don’t use “ext_offset” while in the “check_password turorial” we use the “ext_offset” parameter…

Could you please, explain me, what corresponds “offset” and “ext_offset” ? Then, which element (CW308 or CW1173) generate each of them ? Then, what level correspond the values (x, y) for the parameters “ext_offset” and “offset” ?

Then you very much for your feedback !


scope.glitch.repeat is how many times the glitch will be repeated on subsequent clock cycles. If repeat is set to 3, glitches will be inserted on clock cycles 0, 1, and 2.

scope.glitch.width is the length of the glitch as a % of the glitch clock cycle.

scope.glitch.offset is a an offset of the glitch as a % of the glitch clock cycle.

scope.glitch.ext_offset is an offset of a full clock cycle. So if you set it to 10, the glitch will happen 10 clock cycles after the trigger goes high.

The memory dump tutorial does use ext_offset. It’s the primary thing we are searching for that tutorial.


Hi Alex,

Thanks to your response, It allows me to understand the purpose of each parameters.

But now, I just would like to see the glitch waveform. From my hardware settings, I used a T-adaptor to bring glitch and signal on the CW308. How can I do on Jupyter to capture for example the ten first glitch waveforms ?

Have a nice day !

The waveform should be accessible via scope.get_last_trace(). You might need to play around with ADC gain and trace length stuff: https://chipwhisperer.readthedocs.io/en/latest/api.html#chipwhisperer.scopes.OpenADC.adc.

That being said, I’d recommend an oscilloscope if you have one. The ChipWhisperer is AC coupled and designed for small signal stuff, so it’s not the best for viewing large swings on VCC.


Hi Alex,

Maybe it’s a silly question but I was wondering on which clock (target or scope) voltage glitchs are generated.

Because with my actual configuration, I know the clock of the scope and the target are the same but if I decided to put a higher frequency to my scope, on which clock the glitchs would be generated ?

Have a nice day and thanks again !