Necessity of shunt resistors

Hello, I have been exploring the CW-Lite and have started looking into analyzing/attacking a third-party board, containing a Silicon Labs EFR32FG23 chip. I was hoping to get some clarification to the nature of the shunt resistor; when it should be used and the placement of it. Both when using the CW-Lite and when using an oscilloscope.

First, I have been looking into some schematics, supplied by NewAE, for target boards for the CW308 board(to clarify, I’m not using these target boards or the CW308):

Both on the nRF52840 board(target schematic) and the EFR32MG21 board(target schematic), a shunt resistor has been placed on the decoupling lines. My first assumption, and from what I’ve read online, is that these decoupling lines often are connected to rails that power CPU and digital logic, and that we use these lines as a place for measurement since we are interested in the power consumption of the digital logic/CPU. Is this correct? By using that assumption I drew a schematic of the nRF target board, seen below. How does this work? Now the shunt is in parallel with the digital logic, and I assume we want to be in series with it? Probably it is just my electronics knowledge that is a bit rusty.

Secondly, on a blog named LimitedResults, the writer attacked the same mentioned nRF board and a different EFM32 board. I was only allowed to add two links in my post, so sorry for not linking to his blog posts:

On both of these attacks, he connected his oscilloscope directly to the decouple lines, without inserting any shunt resistors, and seemingly getting pretty decent power traces. This goes against what I’ve read about in the forums posts here and “The HW Hacking Handbook”, seemingly that you need/should insert a shunt resistor. So my question here is, is the nature of the shunt resistor only to improve the traces? Would you have any idea why the shunt was not necessary in the LimitedResults attack? LimitedResults mentions that he uses an amplifier to improve his traces(I guess this is comparable to the Gain the CW-Lite have?).

Also, LimitedResults only uses his traces to know where he should glitch, not to do any DPA or CPA attacks which is what I’m interested in exploring.

Thanks!

Yeah, you need the shunt resistor to be in series with the supply. If you want to do power analysis on a target with an internal regulator, you should instead feed in your own supply, ideally a little higher than the regulator output voltage, putting a shunt between your supply and the decoupling pins. I’d recommend taking a look at the schematic for the STM32F2/4 boards, since those use an internal regulator. https://rtfm.newae.com/Targets/UFO%20Targets/Images/CW308T_STM32F_03.png

Without the shunt resistor in there, you’re relying on things like trace/internal reistance, capacitance, inductance, etc to give you a voltage differential. This works okay for some basic visual inspection, but not nearly as well for DPA/CPA.

Alex

Thank you for the quick response and helpful answer!

Only one thing I still don’t quite understand. On the schematics for the nRF52840 target board, https://github.com/newaetech/chipwhisperer-target-cw308t/blob/main/CW308T_NRF52840/NAE-CW308T-NRF52840_Schematic.PDF, the shunt resistor is connected to the some decouple lines, which I would presume would then be in parallel with the digital logic. Is this a mistake by NewAE, considering the shunt should be in series?

Looking at the schematic, the voltage would be fed into SHUNTH, pass through the shunt resistor and go into the decoupling pins, so it’s still in series. There’s other decoupling pins, so I’d guess those are on a separate domain from the ones we’re interested in. There is also a capacitor on DEC4, so maybe we’re only interested in DEC6 and the trace length between those two pins is enough to reduce its effect on power consumption?

@coflynn probably would have been the one to design the board, so maybe he can give some clarification.