Oscilloscope settings help (Hardware Hacking Handbook)

Hello,
I read The Hardware Hacking Handbook, and in that book there is an exercise to hook an oscilloscope to an ATmega328P. The code running on that microcontroller:

  • sets a pin low
  • takes user input (a password)
  • sets the pin high
  • checks if the password is correct
  • repeats (loops and does the same thing over again)

The point of the exercise is to learn how to do an SPA attack. So, you hook an oscilloscope up, use one channel to trigger on the rising edge of the pin, and then on the other channel capture the waveforms and compare what they look like with the wrong password vs the right password.

So, the book shows what the waveforms should look like (what’s on the left), and on the right is what I get:

However, in spite of spending many hours trying to figure out what settings I need to use, I cannot get my waveforms to look like that. Some information that I hope can help someone to guide me:

  • Siglent SDS1104X-E 100 MHz 4-channel oscilloscope
  • My probes have a little slider on them that says (1 and 10); I have them set to 1
  • I am triggering on Edge- Slope Rising, this seems to at least trigger when I want
  • Source channel 2 (this is the correct channel for my trigger)
  • AC coupling
  • 0.0 delay
  • M 5.00 us
  • Both channels set to Probe 1x, and the switch on each probe also set to 1x

I have spent hours trying different settings, reading the owner’s manual, reading blog posts, and watching YouTube videos, so although it may not seem like it, I have put some effort into getting this to work. So far I have not succeeded in getting it to work, nor do I understand a lot about scopes.

Thank you for reading all this and for any help you may provide.

Hi,

For the waveform you’ve captured, how many correct characters did you send?

Alex

Hi Alex,
Thanks for the response! I’m not sure for that particular image, but I tried again here. The correct password is ilovecheese, so the left is when the password is correct and the right is when the password is wrong (iloveaaaaaa).

Hi @matt,

Welcome! That waveform actually looks good :slight_smile: The specifics of the “spikes” will look different, as it varies with your exact setup, what compiler version you had, etc. So you don’t need to exactly copy that.

What you should do is compare between the two waveforms to see the “differences”. As Alex was alluding to, knowing how many characters you have correct or not is a good first step. Looking at your waveform, zoom in on this area: to me it looks like the one on the right has 5 or 6 “spikes” in this area. This would correspond with 5 or 6 times through a loop (I say 5 or 6 since it might run through 6 times: there are 5 right characters, and on the 6th time it bails on the comparison).

This can be easier to do if you get the scope interface working to the computer ultimately, but for this example you should have a reference waveform you could save. If you save the reference waveform of the correct PW run and display it when trying different numbers of wrong passwords, you should easily be able to see the difference on your scope screen. If you haven’t used the ref feature, see e.g. page 112 of this Siglent manual (not sure that’s exactly right, but you get the idea).

Thanks,

-Colin

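To make the point in Colin's reply concrete (one pass through the compare loop per correct leading character, plus the pass that bails), and to show what the firmware described in the first post is doing at the point the trigger pin goes high, here is an added C example. It is not the book's firmware and not code posted in this thread. It assumes the target does a byte-by-byte compare with early exit, which is what the thread describes but does not show; the secret `ilovecheese` comes from the thread, while `leaky_check`, `ct_check`, `recover_by_spa` and the use of a loop-iteration counter as a stand-in for the spikes on the power trace are my constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed secret, taken from the thread. */
static const char SECRET[] = "ilovecheese";
#define SECRET_LEN (sizeof(SECRET) - 1)

/* Early-exit compare, assumed to match the book's target (the real firmware
 * is not shown in the thread). On hardware the trigger pin goes high just
 * before this runs, and each loop pass shows up as one burst ("spike") on the
 * power trace. *iterations records how many passes ran: that count is the
 * side channel. Returns 1 on a full match, 0 otherwise. */
int leaky_check(const char *guess, size_t *iterations)
{
    size_t i;
    for (i = 0; i < SECRET_LEN; i++) {
        /* A short guess hits its NUL here and mismatches, so we never read
         * past the end of guess. */
        if (guess[i] != SECRET[i]) {
            *iterations = i + 1;   /* the pass that bailed still ran */
            return 0;
        }
    }
    *iterations = i;               /* all SECRET_LEN passes ran */
    return 1;
}

/* Hardened compare: always walks the whole secret and ORs the XOR of every
 * byte into one accumulator, so the number of passes (and the trace shape)
 * no longer depends on how many leading characters are right. Only the
 * guess length, which the attacker already knows, influences control flow. */
int ct_check(const char *guess, size_t *iterations)
{
    size_t glen = strlen(guess);
    uint8_t diff = (uint8_t)(glen != SECRET_LEN);
    for (size_t i = 0; i < SECRET_LEN; i++) {
        uint8_t g = (i < glen) ? (uint8_t)guess[i] : 0;
        diff |= (uint8_t)(g ^ (uint8_t)SECRET[i]);
    }
    *iterations = SECRET_LEN;
    return diff == 0;
}

/* Simulated SPA attack against leaky_check. The only "observation" used is
 * the iteration count, i.e. what you would read off the scope by counting
 * spikes. Recovers the secret one printable character at a time and never
 * reads SECRET directly. Returns the number of characters recovered. */
size_t recover_by_spa(char *out, size_t outsz)
{
    if (outsz < SECRET_LEN + 1) return 0;
    memset(out, 0, outsz);
    for (size_t pos = 0; pos < SECRET_LEN; pos++) {
        int found = 0;
        for (int c = 0x20; c < 0x7f; c++) {
            size_t iters;
            out[pos] = (char)c;
            out[pos + 1] = '\0';
            if (leaky_check(out, &iters)) return pos + 1;  /* last char found */
            /* One extra spike compared with a wrong guess means this
             * character was accepted and the loop moved on to the next. */
            if (iters > pos + 1) { found = 1; break; }
        }
        if (!found) return pos;    /* no printable char fits: give up */
    }
    return SECRET_LEN;
}

int main(void)
{
    size_t it;
    const char *guesses[] = { "ilovecheese", "iloveaaaaaa", "xlovecheese" };
    for (size_t k = 0; k < 3; k++) {
        int ok = leaky_check(guesses[k], &it);
        printf("leaky_check(\"%s\"): match=%d, loop passes=%zu\n", guesses[k], ok, it);
        ok = ct_check(guesses[k], &it);
        printf("ct_check   (\"%s\"): match=%d, loop passes=%zu\n", guesses[k], ok, it);
    }
    char recovered[32];
    size_t n = recover_by_spa(recovered, sizeof recovered);
    printf("recovered %zu chars from pass counts: %s\n", n, recovered);
    return 0;
}
```

With `iloveaaaaaa` the leaky compare runs 6 passes (5 matching characters plus the pass that bails on the first `a`), which is the 5-or-6 spike count Colin describes, while `ct_check` always runs 11. On a real target the per-pass cost is not a clean integer you can read from a variable; the reference-waveform comparison suggested above is how you count the passes on the scope.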

Hi @coflynn ,
Thanks for the information, that’s great news! Tonight after work I will try to zoom in that area a bit and try to make use of the reference waveform- thank you!

Best,
Matt

Hi @Alex_Dewar and @coflynn,
I just finished work for the day and haven’t experimented with the ref feature yet; I will probably do that over the weekend. In the meantime, I wanted to follow up and say that I zoomed in on the waveform and I think it does look pretty good! Thanks for the help!

Best,
Matt


How do you like that scope, Matt? Is this scope good enough for all the glitching/power analysis attacks? I’m a newbie to all this and don’t really know much about oscilloscopes, so I’m wondering what scope I should get. I’m not sure whether the 100 MHz/200 MHz thing matters for this kind of stuff (glitching etc.), or if something else is more important, like having 4 channels instead of two, being able to interface with it directly via your PC, etc.

Any tips or recommendations anyone has would be awesome. Thanks for the above as well, guys; it helps to understand what it is supposed to look like. It’s still kind of hard for me to tell; maybe an incorrect character earlier on, instead of at the end, might make it a bit clearer. I’m guessing the little jump and then drop back down after the ‘a’ is what is different vs the correct password below, where it seems to stay high? :thinking:

Cheers

Hi @smc, that oscilloscope suited all my needs, but to be honest I haven’t done much with it since I finished reading that book. I was using it for a few other things afterwards and it was fine.

I’m far from an expert in all this. If it had been available to me I probably would’ve got a Rigol DS1054Z instead of what I have; they just weren’t for sale near me. Anyway, that’s just based on what I remember from a year ago when I myself was trying to decide on a scope to get. Good luck to you.


Thanks, yeah, I’m in the same boat: never used one in my life, but I also want to get one that I can definitely do this stuff with, so I’m trying to figure out what I need. Thanks for the info.