Oscilloscope settings help (Hardware Hacking Handbook)

Hello,
I read The Hardware Hacking Handbook, and in that book there is an exercise to hook an oscilloscope to an ATmega328P. The code running on that microcontroller:

  • sets a pin low
  • takes user input (a password)
  • sets the pin high
  • checks if the password is correct
  • repeats (loops and does the same thing over again)

The point of the exercise is to learn how to do an SPA attack. So, you hook an oscilloscope up, use one channel to trigger on the rising edge of the pin, and then on the other channel capture the waveforms and compare what they look like with the wrong password vs the right password.

So, the book shows that the waveforms should look like (what’s on the left), and on the right is what I get:

However, in spite of spending many hours trying to figure out what settings I need to use, I cannot get my waveforms to look like that. Some information that I hope can help someone to guide me:

  • Siglent SDS 1104X-E 100 MHz 4 channels, oscilloscope
  • My probes have a little slider on them that says (1 and 10); I have them set to 1
  • I am triggering on Edge- Slope Rising, this seems to at least trigger when I want
  • Source channel 2 (this is the correct channel for my trigger)
  • AC coupling
  • 0.0 delay
  • M 5.00 us
  • Both channels set to Probe 1x, and the switch on each probe also set to 1x

I have spent hours trying different settings, reading the owner’s manual, reading blog posts, watching YouTube videos, so although it may not seem like it, I have put some effort into getting this to work, but so far I have not succeeded in getting it to work nor in understanding a lot about scopes.

Thank you for reading all this and for any help you may provide.

Hi,

For the waveform you’ve captured, how many correct characters did you send?

Alex

Hi Alex,
Thanks for the response! I’m not sure for that particular image but I tried again here. The correct password is ilovecheese, so the left is when the password is correct and the right is when the password is wrong (iloveaaaaaa)

Hi @matt,

Welcome! That waveform actually looks good :) The specifics of the “spikes” will look different, as it varies with your exact setup, what compiler version you had, etc. So you don’t need to exactly copy that.

What you should do is compare between the two waveforms to see the “differences”. As Alex was alluding to - knowing how many characters you have correct or not is a good first step. Looking at your waveform - zoom in on this area, to me it looks like the one on the right has 5 or 6 “spikes” in this area - this would correspond with 5 or 6 times through a loop (I say 5 or 6 since it might run through 6 times, since there are 5 right characters, and on the 6th time it bails on the comparison).

This can be easier to do if you get the scope interface working to the computer ultimately, but for this example you should have a reference waveform you could save. If you save the reference waveform of the correct PW run, and display it when trying different number of wrong passwords, you should be easily able to see the difference on your scope screen. If you haven’t used the ref feature, see e.g. page 112 of this Siglent manual (not sure exactly right, but you get the idea).

Thanks,

-Colin
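
The loop behaviour described in the reply above, as an added example that is not code from the book or from anyone in this thread: an early-exit password check next to a constant-time one, each reporting how many loop passes it ran. The function names and the comparison routines are assumptions; only the two password strings come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Password quoted in the thread; the firmware's real check is assumed. */
static const char SECRET[] = "ilovecheese";

/* Early-exit check: returns 1 on match; *iters = loop passes executed. */
int check_early_exit(const char *guess, size_t *iters)
{
    size_t n = strlen(SECRET);
    *iters = 0;
    if (strlen(guess) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        if (guess[i] != SECRET[i])
            return 0;              /* bails at the first wrong character */
    }
    return 1;
}

/* Hardened check: always walks every byte and accumulates differences,
 * so the number of passes does not depend on where the guess goes wrong. */
int check_constant_time(const char *guess, size_t *iters)
{
    size_t n = strlen(SECRET);
    volatile uint8_t diff = 0;     /* volatile: keep the loop from being cut short */
    *iters = 0;
    if (strlen(guess) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        diff |= (uint8_t)(guess[i] ^ SECRET[i]);
    }
    return diff == 0;
}

int main(void)
{
    const char *tries[] = { "ilovecheese", "iloveaaaaaa" };
    for (size_t t = 0; t < 2; t++) {
        size_t a, b;
        int ra = check_early_exit(tries[t], &a);
        int rb = check_constant_time(tries[t], &b);
        printf("%s: early-exit ok=%d passes=%zu | constant-time ok=%d passes=%zu\n",
               tries[t], ra, a, rb, b);
    }
    return 0;
}
```

With the early-exit version, the wrong password runs 6 passes (5 matching characters plus the one that fails), which is the count of "spikes" discussed above; the constant-time version runs 11 passes for both inputs.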

Hi @coflynn ,
Thanks for the information, that’s great news! Tonight after work I will try to zoom in that area a bit and try to make use of the reference waveform- thank you!

Best,
Matt

Hi @Alex_Dewar and @coflynn,
I just finished work for the day and haven’t experimented with the ref feature yet- will probably do that over the weekend. In the meantime, I wanted to follow up and say that I zoomed in to the waveform and I think it does look pretty good! Thanks for the help!

Best,
Matt
