Phywhisperer: Setup for non-USB powered devices

Hi Guys,

hope all of the readers are doing just fine & are healthy. :slight_smile:

So, I’m a big NewAE fanboy and hence bought the PhyWhisperer.
I now want start playing around with triggering a glitch when sending certain USB commands to a DuT.
Anyway, the embedded device running is not powered via USB but instead uses an external 12V power supply.

So, I would like to ask you about your opinion regarding the most elegant solution for being able to trigger a reboot automatically. I can think about some evil hacks using relais which are flying around here somewhere but meh, you guys probably know better than me.
I really would have to do this in an automated manner, because the device may get unresponsive when injecting the faults. This has already been shown during testing.

Second, when having some really basic analysis it shows up, that the time variance from
1) Transferring the command on USB packet level
2) Receiving the answer of the command
is rather high.
In recent publications, it has been mentioned that the time variance has been about ~4us. In my case however, it varies about ~50us.
This may be due to the fact of initializing crypto libraries etc. which require some entropy source being ready2go.
Do you have any suggestions on how to generate reliable glitches anyway? :slight_smile:

Hope to hear from you.

Have a nice weekend,
Marvin

Hi Marvin,

For controlling your 12V target power, why not use a ChipWhisperer to control a relay? The 5V and 3.3V pins of the 20-pin connector can be turned on and off with:

scope.io.target_pwr = [True | False]

Regarding time variance of USB responses, that is going to depend on the target USB stack. What’s the target that is giving you 50us variance?

If there is some variance which is preventing USB sniffing from providing a stable time reference, then you could perhaps use the USB as an initial rough marker for finding points of interest, and then look at power traces around that rough marker to hopefully find some marker that is stable?

Maybe @coflynn has more to add. I know that he was successful with USB sniffing for the attacks documented here:
https://www.usenix.org/conference/woot19/presentation/oflynn

Regards,
Jean-Pierre