Power Analysis on IoT device

johnbuck2221 · May 4, 2023, 1:28pm

Help!

I am trying to follow this:

newaetech/chipwhisperer-jupyter/blob/training-versions/demos/H-Field Probe Demo 1 (with CPA).ipynb

{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# H-Field Probe Demo 1 (with CPA)\n",
    "\n",
    "This notebook is designed to work with an H-Field Probe. This can be used to attack devices without needing to modify them with a shunt resistor at all."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Normal Setup\n",
    "\n",
    "Perform a normal setup as you otherwise would. Adjust the platform & target as needed. Here we'll attack an XMEGA device on the CW308 UFO board for example. Note that because the UFO boards are missing the decoupling capacitors & have a resistive shunt, you may find they perform *worse* for H-Field probe usage than normal development kits.\n",
    "\n",
    "Neverless, we're going to give it a shot! We found the XMEGA works better than the STM32F3 target on the UFO board, so we'll do this tutorial with the XMEGA target board."

This file has been truncated. show original

To get a power analysis on an IoT device. What do I put for platform and crypto_traget? I’m not really interested in breaking any crypto atm, just want to get some power traces from the chips on the board

jpthibault · May 4, 2023, 2:01pm

CRYPTO_TARGET is only used for our target FW make command in the following cell.

PLATFORM is also used in the Setup_Generic.ipynb that’s called next, but you won’t need that if you’re not using our targets; instead, just do scope = cw.scope().

johnbuck2221 · May 4, 2023, 2:22pm

So if I want a script that will just capture power traces from an actual device and not a test board, I can use something like the below

SCOPETYPE = ‘OPENADC’
num_traces = 50
CHECK_CORR = False

scope.gain.gain = 70

%run “…/Helper_Scripts/plot.ipynb”
plot = real_time_plot(plot_len=3000)

from tqdm import tnrange
ktp = cw.ktp.Basic()

key, text = ktp.next()

for i in tnrange(5000, desc=‘Capturing traces’):
trace = cw.capture_trace(scope, target, text, key)
if trace is None:
continue
plot.send(trace)

jpthibault · May 4, 2023, 2:34pm

Depends on your target.
If you look at what capture_trace() does under the hood, it sends the text and key to the target via UART and our SimpleSerial protocol, and it captures a power trace when the target sets the IO4 line (which, in our targets, is done in response to receiving the text).

So you need to sort out how you’re communicating with your target, and how you’re triggering the capture.

johnbuck2221 · May 4, 2023, 4:01pm

Isn’t there a script that will just capture all power traces and plot them on a live graph through the magnetic field probe? I’m not directly communicating with the target currently

jpthibault · May 4, 2023, 4:14pm

CW is like a scope that needs to be armed and triggered.
If you don’t have a trigger, you could manually trigger captures like this:

scope.sc.arm(False)
scope.arm()
scope.sc.triggerNow()
scope.sc.arm(False)
assert scope.capture() == False
wave = scope.get_last_trace(True)

This will capture scope.adc.samples samples.
You’ll also need to set your sampling clock (scope.clock.adc_src, scope.clock.clkgen_freq).

johnbuck2221 · May 5, 2023, 10:38am

So something like this?

%run “…/Helper_Scripts/plot.ipynb”
plot = real_time_plot(plot_len=3000)

from tqdm import tnrange
scope.sc.arm(False)

for i in tnrange(5000, desc=‘Capturing traces’):
scope.arm()
scope.sc.triggerNow()
wave = scope.get_last_trace(True)
plot.send(wave)

scope.sc.arm(False)
assert scope.capture() == False

Where should I set scope.clock.adc_src , scope.clock.clkgen_freq?

jpthibault · May 5, 2023, 2:38pm

No, scope.capture() needs to be called before scope.get_last_trace().
The clock settings only need to be done once, prior to your capture loop.

johnbuck2221 · May 5, 2023, 3:03pm

Any recommendations on what to set these two CLK values to? Say if I am doing a power analysis on a CPU from a high end mobile phone?

jpthibault · May 5, 2023, 3:40pm

If you have a CW-lite or Pro, their ADC is rated to 105 MS/s, so you’d set:

scope.clock.adc_src = 'clkgen_x1'
scope.clock.clkgen_freq = 105e6

If you have a Husky then you can go to 200 MHz.

A high-end mobile phone will have a processor that’s running much faster than this; that will limit what you can do. For power analysis, ChipWhisperer works best when you (a) are able to sample at least once per clock cycle, and (b) you have access to the target clock, so that you can sample it synchronously.

We do have a demo of glitching a Raspberry Pi, which has a processor similar to what you may find in some phones:

johnbuck2221 · June 6, 2023, 3:24pm

Question, the scope.arm line, should this be in the for loop so I am arming it each time I am doing a capture?. Can this be outside the loop?

jpthibault · June 6, 2023, 3:34pm

For capturing traces it needs to be in the loop. For glitching, not if you use ext_continuous.