Hello everyone,
I am currently trying to perform some research on cross-device power analysis using the CW308 UFO Board and the STM32F303 target.
For this, I have two sets of both, and I collected traces using the TinyAES implementation on each, using the same hex file and discovered that they look significantly different.
Here is an image showing one trace from each device superimposed:
While I expected some differences, this looks to me like there are some differences in the execution or some kind of jitter (which I compiled without), resulting in a significant misalignment.
This misalignment starts out small but increases over time.
Are these differences expected, or could there be some issue I am unaware of?
Thanks in advance.
1 Like
Here is another image showing the increase in misalignment from the start (top) of the trace to the end (bottom) of the trace.
Hmm that is strange. So you are using the exact same setup, just swapping the STM32F303 from the CW308? I have seen differences from different parts that I chalked up to the parts coming from different batches, but not time-based differences like these.
After a capture, what does scope.adc.trig_count show for each target?
What is the output of print(scope)?
I use each STM32F303 with its own UFO board. However, i have tried swapping the targets, which resulted in the behavior swapping. So I assume the timing differences are directly related to the target.
Regarding scope.adc.trig_count and the output of print(scope), I can provide them tomorrow.
Here’s the output of print(scope).
For the “faster” setup (blue trace):
cwlite Device
sn = 50203220313038543330363138313031
fw_version =
major = 0
minor = 64
debug = 0
gain =
mode = high
gain = 30
db = 24.8359375
adc =
state = False
basic_mode = rising_edge
timeout = 2
offset = 0
presamples = 0
samples = 24000
decimate = 1
trig_count = 26764
fifo_fill_mode = normal
clock =
adc_src = clkgen_x4
adc_phase = 0
adc_freq = 29538471
adc_rate = 29538471.0
adc_locked = True
freq_ctr = 0
freq_ctr_src = extclk
clkgen_src = system
extclk_freq = 10000000
clkgen_mul = 2
clkgen_div = 26
clkgen_freq = 7384615.384615385
clkgen_locked = True
trigger =
triggers = tio4
module = basic
io =
tio1 = serial_rx
tio2 = serial_tx
tio3 = high_z
tio4 = high_z
pdid = high_z
pdic = high_z
nrst = high_z
glitch_hp = False
glitch_lp = False
extclk_src = hs1
hs2 = clkgen
target_pwr = True
tio_states = (1, 1, 0, 0)
cdc_settings = bytearray(b'\x00\x00\x00\x00')
glitch =
clk_src = target
width = 10.15625
width_fine = 0
offset = 10.15625
offset_fine = 0
trigger_src = manual
arm_timing = after_scope
ext_offset = 0
repeat = 1
output = clock_xor
For the “slower” setup:
cwlite Device
sn = 50203220343043543130313133303037
fw_version =
major = 0
minor = 64
debug = 0
gain =
mode = high
gain = 30
db = 24.8359375
adc =
state = False
basic_mode = rising_edge
timeout = 2
offset = 0
presamples = 0
samples = 24000
decimate = 1
trig_count = 26892
fifo_fill_mode = normal
clock =
adc_src = clkgen_x4
adc_phase = 0
adc_freq = 29538471
adc_rate = 29538471.0
adc_locked = True
freq_ctr = 0
freq_ctr_src = extclk
clkgen_src = system
extclk_freq = 10000000
clkgen_mul = 2
clkgen_div = 26
clkgen_freq = 7384615.384615385
clkgen_locked = True
trigger =
triggers = tio4
module = basic
io =
tio1 = serial_rx
tio2 = serial_tx
tio3 = high_z
tio4 = high_z
pdid = high_z
pdic = high_z
nrst = high_z
glitch_hp = False
glitch_lp = False
extclk_src = hs1
hs2 = clkgen
target_pwr = True
tio_states = (1, 1, 0, 0)
cdc_settings = bytearray(b'\x00\x00\x00\x00')
glitch =
clk_src = target
width = 10.15625
width_fine = 0
offset = 10.15625
offset_fine = 0
trigger_src = manual
arm_timing = after_scope
ext_offset = 0
repeat = 1
output = clock_xor
The only difference between the two is scope.adc.trig_count, which tells us that the target operation takes 26764 on one target and 26892 on the other.
In both cases the target is clocked by CW-lite, at exactly the same clock frequency.
From this I see only two possible explanations:
- The targets are not actually running the same firmware. Maybe one was compiled with a different compiler version?
- Your two CW308’s are set up differently. Check that all their jumpers are in identical position. Is J3 set to HS2/OUT? If you’re using a crystal as the clock source instead, then this is the reason for the difference. (And if so, you should route that clock to your CW-lite (the required jumper settings are explained here), and set
scope.clock.adc_src = 'extclk_x4'.)
Thank you for your help so far.
Regarding your possible suggestions.
- The targets run the same firmware, as I use the exact same .hex file for both.
- I checked the jumpers, they are in the same position on both CW308’s.
scope.clock.adc_src is set to extclk_x4 on both.
Now am I confused! Before you had it set to clkgen_x4. How exactly is the target clock generated, and how are the jumpers set on CW308 J3?
I am very sorry, I misread your reply. scope.clock.adc_src is set to clkgen_x4 on both.
The jumpers for J3 on both CW308’s are set to HS2/OUT, and I am not using a crystal as the clock source.
Can you post a picture of each STM32 showing the full part number? One possibility is that due to parts shortages we may have substituted a slightly different part.
Here is the front and back of the “faster” target.
And here is the front and back of the “slower” target.
Hi, sorry for the delay- these are both F303’s but one has 128KB flash and the other 384. We suspect there is some difference in memory wait cycles between the two, which would explain why one power trace appears just slightly shifted in time compared to the other.
If you contact sales@newae.com, we will set you up with some identical STM32F303 targets.
Ah yes, this explains it, thank you very much for your help.
1 Like
