Problems running CW-Lite to attack Arduino Uno


#1

Hi, my name is Joonjae Bang and I’m currently trying to conduct a CPA attack on an AES-ECB implementation on an Arduino Uno.
I currently have the Uno talking to the CW through serial communication, and I have what I think is the appropriate setup for the trigger and RX/TX pins. But when I go to take the traces, the board most of the time fails to acknowledge the trigger input and instead times out and forces a trigger, and even when I take a trace they don’t have the telltale sign of an AES nor do they yield any meaningful result in the analyzer.
I’ve been reading through the documentation and the forum, but I am lost. Any help would be appreciated!


#2

Well, I somehow fixed the trigger timing issue. However the traces still look very vague and I can’t see any defining traits.
One of the traces: imgur.com/a/JTTRl
Another trace: imgur.com/a/2AS7J


#3

Hi Joonjae Bang,

Do you have a way of testing that the trigger is set to high by the Arduino Uno consistently (oscilloscope or equivalent)? Once you have verified that the Arduino Uno sets the line to high every time, you can check the scope settings in the ChipWhisperer software. Make sure that your trigger settings are:
mode: rising edge

Are you using the serial protocol to start execution of the AES implementation on the Arduino Uno (the go command)? The process of events is as follows:

After pressing capture the scope arms (actively listening for the trigger to go high) and sends the go command to the target (in your case the Arduino Uno). The target should respond by setting the trigger high just before it begins execution of the AES implementation (your code, this part is up to you.) If the scope does not receive the trigger signal before the timeout it will raise the ADC Timeout failed error (or similar). If you think all of this may be taking longer than the timeout period you can try extending it just to make sure.
Finally, make sure that you made the correct connections (that the scope trigger pin is connected to the target line that is set high during execution).
Let me know if this helps!

Cheers,

Franz


#4

Franz,
Thank you for your input. Currently I am struggling with getting my trigger input right. When I supply a 5v trigger directly from the arduino into the ChipWhisperer, I get several normal triggers but then get a noisy signal where the trigger “crashes” and produces false rising edges the ChipWhisperer picks up to conduct wrong measures.
When the trigger is sent through my voltage divider, despite it outputting 2.4~2.5v it is interpreted as a noisy signal with multiple rising edges by the ChipWhisperer.
A clean trigger: imgur.com/a/dUdxT
A crash: imgur.com/a/e5CLY

I believe this may be a voltage stability issue. Do you know if there are any properties of the CW that causes it to malfunction when it accepts 4v trigger input? When I attempted to use a 3.3v input it was not as cleanly interpreted as the 4v triggers.


#5

Hmm I made a simple arduino program that just turns pin 13 high and low with 1 second in between. I tried taking a power trace of this but this is what I ended up getting: imgur.com/a/LmYP8
This was the power trace when the pin was set to high.

Clearly not what I expected. I tried taking the same trace on an oscilloscope and I got what I expected - a straight parallel line that shifts voltage levels every second.
I’m really not sure what is going on here. Just to make sure I connected the original XMega target and ran some built in attacks, and the traces that I got there were just fine.
Am I messing up how I attach the scopes to the measure port? I have the measure port’s ground attached to the arduino’s ground and the measure pin plugged into arduino’s pin 13 port.


#6

Hi Joonjae Bang,

I looked at the pinout of an Arduino Uno; pin 13 is not related to power. Here is a link to a document that might help you get a better understanding of power analysis (there is a super short section on Arduino on page 33 but the rest is also very useful).

There are quite a few introductory resources for power analysis and differential power analysis out there, they may help too.

In the end you will have at least two connections to the Arduino Uno, one for the trigger line and one for the measurement. Remember that you are measuring the power not the trigger. Let me know if I misunderstood what you were doing.

Cheers,
Franz


#7

Hi Franz,
I appreciate your continued discussion. To clarify I was testing the chipwhisperer capture on pin 13 so that I could see the state of my trigger pin, not to measure the power consumption of the microcontroller.
I am having trouble understanding two things, however. First, does the ADC measure the actual voltage level like an oscilloscope or does it measure the CHANGE in voltage levels? I tried reading a trace of a steady 3.3v DC supply and the straight line was situated at the 0 position on the data axis, which leads me to believe that it measures the change in voltage levels rather than the actual voltage levels.

Second, when conducting actual power analysis where would I connect the ground of the measure port? Initially I thought it would work like a differential probe and connected it to the other side of the shunt resistor, but it only resulted in a short between the power supply so I’ve just been connecting it to the target ground.

Once again thanks for the discussion!
Joonjae


#8

Hi Joonjae,

Here are some of the general differences of the ChipWhisperer scope versus a normal oscilloscope. The CW scope is AC coupled so it gets rid of any DC signal found in the measurement. So you are correct in assuming it only measures the difference in a way.

The default swing that the CW scope is comfortable measuring is 100mV; voltage signals with changes much higher than this, like a step from 0v to 3.3v, will be measured improperly and be shown as cut off on the graph.

This is because the CW scope is specialized for small swings in power measurements for side-channel power analysis.

You are right, grounding to the other side of the shunt resistor is not a good idea as it shorts power to ground. Connecting it to the target ground is the correct way to do it.

I hope this helps! :)

Cheers,
Franz
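
The AC-coupling and limited-swing behaviour described in post #8, as an added example that is not part of the thread and not ChipWhisperer code. It is a simplified model (first-order high-pass plus hard clipping); the sample rate, the 10 kHz corner and reading the 100 mV swing as ±50 mV are assumptions, and all three input signals are constructed.

```python
import math

# Simplified model (assumption): first-order RC high-pass, then hard clipping.
# It is not the CW-Lite front end's measured transfer function.
FS_HZ = 1_000_000      # simulation sample rate (constructed)
CUTOFF_HZ = 10_000     # high-pass corner (constructed)
HALF_SWING_V = 0.050   # 100 mV swing from post #8, taken here as +/-50 mV


def ac_couple(samples, fs=FS_HZ, fc=CUTOFF_HZ):
    """Discrete first-order high-pass: blocks DC, passes fast changes."""
    rc = 1.0 / (2 * math.pi * fc)
    alpha = rc / (rc + 1.0 / fs)
    out, prev_in, prev_out = [], samples[0], 0.0
    for x in samples:
        prev_out = alpha * (prev_out + x - prev_in)
        prev_in = x
        out.append(prev_out)
    return out


def measure(samples, limit=HALF_SWING_V):
    """Return (captured trace, fraction of samples pinned at the limit)."""
    captured = [max(-limit, min(limit, s)) for s in ac_couple(samples)]
    pinned = sum(1 for s in captured if abs(s) >= limit)
    return captured, pinned / len(captured)


def constructed_inputs(n=2000):
    """Three constructed signals, in volts, as seen at the measure input."""
    return {
        # Steady 3.3 V rail: nothing changes, so nothing passes the coupling.
        "steady_dc": [3.3] * n,
        # Logic pin (e.g. the trigger) stepping 0 V -> 3.3 V halfway through.
        "logic_step": [0.0] * (n // 2) + [3.3] * (n - n // 2),
        # 20 mV, 100 kHz ripple riding on 3.3 V, like a shunt measurement.
        "ripple": [3.3 + 0.020 * math.sin(2 * math.pi * 1e5 * i / FS_HZ)
                   for i in range(n)],
    }


if __name__ == "__main__":
    for name, signal in constructed_inputs().items():
        trace, pinned = measure(signal)
        print(f"{name:10s} min={min(trace):+.3f} V max={max(trace):+.3f} V "
              f"pinned={pinned:.1%}")
```

In this model the steady rail reads as a flat line at 0, the logic step pins at the limit before decaying back to 0, and only the small ripple comes through undistorted.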


#9

Hi Franz,

I’ve been working on trying to minimize noise and synchronize the power traces, but I don’t seem to be able to get it to work. Right now I’ve added a decoupling capacitor to the measure resistor and added delays around the trigger point, but the traces still look inconsistent and nothing like the original CW-Lite target board trace.

Example trace: imgur.com/a/W5BVc
Trace of the noise in the circuit: imgur.com/a/lVh7U

I’ve been working on trying to get a clock signal from the Arduino instead for more consistent traces, but the extclk pin on the CW-Lite 20 pin connector doesn’t seem to connect to my Arduino’s output pin (I used pin 9 as an output for the clock, as described here: gammon.com.au/forum/?id=11643). I was wondering if there was any easier way to get clock signals from the Arduino to the CW.

What are some differences I should expect in the traces between a custom arduino target and the built in XMega target? I am assuming that there will be a lot more noise, but the general shape of the trace should be similar.

Cheers,
Joonjae