Hello, at the moment I am writing a master thesis where I am exploring FI using the CW-Lite and the PicoEMP. I am targeting a third-party device. I am having some trouble with the CW mechanism that is sampling the trigger signal sent from the target(GPIO pin on target is set high when we enter code we want to glitch).
The problem:
Here are the errors/warnings that are causing me some troubles:
|(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:951) Trigger not found in ADC data. No data reported!|
|(ChipWhisperer Scope ERROR|File OpenADC.py:781) Received fewer points than expected: 0 vs 5000|
|(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:642) Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid. Status: 02
For the last warning I also get statuses: 03, 08 and 88. I tried looking into the CW code, but I were not able to understand what the status codes mean.
Also, the error that says it received fewer points than expected, can have varying numbers of captured points, but most often more than 4000.
Setups
I have two experimental setups:
- VFI: CW-Lite detects trigger signal from target(GPIO pin on target is connected to IO4 on CW). The crowbar/glitch output is connected to the decouple line of the targets digital logic. After trigger signal is detected, crowbar is activated.
- EMFI: CW-Lite controls the PicoEMP(HS2 on CW is connected to HVP on PicoEMP). CW-Lite detects trigger signal from target(GPIO pin on target is connected to IO4 on CW). After trigger signal is detected, HS2 is set, and PicoEMP is activated. The CW also checks that the PicoEMP is sufficiently charged for a new attack(IO3 on the CW is connected to the CHG pin on the PicoEMP). The CHG pin is checked before the CW starts looking for a new trigger signal from target.
The CW sends a command to the target, and the target will then run the corresponding application to that command. In the following observations a counter application was run.
Observations
For VFI I get more or less none of the above errors while running with a CW freq of 190MHz(maybe 1/1000). While at 200MHz, that number increases significantly.
EMFI is the one that is causing the most trouble. Seemingly independent of frequency of the CW, I can get a lot of the above errors. When I run a glitch campaign with parameters that cause no unusual behavior(normal execution of target application), I get little of the above errors. But when a glitch campaign that can cause resets and successful glitches run, the above errors are prevalent(maybe 1/4). This results in the glitching campaign running quite slow.
I don’t have the exact number of how prevalent each of the independent errors are, but I believe from memory that the “Received fewer points than expected:” error is occurring most. I can provide some numbers if necessary.
Thoughts
As I understand, the ADC of the CW-Lite has a limit of 105MS/s. Could it then be that by running the CW with a very high frequency(200MHz), the ADC will not “keep up”? I guess this is not the total truth, as I have seen forum posts here(by you guys at NewAE) stating that you run your attacks at 200MHz.
For EMFI, it is of course interesting that the ADC seems much more unstable when the target is being reset and glitched successfully. I make sure that the target is reset if no trigger signal is seen(as it could be that the target was reset/locked during the last glitch). Should I always just reset the target? Even if I got a normal/successful response from target?
Considering I get much less errors with my VFI setup than my EMFI setup, could this be the result of the CW sampling signals on both IO3 and IO4 with EMFI? I would guess not, as they are not sampling at the same time.
If anyone have any insights to share I would appreciate to hear them. Thanks!