Using the H-Field probe for SCA

Hello there,

I went to the wiki to look for some tutorials on how to use the H-Field probe for some SCA but could only find this one: H Probe Usage - ChipWhisperer Wiki

It points to a video from 2017 which uses some CW Software for the analysis.

My questions are, are there more actual tutorials on how to use the H-Field probe? Where do I get the CW software from?

No, we don’t have any more recent tutorials.
If you’re using one of our targets, I recommend you take one of our existing tutorials (using power measurements from the SMA cable), then, following the tips from the YouTube video linked from that page, try it again with the H-probe. Expect to require more traces for attacks to succeed; obviously this will be highly dependent on probe placement.
The CW software shown in that page is obsolete and no longer supported.
Jean-Pierre

Could you provide me a link to the tutorial you are referring to? I did some of the power analysis tutorials, up to CPA on AES. I assume using an H-Field probe yields similar recordings of power traces, although how do I know where the trigger is set? Could you give me some steps I need to do in order to make this attack similar to CPA? Is there a way to see the captured traces live, just like in the YouTube video I mentioned?

I didn’t mean any specific tutorial; any one which collects power traces would do.

You still need a trigger: I’m assuming you’re using one of our targets, and all you want to do is replace the direct power trace measurement connection with an h-probe. You still have the 20-pin connector providing trigger, clock, and serial communication with the target. If that’s not the case, then you’ll have to work that out for your specific target.

I don’t know what you mean by “steps to make this attack similar to CPA”. Our courses provide worked-out CPA examples on our supported targets; by learning the principles taught in the courses, you can apply them to different targets.

How to get live, dynamically updating power traces depends on what you want to use for plotting. With Jupyter, you have the freedom to use whatever plotting framework you prefer.

Jean-Pierre

Thank you, I managed to gather some traces with the H-Field probe and just ran the same script as I did in normal CPA, although with no success. I assume I didn't hit the right spot for the measurement? Which plotting framework could you recommend to me to capture the live traces, in order to figure out the best leaking spot (if that's possible)?

Can I still use the CWAnalyzer tool? I guess I would have to use a different firmware version for that? Or doesn't it work anymore?

I can’t recommend a specific plotting framework. If you go through our courses you’ll see what’s used there. I don’t think any of our courses use dynamic plotting, but I’m pretty sure that is possible to do with many of the frameworks.

The CWAnalyzer GUI tool has been obsolete for about 3 years; we can’t support it (the main issue is that it relied on some packages which required Python 2).

Before you try to run CPA on your traces, make sure they “look good”, like that YouTube video shows.

Jean-Pierre

What's the best solution to find out if the traces look good? Is the idea of watching dynamic plotting good?

Should I record more than 2000 traces? Should I move my probe while recording or let it be static?

Colin shows how to do this in the video at around 3:30: CW Tips: H-Probe Usage for Side Channel Analysis - YouTube
This requires that you have a trigger, and that the target is repeatedly doing the same operation, so that you can visually identify the spikes of target activity among the high background noise.
Jean-Pierre

Currently I am using a CW1200 and an STM32F target on the UFO board. I understand that the trigger is already there. What about the case where I would attack a different device? Do I actually need a trigger? Can't I record the whole trace and then use correlation analysis on that, since the correlation will still occur only at the correct location?

Having the trigger makes things a lot easier and provides a better learning environment by removing two dimensions of the problem: (1) finding where the target operations are executing, and (2) aligning the traces (so that the target operation is always at the same time within the power trace). This allows our courses to focus on the side-channel attacks.

In real-world products this is often not possible. This is not insurmountable but it can add a lot of time and effort to the attack. One recent write-up that I like a lot, in good part because it gives a very good idea of what that effort is like, is this Ninjalab paper: https://ninjalab.io/wp-content/uploads/2021/01/a_side_journey_to_titan.pdf