VCC glitching: decreasing glitch width?


#1

I’m trying to glitch a complex SoC with a CPU running at 111MHz. I was able to corrupt a counter with a 3500ns pulse but that seems a bit too high. If I try to glitch anything more complex (icache is actively filled with instructions rather than holding a tight loop for the counter), I get freezes instead (probably execution of junk data). A couple of questions:

  1. Is there a rule of thumb for how long of a glitch width is expected for a given clock frequency if I only want to skip a handful of instructions?
  2. Does removing decoupling capacitors help? I removed all the caps closest to the SoC associated with the voltage domain I’m glitching but I did not touch the caps for other domains nor did I touch the big caps near the PMIC.
  3. I’m using CWlite to glitch VDD12 to GND, but would it be more effective to glitch it to -1.0V or beyond? I’ve seen some success doing so in this paper: riscure.com/uploads/2017/09 … ection.pdf