Voltage Glitch (ext_trigger)

Hi there! I’m preparing a lab scenario to perform a voltage glitch attack on an Arduino Uno (password-comparison application) using ChipWhisperer-Lite, triggered by an external signal.

Question: Could you please take a look at my code and let me know if it’s set up correctly for this attack using ext_trigger? I’d really appreciate your confirmation that I’ve followed the API properly and that I’m not missing anything. My understanding is that the voltage glitch will occur when the glitch is triggered, and I just need to adjust the ext_offset value based on my measurements?

Thank you so much for your help! I truly appreciate any comments or advice you can provide.

Arduino code:

Hi,

There are a few things I recommend changing:

  1. You need to call scope.capture() after ser.write(), as this disarms the scope so that you can glitch again. It’s also valuable in that it will let you know if the scope is timing out (aka it doesn’t see a trigger).
  2. I’d recommend removing repeat and adding offset as a glitch parameter to search through. Even if you have a good width and ext_offset, you won’t get many glitches if you don’t have the correct offset as well. Repeat tends to not be as useful during voltage glitching, so you don’t really need to scan through that.
  3. I assume the Arduino firmware is reading the serial message in, then setting the trigger high? If so, 500ms is way too big of a delay for the ext_offset range you’ve got. For reference, you’ll need an ext_offset of at least 8 million to get past that delay and actually start glitching what you want to. I’d recommend just removing the delay.
  4. You’re probably going to want to try detecting a successful glitch somehow as well.

I think making those changes should be sufficient to try to start glitching. If you run into issues, you may want to try picking some easier firmware to glitch on, such as something similar to glitch_loop from chipwhisperer/firmware/mcu/simpleserial-glitch/simpleserial-glitch.c (develop branch of newaetech/chipwhisperer on GitHub).

Alex

Thanks, Alex! By following your suggestion, I successfully performed the glitch correctly.

Parameters Adjusted in My ChipWhisperer-Lite Code:

  • gc.set_range("width", 20, 45)
  • gc.set_range("offset", 0, 48)
  • gc.set_range("ext_offset", 0, 10000)
  • call scope.capture() after ser.write()

Parameters Adjusted in My ChipWhisperer-Lite Code:

  • remove delay

Lesson 1 Learned:
ext_offset = number of clock cycles after the trigger to apply the glitch.
So I measured the time from the rising edge to the falling edge of the Arduino trigger, which takes 273 microseconds. This corresponds to 4,368 cycles (273 × 10⁻⁶ seconds × 16,000,000 cycles/second). We need to perform the glitch during this window, so I assumed the ext_offset should target clock cycles within or shortly after these 4,368 cycles.

Lesson 2 Learned:

The offset allows fine-tuning the exact moment within a clock cycle when the glitch occurs. In CW-Lite and CW-Pro, the glitch can be adjusted by a percentage of the clock cycle (from -49.8% to 49.8%). In other words, the glitch can occur earlier or later in the clock cycle, depending on the offset you set. This makes it a powerful parameter for precisely timing the glitch to interfere with critical instructions in the target device.

Offset: After the trigger, the offset tells ChipWhisperer when within the clock cycle to apply the glitch.

Result: