Clock, power, and EM glitching discussions. Does not need to use ChipWhisperer.
#1151 by JoeB
Wed Feb 22, 2017 6:00 am
I bought the ChipWhisperer in 2016 with an XMEGA 128D4 target.
It was pretty simple to successfully glitch the XMEGA by following the clock glitching tutorial, but now I'm having a hard time getting the Vcc glitching tutorial to work.
I'm following https://wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks but without success. Using the glitch explorer I let the Capture tool test Width and Offset parameters from 1 to 49 (step 0.5) and -49 to 49 (step 0.5) but didn't get anything from it.
As I'm a newbie and know pretty much nothing about hardware, I'm surely missing something obvious. Could someone explain to me how to find the correct parameters to glitch this target?

Thanks

Joe
#1154 by gdeon
Wed Feb 22, 2017 9:13 am
Joe,

Glad to hear you're getting some use out of the ChipWhisperer!

Glitching is hard, so don't get too hung up on this. Sometimes I find that my targets just don't care about VCC glitches - they either act normally or turn off. I think there are a few more things you can try, though:
  • Double-check your glitch settings. Do you have one (or both) of the HS-Glitch Out Enable settings turned on? Is your glitch module clock locked to the right input? Do you see some kind of glitch on the power trace?
  • Have you tried changing the Repeat setting in the glitch module? Sometimes, one pulse isn't long enough - if there's too much capacitance around, the target won't even notice that you tried to cut the power. Maybe try sweeping this from, say, 1 to 10 along with the other setting sweeps.
#1156 by JoeB
Wed Feb 22, 2017 9:59 am
Hi gdeon,

Thanks for your answer.

gdeon wrote: Glitching is hard, so don't get too hung up on this. Sometimes I find that my targets just don't care about VCC glitches

As the hardware comes directly from NewAE, I was expecting it would be easy to glitch it :D

gdeon wrote: Do you have one (or both) of the HS-Glitch Out Enable settings turned on?

I'm following the tutorial https://wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks

See section 5.2.b from the tutorial: I checked the box marked "HS-Glitch Out Enable (Low Power)".
Do you mean I should try to check the other or even both? Could you please explain to me what the effect will be?

gdeon wrote: Do you see some kind of glitch on the power trace?

Yeah I see the glitch on the power trace :)

gdeon wrote: Have you tried changing the Repeat setting in the glitch module? Sometimes, one pulse isn't long enough - if there's too much capacitance around, the target won't even notice that you tried to cut the power. Maybe try sweeping this from, say, 1 to 10 along with the other setting sweeps.

Yes, I tried several parameters manually. The board either resets or keeps running...
#1157 by gdeon
Wed Feb 22, 2017 11:06 am
JoeB wrote: As the hardware comes directly from NewAE, I was expecting it would be easy to glitch it :D

It's definitely easier with our hardware than it is with any old board! However, these things can still be finicky - some days, the moon is in the wrong phase and it just refuses to glitch.

JoeB wrote: See section 5.2.b from the tutorial: I checked the box marked "HS-Glitch Out Enable (Low Power)".
Do you mean I should try to check the other or even both? Could you please explain to me what the effect will be?

The ChipWhisperer uses a "crowbar" circuit to produce these voltage glitches. There's a picture of the circuit in the tutorial so you can see what's going on: a transistor is used to short the power rail to GND for a very short amount of time. There are two MOSFETs on the CW-Lite that you can use to do this. You can see them beside the glitch connector: there's a big one on the top and a little one on the bottom.

If you enable the Low Power option, the glitch module output is connected to the small MOSFET. The High Power option connects to the larger MOSFET. The bigger one can handle more power, so it might be able to drain the power from the XMEGA more quickly. It's worth a try!

JoeB wrote: Yes, I tried several parameters manually. The board either resets or keeps running...

The glitch settings that work can be very precise - for example, I've seen glitches that work when the offset is 6 or 7, but not 5 or 8. Don't be surprised if you can't find working parameters manually! It's much easier to just set up the glitch explorer and let it do the hard work :)
#1285 by fuzzer
Thu May 11, 2017 10:26 pm
Hi Joe,
Any update? Have you had any success with VCC glitching on the WhisperLite and XMEGA target? I'm having the same problem. Using the low power MOSFET does nothing and high power always resets the target. Can't break into the while loop. No problem with clock glitching, it's just VCC glitching that drives me nuts.

Has anyone successfully done VCC glitching on the WhisperLite with the XMEGA target? Please post the software settings if you have.
#1544 by skxo
Sat Aug 26, 2017 5:20 am
Hi everyone,

Effectively, it is really hard to perform successful VDD glitching here.
When I try powerful parameters, I get the following error:

An error has occurred:
XMEGA command 20 failed:err=1,timeout=1
Traceback (most recent call last):
  File "/home/xisco/CW/software/chipwhisperer/capture/ui/CWCaptureGUI.py", line 112, in <lambda>
    self.capture1Act = QAction(QIcon(':/images/play1.png'), 'Capture 1', self, triggered=lambda: self.doCapture(self.api.capture1))
  File "/home/xisco/CW/software/chipwhisperer/capture/ui/CWCaptureGUI.py", line 219, in doCapture
    if callback():
  File "/home/xisco/CW/software/chipwhisperer/common/api/CWCoreAPI.py", line 313, in capture1
    return ac.doSingleReading()
  File "/home/xisco/CW/software/chipwhisperer/capture/api/acquisition_controller.py", line 87, in doSingleReading
    aux.traceArm()
  File "/home/xisco/CW/software/chipwhisperer/capture/auxiliary/ResetCW1173Read.py", line 70, in traceArm
    self.resetDevice()
  File "/home/xisco/CW/software/chipwhisperer/capture/auxiliary/ResetCW1173Read.py", line 93, in resetDevice
    CWCoreAPI.getInstance().getScope().scopetype.dev.getCwliteXMEGA().readSignature()
  File "/home/xisco/CW/software/chipwhisperer/capture/ui/programmers_dialog.py", line 259, in readSignature
    self.xmega.find()
  File "/home/xisco/CW/software/chipwhisperer/capture/api/programmers.py", line 105, in find
    sig, chip = self.xmega.find()
  File "/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py", line 161, in find
    self.enablePDI(True)
  File "/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py", line 295, in enablePDI
    self._xmegaDoWrite(self.XPROG_CMD_ENTER_PROGMODE)
  File "/home/xisco/CW/software/chipwhisperer/hardware/naeusb/programmer_xmega.py", line 490, in _xmegaDoWrite
    raise IOError("XMEGA Command %x failed: err=%x, timeout=%d" % (status[0], status[1], status[2]))
IOError: XMEGA Command 20 failed: err=1, timeout=1



After that I cannot continue and I need to quit and restart CWCapture.
I need to reflash the .hex inside the XMEGA too.
Can you indicate to me how I can avoid this error during my glitch parameter research, please?
I am a little stuck here... :)

Kind regards
sk
#1550 by ExMachina
Wed Aug 30, 2017 2:51 am
Hi,

I am also having some trouble VCC glitching the hardware. I am trying to do glitch1.

I uploaded some samples and created a video showing some of the problems I encounter.
I am using the following hex:

https://github.com/x8-999-github/cw-pro ... litch1.hex

and running this script on the CW-Lite + the XMEGA target:
https://github.com/x8-999-github/cw-pro ... _glitch.py

I created a small video showing the problems I currently encounter: https://youtu.be/g9qwju9O6Gk
- The glitch does not happen every time
- Somewhere something goes wrong when the glitch width is set to 0 (CW keeps the line low)

I will continue debugging (clock glitching worked fine)
#1553 by coflynn
Wed Aug 30, 2017 9:19 pm
Thanks for the detailed report - will try to take a look at what is happening.

As a note, VCC glitching on the XMEGA target seems not to be too successful. I don't know the exact reason, but I typically use VCC glitching on the STM32x or AVR target. Which one do you have there?

-Colin
#1556 by ExMachina
Thu Aug 31, 2017 10:07 am
So I continued trying to VCC glitch the XMEGA. So far still no success, but we are slowly? getting closer.

* I started using the https://wiki.newae.com/CW506_Advanced_Breakout_Board and I am now powering the XMEGA with 3.3 V via the banana plug. This gives more stability towards the CW (e.g. I did not see hangs any more)
* With a glitch width of 17 I always get a normal output and with 18 I get a reset. Playing with the fine adjust did not help here either.

I think that one of the problems is the way the glitch.c code is constructed. I will slightly modify the code to be better able to debug it by adding a need for input before doing the glitch, because currently, if a glitch results in a reset, the code restarts and triggers my scope.

Code:
ARM SCOPE
RESET TARGET
PRINT HELLO
TRIGGER
PRINT A

into

Code:
ARM SCOPE
RESET TARGET
PRINT HELLO
WAIT FOR INPUT
PRINT A
TRIGGER
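
An added example, not part of the original thread and not ChipWhisperer code: a host-side helper that labels each glitch attempt from the target's serial output and finds the width band where the result flips between normal and reset (as with widths 17 and 18 above), which is the band worth re-sweeping with the fine adjust. The marker strings, the record layout and the sample outputs are constructed assumptions based on the "PRINT HELLO" / "PRINT A" flow.

```python
BANNER = "hello"     # assumed boot banner ("PRINT HELLO" in the thread)
PRE_TRIGGER = "A"    # assumed marker printed next to the trigger ("PRINT A")


def classify(output):
    """Label one glitch attempt from the serial text captured after arming."""
    boots = output.count(BANNER)
    if boots == 0:
        return "no_response"      # target hung or never booted
    if boots > 1:
        return "reset"            # banner seen again: the glitch rebooted it
    tail = output.split(BANNER, 1)[1].strip()
    if tail == PRE_TRIGGER:
        return "normal"           # still in the loop, nothing new printed
    if tail.startswith(PRE_TRIGGER):
        return "success"          # extra output: execution left the loop
    return "no_response"          # booted but never reached the trigger


def flip_points(records):
    """records: iterable of (width, offset, repeat, output).
    Returns {(offset, repeat): [(w_lo, w_hi), ...]} for neighbouring widths
    whose labels flip between 'normal' and 'reset'."""
    by_setting = {}
    for width, offset, repeat, output in records:
        by_setting.setdefault((offset, repeat), []).append(
            (width, classify(output)))
    bands = {}
    for key, points in by_setting.items():
        points.sort()
        flips = [(w0, w1) for (w0, c0), (w1, c1) in zip(points, points[1:])
                 if {c0, c1} == {"normal", "reset"}]
        if flips:
            bands[key] = flips
    return bands


def summary(records):
    """Count how many attempts fell into each label."""
    counts = {}
    for record in records:
        label = classify(record[3])
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sweep results: (width, offset, repeat, serial output).
SAMPLE = [
    (16, 10, 1, "hello\nA"),
    (17, 10, 1, "hello\nA"),
    (18, 10, 1, "hello\nAhello\nA"),
    (19, 10, 1, "hello\nA\nhello\nA"),
    (17, 10, 5, "hello\nA"),
    (18, 10, 5, ""),
]
```
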
