As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes

Jump to: navigation, search

Tutorial A3 VCC Glitch Attacks

2,223 bytes removed, 14:30, 12 April 2018
Progress save, for complete tutorial rewrite for cw4.0
{{Warningbox|For the older V3.x tools, see [[V3:Tutorial A3 VCC Glitch Attacks]]}}
 
This advanced tutorial will demonstrate power glitch attacks using the ChipWhisperer system.
 
You can follow along with this video for details of this page too:
 
[[File:youtube-vccglitch.png|link=http://www.youtube.com/watch?v=hxU5uVbYCYo&hd=1]]
== Background on VCC (Power) Glitching ==
If using a target with only a single SMA, only connect the ''Glitch'' port. The measure port is optional to allow you to monitor the VCC line as you are inserting the glitch.
If using the ChipWhisperer-Lite with Multi-Target board, you can connect both ports by doing the following:
 
<blockquote><ol style="list-style-type: lower-alpha;">
<li>Connect the ''Glitch'' port to the ''VOUT'' pin.</li>
<li>Connect the ''Measure'' port to the ''LNAIN'' pin.</li>
<li>Add the jumper across JP21 to route the ''VOUT'' to the ''LNAIN''.</li></ol>
</blockquote>
=== Using VCC Glitching Add-on with Multi-Target Board ===
 
If using the ChipWhisperer Capture Rev2 (CW1002), you do not have a glitch output port. Instead you need the VCC glitching add-on.
 
The VCC glitching add-on can be added to the AVR or SmartCard 6-pin headers, or connected to the XMEGA by a few additional jumper wires.
 
The connection between the glitch input and FPGAOUT pin must be done via a jumper wire. This connects the glitch module output to the MOSFET input, such that whenever a glitch is requested the VCC on the target is shorted.
 
Note that the VCC glitcher is '''capable of being damaged''' or '''causing damage to''' the multi-target board. In particular the shunt resistor mounted on the VCC line (e.g. R1 for the AVR) is rated only for 0.1 watts. Shorting a 3.3V VCC to GND however causes 0.2 watts to be dissipated. Provided the glitch is only short-lived (as the glitches are for this system), the total average dissipation will not cause damage. If however the glitch module accidently caused a continous short of the VCC to GND, the power dissipation of the resistor may cause it to burn out.
 
The hardware is almost as in previous incarnations. Note that unlike the [[Tutorial_A2_Introduction_to_Glitch_Attacks_(including_Glitch_Explorer)]] you do not connect the FPGAOUT to the AVR Clock, instead you use the 7.37 MHz oscillator bridged to both the AVR clock and FPGAIN. This is the ''same clock setup as in the side-channel power analysis tutorials''.
 
The following figure shows the clock jumper configuration, which are the same as the settings from [[Tutorial_B5_Breaking_AES_(Straightforward)]].
 
<blockquote>[[File:hw-2.jpg|600px|image]]
</blockquote>
In addition the VCC glitcher board must be mounted, which means removing the jumpers on the 6-pin header around the AVR. Also the 'IN' pin on the VCC glitcher board connected to the FPGAOUT pin. This is done via a jumper wire. Both of these are shown in the following figure:
 
<blockquote>[[File:vccglitcher_routing.jpg|frame|none|alt=|The control line for the VCC glitcher board comes from the FPGAOUT pin.]]
 
[[File:vccglitcher_mounted.jpg|frame|none|alt=|The VCC glitcher board must be mounted with <code>GND</code> at the bottom matching, exactly as shown here.]]
</blockquote>
== Setting up Glitch Example ==
=== Software Setup ===
<ol style="list-style-type> <li> <p>Select the <code>connect_simpleserial.py</code> script</p> <p>[[File: decimal;"connect_script.png|400px]]</p> </li> <li> <p>Connect to Run the ChipWhisperer device<code>connect_simpleserial.py</code> script, by pressing the <b>Run</b> button</p> <p>[[File:connect_script_preview.png|400px]]</p> <blockquote/li> <ol style="list-style-typeli> <p>Setup up the settings by running the appropriate setup script for your device</p> <p>[[File: decimal;"setup_script_xmega.png|400px]]</p> </li>As <li> <p>Run the ''Scope Module''setup script by pressing the run button, select if you want to see what parameters the ''ChipWhispererscript changes, inspect the preview</OpenADC'' optionp> <p>[[File:setup_preview_xmega.png|400px]]</p> </li> <li>As <p>Open the appropriate programmer from top main menu ''Target ModuleTools'', select and in the dialog press ''Simple SerialCheck Signature'' optionto verify you can connect to the target</p> <p>[[File:xmega_programmer.png|400px]]</p> </li> <li>Switch to <p>Find the ''Scope Settings'' tabcorrect firmware file, and as previously compiled for the ''connection''target you are using, select and press the ''ChipWhisperer Rev2Erase/Program/Verify FLASH'' or ''ChipWhisperer-Lite'' option</p> <p>[[File:xmega_programmer_press_program.png|400px]]</p> </li> <li>Switch <p>Time to setup the voltage glitching parameters. Start with the ''Target SettingsGlitch Module'' tab, and as section under the ''connectionScope Settings'', select tab</p> <ol> <li>For the ChipWhisperer-Lite (CW1173/CW1180), set ''ChipWhisperer Rev2Target HS IO-Out'' or option to ''ChipWhisperer-LiteCLKGEN'' option.</li> <li>Run connect on both the Scope &amp; Target. They should both switch to green circles indicating the system is connected. </lip>Set the ''Clock Source'' as ''CLKGEN'':</olp> </blockquoteli> </liol>  
<li><p>Setup the CLKGEN Module to Generate a 7.37 MHz clock and route it through the Glitch Generator</p>
<blockquote><ol style="list-style-type: decimal;">
<blockquote><ol style="list-style-type: lower-alpha;">
<li>For the ChipWhisperer-Lite (CW1173/CW1180), set ''Target HS IO-Out'' option to ''CLKGEN''.</li>
<li>For the ChipWhisperer-Capture Rev 2 (CW1002), set ''Target HS IO-Out'' option to ''Glitch Module''.</li></ol></blockquote></li></ol></blockquote></li>
<li><p>Connect the Serial Port</p>
<blockquote><ol style="list-style-type: decimal;">
Retrieved from "http://wiki.newae.com/Special:MobileDiff/3215"

Navigation menu