http://wiki.newae.com/api.php?action=feedcontributions&feedformat=atom&user=GdeonChipWhisperer Wiki - User contributions [en]2026-04-24T13:22:58ZUser contributionsMediaWiki 1.26.2http://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=3714Tutorial A5 Breaking AES-256 Bootloader2018-08-04T04:21:26Z<p>Gdeon: Update code for new SAD API</p>
<hr />
<div>{{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}}<br />
<br />
{{Infobox tutorial<br />
|name = A5: Breaking AES-256 Bootloader<br />
|image = <br />
|caption = <br />
|software versions =<br />
|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro<br />
|Target Device = <br />
|Target Architecture = XMEGA<br />
|Hardware Crypto = No<br />
|Purchase Hardware = <br />
}}<br />
<br />
This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
== Background ==<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
=== Bootloader Communications Protocol ===<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
=== Details of AES-256 CBC ===<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
=== Attacking AES-256 ===<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
== Setting up the Hardware ==<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
=== Building/Programming the Bootloader ===<br />
<br />
{{Warningbox|Are you following this tutorial at a training event? If so ONLY use the provided hex-file with secret key already embedded, do not rebuild the firmware!}}<br />
<br />
<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
== Capturing the Traces ==<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
== Finding the Encryption Key ==<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
=== 14th Round Key ===<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' script:<br />
## Make a copy of the ''attack_cpa.py'' script, call it something new (such as ''attack_aesdec14.py'')<br />
## Adjust the model from ''SBox_output'' to ''InvSBox_output''. This is done by finding the following line in the script:<br />
##: <pre>from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, SBox_output</pre><br />
##: and change that line to:<br />
##: <pre>from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, InvSBox_output</pre><br />
## and then also change this further down where we set the leakage model:<br />
##: <pre>leak_model = AES128_8bit(InvSBox_output)</pre><br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine! To do this adjust the following line to look as follows:<br />
##: <pre>attack.setPointRange((2900, 4200))</pre><br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Run'' button while your script is selected.<br />
#: [[File:A5_run_script_round14.png|400px]]<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
{{warningbox|The default capture stores the WRONG knownkey, so you will have highlighted bytes that are not the correct key. We are looking instead for a large delta between the best-guess and all other guesses. For example for Byte 0 we have the most likely as 0.8141, and 2nd best guess as 0.3551. If our best guess was 0.8141 and 2nd best guess was 0.7981 this would indicate we likely haven't broken the key.}}<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
=== 13th Round Key ===<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file (if closed).<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces, see the separate 'Preprocessing' tutorial (NB: only in slides right now!)<br />
<br />
{{warningbox|Make sure you get a nice aligned last section of the traces, as in the below figure. You may need to adjust the "input window" or "reference points" slightly. If you do not see the nice alignment the remaining attack will fail!<br />
<br />
[[File:A5_pp_resync_end.png|400px]]}}<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper<br />
<br />
class AES256_Round13_Model(AESLeakageHelper):<br />
def leakage(self, pt, ct, guess, bnum):<br />
#You must but YOUR recovered 14th round key here - this example may not be accurate!<br />
calc_round_key = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [calc_round_key[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leak_model = AES128_8bit(AES256_Round13_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
=== Recovering the Encryption Key ===<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
== Next Steps ==<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
== Appendix A: Target Code ==<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
== Appendix B: Capture Script ==<br />
<br />
Note you need to manually CONNECT to the CW-Lite & AES Bootloader target before running this. To do this:<br />
<br />
# Set the 'Scope Module' as 'ChipWhisperer/OpenADC'<br />
# Set the 'Target Module' as 'AES Bootloader' (you need to have that target on your system)<br />
<br />
<pre><br />
"""Setup script for CWLite/1200 with XMEGA (CW303/CW308-XMEGA/CWLite target)<br />
specifically for Tutorial A5: the AES-256 bootloader attack<br />
"""<br />
<br />
try:<br />
scope = self.scope<br />
except NameError:<br />
pass<br />
<br />
scope.gain.gain = 45<br />
scope.adc.samples = 11000<br />
scope.adc.offset = 0<br />
scope.adc.basic_mode = "rising_edge"<br />
scope.clock.clkgen_freq = 7370000<br />
scope.clock.adc_src = "clkgen_x4"<br />
scope.trigger.triggers = "tio4"<br />
scope.io.tio1 = "serial_rx"<br />
scope.io.tio2 = "serial_tx"<br />
scope.io.hs2 = "clkgen"<br />
</pre><br />
<br />
== Appendix C: AES-256 14th Round Key Script ==<br />
Full attack script, copy/paste into a file then run from within ChipWhisperer-Analyzer:<br />
<br />
<syntaxhighlight lang=python><br />
import chipwhisperer as cw<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, InvSBox_output<br />
<br />
#self.project = cw.openProject("2017-mar23-xmega-aes.cwp")<br />
traces = self.project.traceManager()<br />
<br />
attack = CPA()<br />
leak_model = AES128_8bit(InvSBox_output)<br />
attack.setAnalysisAlgorithm(CPAProgressive, leak_model)<br />
attack.setTraceSource(traces)<br />
attack.setTraceStart(0)<br />
attack.setTracesPerAttack(-1)<br />
attack.setIterations(1)<br />
attack.setReportingInterval(10)<br />
attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
attack.setPointRange((2900, 3400))<br />
<br />
self.results_table.setAnalysisSource(attack)<br />
self.correlation_plot.setAnalysisSource(attack)<br />
self.output_plot.setAnalysisSource(attack)<br />
self.pge_plot.setAnalysisSource(attack)<br />
attack.processTraces()<br />
</syntaxhighlight><br />
<br />
== Appendix D: AES-256 13th Round Key Script ==<br />
<br />
<syntaxhighlight lang=python><br />
import chipwhisperer as cw<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, AESLeakageHelper<br />
from chipwhisperer.analyzer.preprocessing.resync_sad import ResyncSAD<br />
<br />
class AES256_Round13_Model(AESLeakageHelper):<br />
def leakage(self, pt, ct, guess, bnum):<br />
#You must but YOUR recovered 14th round key here - this example may not be accurate!<br />
calc_round_key = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [calc_round_key[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
traces = self.project.traceManager()<br />
<br />
resync_traces = ResyncSAD(traces)<br />
resync_traces.enabled = True<br />
resync_traces.ref_trace = 0<br />
resync_traces.target_window = (9100, 9300)<br />
resync_traces.max_shift = 200<br />
<br />
attack = CPA()<br />
leak_model = AES128_8bit(AES256_Round13_Model)<br />
attack.setAnalysisAlgorithm(CPAProgressive, leak_model)<br />
attack.setTraceSource(resync_traces)<br />
attack.setTraceStart(0)<br />
attack.setTracesPerAttack(-1)<br />
attack.setIterations(1)<br />
attack.setReportingInterval(10)<br />
attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
attack.setPointRange((0, -1))<br />
<br />
self.results_table.setAnalysisSource(attack)<br />
self.correlation_plot.setAnalysisSource(attack)<br />
self.output_plot.setAnalysisSource(attack)<br />
self.pge_plot.setAnalysisSource(attack)<br />
attack.processTraces()<br />
</syntaxhighlight><br />
<br />
== Links ==<br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_B1-2_Controlling_ChipWhisperer_using_Python&diff=2805Tutorial B1-2 Controlling ChipWhisperer using Python2017-08-18T19:48:53Z<p>Gdeon: Created page with "This tutorial is an introduction to the ChipWhisperer's Python API. While it is possible to use all of the ChipWhisperer devices' features without writing any code, controllin..."</p>
<hr />
<div>This tutorial is an introduction to the ChipWhisperer's Python API. While it is possible to use all of the ChipWhisperer devices' features without writing any code, controlling them with Python makes them much more powerful, allowing capture settings to be prepared and power traces to be recorded automatically. <br />
<br />
{{TOC|limit=3}}<br />
<br />
<h1> The ChipWhisperer package </h1><br />
The ChipWhisperer Python package contains the high-level API used to control and communicate with ChipWhisperer devices. This package can be imported in any Python interpreter as<br />
<pre><br />
import chipwhisperer as cw<br />
</pre><br />
<br />
ChipWhisperer is a relatively large package that contains many features ranging from low-level control of USB devices to a PyQt GUI program, and it's possible to access all of these components through the package. However, for most users, only a small subset of the package is important. For these tutorials, there are five main concepts to understand:<br />
<ul><br />
<li> A <b>scope</b> object represents a connection to a ChipWhisperer device, such as a CW-Lite or CW1200. Scopes have a large number of settings related to clock frequencies, ADC levels, trigger logic, IO lines, and glitch output - the same parameters that are accessed under the "Scope Settings" tab. </li><br />
<li> A <b>target</b> object represents a connection to a target (or <i>victim</i>) board. The target classes describe how the ChipWhisperer program can communicate with a target board to cause encryptions, password checks, or other operations of interest. As with the scope, the "Target Settings" tab contains the same settings as a target object. </li><br />
<li> A <b>project</b> object is in charge of saving recorded power traces along with some auxiliary data. There are multiple project classes that save data in different formats - for example, it's possible to save power traces to make them compatible with DPAContest v3. </li><br />
<li> An <b>aux_list</b> object keeps track of some extra functions that can be run during a capture. For example, one aux function could reset the target board immediately before capturing a power trace to show a power trace of the device's boot process. </li><br />
<li> A <b>ktp</b> (short for <i>key-text pattern</i>) controls what data is sent to the target during a capture. For example, the basic KTP object can be configured to send many encryption inputs with a fixed key for side-channel analysis. </li><br />
</ul> <br />
<br />
Outside of these objects, the main function for capturing power traces is <code>captureN()</code>. Generally, this function requires a scope, target, project, aux_list, and ktp, along with the number of traces to be captured. However, some of these parameters can be left out. For example, the call<br />
<pre><br />
captureN(scope, target, None, aux_list, ktp, 1)<br />
</pre><br />
will capture a single power trace without saving the data to a project. This is similar to the Capture 1 button in the GUI, which is helpful for testing the ChipWhisperer's settings.<br />
<br />
To find more details about any of these objects, try running <code>help(cw)</code> or <code>help(x)</code> on a scope/target/etc object. <br />
<br />
<h1> The Python Console</h1><br />
<h2> Interpreter </h2><br />
The ChipWhisperer Capture program includes a Python interpreter to give users an interface to the program. This is a full-featured Python console: any installed packages can be imported and used as if Python was run from the command line. <br />
<br />
This console also has a few special objects that provide access to the objects from the GUI. In this console, <code>self</code> is a special object that refers to the CWCapture GUI. This object contains a scope, target, project, aux_list, and ktp, and changes to these objects are linked to the settings shown in the sidebar. For example, with a connected CW-Lite, the line<br />
<pre><br />
self.scope.clock.clkgen_freq = 7370000<br />
</pre><br />
is equivalent to changing the CLKGEN frequency in the Scope Settings tab. By working with these special objects, it's possible to recreate the entire scope setup process in Python, removing all the hard work of preparing these settings by hand.<br />
<br />
{{Warningbox|Caution: The built-in Python console runs in the program's main thread to give it access to the program's scope, target, and other objects. Unfortunately, this means that it's very possible to lock up CWCapture with the console. We've taken a few precautions to avoid lockups: Ctrl-C can stop a running script, and the GUI regains control for a moment every time the interpreter prints to the output field. However, code like <code>while True: pass</code> will certainly stop CWCapture in its tracks. Be careful! }}<br />
<br />
<h2> Script Browser </h2><br />
Alongside the Python console, ChipWhisperer Capture has a file browser and a text preview window. These widgets are used to run pre-written scripts in the console. The file browser has three tabs:<br />
<ul><br />
<li> The <b>ChipWhisperer</b> tab has its root in the <code>chipwhisperer/software/chipwhisperer</code> directory. This tab is provided for convenience - it saves the trouble of digging through folders to find the ChipWhisperer folder to run a script. </li><br />
<li> The <b>Hard Drive</b> tab has its root at the root of the computer's file system. </li><br />
<li> The <b>Recent</b> tab shows the 10 most recently run scripts. It also allows useful scripts to be pinned to the top of the list or removed using the right-click menu. To save space, the full paths aren't shown in this tab - to see it, hold your mouse over a file and the tooltip will show the entire path. </li><br />
</ul><br />
To get you started, the ChipWhisperer repository contains a number of scripts in the <code>capture/scripts</code> folder. These pre-written Python files perform a number of tasks ranging from connecting to a ChipWhisperer to setting up auxiliary modules. Of course, you're encouraged to copy and edit these scripts however you like for your own projects.<br />
<br />
On the side, the preview window shows the selected script. To run it, double-click a script in the browser or press the Run button: the Python console will show the line<br />
<pre><br />
execfile("path/to/script.py")<br />
</pre><br />
which runs the file as if its contents were pasted into the input. The preview window is read-only, but the Edit button opens the selected file in an external editor. By default, the system's regular Python file editor is used, but you can select any executable as the editor under <i>File > Preferences</i>.<br />
<br />
{{Warningbox|Caution: The script preview doesn't automatically update when a file is modified. Don't worry - if you press Run, the most recent copy of the file will be executed! This is just a cosmetic issue. }}<br />
<br />
<h1> Repeating Tutorial B1 </h1><br />
Let's re-run the Tutorial B1 setup. Run the following two scripts:<br />
<ul><br />
<li> <code>capture/scripts/connect_cwlite_simpleserial.py</code>: Connect to a ChipWhisperer-Lite/Pro and a SimpleSerial target </li><br />
<li> <code>capture/scripts/setup_cwlite_xmega_spa</code>: Configure the ChipWhisperer's ADC/clock/IO settings for SPA (<i>simple power analysis</i>) on the XMEGA target board </li><br />
</ul><br />
That's it! If all went well, you can capture power traces as if you worked through the previous tutorial. These scripts will come in handy for the rest of the tutorials.<br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=2786Tutorial A5 Breaking AES-256 Bootloader2017-07-23T16:24:38Z<p>Gdeon: /* 13th Round Key */</p>
<hr />
<div>This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
= Background =<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
== Bootloader Communications Protocol ==<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
== Details of AES-256 CBC ==<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
== Attacking AES-256 ==<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
= Setting up the Hardware =<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
== Building/Programming the Bootloader ==<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
= Capturing the Traces =<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
= Finding the Encryption Key =<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
== 14th Round Key ==<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' settings tab:<br />
## Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)<br />
## Change the Leakage Model to ''HW: AES Inv SBox Output, First Round (Dec)''. <br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine!<br />
##: [[File:Tutorial-A5-Hardware-Model.PNG|image]]<br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Attack'' button.<br />
<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
{{warningbox|The default capture stores the WRONG knownkey, so you will have highlighted bytes that are not the correct key. We are looking instead for a large delta between the best-guess and all other guesses. For example for Byte 0 we have the most likely as 0.8141, and 2nd best guess as 0.3551. If our best guess was 0.8141 and 2nd best guess was 0.7981 this would indicate we likely haven't broken the key.}}<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
== 13th Round Key ==<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. Fpr example, the point range is mapped directly to an API call:<br />
<br />
[[File:autoscript1.png|image]]<br />
<br />
If we modified this script directly, it would be very easy for us to accidentally overwrite our custom script from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file.<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces:<br />
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:<br />
##: [[File:resyncsad.png|image]]<br />
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:<br />
##: [[File:resyncsad2.png|image]]<br />
## Redraw the traces and confirm we now have synchronization on the second half:<br />
##: [[File:resyncsad3.png|image]]<br />
<br />
{{warningbox|Make sure you get a nice aligned last section of the traces, as in the above figure. You may need to adjust the "input window" or "reference points" slightly. If you do not see the nice alignment the remaining attack will fail!}}<br />
<br />
Now, we are ready to make a copy of this script:<br />
# Click on the auto-generated script<br />
# Hit ''Copy'' and save the file somewhere<br />
# Double-click on the description of the new file and give it a better name. <br />
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:<br />
#: [[File:aes256_customscript.png|image]]<br />
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = <PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE><br />
#For example: knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leakage_object = AES128_8bit(AES256_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
== Recovering the Encryption Key ==<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
= Next Steps =<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
= Appendix A: Target Code =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
= Appendix B: Capture Script =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
<br />
# Check for PySide<br />
try:<br />
from PySide.QtCore import *<br />
from PySide.QtGui import *<br />
except ImportError:<br />
print "ERROR: PySide is required for this program"<br />
sys.exit()<br />
<br />
class UserScript(UserScriptBase):<br />
def __init__(self, api):<br />
super(UserScript, self).__init__(api)<br />
<br />
def run(self):<br />
#User commands here<br />
print "***** Starting User Script *****"<br />
<br />
# Set up board and target<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'AES Bootloader'])<br />
self.api.connect()<br />
<br />
# Fill in our other settings<br />
lstexample = [['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Clock Source', 'Target IO-IN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 11000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Multiply', 2],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Divide', 26],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]<br />
<br />
# NOTE: For IV: offset = 70000<br />
#Download all hardware setup parameters<br />
for cmd in lstexample:<br />
self.api.setParameter(cmd)<br />
<br />
# Try a couple of captures<br />
self.api.capture1()<br />
self.api.capture1()<br />
<br />
print "***** Ending User Script *****"<br />
<br />
<br />
if __name__ == '__main__':<br />
# Run the program<br />
app = cwc.makeApplication()<br />
Parameter.usePyQtGraph = True <br />
api = CWCoreAPI() <br />
gui = cwc.CWCaptureGUI(api) <br />
gui.show() <br />
<br />
# Run our program and let the GUI take over<br />
api.runScriptClass(UserScript) <br />
sys.exit(app.exec_())<br />
</pre><br />
<br />
= Appendix C: AES-256 14th Round Key Script =<br />
Full attack script, copy/paste into a file then add as active attack script:<br />
<br />
<pre><br />
# AES-256 14th Round Key Attack<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
class UserScript(UserScriptBase):<br />
name = "Auto-generated"<br />
description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
self.traces = self.api.project().traceManager()<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
self.attack.setAnalysisAlgorithm(CPAProgressive,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit.LEAK_HW_INVSBOXOUT_FIRSTROUND)<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(200)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
app = cwa.makeApplication() # Comment if you don't need the GUI<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
gui.show() # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
</pre><br />
<br />
= Appendix D: AES-256 13th Round Key Script =<br />
<br />
<pre><br />
# AES-256 13th Round Key Script<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
class UserScript(UserScriptBase):<br />
_name = "Auto-generated"<br />
_description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
ppMod0 = preprocessing.resync_sad.ResyncSAD(self.api.project().traceManager())<br />
ppMod0.setEnabled(True)<br />
ppMod0.setReference(rtraceno=0, refpoints=(9100,9300), inputwindow=(8900,9500))<br />
ppMod0.init()<br />
self.traces = ppMod0<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setProject(self.api.project())<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
leakage_object = AES128_8bit(AES256_Model)<br />
self.attack.setAnalysisAlgorithm(chipwhisperer.analyzer.attacks.cpa_algorithms.progressive.CPAProgressive,leakage_object)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(150)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
app = cwa.makeApplication("Analyzer") # Comment if you don't need the GUI<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=2785Tutorial A5 Breaking AES-256 Bootloader2017-07-23T16:20:03Z<p>Gdeon: </p>
<hr />
<div>This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
= Background =<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
== Bootloader Communications Protocol ==<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
== Details of AES-256 CBC ==<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
== Attacking AES-256 ==<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
= Setting up the Hardware =<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
== Building/Programming the Bootloader ==<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
= Capturing the Traces =<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
= Finding the Encryption Key =<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
== 14th Round Key ==<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' settings tab:<br />
## Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)<br />
## Change the Leakage Model to ''HW: AES Inv SBox Output, First Round (Dec)''. <br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine!<br />
##: [[File:Tutorial-A5-Hardware-Model.PNG|image]]<br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Attack'' button.<br />
<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
{{warningbox|The default capture stores the WRONG knownkey, so you will have highlighted bytes that are not the correct key. We are looking instead for a large delta between the best-guess and all other guesses. For example for Byte 0 we have the most likely as 0.8141, and 2nd best guess as 0.3551. If our best guess was 0.8141 and 2nd best guess was 0.7981 this would indicate we likely haven't broken the key.}}<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
== 13th Round Key ==<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. Fpr example, the point range is mapped directly to an API call:<br />
<br />
[[File:autoscript1.png|image]]<br />
<br />
If we modified this script directly, it would be very easy for us to accidentally overwrite our custom script from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file.<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces:<br />
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:<br />
##: [[File:resyncsad.png|image]]<br />
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:<br />
##: [[File:resyncsad2.png|image]]<br />
##: You may have to adjust the reference points & input window ranges - the objective is to get a nice aligned trace on the second part.<br />
## Redraw the traces and confirm we now have synchronization on the second half:<br />
##: [[File:resyncsad3.png|image]]<br />
<br />
Now, we are ready to make a copy of this script:<br />
# Click on the auto-generated script<br />
# Hit ''Copy'' and save the file somewhere<br />
# Double-click on the description of the new file and give it a better name. <br />
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:<br />
#: [[File:aes256_customscript.png|image]]<br />
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = <PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE><br />
#For example: knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leakage_object = AES128_8bit(AES256_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
== Recovering the Encryption Key ==<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
= Next Steps =<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
= Appendix A: Target Code =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
= Appendix B: Capture Script =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
<br />
# Check for PySide<br />
try:<br />
from PySide.QtCore import *<br />
from PySide.QtGui import *<br />
except ImportError:<br />
print "ERROR: PySide is required for this program"<br />
sys.exit()<br />
<br />
class UserScript(UserScriptBase):<br />
def __init__(self, api):<br />
super(UserScript, self).__init__(api)<br />
<br />
def run(self):<br />
#User commands here<br />
print "***** Starting User Script *****"<br />
<br />
# Set up board and target<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'AES Bootloader'])<br />
self.api.connect()<br />
<br />
# Fill in our other settings<br />
lstexample = [['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Clock Source', 'Target IO-IN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 11000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Multiply', 2],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Divide', 26],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]<br />
<br />
# NOTE: For IV: offset = 70000<br />
#Download all hardware setup parameters<br />
for cmd in lstexample:<br />
self.api.setParameter(cmd)<br />
<br />
# Try a couple of captures<br />
self.api.capture1()<br />
self.api.capture1()<br />
<br />
print "***** Ending User Script *****"<br />
<br />
<br />
if __name__ == '__main__':<br />
# Run the program<br />
app = cwc.makeApplication()<br />
Parameter.usePyQtGraph = True <br />
api = CWCoreAPI() <br />
gui = cwc.CWCaptureGUI(api) <br />
gui.show() <br />
<br />
# Run our program and let the GUI take over<br />
api.runScriptClass(UserScript) <br />
sys.exit(app.exec_())<br />
</pre><br />
<br />
= Appendix C: AES-256 14th Round Key Script =<br />
Full attack script, copy/paste into a file then add as active attack script:<br />
<br />
<pre><br />
# AES-256 14th Round Key Attack<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
class UserScript(UserScriptBase):<br />
name = "Auto-generated"<br />
description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
self.traces = self.api.project().traceManager()<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
self.attack.setAnalysisAlgorithm(CPAProgressive,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit.LEAK_HW_INVSBOXOUT_FIRSTROUND)<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(200)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
app = cwa.makeApplication() # Comment if you don't need the GUI<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
gui.show() # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
</pre><br />
<br />
= Appendix D: AES-256 13th Round Key Script =<br />
<br />
<pre><br />
# AES-256 13th Round Key Script<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
class UserScript(UserScriptBase):<br />
_name = "Auto-generated"<br />
_description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
ppMod0 = preprocessing.resync_sad.ResyncSAD(self.api.project().traceManager())<br />
ppMod0.setEnabled(True)<br />
ppMod0.setReference(rtraceno=0, refpoints=(9100,9300), inputwindow=(8900,9500))<br />
ppMod0.init()<br />
self.traces = ppMod0<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setProject(self.api.project())<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
leakage_object = AES128_8bit(AES256_Model)<br />
self.attack.setAnalysisAlgorithm(chipwhisperer.analyzer.attacks.cpa_algorithms.progressive.CPAProgressive,leakage_object)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(150)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
app = cwa.makeApplication("Analyzer") # Comment if you don't need the GUI<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=2784Tutorial A5 Breaking AES-256 Bootloader2017-07-23T16:18:24Z<p>Gdeon: </p>
<hr />
<div>This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
= Background =<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
== Bootloader Communications Protocol ==<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
== Details of AES-256 CBC ==<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
== Attacking AES-256 ==<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
= Setting up the Hardware =<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
== Building/Programming the Bootloader ==<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
= Capturing the Traces =<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
= Finding the Encryption Key =<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
== 14th Round Key ==<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' settings tab:<br />
## Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)<br />
## Change the Leakage Model to ''HW: AES Inv SBox Output, First Round (Dec)''. <br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine!<br />
##: [[File:Tutorial-A5-Hardware-Model.PNG|image]]<br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Attack'' button.<br />
<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
{{warningbox|The default capture stores the WRONG knownkey, so you will have highlighted bytes that are not the correct key. We are looking instead for a large delta between the best-guess and all other guesses. For example for Byte 0 we have the most likely as 0.8141, and 2nd best guess as 0.3551. If our best guess was 0.8141 and 2nd best guess was 0.7981 this would indicate we likely haven't broken the key.}}<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
== 13th Round Key ==<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. Fpr example, the point range is mapped directly to an API call:<br />
<br />
[[File:autoscript1.png|image]]<br />
<br />
If we modified this script directly, it would be very easy for us to accidentally overwrite our custom script from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file.<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces:<br />
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:<br />
##: [[File:resyncsad.png|image]]<br />
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:<br />
##: [[File:resyncsad2.png|image]]<br />
##: {{warningbox| You may have to adjust the reference points & input window ranges - the objective is to get a nice aligned trace on the second part.}}<br />
## Redraw the traces and confirm we now have synchronization on the second half:<br />
##: [[File:resyncsad3.png|image]]<br />
<br />
Now, we are ready to make a copy of this script:<br />
# Click on the auto-generated script<br />
# Hit ''Copy'' and save the file somewhere<br />
# Double-click on the description of the new file and give it a better name. <br />
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:<br />
#: [[File:aes256_customscript.png|image]]<br />
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = <PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE><br />
#For example: knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leakage_object = AES128_8bit(AES256_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
== Recovering the Encryption Key ==<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
= Next Steps =<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
= Appendix A: Target Code =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
= Appendix B: Capture Script =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
<br />
# Check for PySide<br />
try:<br />
from PySide.QtCore import *<br />
from PySide.QtGui import *<br />
except ImportError:<br />
print "ERROR: PySide is required for this program"<br />
sys.exit()<br />
<br />
class UserScript(UserScriptBase):<br />
def __init__(self, api):<br />
super(UserScript, self).__init__(api)<br />
<br />
def run(self):<br />
#User commands here<br />
print "***** Starting User Script *****"<br />
<br />
# Set up board and target<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'AES Bootloader'])<br />
self.api.connect()<br />
<br />
# Fill in our other settings<br />
lstexample = [['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Clock Source', 'Target IO-IN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 11000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Multiply', 2],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Divide', 26],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]<br />
<br />
# NOTE: For IV: offset = 70000<br />
#Download all hardware setup parameters<br />
for cmd in lstexample:<br />
self.api.setParameter(cmd)<br />
<br />
# Try a couple of captures<br />
self.api.capture1()<br />
self.api.capture1()<br />
<br />
print "***** Ending User Script *****"<br />
<br />
<br />
if __name__ == '__main__':<br />
# Run the program<br />
app = cwc.makeApplication()<br />
Parameter.usePyQtGraph = True <br />
api = CWCoreAPI() <br />
gui = cwc.CWCaptureGUI(api) <br />
gui.show() <br />
<br />
# Run our program and let the GUI take over<br />
api.runScriptClass(UserScript) <br />
sys.exit(app.exec_())<br />
</pre><br />
<br />
= Appendix C: AES-256 14th Round Key Script =<br />
Full attack script, copy/paste into a file then add as active attack script:<br />
<br />
<pre><br />
# AES-256 14th Round Key Attack<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
class UserScript(UserScriptBase):<br />
name = "Auto-generated"<br />
description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
self.traces = self.api.project().traceManager()<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
self.attack.setAnalysisAlgorithm(CPAProgressive,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit.LEAK_HW_INVSBOXOUT_FIRSTROUND)<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(200)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
app = cwa.makeApplication() # Comment if you don't need the GUI<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
gui.show() # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
</pre><br />
<br />
= Appendix D: AES-256 13th Round Key Script =<br />
<br />
<pre><br />
# AES-256 13th Round Key Script<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
class UserScript(UserScriptBase):<br />
_name = "Auto-generated"<br />
_description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
ppMod0 = preprocessing.resync_sad.ResyncSAD(self.api.project().traceManager())<br />
ppMod0.setEnabled(True)<br />
ppMod0.setReference(rtraceno=0, refpoints=(9100,9300), inputwindow=(8900,9500))<br />
ppMod0.init()<br />
self.traces = ppMod0<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setProject(self.api.project())<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
leakage_object = AES128_8bit(AES256_Model)<br />
self.attack.setAnalysisAlgorithm(chipwhisperer.analyzer.attacks.cpa_algorithms.progressive.CPAProgressive,leakage_object)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(150)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
app = cwa.makeApplication("Analyzer") # Comment if you don't need the GUI<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=2783Tutorial A5 Breaking AES-256 Bootloader2017-07-23T16:13:34Z<p>Gdeon: </p>
<hr />
<div>This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
= Background =<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
== Bootloader Communications Protocol ==<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
== Details of AES-256 CBC ==<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
== Attacking AES-256 ==<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
= Setting up the Hardware =<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
== Building/Programming the Bootloader ==<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
= Capturing the Traces =<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
= Finding the Encryption Key =<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
== 14th Round Key ==<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' settings tab:<br />
## Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)<br />
## Change the Leakage Model to ''HW: AES Inv SBox Output, First Round (Dec)''. <br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine!<br />
##: [[File:Tutorial-A5-Hardware-Model.PNG|image]]<br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Attack'' button.<br />
<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
== 13th Round Key ==<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. Fpr example, the point range is mapped directly to an API call:<br />
<br />
[[File:autoscript1.png|image]]<br />
<br />
If we modified this script directly, it would be very easy for us to accidentally overwrite our custom script from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file.<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces:<br />
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:<br />
##: [[File:resyncsad.png|image]]<br />
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:<br />
##: [[File:resyncsad2.png|image]]<br />
## Redraw the traces and confirm we now have synchronization on the second half:<br />
##: [[File:resyncsad3.png|image]]<br />
<br />
Now, we are ready to make a copy of this script:<br />
# Click on the auto-generated script<br />
# Hit ''Copy'' and save the file somewhere<br />
# Double-click on the description of the new file and give it a better name. <br />
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:<br />
#: [[File:aes256_customscript.png|image]]<br />
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = <PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE><br />
#For example: knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leakage_object = AES128_8bit(AES256_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
== Recovering the Encryption Key ==<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
= Next Steps =<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
= Appendix A: Target Code =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
= Appendix B: Capture Script =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
<br />
# Check for PySide<br />
try:<br />
from PySide.QtCore import *<br />
from PySide.QtGui import *<br />
except ImportError:<br />
print "ERROR: PySide is required for this program"<br />
sys.exit()<br />
<br />
class UserScript(UserScriptBase):<br />
def __init__(self, api):<br />
super(UserScript, self).__init__(api)<br />
<br />
def run(self):<br />
#User commands here<br />
print "***** Starting User Script *****"<br />
<br />
# Set up board and target<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'AES Bootloader'])<br />
self.api.connect()<br />
<br />
# Fill in our other settings<br />
lstexample = [['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Clock Source', 'Target IO-IN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 11000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Multiply', 2],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Divide', 26],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]<br />
<br />
# NOTE: For IV: offset = 70000<br />
#Download all hardware setup parameters<br />
for cmd in lstexample:<br />
self.api.setParameter(cmd)<br />
<br />
# Try a couple of captures<br />
self.api.capture1()<br />
self.api.capture1()<br />
<br />
print "***** Ending User Script *****"<br />
<br />
<br />
if __name__ == '__main__':<br />
# Run the program<br />
app = cwc.makeApplication()<br />
Parameter.usePyQtGraph = True <br />
api = CWCoreAPI() <br />
gui = cwc.CWCaptureGUI(api) <br />
gui.show() <br />
<br />
# Run our program and let the GUI take over<br />
api.runScriptClass(UserScript) <br />
sys.exit(app.exec_())<br />
</pre><br />
<br />
= Appendix C: AES-256 14th Round Key Script =<br />
Full attack script, copy/paste into a file then add as active attack script:<br />
<br />
<pre><br />
# AES-256 14th Round Key Attack<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
class UserScript(UserScriptBase):<br />
name = "Auto-generated"<br />
description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
self.traces = self.api.project().traceManager()<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
self.attack.setAnalysisAlgorithm(CPAProgressive,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit.LEAK_HW_INVSBOXOUT_FIRSTROUND)<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(200)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
app = cwa.makeApplication() # Comment if you don't need the GUI<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
gui.show() # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
</pre><br />
<br />
= Appendix D: AES-256 13th Round Key Script =<br />
<br />
<pre><br />
# AES-256 13th Round Key Script<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
class UserScript(UserScriptBase):<br />
_name = "Auto-generated"<br />
_description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
ppMod0 = preprocessing.resync_sad.ResyncSAD(self.api.project().traceManager())<br />
ppMod0.setEnabled(True)<br />
ppMod0.setReference(rtraceno=0, refpoints=(9100,9300), inputwindow=(8900,9500))<br />
ppMod0.init()<br />
self.traces = ppMod0<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setProject(self.api.project())<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
leakage_object = AES128_8bit(AES256_Model)<br />
self.attack.setAnalysisAlgorithm(chipwhisperer.analyzer.attacks.cpa_algorithms.progressive.CPAProgressive,leakage_object)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(150)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
app = cwa.makeApplication("Analyzer") # Comment if you don't need the GUI<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A5_Breaking_AES-256_Bootloader&diff=2782Tutorial A5 Breaking AES-256 Bootloader2017-07-23T00:07:53Z<p>Gdeon: /* 14th Round Key */</p>
<hr />
<div>This tutorial will take you through a complete attack on an encrypted bootloader using AES-256. This demonstrates how to using side-channel power analysis on practical systems, along with discussing how to perform analysis with custom scripts.<br />
<br />
Whilst the tutorial assumes you will be performing the entire capture of traces along with the attack, it is possible to download the traces if you don't have the hardware, in which case skip section [[#Setting up the Hardware]] and [[#Capturing the Traces]].<br />
<br />
= Background =<br />
In the world of microcontrollers, a bootloader is a special piece of firmware that is made to let the user upload new programs into memory. This is especially useful for devices with complex code that may need to be patched or otherwise updated in the future - a bootloader makes it possible for the user to upload a patched version of the firmware onto the micro. The bootloader receives information from a communication line (a USB port, serial port, ethernet port, WiFi connection, etc...) and stores this data into program memory. Once the full firmware has been received, the micro can happily run its updated code.<br />
<br />
There is one big security issue to worry about with bootloaders. A company may want to stop their customers from writing their own firmware and uploading it onto the micro. For example, this might be for protection reasons - hackers might be able to access parts of the device that weren't meant to be accessed. One way of stopping this is to add encryption. The company can add their own secret signature to the firmware code and encrypt it with a secret key. Then, the bootloader can decrypt the incoming firmware and confirm that the incoming firmware is correctly signed. Users will not know the secret key or the signature tied to the firmware, so they won't be able to "fake" their own.<br />
<br />
This tutorial will work with a simple AES-256 bootloader. The victim will receive data through a serial connection, decrypt the command, and confirm that the included signature is correct. Then, it will only save the code into memory if the signature check succeeded. To make this system more robust against attacks, the bootloader will use cipher-block chaining (CBC mode). Our goal is to find the secret key and the CBC initialization vector so that we could successfully fake our own firmware.<br />
<br />
== Bootloader Communications Protocol ==<br />
The bootloader's communications protocol operates over a serial port at 38400 baud rate. The bootloader is always waiting for new data to be sent in this example; in real life one would typically force the bootloader to enter through a command sequence.<br />
<br />
Commands sent to the bootloader look as follows:<br />
<br />
<pre><br />
|<-------- Encrypted block (16 bytes) ---------->|<br />
| |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
| 0x00 | Signature (4 Bytes) | Data (12 Bytes) | CRC-16 |<br />
+------+------+------+------+------+------+ .... +------+------+------+<br />
</pre><br />
<br />
This frame has four parts:<br />
* <code>0x00</code>: 1 byte of fixed header<br />
* Signature: A secret 4 byte constant. The bootloader will confirm that this signature is correct after decrypting the frame.<br />
* Data: 12 bytes of the incoming firmware. This system forces us to send the code 12 bytes at a time; more complete bootloaders may allow longer variable-length frames.<br />
* CRC-16: A 16-bit checksum using the CRC-CCITT polynomial (0x1021). The LSB of the CRC is sent first, followed by the MSB. The bootloader will reply over the serial port, describing whether or not this CRC check was valid.<br />
As described in the diagram, the 16 byte block is not sent as plaintext. Instead, it is encrypted using AES-256 in CBC mode. This encryption method will be described in the next section.<br />
<br />
The bootloader responds to each command with a single byte indicating if the CRC-16 was OK or not:<br />
<br />
<pre><br />
+------+<br />
CRC-OK: | 0xA1 |<br />
+------+<br />
<br />
+------+<br />
CRC Failed: | 0xA4 |<br />
+------+<br />
</pre><br />
<br />
Then, after replying to the command, the bootloader veries that the signature is correct. If it matches the expected manufacturer's signature, the 12 bytes of data will be written to flash memory. Otherwise, the data is discarded.<br />
<br />
== Details of AES-256 CBC ==<br />
<br />
The system uses the AES algorithm in Cipher Block Chaining (CBC) mode. In general one avoids using encryption 'as-is' (i.e. Electronic Code Book), since it means any piece of plaintext always maps to the same piece of ciphertext. Cipher Block Chaining ensures that if you encrypted the same thing a bunch of times it would always encrypt to a new piece of ciphertext.<br />
<br />
You can see another reference on the design of the encryption side; we'll be only talking about the decryption side here. In this case AES-256 CBC mode is used as follows, where the details of the AES-256 Decryption block will be discussed in detail later:<br />
<br />
[[File:aes256_cbc.png|image]]<br />
<br />
This diagram shows that the output of the decryption is no longer used directly as the plaintext. Instead, the output is XORed with a 16 byte mask, which is usually taken from the previous ciphertext. Also, the first decryption block has no previous ciphertext to use, so a secret initialization vector (IV) is used instead. If we are going to decrypt the entire ciphertext (including block 0) or correctly generate our own ciphertext, we'll need to find this IV along with the AES key.<br />
<br />
<br />
== Attacking AES-256 ==<br />
The system in this tutorial uses AES-256 encryption, which has a 256 bit (32 byte) key - twice as large as the 16 byte key we've attacked in previous tutorials. This means that our regular AES-128 CPA attacks won't quite work. However, extending these attacks to AES-256 is fairly straightforward: the theory is explained in detail in [[Extending AES-128 Attacks to AES-256]]. <br />
<br />
As the theory page explains, our AES-256 attack will have 4 steps:<br />
# Perform a standard attack (as in AES-128 decryption) to determine the first 16 bytes of the key, corresponding to the 14th round encryption key.<br />
# Using the known 14th round key, calculate the hypothetical outputs of each S-Box from the 13th round using the ciphertext processed by the 14th round, and determine the 16 bytes of the 13th round key manipulated by inverse MixColumns.<br />
# Perform the MixColumns and ShiftRows operation on the hypothetical key determined above, recovering the 13th round key.<br />
# Using the AES-256 key schedule, reverse the 13th and 14th round keys to determine the original AES-256 encryption key.<br />
<br />
= Setting up the Hardware =<br />
This tutorial uses the [[CW1173 ChipWhisperer-Lite]] hardware. This hardware does not require any special setup - it should be ready to go out-of-the-box.<br />
<br />
Note that you '''don't need hardware''' to complete the tutorial. Instead, you can download [https://www.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Site]. Just look for the traces titled ''AVR: AES256 Bootloader (ChipWhisperer Tutorial #A5)''.<br />
<br />
== Building/Programming the Bootloader ==<br />
The firmware that implements the bootloader is available inside the ChipWhisperer folder at <code>chipwhisperer\hardware\victims\firmware\bootloader-aes256</code>. If you've uploaded the firmware for any of the other tutorials, the process is identical:<br />
<br />
# Open a command prompt/terminal window and navigate to this folder. Enter the command <code>make PLATFORM=X</code>, where X is the name of your target. For instance, use <code>PLATFORM=CW303</code> on the ChipWhisperer Lite. Ensure that the program is successfully compiled. The output should end with a line like<br />
#: <pre>Built for platform CW-Lite XMEGA</pre><br />
# Open the ChipWhisperer Capture software and connect to your hardware. Open the programmer window (''Tools > CW-Lite XMEGA Programmer''), find the <code>.hex</code> file that you just made, and ''Erase/Program/Verify FLASH''.<br />
<br />
The firmware is now loaded onto your hardware, and you can continue onto the capture process.<br />
<br />
= Capturing the Traces =<br />
Once the hardware is ready, we can capture some traces for our attack using the ChipWhisperer Capture software. If you somehow got to the 5th ''Advanced Tutorial'' without getting this software ready, you can follow the helpful guide at [[Installing ChipWhisperer]].<br />
<br />
The first thing we need to do is add a new target to the ChipWhisperer system. (None of the existing ones know about the bootloader's data format, nor do they recognize the CRC responses that are sent back to us.) The code for this target is included in [[#Appendix A: Target Code]]. Copy/paste this into a Python file (call it whatever you want) and save it in a place where ChipWhisperer will look for it. There are two folders that you can use:<br />
* Your computer should have a folder called <code>chipwhisperer_projects</code> - if you don't know where this is, the ''File > Preferences'' window will tell you. The system looks in the folder <code>chipwhisperer_projects\chipwhisperer\capture\targets</code> for new targets, so you can save your file here.<br />
* Alternatively, all of the normal targets are stored in <code>chipwhisperer\software\chipwhisperer\capture\targets</code>, so you can also save the file here. Note that this may not be possible if you don't have access to these folders (ex: your account doesn't have admin access).<br />
<br />
Next is the capture script. In some of the previous tutorials, we entered all of the capture settings by hand. Since we are civilized humans armed with technology, we can use a script to do all of this setup for us. A pre-written Python script is provided at [[#Appendix B: Capture Script]]. Take a look at this code and notice what it does:<br />
* it fills in the scope, target, and trace format that we'll use;<br />
* it connects to the hardware; and<br />
* it loads all of the hardware parameters for us. Nice!<br />
Copy this script into a <code>.py</code> file somewhere convenient. Then, perform the following steps to finish the capture:<br />
# Run the capture script, which will open a ChipWhisperer Capture window with everything connected for us.<br />
# Open the terminal (''Tools > Terminal'') and connect to the board. While the terminal is open, press the ''Capture 1'' button. A single byte of data should appear in the terminal. This byte will either be <code>a1</code> (CRC failed) or <code>a4</code> (CRC OK). If you see any other responses, something is wrong. <br />
#: [[File:Tutorial-A5-Capture.PNG|image]]<br />
# Once you're happy with this, open the General Settings tab and set the Number of Traces. You should need around 100 traces to break AES.<br />
# Press the ''Capture Many'' button to record the 100 traces. You'll see the new traces plotted on-screen.<br />
# Once the program is finished capturing the traces, save the project. Put it somewhere memorable and give it a nice name.<br />
<br />
= Finding the Encryption Key =<br />
Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.<br />
<br />
== 14th Round Key ==<br />
We can attack the 14th round key with a standard, no-frills CPA attack:<br />
<br />
# Open the ChipWhisperer Analyzer program and load the <code>.cwp</code> file with the 13th and 14th round traces. This can be either the <code>aes256_round1413_key0_100.cwp</code> file downloaded or the capture you performed.<br />
# View and manipulate the trace data with the following steps:<br />
## Switch to the ''Trace Output Plot'' tab<br />
## Switch to the ''Results'' parameter setting tab<br />
## Choose the traces to be plotted and press the ''Redraw'' button to draw them<br />
## Right-click on the waveform to change options, or left-click and drag to zoom<br />
## Use the toolbar to quickly reset the zoom back to original<br />
##: [[File:Tutorial-A5-Plot-Traces.PNG|image]]<br />
##: Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.<br />
# Set up the attack in the ''Attack'' settings tab:<br />
## Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)<br />
## Change the Leakage Model to ''HW: AES Inv SBox Output, First Round (Dec)''. <br />
## If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 for 4200. The default settings will also work fine!<br />
##: [[File:Tutorial-A5-Hardware-Model.PNG|image]]<br />
# Note that we do ''not'' know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the ''Results'' settings tab has a Highlighted Key setting. Change this to Override mode and enter the key <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
# Finally, run the attack by switching to the ''Results Table'' tab and then hitting the ''Attack'' button.<br />
<br />
There are a few ways to check the results of the attack. First, the results table will show the best guesses for each subkey. With the highlight override enabled, the red bytes should be the best guesses for every single subkey:<br />
<br />
[[File:Tutorial-A5-Results-Right-Key.PNG|image]]<br />
<br />
However, the correct key will still rise to the top even if the wrong bytes are highlighted. The coloring and correlation coefficients in the results table should still make it clear that the top guess is the best one:<br />
<br />
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]<br />
<br />
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):<br />
<br />
[[File:Aes14round points.png|image]]<br />
<br />
In any case, we've determined that the correct 14th round key is <code>ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb</code>.<br />
<br />
''NOTE: if you're stuck, a full listing of the attack script is given in [[#Appendix C: AES-256 14th Round Key Script]].''<br />
<br />
== 13th Round Key ==<br />
Unfortunately, we cannot use the GUI to attack the 13th round key. The system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for complete script used here.<br />
<br />
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. Fpr example, the point range is mapped directly to an API call:<br />
<br />
[[File:autoscript1.png|image]]<br />
<br />
If we modified this script directly, it would be very easy for us to accidentally overwrite our custom script from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:<br />
<br />
# Open the ChipWhisperer Analyzer software again and reopen the project file.<br />
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)<br />
#: [[File:syncproblems.png|image]]<br />
# Resynchronize the traces:<br />
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:<br />
##: [[File:resyncsad.png|image]]<br />
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:<br />
##: [[File:resyncsad2.png|image]]<br />
## Redraw the traces and confirm we now have synchronization on the second half:<br />
##: [[File:resyncsad3.png|image]]<br />
<br />
Now, we are ready to make a copy of this script:<br />
# Click on the auto-generated script<br />
# Hit ''Copy'' and save the file somewhere<br />
# Double-click on the description of the new file and give it a better name. <br />
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:<br />
#: [[File:aes256_customscript.png|image]]<br />
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.<br />
<br />
The next step is to program our own leakage model. The following Python code models the Hamming weight model of the 13th round S-box:<br />
<br />
<pre><br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
</pre><br />
You can look back at the C code of the AES-256 decryption to see how this is implementing the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext -- otherwise, we would only need to operate on one byte of the ciphertext.<br />
<br />
The last step is to perform the attack using this model:<br />
# Add the above function to your custom script file.<br />
# Change the <code>setAnalysisAlgorithm</code> in the script to use your custom functions by making the following call:<br />
#:<pre>leakage_object = AES128_8bit(AES256_Model)</pre><br />
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, try changing the <code>setPointRange()</code> function call to<br />
#:<pre>self.attack.setPointRange((8000,10990))</pre><br />
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:<br />
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]<br />
<br />
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.<br />
<br />
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console:<br />
<br />
<pre><br />
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns<br />
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]<br />
>>> key = shiftrows(knownkey)<br />
>>> key = mixcolumns(key)<br />
>>> print &quot; &quot;.join([&quot;%02x&quot; % i for i in key])<br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63<br />
</pre><br />
<br />
Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.<br />
<br />
== Recovering the Encryption Key ==<br />
Finally, we have enough information to recover the initial encryption key. In AES-256, the initial key is used in the key expansion routine to generate 15 round keys, and we know the key for round 13 and 14. All we need to do now is reverse the key scheduling algorithm to calculate the ''0/1 Round Key'' from the ''13/14 Round Key''. <br />
<br />
In the ChipWhisperer Analyzer software, a key schedule calculator is provided in ''Tools > AES Key Schedule'':<br />
<br />
[[File:keyschedule_tool.png|image]]<br />
<br />
Open this tool and paste the 13/14 round keys, which are<br />
<pre><br />
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63 ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb<br />
</pre><br />
<br />
Tell the tool that this key is the 13/14 round key; it will automatically display the entire key schedule and the initial encryption key. You should find the initial encryption key is:<br />
<pre><br />
94 28 5d 4d 6d cf ec 08 d8 ac dd f6 be 25 a4 99 c4 d9 d0 1e c3 40 7e d7 d5 28 d4 09 e9 f0 88 a1<br />
</pre><br />
<br />
Peek into <code>supersecret.h</code>, confirm that this is the right key, and celebrate!<br />
<br />
= Next Steps =<br />
If you want to go further with this tutorial, [[Tutorial A5-Bonus Breaking AES-256 Bootloader]] continues working with the same firmware to find the remaining secrets in the bootloader (the IV and the signature).<br />
<br />
= Appendix A: Target Code =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import time<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.capture.targets.SimpleSerial import SimpleSerial<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.capture.targets._base import TargetTemplate<br />
from chipwhisperer.common.utils import pluginmanager<br />
from chipwhisperer.capture.targets.simpleserial_readers.cwlite import SimpleSerial_ChipWhispererLite<br />
from chipwhisperer.common.utils.parameter import setupSetParam<br />
<br />
# Class Crc<br />
#############################################################<br />
# These CRC routines are copy-pasted from pycrc, which are:<br />
# Copyright (c) 2006-2013 Thomas Pircher <tehpeh@gmx.net><br />
#<br />
class Crc(object):<br />
"""<br />
A base class for CRC routines.<br />
"""<br />
<br />
def __init__(self, width, poly):<br />
"""The Crc constructor.<br />
<br />
The parameters are as follows:<br />
width<br />
poly<br />
reflect_in<br />
xor_in<br />
reflect_out<br />
xor_out<br />
"""<br />
self.Width = width<br />
self.Poly = poly<br />
<br />
<br />
self.MSB_Mask = 0x1 << (self.Width - 1)<br />
self.Mask = ((self.MSB_Mask - 1) << 1) | 1<br />
<br />
self.XorIn = 0x0000<br />
self.XorOut = 0x0000<br />
<br />
self.DirectInit = self.XorIn<br />
self.NonDirectInit = self.__get_nondirect_init(self.XorIn)<br />
if self.Width < 8:<br />
self.CrcShift = 8 - self.Width<br />
else:<br />
self.CrcShift = 0<br />
<br />
def __get_nondirect_init(self, init):<br />
"""<br />
return the non-direct init if the direct algorithm has been selected.<br />
"""<br />
crc = init<br />
for i in range(self.Width):<br />
bit = crc & 0x01<br />
if bit:<br />
crc ^= self.Poly<br />
crc >>= 1<br />
if bit:<br />
crc |= self.MSB_Mask<br />
return crc & self.Mask<br />
<br />
<br />
def bit_by_bit(self, in_data):<br />
"""<br />
Classic simple and slow CRC implementation. This function iterates bit<br />
by bit over the augmented input message and returns the calculated CRC<br />
value at the end.<br />
"""<br />
# If the input data is a string, convert to bytes.<br />
if isinstance(in_data, str):<br />
in_data = [ord(c) for c in in_data]<br />
<br />
register = self.NonDirectInit<br />
for octet in in_data:<br />
for i in range(8):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask) | ((octet >> (7 - i)) & 0x01)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
for i in range(self.Width):<br />
topbit = register & self.MSB_Mask<br />
register = ((register << 1) & self.Mask)<br />
if topbit:<br />
register ^= self.Poly<br />
<br />
return register ^ self.XorOut<br />
<br />
<br />
class BootloaderTarget(TargetTemplate):<br />
_name = 'AES Bootloader'<br />
<br />
def __init__(self):<br />
TargetTemplate.__init__(self)<br />
<br />
ser_cons = pluginmanager.getPluginsInDictFromPackage("chipwhisperer.capture.targets.simpleserial_readers", True, False)<br />
self.ser = ser_cons[SimpleSerial_ChipWhispererLite._name]<br />
<br />
self.keylength = 16<br />
self.input = ""<br />
self.crc = Crc(width=16, poly=0x1021)<br />
self.setConnection(self.ser)<br />
<br />
def setKeyLen(self, klen):<br />
""" Set key length in BITS """<br />
self.keylength = klen / 8 <br />
<br />
def keyLen(self):<br />
""" Return key length in BYTES """<br />
return self.keylength<br />
<br />
def getConnection(self):<br />
return self.ser<br />
<br />
def setConnection(self, con):<br />
self.ser = con<br />
self.params.append(self.ser.getParams())<br />
self.ser.connectStatus.connect(self.connectStatus.emit)<br />
self.ser.selectionChanged()<br />
<br />
def con(self, scope=None):<br />
if not scope or not hasattr(scope, "qtadc"): Warning(<br />
"You need a scope with OpenADC connected to use this Target")<br />
<br />
self.ser.con(scope)<br />
# 'x' flushes everything & sets system back to idle<br />
self.ser.write("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")<br />
self.ser.flush()<br />
self.connectStatus.setValue(True)<br />
<br />
def close(self):<br />
if self.ser != None:<br />
self.ser.close()<br />
return<br />
<br />
def init(self):<br />
pass<br />
<br />
def setModeEncrypt(self):<br />
return<br />
<br />
def setModeDecrypt(self):<br />
return<br />
<br />
def convertVarToString(self, var):<br />
if isinstance(var, str):<br />
return var<br />
<br />
sep = ""<br />
s = sep.join(["%c" % b for b in var])<br />
return s<br />
<br />
def loadEncryptionKey(self, key):<br />
pass<br />
<br />
def loadInput(self, inputtext):<br />
self.input = inputtext<br />
<br />
def readOutput(self):<br />
# No actual output<br />
return [0] * 16<br />
<br />
def isDone(self):<br />
return True<br />
<br />
def checkEncryptionKey(self, kin):<br />
return kin<br />
<br />
def go(self):<br />
# Starting byte is 0x00<br />
message = [0x00]<br />
<br />
# Append 16 bytes of data<br />
message.extend(self.input)<br />
<br />
# Append 2 bytes of CRC for input only (not including 0x00)<br />
crcdata = self.crc.bit_by_bit(self.input)<br />
<br />
message.append(crcdata >> 8)<br />
message.append(crcdata & 0xff)<br />
<br />
# Write message<br />
message = self.convertVarToString(message)<br />
for i in range(0, 5):<br />
self.ser.flush()<br />
self.ser.write(message)<br />
time.sleep(0.1)<br />
data = self.ser.read(1)<br />
<br />
if len(data) > 0:<br />
resp = ord(data[0])<br />
<br />
if resp == 0xA4:<br />
# Encryption run OK<br />
break<br />
<br />
if resp != 0xA1:<br />
raise IOError("Bad Response %x" % resp)<br />
<br />
if len(data) > 0:<br />
if resp != 0xA4:<br />
raise IOError("Failed to communicate, last response: %x" % resp)<br />
else:<br />
raise IOError("Failed to communicate, no response")<br />
</pre><br />
<br />
= Appendix B: Capture Script =<br />
<pre><br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-<br />
#<br />
# Copyright (c) 2013-2016, NewAE Technology Inc<br />
# All rights reserved.<br />
#<br />
# Authors: Colin O'Flynn, Greg d'Eon<br />
#<br />
# Find this and more at newae.com - this file is part of the chipwhisperer<br />
# project, http://www.assembla.com/spaces/chipwhisperer<br />
#<br />
# This file is part of chipwhisperer.<br />
#<br />
# chipwhisperer is free software: you can redistribute it and/or modify<br />
# it under the terms of the GNU General Public License as published by<br />
# the Free Software Foundation, either version 3 of the License, or<br />
# (at your option) any later version.<br />
#<br />
# chipwhisperer is distributed in the hope that it will be useful,<br />
# but WITHOUT ANY WARRANTY; without even the implied warranty of<br />
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br />
# GNU Lesser General Public License for more details.<br />
#<br />
# You should have received a copy of the GNU General Public License<br />
# along with chipwhisperer. If not, see <http://www.gnu.org/licenses/>.<br />
#=================================================<br />
<br />
import sys<br />
import chipwhisperer.capture.ui.CWCaptureGUI as cwc<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
<br />
# Check for PySide<br />
try:<br />
from PySide.QtCore import *<br />
from PySide.QtGui import *<br />
except ImportError:<br />
print "ERROR: PySide is required for this program"<br />
sys.exit()<br />
<br />
class UserScript(UserScriptBase):<br />
def __init__(self, api):<br />
super(UserScript, self).__init__(api)<br />
<br />
def run(self):<br />
#User commands here<br />
print "***** Starting User Script *****"<br />
<br />
# Set up board and target<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'AES Bootloader'])<br />
self.api.connect()<br />
<br />
# Fill in our other settings<br />
lstexample = [['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Clock Source', 'Target IO-IN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 11000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Multiply', 2],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Divide', 26],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]<br />
<br />
# NOTE: For IV: offset = 70000<br />
#Download all hardware setup parameters<br />
for cmd in lstexample:<br />
self.api.setParameter(cmd)<br />
<br />
# Try a couple of captures<br />
self.api.capture1()<br />
self.api.capture1()<br />
<br />
print "***** Ending User Script *****"<br />
<br />
<br />
if __name__ == '__main__':<br />
# Run the program<br />
app = cwc.makeApplication()<br />
Parameter.usePyQtGraph = True <br />
api = CWCoreAPI() <br />
gui = cwc.CWCaptureGUI(api) <br />
gui.show() <br />
<br />
# Run our program and let the GUI take over<br />
api.runScriptClass(UserScript) <br />
sys.exit(app.exec_())<br />
</pre><br />
<br />
= Appendix C: AES-256 14th Round Key Script =<br />
Full attack script, copy/paste into a file then add as active attack script:<br />
<br />
<pre><br />
# AES-256 14th Round Key Attack<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
class UserScript(UserScriptBase):<br />
name = "Auto-generated"<br />
description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
self.traces = self.api.project().traceManager()<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
self.attack.setAnalysisAlgorithm(CPAProgressive,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit,chipwhisperer.analyzer.attacks.models.AES128_8bit.AES128_8bit.LEAK_HW_INVSBOXOUT_FIRSTROUND)<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(200)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
app = cwa.makeApplication() # Comment if you don't need the GUI<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
gui.show() # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
</pre><br />
<br />
= Appendix D: AES-256 13th Round Key Script =<br />
<br />
<pre><br />
# AES-256 13th Round Key Script<br />
from chipwhisperer.common.scripts.base import UserScriptBase<br />
# Imports from Preprocessing<br />
import chipwhisperer.analyzer.preprocessing as preprocessing<br />
# Imports from Attack<br />
from chipwhisperer.analyzer.attacks.cpa import CPA<br />
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive<br />
import chipwhisperer.analyzer.attacks.models.AES128_8bit<br />
# Imports from utilList<br />
<br />
# Imports for AES256 Attack<br />
from chipwhisperer.analyzer.attacks.models.base import ModelsBase<br />
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit<br />
<br />
class AES256_Model(AESLeakageHelper):<br />
name = 'Our model'<br />
def leakage(self, pt, ct, guess, bnum):<br />
knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]<br />
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]<br />
block = xored<br />
block = self.inv_shiftrows(block)<br />
block = self.inv_subbytes(block)<br />
block = self.inv_mixcolumns(block)<br />
block = self.inv_shiftrows(block)<br />
result = block<br />
return self.inv_sbox((result[bnum] ^ guess[bnum]))<br />
<br />
class UserScript(UserScriptBase):<br />
_name = "Auto-generated"<br />
_description = "Auto-generated Attack Script"<br />
def __init__(self, api):<br />
UserScriptBase.__init__(self, api)<br />
self.initProject()<br />
self.initPreprocessing()<br />
self.initAnalysis()<br />
self.initReporting()<br />
<br />
def initProject(self):<br />
pass<br />
<br />
def initPreprocessing(self):<br />
ppMod0 = preprocessing.resync_sad.ResyncSAD(self.api.project().traceManager())<br />
ppMod0.setEnabled(True)<br />
ppMod0.setReference(rtraceno=0, refpoints=(9100,9300), inputwindow=(8900,9500))<br />
ppMod0.init()<br />
self.traces = ppMod0<br />
<br />
def initAnalysis(self):<br />
self.attack = CPA()<br />
self.attack.setProject(self.api.project())<br />
self.attack.setTraceSource(self.traces, blockSignal=True)<br />
leakage_object = AES128_8bit(AES256_Model)<br />
self.attack.setAnalysisAlgorithm(chipwhisperer.analyzer.attacks.cpa_algorithms.progressive.CPAProgressive,leakage_object)<br />
self.attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<br />
self.attack.setTraceStart(0)<br />
self.attack.setTracesPerAttack(150)<br />
self.attack.setIterations(1)<br />
self.attack.setReportingInterval(10)<br />
self.attack.setPointRange((0,10991))<br />
<br />
def initReporting(self):<br />
# Configures the attack observers (usually a set of GUI widgets)<br />
self.api.getResults("Attack Settings").setAnalysisSource(self.attack)<br />
self.api.getResults("Correlation vs Traces in Attack").setAnalysisSource(self.attack)<br />
self.api.getResults("Output vs Point Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("PGE vs Trace Plot").setAnalysisSource(self.attack)<br />
self.api.getResults("Results Table").setAnalysisSource(self.attack)<br />
self.api.getResults("Save to Files").setAnalysisSource(self.attack)<br />
self.api.getResults("Trace Output Plot").setTraceSource(self.traces)<br />
self.api.getResults("Trace Recorder").setTraceSource(self.traces)<br />
<br />
def run(self):<br />
self.attack.processTraces()<br />
<br />
if __name__ == '__main__':<br />
import chipwhisperer.analyzer.ui.CWAnalyzerGUI as cwa<br />
from chipwhisperer.common.utils.parameter import Parameter<br />
Parameter.usePyQtGraph = True # Comment if you don't need the GUI<br />
api = CWCoreAPI() # Instantiate the API<br />
app = cwa.makeApplication("Analyzer") # Comment if you don't need the GUI<br />
gui = cwa.CWAnalyzerGUI(api) # Comment if you don't need the GUI<br />
api.runScriptClass(UserScript) # Run UserScript through the API<br />
app.exec_() # Comment if you don't need the GUI<br />
<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_A8_32bit_AES&diff=2770Tutorial A8 32bit AES2017-07-18T14:22:38Z<p>Gdeon: /* Background */</p>
<hr />
<div>Most of our previous tutorials were running on 8-bit modes of operation. We can target typical implementation on ARM devices which actually looks a little different.<br />
<br />
This tutorial is ONLY possible if you have an ARM target. For example the UFO Board with the STM32F3 target (or similar).<br />
<br />
== Background ==<br />
<br />
A 32-bit machine can operate on 32-bit words, so it seems wasteful to use the same 8-bit operations. Indeed we can speed up the AES operation considerably by generating several tables (called T-Tables), as was described in the book [http://www.springer.com/gp/book/9783540425809 The Design of Rijndael] which was published by the authors of AES.<br />
<br />
In order to take advantage of our 32 bit machine, we can examine a typical round of AES. With the exception of the final round, each round looks like:<br />
<br />
<math><br />
\mathbf{a} = \text{Round Input}<br />
</math><br />
<br />
<math><br />
\mathbf{b} = \text{SubBytes}(\mathbf{a})<br />
</math><br />
<br />
<math><br />
\mathbf{c} = \text{ShiftRows}(\mathbf{b})<br />
</math><br />
<br />
<math><br />
\mathbf{d} = \text{MixColumns}(\mathbf{c})<br />
</math><br />
<br />
<math><br />
\mathbf{a'} = \text{AddRoundKey}(d) = \text{Round Output}<br />
</math><br />
<br />
We'll leave AddRoundKey the way it is. The other operations are:<br />
<br />
<math><br />
b_{i,j} = \text{sbox}[a_{i,j}]<br />
</math><br />
<br />
<math><br />
\begin{bmatrix}<br />
c_{0,j} \\<br />
c_{1,j} \\<br />
c_{2,j} \\<br />
c_{3,j} <br />
\end{bmatrix}<br />
=<br />
\begin{bmatrix}<br />
b_{0, j+0} \\<br />
b_{1, j+1} \\<br />
b_{2, j+2} \\<br />
b_{3, j+3}<br />
\end{bmatrix}<br />
</math><br />
<br />
<math><br />
\begin{bmatrix}<br />
d_{0,j} \\<br />
d_{1,j} \\<br />
d_{2,j} \\<br />
d_{3,j} <br />
\end{bmatrix}<br />
=<br />
\begin{bmatrix}<br />
02 & 03 & 01 & 01 \\<br />
01 & 02 & 03 & 01 \\<br />
01 & 01 & 02 & 03 \\<br />
03 & 01 & 01 & 02<br />
\end{bmatrix}<br />
\times<br />
\begin{bmatrix}<br />
c_{0,j} \\<br />
c_{1,j} \\<br />
c_{2,j} \\<br />
c_{3,j} <br />
\end{bmatrix}<br />
</math><br />
<br />
Note that the ShiftRows operation <math>b_{i, j+c}</math> is a cyclic shift and the matrix multiplcation in MixColumns denotes the xtime operation in GF(<math>2^8</math>). <br />
<br />
It's possible to combine all three of these operations into a single line. We can write 4 bytes of <math>d</math> as the linear combination of four different 4 byte vectors:<br />
<br />
<math><br />
\begin{bmatrix}<br />
d_{0,j} \\<br />
d_{1,j} \\<br />
d_{2,j} \\<br />
d_{3,j} <br />
\end{bmatrix}<br />
=<br />
\begin{bmatrix}<br />
02 \\<br />
01 \\<br />
01 \\<br />
03<br />
\end{bmatrix}<br />
\text{sbox}[a_{0,j+0}]\ <br />
<br />
\oplus<br />
<br />
\begin{bmatrix}<br />
03 \\<br />
02 \\<br />
01 \\<br />
01<br />
\end{bmatrix}<br />
\text{sbox}[a_{1,j+1}]\ <br />
<br />
\oplus<br />
<br />
\begin{bmatrix}<br />
01 \\<br />
03 \\<br />
02 \\<br />
01<br />
\end{bmatrix}<br />
\text{sbox}[a_{2,j+2}]\ <br />
<br />
\oplus<br />
<br />
\begin{bmatrix}<br />
01 \\<br />
01 \\<br />
03 \\<br />
02<br />
\end{bmatrix}<br />
\text{sbox}[a_{3,j+3}]<br />
</math><br />
<br />
Now, for each of these four components, we can tabulate the outputs for every possible 8-bit input:<br />
<br />
<math><br />
T_0[a] = <br />
\begin{bmatrix}<br />
02 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
03 \times \text{sbox}[a] \\<br />
\end{bmatrix}<br />
</math><br />
<br />
<math><br />
T_1[a] = <br />
\begin{bmatrix}<br />
03 \times \text{sbox}[a] \\<br />
02 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
\end{bmatrix}<br />
</math><br />
<br />
<math><br />
T_2[a] = <br />
\begin{bmatrix}<br />
01 \times \text{sbox}[a] \\<br />
03 \times \text{sbox}[a] \\<br />
02 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
\end{bmatrix}<br />
</math><br />
<br />
<math><br />
T_3[a] = <br />
\begin{bmatrix}<br />
01 \times \text{sbox}[a] \\<br />
01 \times \text{sbox}[a] \\<br />
03 \times \text{sbox}[a] \\<br />
02 \times \text{sbox}[a] \\<br />
\end{bmatrix}<br />
</math><br />
<br />
These tables have 2^8 different 32-bit entries, so together the tables take up 4 kB. Finally, we can quickly compute one round of AES by calculating<br />
<br />
<math><br />
\begin{bmatrix}<br />
d_{0,j} \\<br />
d_{1,j} \\<br />
d_{2,j} \\<br />
d_{3,j} <br />
\end{bmatrix}<br />
=<br />
T_0[a_0,j+0] \oplus<br />
T_1[a_1,j+1] \oplus<br />
T_2[a_2,j+2] \oplus<br />
T_3[a_3,j+3]<br />
</math><br />
<br />
All together, with AddRoundKey at the end, a single round now takes 16 table lookups and 16 32-bit XOR operations. This arrangement is much more efficient than the traditional 8-bit implementation. There are a few more tradeoffs that can be made: for instance, the tables only differ by 8-bit shifts, so it's also possible to store only 1 kB of lookup tables at the expense of a few rotate operations.<br />
<br />
Note that T-tables don't have a big effect on AES from a side-channel analysis perspective. The SubBytes output is still buried in the T-tables and the other operations are linear, so it's still possible to attack 32-bit AES using the same 8-bit attack methods.<br />
<br />
== Building Firmware ==<br />
<br />
You will have to build with the <code>PLATFORM</code> set to one of the ARM targets (such as <code>CW308_STM32F0</code> for the STM32F0 victim, or <code>CW308_STM32F3</code> for the STM32F3 victim). If you haven't setup the ARM build environment see the page [[CW308T-STM32F#Example_Projects]]. Assuming your build environment is OK, you can build it as follows:<br />
<br />
cd chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make PLATFORM=CW308_STM32F3 CRYPTO_TARGET=MBEDTLS<br />
<br />
If this works you should get something like the following:<br />
<br />
Creating Symbol Table: simpleserial-aes-CW308_STM32F3.sym<br />
arm-none-eabi-nm -n simpleserial-aes-CW308_STM32F3.elf > simpleserial-aes-CW308_<br />
STM32F3.sym<br />
Size after:<br />
text data bss dec hex filename<br />
8440 1076 10320 19836 4d7c simpleserial-aes-CW308_STM32F3.elf<br />
+--------------------------------------------------------<br />
+ Built for platform CW308T: STM32F3 Target<br />
+--------------------------------------------------------<br />
<br />
== Hardware Setup ==<br />
<br />
# Using a UFO board, connect your desired STM32Fx target:<br />
#: [[File:A8_hwsetup.jpg|600px]]<br />
# Before finishing the hardware setup, you should connect to the target device. To do this you can use one of the standard setup scripts. This will provide a clock & setup TX/RX lines as expected for the STM32F, which is required for the programmer to work.<br />
#: <br />
<br />
=== Programming STM32F Device ===<br />
<br />
{{:CW308T-STM32F/ChipWhisperer_Bootloader}}<br />
<br />
== Capturing Traces ==<br />
<br />
The capture process is similar to previous setups. After running the setup script, adjust the following settings:<br />
<br />
# Set the offset to by 0 samples:<br />
#: [[File:A8_offset.png|400px]]<br />
# Adjust the gain upward to get a good signal - note it will look VERY different from previous encryption examples:<br />
#: [[File:A8_traceexample.png|400px]]<br />
#Capture a larger (~500) number of traces.<br />
<br />
== Running Attack ==<br />
<br />
The attach is ran in the same manner as previous AES attacks, we use the same leakage assumptions as we don't actually care about the T-Table implementation. The resulting output vs. point location will look a little "messier", as shown here:<br />
<br />
[[File:A8_outputvspoint.png]]<br />
<br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=File:09_Cw1173_connectrun.png&diff=2742File:09 Cw1173 connectrun.png2017-07-17T13:04:29Z<p>Gdeon: Gdeon uploaded a new version of File:09 Cw1173 connectrun.png</p>
<hr />
<div>File uploaded with MsUpload</div>Gdeonhttp://wiki.newae.com/index.php?title=Tutorial_B3-1_Timing_Analysis_with_Power_for_Password_Bypass&diff=2741Tutorial B3-1 Timing Analysis with Power for Password Bypass2017-07-17T12:53:15Z<p>Gdeon: /* Recording Power Traces */</p>
<hr />
<div>This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.<br />
<br />
In addition this example shows you how to drive the ChipWhisperer software with a script, rather than using the GUI. This will be required when attacking new devices which you have not yet added to the core ChipWhisperer software.<br />
<br />
Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.<br />
<br />
You can also view a 53-min [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:<br />
<br />
= Prerequisites =<br />
<br />
You should have already completed [[Tutorial B2 Viewing Instruction Power Differences]] to gain a better understanding of the ChipWhisperer interface.<br />
<br />
= Building the Target Firmware =<br />
<br />
The target firmware is located in the directory <code>chipwhisperer\hardware\victims\firmware\basic-passwdcheck</code>. Build the firmware using <code>make</code>, once again being careful to ensure you are using the correct <code>PLATFORM=</code> command. You should end up with something like this being printed:<br />
<br />
<pre>Creating Symbol Table: basic-passwdcheck.sym<br />
avr-nm -n basic-passwdcheck.elf &gt; basic-passwdcheck.sym<br />
<br />
Size after:<br />
AVR Memory Usage<br />
----------------<br />
Device: atxmega128d3<br />
<br />
Program: 5400 bytes (3.9% Full)<br />
(.text + .data + .bootloader)<br />
<br />
Data: 524 bytes (6.4% Full)<br />
(.data + .bss + .noinit)<br />
<br />
<br />
Built for platform CW-Lite XMEGA<br />
<br />
-------- end --------</pre><br />
<br />
= Manual Communications with the Target =<br />
<br />
At this point, you should be able to configure the target as in the previous tutorials. Rather than tediously going through the setup process again, we'll simply use one of the scripts built into the ChipWhisperer-Capture software. This will demonstrate how we can use a script as a starting point to simplify our setup.<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li><br />
<li>Open the ChipWhisperer-Capture software.</li><br />
<li>From the ''Example Scripts'', select one which most closely matches your hardware. For example here I'm using a ChipWhisperer-Lite with the XMEGA target, so will select that script. Note I'm ''NOT'' attacking AES, so will need to make some adjustments later.</li><br />
<li>The system should connect to your hardware. Remember you have not yet reprogrammed the target so won't be communicating with the target program.</li><br />
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li><br />
<li><p>Select ''Tools --&gt; Open Terminal'', and press ''Connect''. You should see a window such as this:</p><br />
<blockquote><p>[[File:Termconn.png|image]]</p></blockquote></li><br />
<li><p>At this point we need to reset the target device. The easiest way to do this is use the programmer interface, and press the ''Check Signature'' or ''Read Signature'' button. This will reset the target device as part of the signature read operation. You should see some messages come across the terminal emulator window:</p><br />
<blockquote><p>[[File:Checksig_print.png|image]]</p></blockquote><br />
<dl><br />
<dt>Note a few warnings about the terminal emulator:</dt><br />
<dd><ul><br />
<li>The on-board buffer is fairly small, and can be easily overflowed. You may notice a few longer lines become trunicated if printing is too fast!</li><br />
<li>You can uncheck the &quot;Show non-ASCII as hex&quot; to avoid having the <code>0a</code> printed in red. The <code>0a</code> is the hex character for a newline. Many protocols use non-ASCII characters, so to help with debugging it is left enabled by default.</li></ul><br />
</dd></dl><br />
</li><br />
<li><p>We've now got some super-secure system! Let's begin with some exploratory tests - in this case I happened to know the correct password is <code>h0px3</code>.</p><br />
<blockquote><p>'''tip'''</p><br />
<p>In real systems, you may often know ''one'' of the passwords, which is sufficient to investigate the password checking routines as we will do. You also normally have an ability to reset passwords to default. While the reset procedure would erase any data you care about, the attacker will be able to use this 'sacrificial' device to learn about possible vulnerabilites. So the assumption that we have access to the password is really just saying we have access to ''a'' password, and will use that knowledge to break the system in general.</p></blockquote></li><br />
<li><p>Using the terminal emulator, write the correct password in, and press <code>&lt;enter&gt;</code>. You should be greeted by a welcome message, and if using the CW-Lite XMEGA target the green LED will illuminate:</p><br />
<p>[[File:Passok.png|image]]</p></li><br />
<li>The system enters an infinite loop for any password entry. Thus you must reset the system, use the ''Programmer Window'' to again perform a ''Check Signature'' or ''Read Signature'' operation.</li><br />
<li>Enter an incorrect password - notice a different message is printed, and if using the CW-Lite XMEGA target the red LED will come on.</li></ol><br />
<br />
= Recording Power Traces =<br />
Now that we can communicate with our super-secure system, our next goal is to get a power trace while the target is running. To do this, we'll get the power measurements to trigger after we send our password to the target. <br />
<br />
<ol style="list-style-type: decimal;"><br />
<li><p>We'll make some changes to the trigger setup of the ChipWhisperer. In particular, ensure you set the following:</p><br />
<blockquote><ul><br />
<li>Offset = 0</li><br />
<li>Timeout set to 5 seconds or greater (to give yourself time when manually testing)</li></ul><br />
<br />
<p>[[File:Timeout_offset.png|image]]</p></blockquote></li><br />
<li><p>Change to the ''Target Settings'' tab, and delete the ''Command'' strings. Those strings are used in the AES attack to send a specific command to the target device, for now we will be manually sending data:</p><br />
<blockquote><p>[[File:Text_targetsettings.png|image]]</p></blockquote></li><br />
<li>Still in the ''Target Settings'' tab, under ''Protocol Version'', change ''Version'' from ''Auto'' to ''1.0''<br />
<li><p>Perform the following actions:</p><br />
<blockquote><ol style="list-style-type: lower-roman;"><br />
<li>Reset the target device (e.g. by performing the signature check).</li><br />
<li>Enter the password <code>h0px3</code> in the terminal window, but ''do not'' yet hit enter.</li><br />
<li>Press the ''Capture 1'' button, and immediately switch to the terminal emulator window and press <code>&lt;enter&gt;</code> to send the password.</li></ol><br />
</blockquote><br />
<p>You must send the password before the timeout occurs -- you can increase the length of the timeout if needed to give yourself more time! If this works you should see the power consumption displayed in the GUI:</p><br />
<blockquote><p>[[File:Trace_manual_pass.png|image]]</p></blockquote></li><br />
<br />
<li><p>Rather than using the manual terminal, let's now use the GUI to automatically send a password try. Switching back to the ''Target Settings'' tab, write <code>h0px3\n</code> into the ''Go Command'' option:</p><br />
<blockquote><p>[[File:Gocorrect.png|image]]</p></blockquote><br />
<p>The ''Go Command'' is sent right after the scope is armed. In this example it means we can capture the power consumption during the password entry phase.</p></li><br />
<li><p>Now perform the following actions:</p><br />
<blockquote><ol style="list-style-type: lower-roman;"><br />
<li>Reset the target device (e.g. by performing the signature check).</li><br />
<li>Press the ''Capture 1'' button.</li></ol><br />
</blockquote><br />
<p>Hopefully this resulted in the same waveform as before! Note the device takes around 1 second to 'boot', so if you are too lightning fast after resetting the device it won't actually be ready to accept the password. You can keep the terminal emulator window open to view the output data.</p></li><br />
<li><p>Play around with the password entered on the ''Go Command'' - try all of the following:</p><br />
<ul><br />
<li><code>h0px3\n</code></li><br />
<li><code>h0px4\n</code></li><br />
<li><code>h0paa\n</code></li><br />
<li><code>haaaa\n</code></li><br />
<li><code>a\n</code></li></ul><br />
<br />
<p>You should notice a distinct change in the password depending how many characters were correct. For example the following shows the difference between passwords of <code>h0px4</code> (which has 4 correct characters) and <code>h0paa</code> (which has 3 correct characters):</p><br />
<blockquote><p>[[File:3vs4.png|image]]</p></blockquote></li></ol><br />
<br />
= Automatic Resets =<br />
The last step before scripting an entire attack is to figure out how to automatically reset the target device before (or after) each capture. There are two ways to do this, and the following steps take you through two examples of how to accomplish this goal.<br />
<br />
== Reset via Spare IO Lines ==<br />
<br />
TODO - see reset via programming interface for now<br />
<br />
== Reset via Auxiliary Module ==<br />
<br />
Auxiliary modules are small pieces of code that can perform some extra functions during the capture process. The functions inside these Python modules are run before a capture, before the power measurement is armed, before the measurement is triggered, after a single trace is completed, and after an entire capture is finished. We will use an existing auxiliary module to reset the target chip before arming the measurement so that we don't have to manually reset the device.<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li> We're going to use the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea of how this module works: <br />
* Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) and open <code>ResetCW1183Read.py</code> in your choice of text editor.<br />
* Find the function definition for <code>resetDevice()</code>. It contains a line that looks like: <br />
<pre><br />
CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()<br />
</pre><br />
* Look for the lines where this function gets called. You'll find that the function <code>traceArm()</code> uses it like: <br />
<pre><br />
resettiming = self.findParam('resettiming').value()<br />
if resettiming == 'Pre-Arm':<br />
self.resetDevice()<br />
</pre><br />
Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power trace.<br />
</li><br />
<br />
<li> Go back to the ChipWhisperer Capture software. In the ''Generic Settings'' tab, switch the Auxiliary Module to ''Reset AVR/XMEGA via CW-Lite''.<br />
</li><br />
<li> Now, in the ''Aux Settings'' tab, we can configure our automatic reset. Make sure the settings are:<br />
* Pre-arm delay: roughly 1200 ms<br />
* Post-arm delay: the default (0 ms) is fine<br />
* Reset timing: Pre-arm (reset the device before we arm the scope)<br />
</li><br />
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.<br />
</li><br />
</ol><br />
<br />
Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.<br />
<br />
= Performing the Timing Attack =<br />
So far, we've set up our ChipWhisperer to automatically reset the target, send it a password attempt of our choice, and record a power trace while the target processes the password. Now, we'll write a Python script to automatically try different passwords and use these power traces to discover the password stored on the target.<br />
<br />
== Scripting the Setup ==<br />
Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>cwlite-simpleserialxmega.py</code>. Make a copy of this script and put it somewhere memorable.<br />
</li><br />
<li><p>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the parameters:</p><br />
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format<br />
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra', 'CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],<br />
['CW Extra', 'CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 3000],<br />
['OpenADC', 'Trigger Setup', 'Offset', 1500],<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
#Final step: make DCMs relock in case they are lost<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
]</pre><br />
<p>Those parameters come from the ''Scripting Parameters'' tab. Switch over to it and notice this tab logs all of the parameter changes, showing you how to change the parameters through the API:</p><br />
<blockquote><p>[[File:Scriptcommands.png|image]]</p></blockquote><br />
<p>Note that commands run via the script are also printed, so you can see where the values being set are coming from too. </p><br />
</li><br />
<br />
<li><p>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:</p><br />
<blockquote><ol style="list-style-type: lower-roman;"><br />
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li><br />
<li>If using the VMWare image of a Linux machine, this should just be a regular console</li></ol><br />
</blockquote></li></ol><br />
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this perform the following:<br />
<blockquote><ol style="list-style-type: lower-roman;"><br />
<li>Open ChipWhisperer-Capture regularly.</li><br />
<li>Run the ChipWhisperer script that you used previously.</li><br />
<li>Select ''Tools--&gt;Config CW Firmware''</li><br />
<li>Under the &quot;FPGA .zip (Release)&quot;, hit the &quot;Find&quot; button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol><br />
</blockquote></blockquote><br />
<br />
<ol start="4" style="list-style-type: decimal;"><br />
<li>Once again on the ''Target Settings'' tab, delete the various commands. Make a note of the resulting ''Script Commands'' which you will need to enter to achieve this same goal. Close ChipWhisperer-Capture.</li><br />
<li><p>Continue editing your script. First, find the line setting the Trigger Offset:</p><br />
<pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre><br />
<p>And set this to 0, which we were using previously:</p><br />
<pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></li><br />
<li><p>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:</p><br />
<pre>#Example of using a list to set parameters. Slightly easier to copy/paste in this format<br />
lstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED...<br />
#Final step: make DCMs relock in case they are lost<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
<br />
#Append your commands here<br />
['Simple Serial', 'Load Key Command', u''],<br />
['Simple Serial', 'Go Command', u''],<br />
['Simple Serial', 'Output Format', u''], <br />
<br />
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],<br />
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200], <br />
]</pre></li><br />
<br />
<li><p>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:</p><br />
<pre>self.api.setParameter(['Simple Serial', 'Go Command', u'h0px3\\n'])</pre><br />
<p>Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.</p><br />
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li><br />
</ol><br />
<br />
<br />
== Running a Single Capture ==<br />
With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.<br />
<br />
The API allows us to ''press the Capture 1'' button and ''view the power trace'' without using the GUI. There are two relevant commands here:<br />
* <code> self.api.capture1()</code> acts as if we've just pressed the ''Capture 1'' button;<br />
* <code> self.api.getScope().channels[0].getTrace()</code> returns a list of datapoints that were recorded in the previous capture.<br />
We want to test these two commands. After the setup portion of your script, add some code similar to the following:<br />
<pre><br />
self.api.capture1()<br />
data = self.api.getScope().channels[0].getTrace()<br />
print data<br />
</pre><br />
Run your script. The ChipWhisperer should automatically capture one trace and print out the several thousand datapoints. This is all we need to continue.<br />
<br />
== Attacking a Single Letter ==<br />
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.<br />
<br />
<li><p>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:</p><br />
<blockquote><p>[[File:Passwordcrackerpts.png|image]]</p></blockquote><br />
<p>When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</p></li><br />
<br />
<li> Add a loop to your script that does the following:<br />
* Sets the ''Go Command'' to the next character we want to try<br />
* Captures a power trace<br />
* Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)<br />
* Repeats for all characters we want to try<br />
An example of this loop is:<br />
<pre><br />
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'<br />
<br />
for c in trylist:<br />
# Test this password and record a power trace<br />
self.api.setParameter(['Simple Serial', 'Go Command', c + '\n'])<br />
self.api.capture1()<br />
<br />
# Get the data and check data[153]<br />
data = self.api.getScope().channels[0].getTrace()<br />
if data[153] > -0.2:<br />
print "Success: " + c <br />
</pre><br />
This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!<br />
</li><br />
<br />
== Attacking the Full Password ==<br />
The last step is to attack the entire password, one letter at a time. The procedure to do this is:<br />
* Start with a blank password string<br />
* Loop through all of the characters we want to try:<br />
** Add the next character to the end of the password<br />
** Test this new candidate password using code similar to the above<br />
** If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password<br />
* Repeat until we've cracked all 5 characters.<br />
<br />
Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location <code>153</code> for character 0, <code>153 + 72</code> for character 1, and <code>153 + i*72</code> for character <code>i</code>.<br />
<br />
An example of this loop is:<br />
<pre><br />
password = ''<br />
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'<br />
<br />
for i in range(5):<br />
for c in trylist:<br />
# Get a power trace using our next attempt<br />
nextPass = password + '{}'.format(c)<br />
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])<br />
self.api.capture1()<br />
<br />
# Grab the trace<br />
nextTrace = self.api.getScope().channels[0].getTrace()<br />
<br />
# Check location 153, 225, etc. If it's too low, we've failed<br />
if nextTrace[153 + 72*i] < -0.2:<br />
continue<br />
<br />
# If we got here, we've found the right letter<br />
password += c<br />
print '{} characters: {}'.format(i+1, password)<br />
break<br />
</pre><br />
After some time, this prints <code>5 characters: h0px3</code> -- it automatically finds the correct password.<br />
<br />
That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:<br />
<br />
* The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.<br />
* The current script doesn't look for the &quot;WELCOME&quot; message when the password is OK. That is an extension that allows it to crack any size password.<br />
* If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.<br />
<br />
= Conclusion =<br />
<br />
This tutorial has demonstrated the use of the power side-channel for performing timing attacks. A target with a simple password-based security system is broken. In addition you have learned about the scripting support in the ChipWhisperer-Capture software.<br />
<br />
= Appendix: Completed Timing Attack Script =<br />
The <code>run()</code> function at the end of the tutorial might look something like the following:<br />
<pre><br />
def run(self):<br />
# This is the function that gets called when our script starts<br />
<br />
# First: set up the basics and connect to the CW-Lite<br />
self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC'])<br />
self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial'])<br />
self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native'])<br />
self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite'])<br />
self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite'])<br />
self.api.connect()<br />
<br />
<br />
# Next: set up everything we need to connect to the target<br />
# Put all of our commands in a list and execute them at the end<br />
lstexample = [<br />
# Gain<br />
['OpenADC', 'Gain Setting', 'Setting', 45],<br />
# Trigger<br />
['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'],<br />
['OpenADC', 'Trigger Setup', 'Offset', 0],<br />
['OpenADC', 'Trigger Setup', 'Total Samples', 2000],<br />
# Clock<br />
['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'],<br />
['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],<br />
# Pins<br />
['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True],<br />
['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'],<br />
['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'],<br />
# Automatic commands<br />
['Simple Serial', 'Load Key Command', ''],<br />
['Simple Serial', 'Go Command', 'h0px3\n'],<br />
['Simple Serial', 'Output Format', ''],<br />
# Auto-reset<br />
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'],<br />
['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200],<br />
]<br />
<br />
#Download all hardware setup parameters<br />
for cmd in lstexample: <br />
self.api.setParameter(cmd)<br />
<br />
# Get one capture for fun<br />
self.api.capture1()<br />
data = self.api.getScope().channels[0].getTrace()<br />
print data<br />
<br />
<br />
# Crack the first letter<br />
password = ''<br />
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'<br />
<br />
for i in range(5):<br />
for c in trylist:<br />
# Get a power trace using our next attempt<br />
nextPass = password + '{}'.format(c)<br />
self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)])<br />
self.api.capture1()<br />
<br />
# Grab the trace<br />
nextTrace = self.api.getScope().channels[0].getTrace()<br />
<br />
# Check location 153, 225, etc. If it's too low, we've failed<br />
if nextTrace[153 + 72*i] < -0.2:<br />
continue<br />
<br />
# If we got here, we've found the right letter<br />
password += c<br />
print '{} characters: {}'.format(i+1, password)<br />
break<br />
</pre><br />
<br />
{{Template:Tutorials}}<br />
[[Category:Tutorials]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Installing_ChipWhisperer_from_Git&diff=2663Installing ChipWhisperer/Installing ChipWhisperer from Git2017-07-10T17:33:10Z<p>Gdeon: Use git submodule commands instead of manually cloning</p>
<hr />
<div>If you want the cutting-edge version of ChipWhisperer, you can clone the repository. If you have Git already set up, this is easy to do:<br />
<pre><br />
git clone git@github.com:newaetech/chipwhisperer.git<br />
cd chipwhisperer/software<br />
python setup.py develop<br />
</pre><br />
<br />
You may also want the OpenADC software, which is necessary to build new firmware for the ChipWhisperer FPGA. This is unnecessary for most users. If you need it:<br />
<pre><br />
cd ..<br />
git submodule init<br />
git submodule update<br />
cd openadc/controlsw/python<br />
python setup.py develop<br />
</pre></div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer&diff=2575Installing ChipWhisperer2017-05-19T17:30:21Z<p>Gdeon: </p>
<hr />
<div><span class="expandall"></span><br />
<br />
This page describes how to install the ChipWhisperer software. <br />
<br />
There are four ways to set up ChipWhisperer:<br />
* '''VMWare Virtual Machine:''' Get a pre-prepared virtual machine image with all of the required tools already installed. ''Recommended for beginners.''<br />
* '''ChipWhisperer Releases:''' Get a zip file with the latest stable ChipWhisperer code and run it on your own environment. <br />
* '''PyPi Package:''' <code>pip install chipwhisperer</code>. Only includes the software - doesn't come with the hardware source files.<br />
* '''Git Repository:''' Get the latest, bleeding-edge features and bugs. Recommended if you're an experienced developer and you want to contribute to ChipWhisperer.<br />
<br />
{{TOC|limit=3}}<br />
<br />
{{CollapsibleSection<br />
|intro = = Using VMWare Virtual Machine =<br />
|content= Installing ChipWhisperer/Using VMWare Virtual Machine}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Required Tools - Windows =<br />
|content= Installing ChipWhisperer/Required Tools - Windows}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Required Tools - Linux =<br />
|content= Installing ChipWhisperer/Required Tools - Linux}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Required Tools - Mac OS X =<br />
|content= Installing ChipWhisperer/Required Tools - Mac OS X}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Installing ChipWhisperer from Releases =<br />
|content= Installing ChipWhisperer/Installing ChipWhisperer from Releases}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Installing ChipWhisperer from PyPi =<br />
|content= Installing ChipWhisperer/Installing ChipWhisperer from PyPi}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Installing ChipWhisperer from Git =<br />
|content= Installing ChipWhisperer/Installing ChipWhisperer from Git}}<br />
<br />
{{CollapsibleSection<br />
|intro= = Quick Tests =<br />
|content= Installing ChipWhisperer/Quick Tests}}<br />
<br />
[[Category:Introduction]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2574Installing ChipWhisperer/Required Tools - Windows2017-05-19T17:29:34Z<p>Gdeon: </p>
<hr />
<div><h2> Python </h2><br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
<h2> Python Packages </h2><br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
<h2> Installing Hardware Drivers </h2><br />
<br />
Details of driver installation are on specific pages for supported hardware (such as cwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
<h2> Getting AVR Compiler Toolchain </h2><br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p><br />
Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
<h3> WinAVR Path Settings </h3><br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Dynamic_Time_Warp&diff=2543Dynamic Time Warp2017-05-16T20:46:17Z<p>Gdeon: </p>
<hr />
<div>Dynamic Time Warp gives the ability to automatically resyncronize traces. This uses the Dynamic Time Warp (DTW), which was suggested in the paper [https://www.riscure.com/benzine/documents/elastic_ctrsa_final.pdf Elastic Alignment]. The result is something like the following, showing traces going from unaligned to aligned, where sections of "dead space" are detected:<br />
<br />
[[File:alignfull.gif]]<br />
<br />
The DTW algorithm has one parameter that can be adjusted. The ''radius'' describes how wide the search should be: with a larger radius, the DTW process will allow larger gaps in the synchronized traces. The maximum allowed gap does not increase one-to-one with the radius, but in general a larger radius will produce a better match with a slightly longer processing time.<br />
<br />
== Important Notes ==<br />
<br />
Every time the redraw happens, the entire realignment is run. To avoid this you should set the [[Trace Cache]] module as a preprocessing module immediately after the "Dynamic Time Warp". Be sure to enable that module first on the ''Preprocessing Module'' tab. The results should be the DTW is only run when needed, and not EVERY time you redraw traces.<br />
<br />
[[File:dtwcache.png|400px]]<br />
<br />
You can specify further modules after the trace cache, for example a digital filter. If you adjust the settings of the digital filter (or any other module after the cache), traces will be read from the cache instead of the DTW process rerunning. If you adjust settings of a module infront of the cache (such as a digital filter before the DTW process) the cache is invalidated and the DTW process runs again.<br />
<br />
== Known Issues ==<br />
<br />
* Current progress bar is nonsensical, and only present to give you some idea of processing status.<br />
<br />
<br />
[[Category: Preprocessing Module]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2521Installing ChipWhisperer/Required Tools - Windows2017-05-16T19:47:43Z<p>Gdeon: </p>
<hr />
<div>== Python ==<br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
== Python Packages ==<br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
== Installing Hardware Drivers ==<br />
<br />
Details of driver installation are on specific pages for supported hardware (such as hwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
== Getting AVR Compiler Toolchain ==<br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p><br />
Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
=== WinAVR Path Settings ===<br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2520Installing ChipWhisperer/Required Tools - Windows2017-05-16T19:46:37Z<p>Gdeon: </p>
<hr />
<div>== Python ==<br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
== Python Packages ==<br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
== Installing Hardware Drivers ==<br />
<br />
Details of driver installation are on specific pages for supported hardware (such as hwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
== Getting AVR Compiler Toolchain ==<br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p></li><br />
Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
=== WinAVR Path Settings ===<br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2503Installing ChipWhisperer/Required Tools - Windows2017-05-16T18:08:07Z<p>Gdeon: </p>
<hr />
<div>== Python ==<br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
== Python Packages ==<br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
== Installing Hardware Drivers ==<br />
<br />
Details of driver installation are on specific pages for supported hardware (such as hwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
== Getting AVR Compiler Toolchain ==<br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li><p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p></li><br />
<li>Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
=== WinAVR Path Settings ===<br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2501Installing ChipWhisperer/Required Tools - Windows2017-05-16T18:02:23Z<p>Gdeon: </p>
<hr />
<div>Test<br />
<br />
== Python ==<br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
== Python Packages ==<br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
== Installing Hardware Drivers ==<br />
<br />
Details of driver installation are on specific pages for supported hardware (such as hwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
== Getting AVR Compiler Toolchain ==<br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li><p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p></li><br />
<li>Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
=== WinAVR Path Settings ===<br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Installing_ChipWhisperer/Required_Tools_-_Windows&diff=2500Installing ChipWhisperer/Required Tools - Windows2017-05-16T18:01:59Z<p>Gdeon: </p>
<hr />
<div>=== Python ===<br />
For any of the other installation methods, you'll need to have Python 2 installed on your computer. If you already a recent version of Python installed (2.7.x), you can skip this step. Note that Python 3.x will not work with this codebase. There's also a bit of setup that's needed to get other tools and prepare other drivers.<br />
<br />
The recommend method of installing Python is to use a distribution called [http://winpython.github.io/ WinPython]. This setup avoids installing Python globally, and includes most of the software you will need. In addition it makes it possible to install 32-bit and 64-bit Python on the same system with minimal problems. This can be very useful as the 64-bit version is handy for doing analysis on large data sets.<br />
<br />
To install WinPython 2.7.x, Download a release in the 2.7.x branch from the [http://winpython.github.io/ WinPython] site. It's recommended to use the 32-bit version, but you can also use the 64-bit version. Also, note that the recent releases (like WinPython-32bit-2.7.13.0Zero) don't come with any pre-installed packages. We recommend [https://sourceforge.net/projects/winpython/files/WinPython_2.7/2.7.10.3/ WinPython 2.7.10.3].<br />
<br />
Note that certain drivers (such as the SmartCard driver) ''do not'' work on the 64-bit version. Choose a reasonable location to install this to - note the default is simply in the download directory. Instead it's recommended to find a directory such as <code>c:\WinPython32bit-2.7.10.3</code>, or into your local directory such as <code>c:\Users\yourname\WinPython-32bit-2.7.10.3</code>.<br />
<br />
Go to your installation directory for WinPython, and run the shortcut called '''WinPython Command Prompt.exe'''. This will give you a command prompt which is setup to run Python along with associated scripts.<br />
<br />
''Optional'': You can add the python.exe you just installed to your PATH. To do so navigate to your installation folder, and run the '''WinPython Control Panel.exe''' program. Then select ''Advanced -> Register distribution...''. If you do not do this, you will have to run all commands in this document via the '''WinPython Command Prompt.exe'''. If you plan on running both 32-bit and 64-bit Python, you should not register them. Instead explicitly call the correct Python by always running the '''WinPython Command Prompt.exe''', and then calling specific programs (such as CW Capture or Analyzer) from that command prompt.<br />
<br />
== Python Packages ==<br />
There are a number of packages that the ChipWhisperer project uses. You'll need to install these so that the software can run. Note that the PyPi install process should automatically install these, so you shouldn't need to manually install everything there.<br />
<br />
Run the following commands to get the needed packages:<br />
* '''PyQTGraph:''' <code>pip install pyqtgraph</code><br />
* '''ConfigObj:''' <code>pip install configobj</code><br />
<br />
You might also need some extra packages. Generally you can avoid them unless you have specific need of the features they enable:<br />
<br />
'''PyUSB:''' if you're planning to use the ChipWhisperer Capture Rev2 hardware, this is necessary. You can install this using pip:<br />
* <code>pip install pyusb</code><br />
* If that fails, try specifying the latest version, like: <code>pip install pyusb==1.0.0b1</code><br />
<br />
'''FTD2XX:''' [https://github.com/snmishra/ftd2xx ftd2xx] is required for SASEBO-W, SAKURA-G, and SASEBO-GII Support. To install this package, [https://github.com/snmishra/ftd2xx/archive/master.zip download a copy of the ftd2xx repository] and unzip it somewhere. Then run the following where you unzipped it:<br />
<br />
<pre>python setup.py install</pre><br />
This package will also require you to install the [http://www.ftdichip.com/Drivers/D2XX.htm FTDI D2XX Drivers]. In the preceeding link simply find the correct driver for your OS Version and install that.<br />
<br />
'''MYSQL:''' If you want to use the MySQL trace format (not used by default), you'll need to install [https://pypi.python.org/pypi/umysql umysql]:<br />
<br />
<pre>pip install umysql</pre><br />
<br />
'''PYSCARD:''' If planning on using a PS/SC smartcard reader (i.e. standard USB-connected reader), you will need to install [https://sourceforge.net/projects/pyscard/files/pyscard/ pyscard].<br />
<br />
== Installing Hardware Drivers ==<br />
<br />
Details of driver installation are on specific pages for supported hardware (such as hwcapturerev2 and naecw1173_cwlite). Drivers are available from [http://chipwhisperer.com ChipWhisperer] release section.<br />
<br />
== Getting AVR Compiler Toolchain ==<br />
<br />
The following section is not required for your first attack - you can jump right to the tutorial if you wish. However you'll ultimately wish to modify the code of the device under test, and these instructions tell you how. You should first follow the tutorial to confirm your system is working before modifying the code however!<br />
<br />
To build the code, you'll need to install avr-gcc on Windows (if using the Virtual Machine, the following is ''not required'', as the VM comes setup with the AVR compiler already). On Windows, you could choose to install:<br />
<br />
* Atmel AVR-GCC standalone - see [http://www.atmel.com/tools/atmelavrtoolchainforwindows.aspx Atmel avr-gcc standalone] (registration required)<br />
* WinAVR. Last release - 2010, see [https://sourceforge.net/projects/winavr/files/latest/download?source=typ_redirect WinAVR Page] (no registration required)<br />
<br />
To test the code build, follow these steps:<br />
<br />
<ol style="list-style-type: decimal;"><br />
<li><p><code>cd</code> to the directory with the avr-serial example, and run <code>make</code>:</p><br />
<pre>cd c:\chipwhisperer\hardware\victims\firmware\simpleserial-aes<br />
make</pre><br />
<p>If this is successful, you'll see an output like the following:</p><br />
<p>[[File:Avr-build-ok.png|image]]</p><br />
<p>If instead you get an error something like <code>make: *** No rule to make target `simpleserial.elf', needed by `elf'. Stop.</code>, this means a required file was missing.</p></li><br />
<li>Programming the target AVR is accomplished in one of two methods depending on your hardware. The ChipWhisperer Capture Rev 2 uses the external "AVR Studio" program, whereas the CW1173 and CW1200 use a programmer menu from the ChipWhisperer-Capture software. <br />
<br />
For details about programming the targets, see [[Tutorial B1 Building a SimpleSerial Project]].<br />
<br />
=== WinAVR Path Settings ===<br />
<br />
By default, WinAVR is added to your system path. This means you can run avr-gcc, make and other programs from your normal Windows command line. You may not want this on certain systems where you already have similar tools installed. In which case either uncheck the Add WinAVR to Path option, or edit your system path to remove the WinAVR directories.<br />
<br />
If you do not add it to the system path, you’ll need a method of readding the WinAVR directories when you want to use WinAVR. To do so create a file called winavr.bat in C:\WinAVR-20100110 with the following contents:<br />
<br />
set PATH=%PATH%;C:\WinAVR-20100110\bin;C:\WinAVR-20100110\utils\bin<br />
cmd<br />
<br />
Now when you want to run WinAVR (e.g. to continue the examples here), you can simply double-click on the winavr.bat file. This will configure the path for just that terminal, rather than every terminal you open.<br />
<br />
Note if using WinAVR on Windows 8.1, you must replace the dll msys-1.0.dll with an updated version. See [http://www.avrfreaks.net/forum/windows-81-compilation-error Windows 8.1 Fix] for a link to this DLL replacement.</div>Gdeonhttp://wiki.newae.com/index.php?title=Template:CollapsibleSection&diff=2499Template:CollapsibleSection2017-05-16T18:00:01Z<p>Gdeon: Undo revision 2498 by Gdeon (talk)</p>
<hr />
<div><includeonly><br />
<div id="collapse-pre-one{{{content|collapsible-id-default}}}" class="desktoponly mw-collapsible {{{uncollapsed|mw-collapsed}}}" style="line-height:inherit;margin-left:{{{indentation|-5}}}px"><br />
<div id="{{{content|collapsible-id-default}}}" class="mw-collapsible-toggle toccolours" style="float: none;border:none;background-color:transparent;"><br />
<div class="mw-collapsible-toggle-row"><br />
<div class="mw-collapsible-toggle-header" style="padding:0;"><br />
{{{intro|}}}<br />
</div><br />
<div class="mw-collapsible-toggle-indicator" style="width:30px;">[[File:right-black-arrow.png|20px|link=]]</div><br />
</div><br />
</div><br />
<div class="mw-collapsible-content"><br />
{{:{{{content|}}}}}<br />
</div><br />
</div><br />
<div class="mobileonly"><br />
{{{intro|}}} {{:{{{content|}}}}}<br />
</div><br />
</includeonly></div>Gdeonhttp://wiki.newae.com/index.php?title=Template:CollapsibleSection&diff=2498Template:CollapsibleSection2017-05-16T17:52:13Z<p>Gdeon: Undo revision 2484 by Dsevastian (talk)</p>
<hr />
<div><includeonly><br />
<div id="collapse-pre-one{{{content|collapsible-id-default}}}" class="mw-collapsible mw-collapsed" style="line-height:inherit;margin-left:{{{indentation|-5}}}px"><br />
<div id="{{{content|collapsible-id-default}}}" class="mw-collapsible-toggle toccolours" style="float: none;border:none;background-color:transparent;"><br />
<div class="mw-collapsible-toggle-row"><br />
<div class="mw-collapsible-toggle-header" style="padding:0;"><br />
{{{intro|}}}<br />
</div><br />
<div class="mw-collapsible-toggle-indicator" style="width:30px;">[[File:right-black-arrow.png|150px|link=]]</div><br />
</div><br />
</div><br />
<div class="mw-collapsible-content"><br />
{{:{{{content|}}}}}<br />
</div><br />
</div></includeonly></div>Gdeonhttp://wiki.newae.com/index.php?title=Template:CollapsibleSection&diff=2468Template:CollapsibleSection2017-05-15T18:17:41Z<p>Gdeon: </p>
<hr />
<div><includeonly><br />
<div id="collapse-pre-one{{{content|collapsible-id-default}}}" class="mw-collapsible mw-collapsed" style="line-height:inherit;margin-left:{{{indentation|-5}}}px"><br />
<div id="{{{content|collapsible-id-default}}}" class="mw-collapsible-toggle toccolours" style="float: none;border:none;background-color:transparent;"><br />
<div class="mw-collapsible-toggle-row"><br />
<div class="mw-collapsible-toggle-header" style="padding:0;"><br />
{{{intro|}}}<br />
</div><br />
<div class="mw-collapsible-toggle-indicator" style="width:30px;">[[File:right-black-arrow.png|150px|link=]]</div><br />
</div><br />
</div><br />
<div class="mw-collapsible-content"><br />
{{:{{{content|}}}}}<br />
</div><br />
</div></includeonly></div>Gdeonhttp://wiki.newae.com/index.php?title=Template:CollapsibleSection&diff=2467Template:CollapsibleSection2017-05-15T18:16:57Z<p>Gdeon: </p>
<hr />
<div><includeonly><br />
<div id="collapse-pre-one{{{content|collapsible-id-default}}}" class="mw-collapsible mw-collapsed" style="line-height:inherit;margin-left:{{{indentation|0}}}px"><br />
<div id="{{{content|collapsible-id-default}}}" class="mw-collapsible-toggle toccolours" style="float: none;border:none;background-color:transparent;"><br />
<div class="mw-collapsible-toggle-row"><br />
<div class="mw-collapsible-toggle-header" style="padding:0;"><br />
{{{intro|}}}<br />
</div><br />
<div class="mw-collapsible-toggle-indicator" style="width:30px;">[[File:right-black-arrow.png|150px|link=]]</div><br />
</div><br />
</div><br />
<div class="mw-collapsible-content"><br />
{{:{{{content|}}}}}<br />
</div><br />
</div></includeonly></div>Gdeonhttp://wiki.newae.com/index.php?title=Template:CollapsibleSection&diff=2466Template:CollapsibleSection2017-05-15T18:15:45Z<p>Gdeon: </p>
<hr />
<div><includeonly><br />
<div id="collapse-pre-one{{{content|collapsible-id-default}}}" class="mw-collapsible mw-collapsed" style="line-height:inherit;margin-left:{{{indentation|2}}}px"><br />
<div id="{{{content|collapsible-id-default}}}" class="mw-collapsible-toggle toccolours" style="float: none;border:none;background-color:transparent;"><br />
<div class="mw-collapsible-toggle-row"><br />
<div class="mw-collapsible-toggle-header" style="padding:0;"><br />
{{{intro|}}}<br />
</div><br />
<div class="mw-collapsible-toggle-indicator" style="width:30px;">[[File:right-black-arrow.png|150px|link=]]</div><br />
</div><br />
</div><br />
<div class="mw-collapsible-content"><br />
{{:{{{content|}}}}}<br />
</div><br />
</div></includeonly></div>Gdeonhttp://wiki.newae.com/index.php?title=Main_Page&diff=2448Main Page2017-05-09T15:24:24Z<p>Gdeon: /* Recent/Upcoming Events */</p>
<hr />
<div><strong> ChipWhisperer® by NewAE Technology Inc. </strong><br />
<!-- You MUST resave this page for categorytree to update for now --><br />
<!-- <categorytree mode=all depth=4 hideroot='on' style="float:right; clear:right; margin-left:1ex; border:1px solid gray; padding:0.7ex; background-color:white;">TocRoot</categorytree> --><br />
<br />
Welcome to ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks. This is the main landing page for ChipWhisperer. ChipWhisperer has been presented at conferences such as DEFCON and Blackhat, had a [https://www.kickstarter.com/projects/coflynn/chipwhisperer-lite-a-new-era-of-hardware-security successful Kickstarter (that delivered ahead of schedule)], and placed 2nd place in the first annual Hackaday Prize. ChipWhisperer has been used in a number of academic articles, and is featured in the Car Hacking Handbook. Portions of the design have even been used by [http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-15-26344 Los Alamos Labs for an electron accelerator]. You can see a full list of references on the [[Press]] page.<br />
<br />
ChipWhisperer is maintained by [https://www.newae.com NewAE Technology Inc.], which sells a combination of open-source hardware, supporting tools, training, and consulting services. ChipWhisperer is trademark of NewAE Technology Inc., registered in the US and Europe. This means only NewAE can sell official products under the ChipWhisperer name, and was done to ensure products meet [[Quality Control Guidelines]], as these fairly complex products require good testing to ensure you don't have a frustrating experience.<br />
<br />
Beyond supporting just the ChipWhisperer project, this wiki is now growing towards the objective of offering a complete reference on embedded security.<br />
<br />
= Getting Started =<br />
<br />
Where to begin? If you're new to this area, see the [[Getting Started]] page, which details how you can get involved in side-channel power analysis. From there you can see the hardware documentation (linked below), or take one of the [http://newae.com/training/ Training Courses].<br />
<br />
If you're stuck, you can also get help on the [https://www.newae.com/forum Discussion Forum].<br />
<br />
= Hardware Documentation =<br />
<br />
{{Template:Hardware}}<br />
<br />
= Software Documentation =<br />
<br />
ChipWhisperer is an open-source project. All of the source code is available from the [https://github.com/newaetech/chipwhisperer Git Repository]. For more information about the software releases, see [https://github.com/newaetech/chipwhisperer/releases Releases] or the installation instructions at [[Installing ChipWhisperer]].<br />
<br />
The following pages document some of the many features of the ChipWhisperer Capture and Analyzer software, along with some other ChipWhisperer interfaces:<br />
<br />
* [[Installing ChipWhisperer]]<br />
* [[Common Tool Information]]<br />
** [[Making Scripts]]<br />
** [[Adding Modules/Parameters]]<br />
* [[CW-Capture Tool]]<br />
** [[Glitch Explorer]]<br />
** [[Serial Terminal]]<br />
* [[CW-Analyzer Tool]]<br />
* [[File Formats]]<br />
* [[MATLAB Control of CW-Lite]]<br />
<br />
The remaining documentation is intended for developers:<br />
<br />
* [[Error Messages / Common Problems]]<br />
* [[FPGA Details]]<br />
* [[CW Release Steps]]<br />
<br />
= Sample Projects and Tutorials =<br />
<br />
== ChipWhisperer Tutorials ==<br />
<br />
The following tutorials use the ChipWhisperer software and/or hardware. They are designed to take you through a complete attack. You may also want to check the page on [[Embedded Attacks]] for more snippets of simple attacks and other things you should verify when making a secure system.<br />
<br />
Not all tutorials are possible with all hardware. See the various tutorial pages for details.<br />
<br />
{{Template:Tutorials}}<br />
<br />
== Example Attacks / Other ==<br />
<br />
While ChipWhisperer started as a side-channel power analysis platform, it has grown to be useful in other attack types. This section is designed to show you a wide variety of attacks on embedded systems, to give you an idea of what is required for building secure embedded systems. These are held on the page [[Embedded Attacks]].<br />
<br />
In 2016, ChipWhisperer was used as part of the CHES2016 CTF challenge. See details of the event on the [[CHES2016 CTF]] page.<br />
<br />
= Recent/Upcoming Events =<br />
<br />
Upcoming events with NewAE:<br />
* Blackhat USA 2017 ([https://www.blackhat.com/us-17/training/advanced-hardware-hacking-hands-on-power-analysis-and-glitching-with-the-chipwhisperer.html Hands-on Power Analysis & Glitching with the ChipWhisperer])<br />
<br />
These are some past events that were attended by someone from NewAE:<br />
* COSADE 2017: Gold sponsor<br />
* Blackhat USA 2016: Training based on ChipWhisperer, 2x talks by Colin, Arsenal<br />
* CHES 2016: Sponsor with exhibit booth<br />
* Blackhat USA 2014: Training class<br />
* RECON 2014: [http://recon.cx/2014/video/recon2014-24-colin-o-flynn-Power-Analysis-and-Clock-Glitching-with-the-Open-Source-ChipWhisperer-Platform.mp4 Video] and [https://www.assembla.com/spaces/chipwhisperer/documents/cnp7Ss_8Sr471aacwqjQXA/download/cnp7Ss_8Sr471aacwqjQXA Slides]<br />
* [http://solidcon.com/solid2014 O'Reilly Solid 2014]: [http://solidcon.com/solid2014/public/schedule/detail/33655 Demo]<br />
* [http://cosade.org/ COSADE] 2014: [http://eprint.iacr.org/2014/204.pdf Paper]<br />
* CHES 2013: [http://www.newae.com/files/CHES2013_Tutorial.pptx Slides] and [http://www.youtube.com/watch?v=UzDx5yx3Qc4&hd=1 Video]<br />
* Blackhat USA 2013 <br />
* iSEC Open Security Forum (April 2013) <br />
* Design West 2013<br />
* Blackhat EU 2013<br />
* AtlSecCon 2013<br />
* Blackhat Abu Dhabi 2012<br />
<br />
= Extra Notes =<br />
<br />
See the page [[Thanks]] for a note about the people who made this project possible.<br />
<br />
<br />
<br />
<br />
ChipWhisperer is a Trademark of NewAE Technology Inc., registered in the U.S and Europe. Used with Permission.</div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2439CW308T-STM32F2017-04-26T17:17:21Z<p>Gdeon: /* Building and Debugging via ST's System Workbench */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Running ST Example with ST-Link ===<br />
Once you've built a binary to load onto the target, you're ready to program it. Plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):<br />
<br />
[[File:Stm32-jtag.jpg|600px]]<br />
<br />
Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:<br />
<br />
[[File:Stm32-connect.png]]<br />
<br />
Load your `.hex` file and program the device with the Program and Verify button:<br />
<br />
[[File:Stm32-program.png]]<br />
<br />
After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.<br />
<br />
=== Building and Debugging via ST's System Workbench ===<br />
It's also possible to work on the example projects using [http://www.st.com/en/development-tools/sw4stm32.html ST's System Workbench IDE]. This IDE also supports debugging, which is helpful for working out all the kinks in your firmware.<br />
<br />
To build the ChipWhisperer examples in System Workbench:<br />
<br />
1. Create a ''Makefile Project with Existing Code'' and enter the firmware's location in Existing Code Location:<br />
<br />
[[File:Stm32-st-1.png]]<br />
<br />
2. Link the external files into the project. To do this, under ''File > Import'', select ''File System''. In the `chipwhisperer\hardware\victims\firmware` directory, select all of the relevant files and folders (Makefile in base folder, Makefile in HAL folder, STM32Fx HAL folder). Ensure that make links to these files (instead of directly importing them):<br />
<br />
[[File:Stm32-st-2.png]]<br />
<br />
3. Set up the build command. In ''File > Properties'', go to ''C/C++ Build'' and deselect 'Use default build command'. Enter the command you would normally enter on the command line:<br />
<br />
[[File:Stm32-st-3.png]]<br />
<br />
4. Build the project and confirm that the build works from the output in the IDE console.<br />
<br />
Then, if you want to set up debugging:<br />
<br />
1. Find ST's list of debugging targets (check around `C:\STMicro\Ac6\SystemWorkbench\plugins\fr.ac6.mcu.debug_1.12.1.201703061527\resources\openocd\scripts\board`). Make a config file for your target. This file's contents should be something like (adjust for your board):<br />
<pre><br />
# This is an CW308T_STM32F0 board with a single STM32F071R8Tx chip.<br />
# Generated by System Workbench for STM32<br />
<br />
source [find ../interface/stlink-v2-1.cfg]<br />
<br />
set WORKAREASIZE 0x2000<br />
transport select "hla_swd"<br />
<br />
set CHIPNAME STM32F071R8Tx<br />
<br />
source [find ../target/stm32f0x_stlink.cfg]<br />
<br />
# use hardware reset, connect under reset<br />
reset_config srst_only srst_nogate<br />
</pre><br />
<br />
2. In ''Run > Debug Configurations'', make a new ''Ac6 STM32 Debugging'' configuration. Under the 'Debugger' tab, select ''Use local script'' and select your custom script:<br />
<br />
[[File:Stm32-st-4.png]]<br />
<br />
3. Enter debugging mode. <br />
<br />
'''Caveat''': the I/O register map in the debugger appears to use the last known device (ie: if you debugged an STM32F4 project before your Makefile project, it sticks with F4's registers). Check that the registers' addresses are correct before you trust them!<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-st-4.png&diff=2438File:Stm32-st-4.png2017-04-26T17:17:07Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-st-3.png&diff=2437File:Stm32-st-3.png2017-04-26T17:16:54Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-st-2.png&diff=2436File:Stm32-st-2.png2017-04-26T17:16:43Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-st-1.png&diff=2435File:Stm32-st-1.png2017-04-26T17:15:59Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2434CW308T-STM32F2017-04-25T16:31:39Z<p>Gdeon: /* Building and Debugging via ST's System Workbench */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Running ST Example with ST-Link ===<br />
Once you've built a binary to load onto the target, you're ready to program it. Plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):<br />
<br />
[[File:Stm32-jtag.jpg|600px]]<br />
<br />
Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:<br />
<br />
[[File:Stm32-connect.png]]<br />
<br />
Load your `.hex` file and program the device with the Program and Verify button:<br />
<br />
[[File:Stm32-program.png]]<br />
<br />
After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.<br />
<br />
=== Building and Debugging via ST's System Workbench ===<br />
It's also possible to work on the example projects using [http://www.st.com/en/development-tools/sw4stm32.html ST's System Workbench IDE]. This IDE also supports debugging, which is helpful for working out all the kinks in your firmware.<br />
<br />
(TODO: details)<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2433CW308T-STM32F2017-04-25T16:28:38Z<p>Gdeon: /* Running ST Example with ST-Link */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Running ST Example with ST-Link ===<br />
Once you've built a binary to load onto the target, you're ready to program it. Plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):<br />
<br />
[[File:Stm32-jtag.jpg|600px]]<br />
<br />
Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:<br />
<br />
[[File:Stm32-connect.png]]<br />
<br />
Load your `.hex` file and program the device with the Program and Verify button:<br />
<br />
[[File:Stm32-program.png]]<br />
<br />
After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.<br />
<br />
=== Building and Debugging via ST's System Workbench ===<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2432CW308T-STM32F2017-04-25T16:27:57Z<p>Gdeon: /* Running ST Example with ST-Link */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Running ST Example with ST-Link ===<br />
Once you've built a binary to load onto the target, you're ready to program it. Plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):<br />
<br />
[[File:Stm32-jtag.jpg]]<br />
<br />
Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:<br />
<br />
[[File:Stm32-connect.png]]<br />
<br />
Load your `.hex` file and program the device with the Program and Verify button:<br />
<br />
[[File:Stm32-program.png]]<br />
<br />
After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.<br />
<br />
=== Building and Debugging via ST's System Workbench ===<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-jtag.jpg&diff=2431File:Stm32-jtag.jpg2017-04-25T16:27:29Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2430CW308T-STM32F2017-04-25T16:25:26Z<p>Gdeon: /* Example Projects */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Running ST Example with ST-Link ===<br />
Once you've built a binary to load onto the target, you're ready to program it. Plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):<br />
[[File:]]<br />
<br />
Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:<br />
[[File:Stm32-connect.png]]<br />
<br />
Load your `.hex` file and program the device with the Program and Verify button:<br />
[[File:Stm32-program.png]]<br />
<br />
After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.<br />
<br />
=== Building and Debugging via ST's System Workbench ===<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-program.png&diff=2428File:Stm32-program.png2017-04-25T16:23:38Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-connect.png&diff=2427File:Stm32-connect.png2017-04-25T16:21:42Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2423CW308T-STM32F2017-04-25T15:14:46Z<p>Gdeon: /* Example Projects */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = cw308_stm32f.jpg<br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
[https://wiki.newae.com/CW308T-STM32F OSH Park PCBs]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|STM32F071RBT6<br />
|No<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|STM32F100RBT6B<br />
|No<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|STM32F215RET6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|STM32F303R8T6<br />
|Yes<br />
|No<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F405RGT6<br />
|No<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
=== Pin-outs across TQFP Devices ===<br />
<br />
The following shows differences in pinouts between three groups of devices. The left-most is the STM32F051RB, which uses the same 3.3V VCORE as the STM32F1/F3. It has fewer VCC pins, so the I/O occupying that are VCC/GND pins on the STM32F1 (such as PF6/PF7) are tied to GND/VCC. The right-most part is the pinout of the STM32F2/F4. It has an internal regulator, where the VCAP pins are the output of this regulator (and input to the internal core logic).<br />
<br />
[[File:power_diffstm32.png|800px]]<br />
<br />
Note for the devices with a 3.3V VCORE, you should not mount decoupling capacitors C5/C6/C7/C8. You will still get some leakage with those capacitors mounted, but a stronger signal is present without them.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Example Projects ==<br />
<br />
SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.<br />
<br />
=== Building ST Example on Command Line ===<br />
The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:<br />
<br />
<code><br />
make PLATFORM=CW308_STM32F0 CRYPTO_TARGET=TINYAES128C<br />
</code><br />
<br />
If all goes well, this command will finish by printing the output file size and the platform:<br />
[[File:Stm32-make.png]]<br />
<br />
=== Building ST Example via GUI ===<br />
<br />
=== Running ST Example ===<br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=File:Stm32-make.png&diff=2422File:Stm32-make.png2017-04-25T15:13:42Z<p>Gdeon: </p>
<hr />
<div></div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2421SimpleSerial2017-04-25T14:54:03Z<p>Gdeon: /* Commands */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|Set encryption key; possibly trigger key scheduling<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v\n<br />
|Check protocol version (no reply on v1.0; ACK on v1.1)<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|x<br />
|x\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z00\n<br />
|ACK - Command processing done (with optional status code)<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to 2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to 2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2414SimpleSerial2017-04-21T15:04:17Z<p>Gdeon: /* Authentication Application */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|Set encryption key; possibly trigger key scheduling<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z00\n<br />
|ACK - Command processing done (with optional status code)<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to 2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to 2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2411SimpleSerial2017-04-20T15:27:53Z<p>Gdeon: /* Encryption Application */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|Set encryption key; possibly trigger key scheduling<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z00\n<br />
|ACK - Command processing done (with optional status code)<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to 2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2410SimpleSerial2017-04-20T14:47:59Z<p>Gdeon: /* Commands */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|Set encryption key; possibly trigger key scheduling<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z00\n<br />
|ACK - Command processing done (with optional status code)<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2409SimpleSerial2017-04-20T14:47:10Z<p>Gdeon: /* Commands */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z00\n<br />
|ACK - Command processing done (with optional status code)<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2408SimpleSerial2017-04-20T14:43:53Z<p>Gdeon: /* Commands */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h00\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m00\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z\n<br />
|ACK - Command processing done<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2407SimpleSerial2017-04-20T14:39:00Z<p>Gdeon: /* Commands */</p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h0\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m0\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v01\n<br />
|Select protocol version (00 = original, 01 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z\n<br />
|ACK - Command processing done<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=CW508_SMA_Analog_Filters&diff=2406CW508 SMA Analog Filters2017-04-20T14:11:39Z<p>Gdeon: </p>
<hr />
<div>The CW508 Analog Filters provide an easily method of filtering out noise at both low and high frequency. These two filters serve different purposes:<br />
* The high pass filter helps filter out low frequency noise. A common cause of this is switch-mode power supplies, which typically operate at 50 - 500 kHz. <br />
* The low pass filter helps remove short spikes from the traces. For example, if other peripherals are running on the target, a LPF might help remove their effects from the traces. This is especially helpful for fast hardware crypto with the slow, synchronous captures on the ChipWhisperer. It can be difficult to fix the traces afterwards with a digital filter, so it is much more helpful to use a hardware filter instead.<br />
<br />
These filters can simply be screwed onto the front of the ChipWhisperer capture device:<br />
<br />
[[File:cw508_cwpro.jpg|400px]]<br />
<br />
== HPF 500 KHz Response ==<br />
<br />
[[File:500khzhpf_50khz_5mhz.png|800px]]<br />
<br />
[[File:500khzhpf_50khz_100mhz.png|800px]]<br />
<br />
== LPF 20 MHz Response ==<br />
<br />
<br />
[[File:20mhzlpf_100khz_100mhz.png|800px]]</div>Gdeonhttp://wiki.newae.com/index.php?title=SimpleSerial&diff=2399SimpleSerial2017-04-18T18:17:22Z<p>Gdeon: </p>
<hr />
<div>SimpleSerial is the name given to the default communication protocol used by NewAE Technology Inc.'s demos.<br />
<br />
== Commands ==<br />
{| class="wikitable"<br />
!Command<br />
!Example<br />
!Description<br />
!In/Out<br />
!ENC<br />
!AUTH<br />
|-<br />
|h<br />
|h0\n<br />
|Select stack / hardware to use (if supported).<br />
|In<br />
|M<br />
|M<br />
|-<br />
|k<br />
|k2b7e151628aed2a6abf7158809cf4f3c\n<br />
|<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|m<br />
|m0\n<br />
|Select cipher mode (if supported)<br />
|In<br />
|M<br />
|M<br />
|-<br />
|p<br />
|p126110475e17505a6966be70c89a829c\n<br />
|Send input plain-text, cause encryption<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|r<br />
|r10000000000000000000000000000000\n<br />
|Result of function - if encryption is encrypted result, if auth is '0..0' or '100..0'.<br />
|Out<br />
|Y<br />
|Y<br />
|-<br />
|t<br />
|t640a4a78332a8dee2bce15132ec44027\n<br />
|Authentication challenge (i.e., expected AES result if using AES as auth-method)<br />
|In<br />
|N<br />
|Y<br />
|-<br />
|v<br />
|v\n<br />
|Select protocol version (0 = original, 1 = 1.1)<br />
|In<br />
|<br />
|<br />
|-<br />
|x<br />
|xxxxx\n<br />
|Clears Buffers (resets to 'IDLE' state), does not clear any variables.<br />
|In<br />
|Y<br />
|Y<br />
|-<br />
|z<br />
|z\n<br />
|ACK - Command processing done<br />
|Out<br />
|Y<br />
|Y<br />
|}<br />
Y = YES, Command support for application.<br />
<br />
N = NO, Command not supported for application.<br />
<br />
M = MAYBE, Command may be supported depending on build target.<br />
<br />
== Encryption Application ==<br />
The encryption application provides a simple method to encrypt a plaintext into a ciphertext. This application was the original "simple serial". The following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# The ciphertext is returned with the 'r' command.<br />
<br />
== Authentication Application ==<br />
The authentication application does not expose the result of the encryption. Instead, the result is used only in authentication mode, where the following operations are performed:<br />
# Load encryption key with 'k' command (for example, k2b7e151628aed2a6abf7158809cf4f3c\n sets key to k2b7e151628aed2a6abf7158809cf4f3c).<br />
# Set the authentication challenge with 't' command.<br />
# Set input text to encryption module with 'p' command. Device encrypts input text, and toggles the I/O trigger line during the encryption operation.<br />
# Device compares the resulting ciphertext with the challenge set with 't'.<br />
# If challenge and ciphertext match (auth OK), device responds with 'r1000000000000000\n'. If do not match, device response with 'r0000000000000000\n'.<br />
The authentication application is the '''default shipped with ALL programmed modules'''.<br />
<br />
[[Category: Victim Firmware]]</div>Gdeonhttp://wiki.newae.com/index.php?title=CW308T-STM32F&diff=2378CW308T-STM32F2017-04-10T19:53:02Z<p>Gdeon: /* Programming Connection */</p>
<hr />
<div>{{Infobox cw308target<br />
|name = CW308T-STM32F<br />
|image = <br />
|caption = <br />
|Target Device = ST STM32F<br />
|Target Architecture = Cortex M0,M3,M4<br />
|Hardware Crypto = Possible<br />
|Purchase Hardware = <br />
|Design Files = [https://github.com/newaetech/chipwhisperer/tree/master/hardware/victims/cw308_ufo_target/stm32f GITHub Link]<br />
<br />
|Supported Applications = [[SimpleSerial | Simple Serial Enc/Auth]]<br />
|Programmer = ST-LINK/V2<br />
|Status = Released<br />
}}<br />
<br />
== Supported Devices ==<br />
<br />
The STM32F board supports several STM32F devices in the TQFP-64 package. Various solder jumpers need to bet set to either the "A" or "B" position to select appropriate VCC supply for the different series. The following table summarizes examples of suitable devices:<br />
{| class="wikitable"<br />
!STM32F Series<br />
!Package<br />
!Device<br />
!Hardware AES<br />
!Tested<br />
!Jumper<br />
|-<br />
|F0<br />
|TQFP-64<br />
|<br />
|<br />
|<br />
|B<br />
|-<br />
|F1<br />
|TQFP-64<br />
|<br />
|<br />
|<br />
|B<br />
|-<br />
|F2<br />
|TQFP-64<br />
|<br />
|<br />
|<br />
|A<br />
|-<br />
|F3<br />
|TQFP-64<br />
|<br />
|<br />
|<br />
|B<br />
|-<br />
|F4<br />
|TQFP-64<br />
|STM32F415RGT6<br />
|Yes<br />
|Yes<br />
|A<br />
|}<br />
<br />
=== VCC-Int Supply ===<br />
Several devices (F2, F4) have internal core voltage regulators. By default the CW308 board attempts to provide power for these pins, but the voltage may not be high enough to cause the internal regulator to disable itself. In this case you can use the VADJ regulator to ensure the internal regulator is disabled. See [[Targets with Internal Regulators]] for details.<br />
<br />
== Hardware AES ==<br />
<br />
The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5).<br />
<br />
== Programming Connection ==<br />
<br />
The 20-pin JTAG port (J6 on CW308 Board) can be used with the [https://www.digikey.com/product-detail/en/stmicroelectronics/ST-LINK-V2/497-10484-ND/2214535 ST-LINK/V2] which is a low-cost JTAG programmer. <br />
<br />
It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their [https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/ OpenOCD for Windows] software:<br />
<pre><br />
openocd <br />
-f path/to/board/files/cw308.cfg <br />
-c init <br />
-c targets <br />
-c "halt" <br />
-c "flash write_image erase path/to/firmware.hex" <br />
-c "verify_image path/to/firmware.hex" <br />
-c "reset run" <br />
-c shutdown<br />
</pre><br />
where the contents of <code>cw308.cfg</code> are<br />
<pre><br />
source [find interface/olimex-arm-usb-ocd-h.cfg]<br />
source [find target/stm32f4x.cfg]<br />
reset_config srst_only<br />
</pre><br />
<br />
== Schematic ==<br />
[[File:CW308T_STM32F_02.png|1100px]]<br />
<br />
<br />
[[Category: CW308 Targets]]</div>Gdeonhttp://wiki.newae.com/index.php?title=Downsampling&diff=2354Downsampling2017-04-07T16:36:45Z<p>Gdeon: Created page with "The ChipWhisperer's downsampling factor allows the ADC to discard a number of samples. For example, with a downsampling factor of 4, only every 4th sample is kept - the other..."</p>
<hr />
<div>The ChipWhisperer's downsampling factor allows the ADC to discard a number of samples. For example, with a downsampling factor of 4, only every 4th sample is kept - the other 3 are thrown out before the trace is sent back to the computer. This feature has several uses:<br />
* On the ChipWhisperer Lite, space is very limited - the maximum sample count of 24400 can make it difficult to find interesting features in traces or capture longer operations like ECC. Using downsampling can make it easier to find interesting features in these traces.<br />
* On the ChipWhisperer Pro, the sampling rate in streaming mode is limited by the USB connection's data rate: the maximum sampling rate is approximately 10 MS/s. Using downsampling can make it easier to fit under this limit. <br />
For all of these use cases, make sure you're already running the ADC clock slowly if possible. Don't use a 4x faster ADC just to throw out 3/4 of the samples!<br />
<br />
Caution: be careful using the ChipWhisperer Pro's SAD trigger! The discarded ADC samples are still used as input for the SAD trigger module. If your reference trace was captured using downsampling, then the ChipWhisperer will never find this downsampled pattern in the raw samples.<br />
<br />
[[Category:Tips]]</div>Gdeon