As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Difference between revisions of "Tutorial CW305-4 Voltage Glitching with Crowbars"

From ChipWhisperer Wiki
Jump to: navigation, search
(Hardware Setup)
(Hardware Setup)
Line 16: Line 16:
 
To set up the hardware for voltage glitching, only one extra connection is required. Connect an SMA cable between the ChipWhisperer's glitch output and the CW305 connector labeled X3:
 
To set up the hardware for voltage glitching, only one extra connection is required. Connect an SMA cable between the ChipWhisperer's glitch output and the CW305 connector labeled X3:
  
[[File:CW305VCCSetup.jpg]]
+
[[File:CW305VCCSetup.jpg|800px]]
  
 
Note that the original SMA cable (connected to the ChipWhisperer's Measure input) is not required for voltage glitching - if you only have one cable, you can just move it over. However, it is helpful to have power traces to see what effects the voltage glitches are having on the power rails, so connect both if you can.
 
Note that the original SMA cable (connected to the ChipWhisperer's Measure input) is not required for voltage glitching - if you only have one cable, you can just move it over. However, it is helpful to have power traces to see what effects the voltage glitches are having on the power rails, so connect both if you can.

Revision as of 11:18, 18 January 2017

Our final goal with the CW305 Artix target is to experiment with voltage glitching. This is the CW305 equivalent of the VCC glitch attack done in Tutorial A3 VCC Glitch Attacks.

Background Information

The ChipWhisperer capture hardware comes with a glitch output, which is connected to a power MOSFET in the following configuration:

(image)

This circuit allows us to temporarily ground the Artix power rails. If these short-circuit events are timed very precisely, they can cause all kinds of fun effects in the FPGA's operation.

Voltage glitching works quite well against microcontrollers: it's pretty straightforward to use these glitches to target a specific point in an algorithm's execution. However, voltage glitching is not as easy on an FPGA target. FPGAs can perform many operations in parallel: they are not limited to one instruction of arithmetic per clock cycle. This parallel execution makes it very tricky to focus on a specific operation. There are also some serious practical concerns:

  • The Artix-7 uses SRAM to store its configuration files (ie: the contents of the bitstream). SRAM is a form of volatile memory, which means that it only stores data until the device is turned off. If we cut off the power to our FPGA for too long, it's possible for some of this configuration data to be lost. We've found that around 1000 bits can be corrupted with a 600 ns glitch, but this will be device- and environment-dependent. If you find that your device isn't working properly, your first thought should be to reprogram the bitstream.
  • If we ground the FPGA's power pins, then the power supply will effectively be driving the shunt resistor. With a supply voltage of 1.0 V and a 0.5 ohm shunt, this is a 2 A current; with a 0.1 ohm shunt, this is 10 A. It's probably a good idea to use an external power supply for this type of glitch.

Setup

Hardware Setup

To set up the hardware for voltage glitching, only one extra connection is required. Connect an SMA cable between the ChipWhisperer's glitch output and the CW305 connector labeled X3:

CW305VCCSetup.jpg

Note that the original SMA cable (connected to the ChipWhisperer's Measure input) is not required for voltage glitching - if you only have one cable, you can just move it over. However, it is helpful to have power traces to see what effects the voltage glitches are having on the power rails, so connect both if you can.

Software Setup

- Script - Bitstream (same as Tutorial 1) - Glitch module setup

 - Glitch only
 - HS-Glitch

- Same idea as Tutorial 3

Hints

- Might be easier on the edge of working conditions - Changing core voltage level - Changing clock speed

 - CLKGEN output
 - CW305 PLL
 - Max speed depends on FPGA implementation

- Enable-only output

 - Only use repeat and offset
 - EXTCLK for speed-up