As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.
Difference between revisions of "CW1101 ChipWhisperer-Nano"
Line 28: | Line 28: | ||
* Perform a power analysis attack on a FPGA target. | * Perform a power analysis attack on a FPGA target. | ||
* Perform the LPC1114 tutorial. | * Perform the LPC1114 tutorial. | ||
+ | * Connect to CW308 UFO Board for use with a wide variety of targets. | ||
=== Limitations compared to ChipWhisperer-Lite and Pro === | === Limitations compared to ChipWhisperer-Lite and Pro === | ||
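Review bot: The added bullet "Connect to CW308 UFO Board for use with a wide variety of targets" does not match the list it joins. The neighbouring items are "Perform ..." activities, while this one describes a hardware connection option. Consider rewording it as an activity (for example, running tutorials against CW308 UFO targets) or moving it under the new "Connecting to External Targets" section. It also reads better with the article: "Connect to the CW308 UFO Board".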
Line 45: | Line 46: | ||
Note that despite these limitations, ChipWhisperer-Nano can be used for attacking real devices. You can attack hardware crypto running on a microcontroller, or use power-analysis to recover a bootloader password or key. The fundamental synchronous architecture of the device (which powers all of our capture hardware tools) means it achieves considerably better performance than a regular asynchronous oscilloscope, even when that oscilloscope is running 5-20x faster. | Note that despite these limitations, ChipWhisperer-Nano can be used for attacking real devices. You can attack hardware crypto running on a microcontroller, or use power-analysis to recover a bootloader password or key. The fundamental synchronous architecture of the device (which powers all of our capture hardware tools) means it achieves considerably better performance than a regular asynchronous oscilloscope, even when that oscilloscope is running 5-20x faster. | ||
+ | |||
+ | == Connecting to External Targets == | ||
+ | |||
+ | You have two options for connecting to external targets: to either break off the STM32F0 end, or to program it with a loop that keeps all I/O in tristate mode. Either way you will also need to add the following connectors: | ||
+ | |||
+ | * 20-pin connector (follows standard 20-pin pinout). | ||
+ | * Either 3-pin headers on MEASURE and GLITCH, or SMA connectors (only if end is broken off). | ||
+ | |||
+ | === Tri-State via Program === | ||
+ | |||
+ | If using the tri-state mode, you should ensure the PDIC line is held LOW to avoid accidentally entering bootloader mode on the STM32F0. | ||
+ | |||
+ | There will be some additional noise due to the STM32F0 being on the power line. You can reduce this by opening the solder jumper that links the STM32F0 to the input stage. | ||
+ | |||
+ | === Cutting end Off === | ||
+ | |||
+ | Similar to the ChipWhisperer-Lite, you can break off the end section. To do that, you will have to do the following: | ||
+ | |||
+ | # Use an xacto knife or similar to deeply score along the perforated holes on both top and bottom, being very careful not to cut towards or near your hand. You will need to hold the CWNANO in an appropriate jig or vice. | ||
+ | # Align the holes on the edge of a hard surface (suggested: block of wood), and firmly push down on the target end while pushing against down the PCB against the edge. The objective is to avoid flexing the PCB which is likely to break components or solder joints. | ||
+ | # With appropriate protection from the fiberglass dust, lightly sand the broken edges. |
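Review bot: Step 2 of the break-off procedure contains a garbled phrase, "while pushing against down the PCB against the edge", which leaves it unclear which half of the board is held and which is pushed. Suggest something like "while pressing the PCB down against the edge". In "Tri-State via Program", the instruction to hold the PDIC line LOW does not say how (which pin of the 20-pin connector, or a pull-down), and the solder jumper that links the STM32F0 to the input stage is not named, so a reader cannot locate either on the board. The heading "Cutting end Off" is also capitalised inconsistently with the other new headings.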
Revision as of 05:57, 1 October 2018
ChipWhisperer Nano (CWNANO) Background
ChipWhisperer-Nano is an ultra low-cost platform for side-channel power analysis & voltage fault injection. It has the following features:
- ADC capable of sampling up to 20 MS/s, using either an external clock (synchronous to the device) or the internal clock (both synchronous and asynchronous).
- ADC hardware trigger uses a rising-edge input: sampling starts on the first device clock after the trigger line goes high and continues for a user-configurable length.
- STM32F030 target for loading example code onto, including a programmer built into the ChipWhisperer-Nano.
- Crowbar-based VCC glitching, approx. 10 ns resolution on glitch width and offset (glitch offset from trigger has up to 200 ns jitter).
It is primarily designed for power analysis demonstrations and training programs. It is also available as a module without a target for integration onto a target board, as one option for ChipWhisperer-Enabling your development platforms.
Examples of Tutorials you can Run
ChipWhisperer-Nano is a complete tutorial platform. You could run the following tutorials on it for example (using the included target):
- Perform a CPA (power analysis) attack on a textbook AES implementation.
- Perform a CPA attack on the MBED-TLS AES implementation.
- Perform a DPA attack on an XOR password check.
- Perform a SPA attack on an RSA library.
- Perform a timing attack on a password check.
- Perform fault injection attacks to demonstrate corrupting a variable (NB: not as reliable due to limitations listed below).
If you were to attach an external target, you could also do the following:
- Perform a CPA attack on a hardware AES accelerator.
- Perform a power analysis attack on an FPGA target.
- Perform the LPC1114 tutorial.
- Connect to the CW308 UFO Board for use with a wide variety of targets.
Limitations compared to ChipWhisperer-Lite and Pro
The ChipWhisperer-Lite and Pro both use an FPGA for performing all clock routing, in addition to using better ADCs and analog front ends. Fundamentally, the design of the ChipWhisperer-Nano means it has the following major limitations:
- Sampling clock in external mode directly follows the input clock (no ability to multiply/divide/offset clock as in CW1173/CW1200).
- Sampling clock in internal mode limited to specific fixed divisions of 240 MHz PLL clock.
- Fixed analog front-end gain of approx. 10 dB.
- ADC limited to 20 MS/s (can be overclocked slightly, up to 30 MS/s, but this is not guaranteed).
- No ADC offset to delay capture for some specific number of cycles after the trigger.
- Cannot generate clock glitching waveforms.
- VCC crowbar limited to coarse offset and width steps.
- Considerable jitter on glitch offset (due to interrupt-based source).
- Rising edge trigger only.
- Full-speed USB instead of high-speed USB.
Note that despite these limitations, ChipWhisperer-Nano can be used for attacking real devices. You can attack hardware crypto running on a microcontroller, or use power analysis to recover a bootloader password or key. The fundamental synchronous architecture of the device (which powers all of our capture hardware tools) means it achieves considerably better performance than a regular asynchronous oscilloscope, even when that oscilloscope is running 5-20x faster.
Connecting to External Targets
You have two options for connecting to external targets: to either break off the STM32F0 end, or to program it with a loop that keeps all I/O in tristate mode. Either way you will also need to add the following connectors:
- 20-pin connector (follows standard 20-pin pinout).
- Either 3-pin headers on MEASURE and GLITCH, or SMA connectors (only if end is broken off).
Tri-State via Program
If using the tri-state mode, you should ensure the PDIC line is held LOW to avoid accidentally entering bootloader mode on the STM32F0.
There will be some additional noise due to the STM32F0 being on the power line. You can reduce this by opening the solder jumper that links the STM32F0 to the input stage.
Cutting end Off
Similar to the ChipWhisperer-Lite, you can break off the end section. To do that, you will have to do the following:
1. Use an X-Acto knife or similar to deeply score along the perforated holes on both top and bottom, being very careful not to cut towards or near your hand. You will need to hold the CWNANO in an appropriate jig or vice.
2. Align the holes on the edge of a hard surface (suggested: block of wood), and firmly push down on the target end while pushing the PCB down against the edge. The objective is to avoid flexing the PCB, which is likely to break components or solder joints.
3. With appropriate protection from the fiberglass dust, lightly sand the broken edges.