As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

CW308T-87C51

From ChipWhisperer Wiki
Revision as of 11:36, 12 August 2016 by Gdeon (Talk | contribs)

Jump to: navigation, search

The 87C51 target is designed for a line of 8051 processors made by Intel in PLCC44 package, although other manufactures make equivalent devices as well (notably NXP as well). This target board allows for two types of side channel attacks:

  1. Regular power analysis or glitching on the 87C51 firmware (ex: attacking an AES key while the 87C51 performs AES encryption)
  2. Attacks on the verification process in order to bypass the device's encryption table or security fuses

Project Build Notes

Example projects can be built with MCU 8051 IDE - it's free for Linux platforms, and for Windows is approx 10EUR. See MCU 8051 IDE to download. This includes a simulator with virtual hardware, which is very useful for initial analysis.

This also requires installing SDCC for the C compilation, see the Sourceforge Page to download.

You can also simply run the Makefiles to build the project.

Example Project

The default device is programmed with a simple test program. This allows testing of side-channel power analysis and clock glitching. The mode of operation is selected by mounting jumpers at H1/H3/H5 which short to H2/H4/H6.

H1 H3 H5 Mode
0 0 0 Glitch loop (counter)
1 0 0 Glitch bootloader test.
0 1 0 Glitch password test.
1 1 0 SCA Test #1

A '1' in the above table indicates the associated pin should be shorted with a jumper to H2/H4/H6 respectively, the following for example shows selecting the bootloader test:

<TODO>

Hardware Specifics

Programming Microcontroller

The target board contains an ATMega165PA/ATMega325PA (referred to as the 'AVR' hereafter), which can be used for performing program verification. It is also used to generate trigger points for attacks such as encryption table read-out & inserting glitches into the program read logic. The programming interface contains the following limitations:

  • No programming is possible as there is no VPP generation.
  • Address lines A0 - A13 are mapped to the AVR. The upper two lines are shared with LED1/LED2 outputs.

Target Microcontroller

The default target device is an Intel EE87C51RB1 (16K EPROM, 512 RAM). Useful references:

NOTE: The Intel datasheet is fairly short (20 pages) and does not include full details of the programming. This can be found in the NXP datasheet.

Jumpers

A number of jumpers are present on the target board. They are mostly used to select different features and options. A brief description of them is below:

  • J1: Selects if the AVR is enabled or not. When not enabled (J1 in "RUN" mode), the AVR shuts down and it's oscillator is disabled (to reduce any noise).
  • J2: Selects the EA pin connection. When running a program must be set to "RUN" mode to run program memory from internal EPROM.
  • J3 & J4: Select if the serial port connects to the 8051 chip (at P3.0/P3.1) or to the AVR.
  • J5: Select if GPIO4 (normally trigger-in to CW-Lite) goes to the 8051 chip (at P1.0) or the AVR. When connected to the 8051 this allows usage of trigger from code in the 8051. When connected to the AVR allows a trigger to come from programming logic.
  • J6: Select if GPIO3 connects to the 8051 reset pin or to the
  • J7: If using the AVR, selects the "mode". This is used to enable optional logic, and should normally be in "NORM" mode.

The "Target-Defined Header" at J15 is used to set pins P3.3/P3.4/P3.5 to high/low. These pins each contain pull-downs, and mounting a header will set the associated pin high as shown below:

Shunt Location 8051 Pin
H1 - H2 P3.3 = 1 when jumper mounted, 0 when jumper not mounted.
H3 - H4 P3.4 = 1 when jumper mounted, 0 when jumper not mounted.
H5 - H6 P3.5 = 1 when jumper mounted, 0 when jumper not mounted.

These pins are used to specify the operating mode of the main test processor.

If using the program/verification mode, the following additional settings allow indexing of the full 16K-bytes of the 87C51RB device:

  • Jumper from LED2 to LED3.
  • Jumper from LED1 to Pin 1 of J6 (the left-most pin).