Tutorial B3-1 Timing Analysis with Power for Password Bypass

Reset via Spare IO Lines

TODO - see reset via programming interface for now

Reset via Auxiliary Module

1. Scroll down the list of scripts, and you'll find one labeled "aux_reset_cw1173.py". This script has a simple function of attempting to reset the XMEGA device using the programmer:
   
2. Hit the "Run" button. If you switch to the "Auxilary Module" tab, you'll see it's been added to the list of modules at the specified location.:
   
3. Looking at the code of the script, you can see how this script is using an external module & linking it to a specific auxilary module trigger:

   from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173
   
   # GUI compatibility
   try:
       aux_list = self.aux_list
   except NameError:
       pass
   
   # Delay between arming and resetting, in ms
   delay_ms = 1000
   
   # Reset XMEGA device
   Resetter = ResetCW1173(pin='pdic', delay_ms=delay_ms)
   # Reset STM32Fx device
   #Resetter = ResetCW1173(pin='pdic', delay_ms=delay_ms)
   # Reset AVR
   #Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms)
   
   # Reset before arming
   # avoids possibility of false triggers
   # need delay in target firmware to avoid race condition
   aux_list.register(Resetter.resetThenDelay, "before_trace")
   
   # Reset after arming
   # scope can catch entire reset
   # avoids race condition
   # target reset can cause false triggers (usually not an issue)
   #aux_list.register(Resetter.delayThenReset, "after_arm")
   

   Make sure to uncomment the correct reset line (shown in the example above) and comment out the other one using a #

4. You can edit the values required such as reset time & location by changing the script (using an external editor). But an easier method is to insert it into our attack script itself. As a test we'll see if the default values work.
5. Press Capture 1. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.

Now, confirm that you can try different passwords (in Target Settings) and see how the power trace changes when your password has 0, 1, 2... correct characters.

Once done, use the *Remove* button to get rid of the auxiliary module, as we are going to add it instead to our script.

Scripting the Setup

Our first step will be to write a script that automatically sets up the ChipWhisperer Capture software with all of the settings we've tested above. We'll do this by modifying an existing script with our own settings.

1. Make a copy of an existing ChipWhisperer script. The example scripts are located at chipwhisperer\software\chipwhisperer\capture\scripts; for example, the default one for the XMEGA device is called setup_cwlite_xmega.py. Make a copy of this script in the same directory (or copy it somewhere else

2. Rename the script something else - for example, cwlite-passwordcrack.py - and open it for editing. You'll notice that a large chunk of the code is used to set configuration information:

   scope.gain.gain = 45
   scope.adc.samples = 25000
   scope.adc.offset = 0
   scope.adc.basic_mode = "rising_edge"
   scope.clock.clkgen_freq = 7370000
   scope.clock.adc_src = "clkgen_x4"
   scope.trigger.triggers = "tio4"
   scope.io.tio1 = "serial_rx"
   scope.io.tio2 = "serial_tx"
   scope.io.hs2 = "clkgen"
   

   Those parameters come from the API. You can print for example the scope parameters by running "self.scope" to see various elements:

   >>> self.scope
   cwlite Device
   gain = 
       mode = low
       gain = 45
       db   = 22.50390625
   adc = 
       state      = False
       basic_mode = rising_edge
       timeout    = 2
       offset     = 0
       presamples = 0
       samples    = 25000
       decimate   = 1
       trig_count = 3084728877
   clock = 
       adc_src       = clkgen_x4
       adc_phase     = 0
       adc_freq      = 29538459
       adc_rate      = 29538459
       adc_locked    = True
       freq_ctr      = 0
       freq_ctr_src  = extclk
       clkgen_src    = system
       extclk_freq   = 10000000
       clkgen_mul    = 2
       clkgen_div    = 26
       clkgen_freq   = 7384615
       clkgen_locked = True
   trigger = 
       triggers = tio4
       module   = basic
   io = 
       tio1       = serial_rx
       tio2       = serial_tx
       tio3       = high_z
       tio4       = high_z
       pdid       = high_z
       pdic       = high_z
       nrst       = high_z
       glitch_hp  = 0
       glitch_lp  = 0
       extclk_src = hs1
       hs2        = clkgen
       target_pwr = True
   glitch = 
       clk_src     = target
       width       = 10.15625
       width_fine  = 0
       offset      = 10.15625
       offset_fine = 0
       trigger_src = manual
       arm_timing  = after_scope
       ext_offset  = 0
       repeat      = 1
       output      = clock_xor
   

4. Next, append the required commands to clear the simpleserial commands and to enable the automatic resets. Doing so will require two steps: (1) figuring out the target settings and adjusting them, and (2) inserting our code to perform the device reset.

   Using the console, you can dump parameters of the simpleserial target (assuming you are still connected):

   >>> target
   init_cmd   = 
   key_cmd    = k$KEY$\n
   input_cmd  = 
   go_cmd     = p$TEXT$\n
   output_cmd = r$RESPONSE$\n
   baud       = 38400
   protver    =
   

5. You should be able to see how you can simply clear all of the above settings using the script. This would mean adding some lines as follows to the script:

   target.key_cmd = ''
   target.go_cmd = ''
   target.output_cmd = ''
   

6. Remembering the auxilary module, you can also add the lines to perform this task as well to your script:

   from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173
   Resetter = ResetCW1173(xmega=True, delay_ms=1200)
   aux_list.register(Resetter.resetThenDelay, "before_trace")
   

7. We will need to set the password guess so we can observe different traces. You can enter the password in the Capture Target Settings tab, or simply use a command like target.go_cmd = 'h0p3\n'.

8. Finally, run the script you made. It should load all settings & on hitting capture-1 you will get a waveform related to the power measurement during the comparison.

Running a Single Capture

With our settings prepared, the next step is to use our script to record and analyze a power trace. We need to be able to get the trace data into our Python script so we can analyze it for the timing attack.

The API allows us to press the Capture 1 button and view the power trace without using the GUI. There are two relevant commands here. First, we'll need to import ChipWhisperer:

• import chipwhisperer as cw

Then, we can build our own "capture controller". This controller deals with talking to the scope and target for you. To capture a single trace you could perform the following steps:

# Test one capture
cw.captureN(self.scope, self.target, None, self.aux_list, self.ktp, 1)
trace = scope.getLastTrace()

We want to test these two commands. After the setup portion of your script, add some code similar to the following:

#Put this at beginning of script
import chipwhisperer as cw

#Put this later on after setup happens
cw.captureN(self.scope, self.target, None, self.aux_list, self.ktp, 1)
trace = scope.getLastTrace()
print trace

Run your script. The ChipWhisperer should automatically capture one trace and print out some datapoints.

Attacking a Single Letter

Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.

Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:

When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.

Add a loop to your script that does the following:

• Sets the Go Command to the next character we want to try
• Captures a power trace
• Checks if sample 153 is above -0.2 (fill in the appropriate numbers here)
• Repeats for all characters we want to try

An example of this loop is:

trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'

  
for c in trylist:
    # Get a power trace using our next attempt
    nextPass = password + '{}'.format(c) + "\n"
    target.go_cmd = nextPass
    cw.captureN(self.scope, self.target, None, self.aux_list, self.ktp, 1)
        
    # Grab the trace and check data[153]
    nextTrace = scope.getLastTrace()
    if nextTrace[153] > -0.2:
        print "Success: " + c

This script will eventually stop, but you can use Ctrl+C on the command line to kill it. Make sure your script prints "Success: h"!

Attacking the Full Password

The last step is to attack the entire password, one letter at a time. The procedure to do this is:

• Start with a blank password string
• Loop through all of the characters we want to try:
  • Add the next character to the end of the password
  • Test this new candidate password using code similar to the above
  • If the new password is correct up to character (1, 2, ..., 5), add it to the end of the password
• Repeat until we've cracked all 5 characters.

Note that the point of interest is no longer at sample 153. We noticed earlier that this key point moves 72 samples forward for every correct character, so we'll have to check location 153 for character 0, 153 + 72 for character 1, and 153 + i*72 for character i.

An example of this loop is:

# Crack the first letter
password = ''
trylist = 'abcdefghijklmnopqrstuvwxyz0123456789'
  
for i in range(5):
    for c in trylist:
        # Get a power trace using our next attempt
        nextPass = password + '{}'.format(c) + "\n"
        target.go_cmd = nextPass
        cw.captureN(self.scope, self.target, None, self.aux_list, self.ktp, 1)
        
        # Grab the trace
        nextTrace = scope.getLastTrace()
        
        # Check location 153, 225, etc. If it's too low, we've failed
        if nextTrace[153 + 72*i] < -0.2:
            continue
            
        # If we got here, we've found the right letter
        password += c
        print '{} characters: {}'.format(i+1, password)
        break

After some time, this prints 5 characters: h0px3 -- it automatically finds the correct password.

That's it! You should have successfully cracked a password using the timing attack. Some notes on this method:

• The target device has a finite start-up time, which slows down the attack. If you wish, remove some of the printf()'s from the target code, recompile and reprogram, and see how quickly you can do this attack.
• The current script doesn't look for the "WELCOME" message when the password is OK. That is an extension that allows it to crack any size password.
• If there was a lock-out on a wrong password, the system would ignore it, as it resets the target after every attempt.