[[File:cwlite_basic.png|image]]
== Quick-Start Guide ==
You can see a [http://www.youtube.com/watch?v= Basic Usage Instructions MJmkYqA-LeM&hd=1 Video] of the quickstart guide, which will take you through all the setup items discussed here:
<blockquote></blockquote>[[File:cwlite_demo_video.png|link== CW-Litehttp: Programming AVR/XMEGA Device /www.youtube.com/watch?v=MJmkYqA-LeM&hd=1]]
The CW1173 has built== Connection Quick-in support Start ==<ol><li>Follow the [[Installing ChipWhisperer]] instructions for programming either Atmel AVR or Atmel XMEGA the ChipWhisperer software and its prerequisites.</li><li>Connect ChipWhisperer-Lite, install USB Drivers:<dl><dt>Windows:</dt><dd><ul><li>Plug micro-USB cable into ChipWhisperer-Lite</li><li>If the "New Hardware Found" wizard doesn't prompt you for drivers, go to the control panel and find the "ChipWhisperer-Lite" device, and select "Update Drivers". This </li><li>You can find drivers in <code>c:\chipwhisperer\hardware\capture\chipwhisperer-lite\</code>. You will likely need to extract them from the <code>cwlite_usb_driver.zip</code> file. If so simply extract them somewhere (i.e. your desktop), and then point the new hardware found wizard to that location.</li></ul></dd><dt>Linux:</dt><dd><ul><li><p>Driver installation is designed not required, but if you do not update the 'udev' system, you will be unable to run ChipWhisperer-Capture as a regular user. To update the udev system, first make sure the ChipWhisperer-Lite is Make a file called <code>/etc/udev/rules.d/99-cwlite.rules</code> . The contents of this file should be:</p><pre># allow you users to program our target boards (either claim the builtdeviceSUBSYSTEM=="usb", ATTRS{idVendor}=="2b3e", ATTRS{idProduct}=="ace2", MODE="0664", GROUP="plugdev"</pre></li><li><p>Add your username to the plugdev group:</p><pre>$ sudo usermod -a -G plugdev YOUR-USERNAME</pre></li><li><p>And reset the udev system:</p><pre>$ sudo udevadm control --reload-rules</pre></li><li>Finally log out & in XMEGA target, or again for the Multigroup change to take effect.</li><li>Connect the micro-Target boardUSB cable</li></ul></dd><dt>MAC:</dt><dd><ul><li>No special installation required - must ensure you have installed libusb via homebrew (see instructions at [[MacOSX_Installation]]).</li></ul></dd></dl></li><li><p>To check for a successful installation Run ChipWhisperer-Capture. This can be done from one of three ways:</p><blockquote><ul><li>Double-click on <code>CWCapture.pyw</code> in the <code>chipwhisperer\software</code> folder. You must have installed Python into your path for this to work.</li><li>run <code>python CWCapture.pyw</code> from the <code>chipwhisperer\software</code> folder using a command prompt with Python in the path.</li><li>run <code>python CWCaptureGUI.py</code> from the <code>chipwhisperer\software\chipwhisperer\capture\ui</code> directory.</li></ul>
Note this programmer <p>The last option is fairly simplethe most reliable, and in that it should always work on all platforms. If it doesn't start look for possible missing modules or other useful errors.</p><blockquote><p>'does not'' provide all hint'''</p><p>The first time you run ChipWhisperer-Capture or -Analyzer, the features default setup of the screen is somewhat insane. You can drag windows around or close them to make it look more like the demos here. See the Video quickstart guide as well for details of that.</p></blockquote></blockquote></li><li><p>From the "Scripts" directory, run the <code>ChipWhisperer-Lite: AES SimpleSerial on XMEGA</code> script:</p><p>[[File:cwlite_simpleserial.png|image]]</p><p>This should connect to the ChipWhisperer-Lite, program the FPGA, and run a standfew captures. Your screen should look something like this now:</p><p>[[File:Step Connection Quick Start 05 02.PNG|1000px|image]]</p></li><li><p>If the previous step fails, you may need to set the path for the "firmware". This is done by going to the "Tools" menu and selecting the "Config CW Firmware" option. Note on MAC OS X a special command is required instead sometimes, see [[MacOSX_Installation]].</p><p>From there, hit the "FIND" button beside the "FPGA .zip (Release)" option. Point it to the file located at <code>chipwhisperer/hardware/capture/chipwhisperer-alone programmerlite/cwlite_firmware.zip</code> on your filesystem.</p></li><li>Your ChipWhisperer-Lite is now connected. See the next section for details of the demo attack.</li></ol>
=== AVR Programmer =Capture and Attack Quickstart ==
The AVR device programmer requires four connections to the target: RESET, MOSI, MISO, SCK. # See [[#20-Pin_ConnectorTutorial_B5_Breaking_AES_(Straightforward)]] for details . Note the hardware setup is slightly different -- but you can skip to step 5.5.3, and should be able to pick up from there. Be sure to use the <code>ChipWhisperer-Lite: AES SimpleSerial on XMEGA</code> script instead of AVR programming pin connectionsthe one referenced in step 5.5.3.
==== Accessing the Programming ==Important Bugs/Caveats ==
To access the AVR Programmer, select the "CW-Lite AVR Programmer" from the pull-down Tools menuThe following includes various things that might trip you up:
[[File:avrprog_menu# If you save the project ''before'' running the capture, you can specify any directory. Traces will be copied to the appropriate location during capture.# If you save the project ''after'' running the capture, you must save the project to the same directory that "default-data-dir" exists in. This is normally the folder from where you invoked the Python GUI.# There are a few warnings/exceptions that come up (i.e. divide-by-zero). Generally just keep going and see if things are still working. A number of those are on the ''TODO'' list to fix but I didn't get around to it yet.# The "Total Ops" window which checks for proper AES operation requires PyCrypto to be installed.# By default the XMEGA device was programmed with a partial AES implementation only. This is done to avoid any crypto export issues. This does not affect your side-channel analysis, but be aware the returned value might not appear to be correct (since only the first couple rounds of AES occurred).png|image]]
Which should give you the AVR Programmer Window.== Basic Usage Instructions ==
{{CollapsibleSection|intro ==== Clock Source Selection AVR Programmer ===|content=CW1173_ChipWhisperer-Lite/AVR Programmer}}
Note to use the AVR programmer you may require a valid clock source for the AVR. It is suggested to select one of the setup scripts (such as <code>ChipWhisperer{{CollapsibleSection|intro = === XMEGA Programmer ===|content= CW1173_ChipWhisperer-Lite: AES Simple-Serial on ATMega328P</code>) which will generate a 7.37 MHz clock.XMEGA Programmer}}
Check if the device is found by pressing the "Check Signature" button. The status window will show the detected device based on the signature.{{CollapsibleSection|intro = === Using Glitch Port ===|content= CW1173_ChipWhisperer-Lite/Glitch Port}}
[[File:avrprog_sigok.png{{CollapsibleSection|image]]intro = === Using Measure Port ===|content= CW1173_ChipWhisperer-Lite/Measure Port}}
If this fails, double{{CollapsibleSection|intro = === 20-check connections, and ensure the clock source to the AVR is suitable. Note some errors will appear as part of the main window log:Pin Connector ===|content= CW1173_ChipWhisperer-Lite/20-Pin Connector}}
[[File:avrprog_fail.png{{CollapsibleSection|image]]intro = === 8-Pin SmartCard Connector ===|content= CW1173_ChipWhisperer-Lite/8-Pin SmartCard Connector}}
The default SPI data rate for the programmer is too fast for devices which are running slower than 2 MHz. If programming a device with a clock source slower than 2 MHz, you will need to enable the "Slow Clock Mode". In "Slow Clock Mode" the entire {{CollapsibleSection|intro = === Upgrading SAM3U and FPGA clock is changed from 96 MHz to 12 MHz. Note the default fuse bytes for a virgin ATMega328P result in a 1 MHz clock, so you will need to use "slow clock mode" to program the correct fuse bytes, after which point you will not need to use "slow clock mode".Firmware ===|content= CW1173_ChipWhisperer-Lite/Upgrading SAM3U Firmware}}
<blockquote>'''note'''{{CollapsibleSection|intro = === Breaking Target Section Apart ===|content= CW1173_ChipWhisperer-Lite/Breaking Target Section Apart}}
The 'slow clock mode' is used to provide a slower SPI clock than would otherwise be possible. When switching into 'slow clock mode' it will cause all DCM blocks in the FPGA to become unlocked. You will need to reset the DCM blocks, or simply restart the CW-Capture software and run the setup script.</blockquote>==== Programming the Fuses ==Advanced Usage ==
By default the AVR programmer allows you to modify the LOW fuse byte only, as this byte controls the clock source selection. To change the value of the fuse byte: # Press the "Read Fuses" button, and the values should be populated# Specify the new low fuse value# Hit "Write Fuses" See [http://eleccelerator.com/fusecalc/fusecalc.php?chip=atmega328p an Online Fuse Calculator] to better understand what the values mean. <blockquote>'''tip''' ; If programming a virgin ATMega328P device, the default low-fuse value of <code>62</code> results in the internal: 8 MHz oscillator being divided down to 1 MHz. Any external clock is ignored. The low fuse byte must be changed to <code>D0</code> to use the external clock provided by the ChipWhisperer toolchain.</blockquote>==== Programming the Flash ==== Programming the flash is accomplished by selecting the new .hex file in the "Find" menu, and pressing the "Erase/Program/Verify FLASH" button. The "Status" line will show the following information: * File programmed into device* Time file was last modified (very useful to confirm you are using changed file when doing development)* Status of verification, and number of bytes programmed/verified [[File:avrprog_progok.png|image]] === XMEGA Programmer === The XMEGA device programmer requires only two connections to the target: clock (PDIC) and data (PDID). The PDIC line is usually shared with the RESET pin, and the PDID pin is a specific pin on the XMEGA device. See [[#20-Pin_Connector]] for details of XMEGA programming pin connections. [[File:xmegaprog_main.png|image]] == Using Glitch Port == The "GLITCH" port is used for voltage glitching. It's connected to two MOSFET elements, as the following figure shows: <blockquote>[[File:glitch_lp_hp.png|image]]</blockquote>The CW1173 glitch output can be commanded to turn on either of those MOSFETs via the "Glitch Out Enable" checkboxes: <blockquote>[[File:glitch_gui.png|image]]</blockquote>Be careful using this feature, as you don't want to short the MOSFETs for too long. It's also possible to damage the ChipWhisperer-Lite by burning these MOSFETs up if used incorrectly. See tutorial #A3 for more information on using this feature. == Using Measure Port == The "MEASURE" port is the input to the low-noise amplifier and ADC. == 20-Pin Connector == The pinout is as follows: {| class="wikitable"! Number! Name! Dir! Description|-| 1| +VUSB (5V)| O| Not Connected on ChipWhisperer-Lite.|-| 2| GND| O| System GND.|-| 3| +3.3V| O| +3.3V to Target Device, can be turned off, 200mA available.|-| 4| FPGA-HS1| I/O| High Speed Input (normally clock in).|-| 5| PROG-RESET| I/O| Target RESET Pin (AVR Programmer).|-| 6| FPGA-HS2| I/O| High Speed Output (normally clock or glitch out).|-| 7| PROG-MISO| I/O| SPI input: MISO (for SPI + AVR Programmer).|-| 8| VTarget| I| Drive this pin with desired I/O voltage in range 1.5V-5V.|-| 9| PROG-MOSI| I/O| SPI output: MOSI (for SPI + AVR Programmer).|-| 10| FPGA-TARG1| I/O| TargetIO Pin 1 - Usually UART TX or RX.|-| 11| PROG-SCK| I/O| SPI output: SCK (for SPI + AVR Programmer).|-| 12| FPGA-TARG2| I/O| TargetIO Pin 2 - Usually UART RX or TX.|-| 13| PROG-PDIC| I/O| PDI Programming Clock (XMEGA Programmer), or CS pin (SPI).|-| 14| FPGA-TARG3| I/O| TargetIO Pin 3 - Usually bidirectional IO for smartcard.|-| 15| PROG-PDID| I/O| PDI Programming Data (XMEGA Programmer).|-| 16| FPGA-TARG4| I/O| TargetIO Pin 4 - Usually trigger input.|-| 17| GND| O| |-| 18| +3.3V| O| |-| 19| GND| O| |-| 20| +VUSB (5V)| O| Not Connected on ChipWhisperer-Lite.|} == 8-Pin SmartCard Connector == The CW1173 contains two 8-pin connectors, which use our standard 8-pin Smart-Card header pinout. One header connects to the SAM3U device (which has ISO-7816 drivers), one header connects to the FPGA. Note there is currently no firmware support for these devices, but the hardware is designed for any of the following: * Emulating a smart card (use interposer board), or fuzzing a smart card reader* Communicating to a smart card* Sniffing traffic between a legitimate reader and smart card* Side-channel analysis of smart card device Header J7 (Connects to SAM3U): {| class="wikitable"! Number! Name! Dir! Description|-| 1| VCCIO| O| 3.3V Supply (from linear regulator, always on)|-| 2| GND| O| System GND|-| 3| RST| I/O| Reset (SAM3U: PA3)|-| 4| PRESENT| I| Used to detect presence of smart card (SAM3U: PA2)|-| 5| CLK| I/O| Clock (SAM3U: PA25, 'CLK2'. FPGA: P131)|-| 6| I/O| I/O| I/O Line (SAM3U: PA22), 10k pull-up|-| 7| AUX1| I/O| Spare line (SAM3U: PA4)|-| 8| AUX2| I/O| Spare line (SAM3U: PA5)|} Header J6 (Connects to FPGA): {| class="wikitable"! Number! Name! Dir! Description|-| 1| VCCIO| O| 3.3V Supply (from FPGA supply)|-| 2| GND| O| System GND|-| 3| RST| I/O| Reset (FPGA: P102)|-| 4| PRESENT/VPP| I| Not Connected (mount R60 to connect to P101)|-| 5| CLK| I/O| Clock (FPGA: P100)|-| 6| I/O| I/O| I/O Line (FPGA: P99), 10k pull-up|-| 7| AUX1| I/O| Spare line (FPGA: P98)|-| 8| AUX2| I/O| Spare line (FPGA: P97)|} == Upgrading SAM3U Firmware == When talking about the ChipWhisperer-Lite's firmware, there is really two parts to this: # The FPGA Bitstream file.# The SAM3U USB interface chip firmware. The FPGA bitstream alone is what is normally configured by the ChipWhisperer-Capture software. This bitstream is always the most up-to-date, since it's automatically reloaded by the computer every time you power cycle the ChipWhisperer-Capture. The SAM3U firmware however is not automatically updated, but it tends to change less frequently. === Checking Firmware Version === The firmware version is printed at start-up. You will see a line that looks like this indicating the version of the SAM3U Firmware: <pre>Found CW-Lite, Serial Number = 442031204630xxxxxxxxxxxSAM3U Firmware version = 0.11 b0Programmed FPGA</pre>If your firmware version is outdated, a warning will be printed. You can also see the firmware version in the ''Config CW Firmware'' dialog: <blockquote>[[File:sam3fwver.png|image]]</blockquote>Note the main version is 0.11 in this example. The "b0" indicates a "build" number. Typically this will be "build 0", but special versions will use a different build number to indicate a variant of a regular version. === Upgrading Firmware === Before updating, you must put your ChipWhisperer-Lite into bootloader mode. Once put into this mode you will need to load a new firmware file. There is two ways of doing it: the ''automatic'' method, and the ''manual'' method. The automatic method is done through the GUI, and works if you have valid firmware image loaded. The ''manual'' method is always guaranteed to work. The automatic method is: Using ChipWhisperer-Capture GUI # Connect to the ChipWhisperer-Lite.# From the ''Tools'' menu select ''Config CW Firmware''# Select the ''Open SAM3U Update Widget'' button.# Press the ''Enable Bootloader Mode'' button.# You will get an error, and the ChipWhisperer-Lite will disconnect. This is normal, and indicates the USB mode changed suddenly.# The blue LED will stop flashing, and the device will reconnect in programmer mode (see below). Once you are in bootloader mode, both the blue and red LED will be very dimmly lit: [[File:lights_prog.jpg|400px]] This indicates it is in bootloader mode. The device will now attach as a serial port. If you are using Windows this may take a few minutes to happen. If using Linux, you can use ''dmesg'' to verify the serial port was connected OK. If this doesn't work, see the page [[Manual SAM3U Firmware Update]] for details on how to manually enter bootloader mode. You can return to this page for the actual programming - you don't need to install/use the BOSSA utility if you follow those manual directions. You simply need to force the system into bootloader mode using those directions. To actually program the file, we use the second part of the dialog box you already had open: [[File:sam3uupdate.png|400px]] Once we are in bootloader mode, you can follow these steps: # Hit "Update List", and select the serial port the SAM3U attached as.# To use the default firmware file, leave the "Built-in" radio-box selected. If you want a custom firmware you can select the "External" mode.# Hit the "Run Program" button# Once completed, unplug/replug your device and it should come to life.# Close the update widgets, and reconnect to your ChipWhisperer-Lite. === Manual Update === If the above instructions fail, there is no big problem. The SAM3U chip contains a hardware-resident bootloader. You may need to follow instructions on the [[Manual SAM3U Firmware Update]] page (including using BOSSA) if you are unable to use the automatic system that is part of ChipWhisperer-Capture. <div id="collapse-pre-one" class="mw-collapsible mw-collapsed"> <div class="mw-collapsible-toggle toccolours" style="float: none;"> <div class="mw-collapsible-toggle-row"> <div class="mw-collapsible-toggle-header">== Breaking Target Section Apart ==</div><div class="mw-collapsible-toggle-indicator">[[File:right-black-arrow.png|150px|link=]]</div> </div> </div><div class="mw-collapsible-content">{{:CW1173_ChipWhisperer-Lite/Breaking Target Section Apart}}</div> = Advanced Usage = == Mounting Jumpers ===
Note the ChipWhisperer-Lite main board and target section contain a number of jumper options. By default these are not mounted, and solder jumper bridges on the PCB have been bridged to select the appropriate options when required. Some options are only solder jumpers, which to move the jumper requires a soldering iron to bridge or clear the appropriate connections.
</span>
{{CollapsibleSection
|intro = === Schematic ===
[https://github.com/newaetech/chipwhisperer/blob/master/hardware/capture/chipwhisperer-lite/pcb/cw-lite-main.pdf Link to PDF]
(Expand for inline images of schematic)
|content= CW1173_ChipWhisperer-Lite/Schematic
}}
== Hardware ==
{{Template:Hardware}}
[[Category:Capture Hardware]]
