Changes

This board uses NewAE Technology Inc's custom USB interface firmware. This firmware gives you a simple data/address bus, which you can read/write to the FPGA. The USB chip also controls FPGA configuration (which for the 7A35T device takes just under 2 seconds), the PLL, and the VCC-INT regulator. This makes it easy to script complex jobs like performing measurements at different frequencies or voltages, or reconfiguring the FPGA after a fault attempt to avoid issues with SRAM corruption.

The CDCE906 PLL means you can easily output frequencies from about 5-160 MHz (a larger range is possible but may require more care). The PLL is programmed over USB, and 3 output channels are provided (each which can be set to a different frequency). 2 route to the FPGA and 1 routes to a SMA connector. This allows you to synchronize external devices or boards to the oscillator driving your FPGA design.

Three switching regulators are provided - two fixed for VCC-AUX and VCC-IO, along with a VCC-INT supply which can be programmed over the range of 0.8V-1.10V (this is a software limit to prevent you from damaging the FPGA, this can be overridden if you need to provide about a 0.65-1.5V range). Optional linear regulators can plug into the VCC-AUX and VCC-IO supplies which provide lower-noise operation (but with a reduced current limit compared to the switching supplies).

An on-board DMM measures the VCC-INT supply and provides easy visual feedback so you can confirm settings without needing to attach a meter.

A resistive shunt is provided in the VCC-INT supply, with an optional shunt in the VCC-AUX line. The resistive shunt can be measured using a differential probe on 0.1" spacing, using the SMAs, or using the on-board 20dB LNA. The LNA makes it easier to measure with standard oscilloscopes that don't measure the very small variations you find in power analysis.

This board is designed to facilitate all forms of fault injection. Resitive and diode protection prevents transients on the VCC-IO of the FPGA from affecting the USB interface chip. The USB chip itself provides high-speed FPGA reconfiguration to simplify repetitive fault attacks where you need to reconfigure the FPGA. The USB interface can also monitor the INITB pin of the FPGA, which can be used with the continous CRC verification feature to determine when reconfiguration is required.

The ChipWhisperer Crowbar fault injection can also be used with this board, which requires either the ChipWhisperer-Lite 2-Part version (CW1173-2PART) or CW1200.

The following shows details of how the power supplies are routed on the CW305 board:

Details of each section are shown here:

There are two main sources of power which can be used for ''all'' FPGA power supplies (VCC-INT, VCC-IO, and VCC-AUX). By default this is the USB connector, but this is limited by USB specs to a maximum of 500 mA.

[[File:psw_1.jpg|100px]]

The internal power supply provides a source of 1.0V for the VCC-INT. This supply can be programmed slightly above/below 1.0V to compare the effects of different VCC-INT supplies on the FPGA design. Details of the power supply are given in section TODO XREF. The internal supply can provide up to 6.0A for the VCC-INT rail.

[[File:psw_2.jpg|200px]]

The following shows the components around the shunt resistor:

A brief description of each element is given below.

The SMA connectors provide access to both sides of the shunt. The "high side" comes from the power supply with substantial filter capacitors, and the "low side" goes directly to the FPGA VCC-INT network. The VCC-INT network may or may not have decoupling capacitors mounted (this is an ordering option).

The SMA connector can also be used when inserting faults into the FPGA. If using the ChipWhisperer crowbar fault generator, simply connect the crowbar output to connector X3. If using an external fault amplifier, you will also connect to X3 but will also need to remove the jumper (described below).

In some circumstances you may wish to entirely remove the shunt resistor. This is typically the case when performing fault insertion, where the large "filter" capacitors present on the high side of the shunt resistor will drastically reduce the slew rate of your fault amplifier.

The gold-plated nails that require soldering are used instead of a switch or jumper to reduce the resistance in the measurement path. Typical switches provide too high of a contact resistance for the potential current draw of a large design in the FPGA, which would reduce the SNR at the measurement point.

The shunt resistor is a 1206 size resistor mounted at position R27. The value of this resistor will vary between the various variants of the assembled board.

|}

The optional decoupling capacitors for the VCC-INT rail are shown on the underside of the PCB here:

This capacitors are typically not mounted when using the shunt resistor to measure power waveforms.

The VCC-INT shunt is the primarily power measurement point, as it provides power measurement for both designs inside the FPGA, along with the logic responsible for decrypting bitstreams (as reported at https://eprint.iacr.org/2016/249.pdf).

If using this shunt, you must '''remove''' resistor R26 (which has a metal slug 0-ohm resistor mounted) and replace with an appropriately sized 0805 resistor (suggested: 1 ohm). You must also remove capacitor C98, C95, C97, C94, and C93. They can be seen in the above photo.

Three switching power supplies are present on the board, which provide the VCC-INT (1.0V), VCC-AUX (1.8V), and VCC-IO (3.3V) supplies. The external IO on the board are all operated at 3.3V.

You can turn the power to the FPGA on or off using the following switch:

When in the "AUTO" mode, the state of the power supplies can be controlled from the computer. Typically "AUTO" mode is used as it allows the computer to power cycle the device.

Optional low-noise linear power supplies are available, which fit into the connectors around the switch-mode power supply. They have less power handling capabilities than the on-board switch-mode supplies, but have reduced noise that ends up injected into the PCB (and thus on the power traces).

If you wish to have the lowest-noise power source, you must mount the VCC-IO and VCC-AUX low-noise supplies, and also use an external supply for the VCC-INT supply.

The board contains a number of additional headers.

A 40-pin header is mounted at JP3. This female header also comes with a dual-sided male 40-pin header which ships which each PCB, allowing you to use either gender of connectors with this header.

* NewAE OpenADC Module

The bottom right side of the PCB contains a 20-pin connector that follows the standard ChipWhisperer pinout. This connector has ESD diodes present on the PCB to protect both the FPGA from external transients, and from glitches inserted into the FPGA from exiting the board and damaging external test gear.

Three SMA connectors are present on the board. Two are routed to IO pins on the FPGA, and one routes directly to the on-board PLL.

Two user switches are provided: one push-button, and one 4-item DIP switch.

See the example design documentation for more details.

There are three modes you can use to configure the FPGA:

|}

The ChipWhisperer software is used to communicate with this board. This can be used either as part of the GUI (i.e., using the CW305 within the ChipWhisperer-Capture), or by importing Python modules and communicating with the CW305.

Signed Windows drivers are provided in the GIT repository, or can be [https://github.com/newaetech/chipwhisperer/raw/master/hardware/victims/cw305_artixtarget/usb_driver.zip downloaded from here]. To install drivers:

Note you can also try using the installer present in this folder, but it's suggested instead to point the Windows installer to the driver folder.

If you have previously setup the CW-Lite or CW-1200 on Linux, you should already have a rules.d file with some NewAE products. You can add the following to get the CW305 working:

If you haven't previously set this up, see the page [[Linux Driver Setup]] for details.

{{Warningbox|The following examples assume you are using the 35T sized FPGA. You will have to change the bitstream location if using the 100T - see details of example projects above. The short answer is you should be able to change "35t" to "100t" in the example paths. }}

You can connect to the board using the following command:<syntaxhighlight lang="python">

from chipwhisperer.capture.targets.CW305 import CW305

If doing development, you probably want to set the force flag to "True". This will ensure you always get a newly programmed FPGA with the latest bitstream.

You can run the AES-128 example code (the cw305_top.bit file) with the following example:<syntaxhighlight lang="python">

from chipwhisperer.capture.targets.CW305 import CW305

See the FPGA Projects section for important details of the FPGA design framework.

You can disable the USB interface clock (i.e., the clock used by Address/Data lines). Generally this is recommended during the power measurement, as a separate clock is provided for clocking the cryptographic module. The clock can be turned off with:

You may also need to add a delay after triggering the pin - you don't want to turn the clock back on right away, but depending on your scope module it may report the trigger event has occurred before the capture is complete.

The CW305 contains a 3-channel PLL. This is provided by a CDCE906 chip, which as the following routing diagram shows contains an extremely flexible architecture:

</syntaxhighlight>

You can adjust the VCC-INT voltage using the following command:

</syntaxhighlight>

In addition to adjusting the VCC-INT supply, you can power cycle the FPGA target section. This can be used when you might expect faults to occur (such as after performing a glitch attack), where you want to ensure there are no errors such as CMOS latch-up occurring that can only be cleared by a power cycle.

The provided modules are written in Python, but any language which is supported by libusb can talk to the hardware. This will require you to write your own lower-layer driver and is officially unsupported by NewAE.

If using from other software (such as MATLAB), it is suggested to use the existing Python interface, which can be done via a simple command-line interface too. The Python interface is guaranteed to maintain compatibility with future changes in the SAM3U firmware.

[https://app.assembla.com/spaces/chipwhisperer/git/source/master/hardware/victims/cw305_artixtarget/NAE-CW305-Schematic.pdf?_format=raw Download Schematic from GIT]

Under construction!