As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes


Tutorial A3 VCC Glitch Attacks

1,181 bytes removed, 18:49, 1 May 2018
no edit summary
<li>
<p>Select the <code>connect_simpleserial.py</code> script</p>
<p>[[File:connect_script.png|500px]]</p>
</li>
<li>
<p>Run the <code>connect_simpleserial.py</code> script by pressing the <b>Run</b> button</p>
<p>[[File:connect_script_preview.png|500px]]</p>
</li>
<li>
<p>Set up the settings by running the appropriate setup script for your device</p>
<p>[[File:setup_script_xmega.png|500px]]</p>
</li>
<li>
<p>Run the setup script by pressing the run button; if you want to see what parameters the script changes, inspect the preview</p>
<p>[[File:setup_preview_xmega.png|500px]]</p>
</li>
<li>
<p>Open the appropriate programmer from the top main menu ''Tools'', and in the dialog press ''Check Signature'' to verify you can connect to the target</p>
<p>[[File:xmega_programmer.png|325px]]</p>
</li>
<li>
<p>Find the correct firmware file, previously compiled for the target you are using, and press the ''Erase/Program/Verify FLASH'' button</p>
<p>[[File:xmega_programmer_press_program.png|325px]]</p>
</li>
<li>
<p>Time to set up the voltage glitching parameters. Start with the ''Glitch Module'' section under the ''Scope Settings'' tab</p>
<ol>
<li><p>Set the ''Clock Source'' as ''CLKGEN'':</p></li>
<li><p>Set up the Glitch Module to NOT output anything by default '''VERY IMPORTANT TO AVOID DAMAGE'''</p> <p>Set the ''Output Mode'' as ''Glitch Only''; this is the step that ensures '''you do not cause constant glitches''':</p></li>
<li><p>Set the ''Glitch Trigger'' to ''Ext Trigger:Single-Shot''</p></li>
</ol>
<p>[[File:glitch_setup.png|500px]]</p>
</li>
<li>
<p>Now activate the low power glitch module by enabling the ''HS-Glitch Out Enable (Low Power)'' toggle under the ''Trigger Pins'' section in the ''Scope Settings'' tab</p>
<p>For the ChipWhisperer-Lite (CW1173/CW1180), set the ''Target HS IO-Out'' option to ''CLKGEN''.</p>
<p>[[File:low_power_glitch_enable.png|500px]]</p>
</li>
<li>
<p>Navigate to the ''Target Settings'' tab and remove all the text in the ''Load Key Command'', ''Go Command'', and ''Output Format'' fields</p>
<p>Set the ''Output Format'' field to ''$GLITCH$''</p>
<p>[[File:target_output_setting.png|500px]]</p>
</li>
<li>
<p>Run the aux reset script for the appropriate target. The avr, stm32f and xmega targets use <code>aux_reset_cw1173.py</code>. '''This script needs to be modified for the specific target.''' Uncomment the line for your target and comment out the lines for the other targets. The timing of the reset can also be changed; the comments explain the pros and cons of each. The reset after arm usually works better and needs less setup, but this depends on the target.</p>
<syntaxhighlight lang=python>
"""Set up resets via CW1173

Contains a few adjustable lines to switch between XMEGA/AVR/STM32F and change reset
timing (relative to scope arm)
"""
from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173

# GUI compatibility
try:
    aux_list = self.aux_list
except NameError:
    pass

# Delay between arming and resetting, in ms
delay_ms = 1000

# Reset XMEGA device
Resetter = ResetCW1173(pin='pdic', delay_ms=delay_ms)
# Reset STM32Fx device
#Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms)
# Reset AVR
#Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms)

# Reset before arming
# avoids possibility of false triggers
# need delay in target firmware to avoid race condition
#aux_list.register(Resetter.resetThenDelay, "before_trace")

# Reset after arming
# scope can catch entire reset
# avoids race condition
# target reset can cause false triggers (usually not an issue)
aux_list.register(Resetter.delayThenReset, "after_arm")
</syntaxhighlight>
</li>
<li>
<p>You can see what aux modules are active in the ''Aux Settings'' tab. Here you can also see the preview, enable/disable, and remove each module</p>
<p>[[File:aux_setting.png|500px]]</p>
</li>
</ol>
=== Monitoring Glitch Insertion ===
<ol style="list-style-type: decimal;">
<li>Switch to the ''Scope Settings'' tab.</li>
<li>Switch the ''ADC Clock Source'' to ''CLKGEN x4''.</li>
<li>Press ''Reset ADC DCM'', and confirm the frequency is 29.5 MHz as expected.</li>
<li>Switch the ''Trigger Setup'' --&gt; ''Mode'' to be ''Rising Edge''</li>
<li>Switch the ''Trigger Setup'' --&gt; ''Total Samples'' to be ''1000''</li>
<li>Switch the ''Gain Setting'' --&gt; ''Setting'' to be ''40''. You might need to adjust this for different hardware.</li>
<li>
<p>Press ''Capture 1'', and confirm some waveform is displayed. For example, with the NOTDuino Target on the ChipWhisperer-Lite the waveform looks like this:</p>
<p>[[File:waveform-notduino-normal.png|image]]</p>
</li>
<li>If this doesn't work, check that the trigger in use is the ''Target IO4'' pin.</li>
<li>
<p>Play around a bit with the glitch width, offset, and repeat. You should see different effects in the power consumption traces. For example, the following shows a narrow (15% pulse width) glitch being inserted:</p>
<p>[[File:waveform-notduino-glitch1.png|image]]</p>
</li>
</ol>
=== Starting the Glitch Attack ===
Rather than using the manual trigger, we'll jump right into using the Glitch Explorer to break this target. First, we'll set up some basic glitch parameters for your specific target.
<ol style="list-style-type: decimal;">
<li>Switch to the ''Target Settings'' tab, and set the ''Output Format'' to <code>$GLITCH$</code>.</li>
<li>
<p>Open the ''Glitch Explorer'', and hit ''Capture 1'' a few times. Confirm this populates the table with various examples.</p>
<p>[[File:ge-normal.png|image]]</p>
</li>
<li>
<p>We need to set up the ''Normal Response'' and ''Successful Response''. Note in this example the normal response has a little random noise we want to ignore, but we want to catch the case where the device resets after the glitch and sends the &quot;hello&quot; message twice. We could accomplish this with the following bit of Python code:</p>
<pre>s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)</pre>
<p>This checks both that the string ends the way it does without a glitch, and that the string isn't too long. In the case of the successful glitch, we just want to see if &quot;1234&quot; is printed. This can be accomplished in Python with:</p>
<pre>&quot;1234&quot; in s</pre>
<p>You can always experiment using the ''Python Console'' to see how your candidate expressions behave. For example, here is a check that the first expression works:</p>
<pre>&gt;&gt;&gt; s = &quot;\x1ahello\nA&quot;
&gt;&gt;&gt; s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)
True
&gt;&gt;&gt; s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)
False</pre>
<p>Finally, configure the Glitch Explorer:</p>
<blockquote>
<ol style="list-style-type: lower-alpha;">
<li>Set the ''Normal Response'' to <code>s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)</code></li>
<li>Set the ''Successful Response'' to <code>&quot;1234&quot; in s</code></li>
</ol>
</blockquote>
<p>You can test that the updated color-coding is working too with a few ''Capture 1'' events.</p>
</li>
<li>
<p>Using the following table, set the ''Glitch Width (as % of period)'' and ''Repeat'' on the ''Scope Settings'' tab:</p>
{| class="wikitable"
! Parameter
| 10
|}
</li>
<li>
<p>Finally, let's configure the Glitch Explorer to give us the required sweep of the ''Offset'' parameter.</p>
<ol style="list-style-type: lower-alpha;">
<li>
<p>Adjust the ''Glitch Offset'' and ''Width'' parameters by running <code>ge_widthoffset_vary.py</code>. The starting, stopping and step attributes can be changed for both parameters by editing the script:</p>
<syntaxhighlight lang=python>
"""Glitch Explorer example to modify clock offset & width.

To use this be sure to set 'Output Format' as $GLITCH$ so data is passed through.
"""

class IterateGlitchWidthOffset(object):
    def __init__(self, ge_window):
        self._starting_offset = -40
        self._starting_width = -40
        self.ge_window = ge_window

    def reset_glitch_to_default(self, scope, target, project):
        """ Set glitch settings to defaults. """
        self.offset = self._starting_offset
        self.width = self._starting_width

    def change_glitch_parameters(self, scope, target, project):
        """ Example of simple glitch parameter modification function. """

        # This value is minimum clock offset/width increment
        scope.glitch.offset += 0.390624

        if scope.glitch.offset > 40:
            scope.glitch.offset = self._starting_offset
            scope.glitch.width += 0.390624

        if scope.glitch.width > 40:
            scope.glitch.width = self._starting_width

        # Write data to scope
        #scope.glitch.width = self.width
        #scope.glitch.offset = self.offset

        #You MUST tell the glitch explorer about the updated settings
        if self.ge_window:
            self.ge_window.add_data("Glitch Width", scope.glitch.width)
            self.ge_window.add_data("Glitch Offset", scope.glitch.offset)

glitch_iterator = IterateGlitchWidthOffset(self.glitch_explorer)
self.aux_list.register(glitch_iterator.change_glitch_parameters, "before_trace")
#self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture")
</syntaxhighlight>
</li>
<li>
<p>You can again check that the aux module was registered by going to the ''Aux Settings'' tab.</p>
<p>[[File:aux_settings_with_glitch_vary.png|500px]]</p>
</li>
</ol>
</li>
<li>
<p>On the ''Generic Settings'' tab:</p>
<blockquote>
<ol style="list-style-type: lower-alpha;">
<li>Ensure the ''Trace Format'' is set to ''None'' (i.e., no traces will be written to disk).</li>
<li>Set the ''Number of Traces'' to 200.</li>
</ol>
</blockquote>
</li>
<li>Press the ''Capture Multi'' button. You will get a warning as there is no trace writer, but you can just hit ''Continue Anyway'', since we do not want to store traces to disk.</li>
<li>
<p>Hopefully you will determine some useful parameters for glitching this target:</p>
<blockquote><p>[[File:ge-success.png|image]]</p></blockquote>
</li>
<li>Try reducing the ''Repeat'' parameter in the ''Glitch Module'' settings. See how few cycles you can glitch while still achieving a reliable glitch.</li>
</ol>
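The following is an added example, not code from this wiki page or from the ChipWhisperer project, that ties together the two pieces of logic the Glitch Explorer steps above rely on: the Normal/Successful Response expressions, and the offset/width sweep that the aux script performs once per trigger. It runs offline against a fake scope object (exposing only `glitch.offset` and `glitch.width`) and a constructed fake target whose sensitive offset window, leaked value and reset-on-wide-glitch behaviour are assumptions made purely for illustration; the sweep constants (0.390624 step, -40 start, 40 limit) are those of the tutorial script.

```python
"""Added example (not code from the ChipWhisperer project or this wiki page): an
offline model of the Glitch Explorer loop set up in this tutorial.

It reuses the page's two response tests and the offset/width sweep logic of
ge_widthoffset_vary.py, but runs them against a constructed fake scope and a
constructed fake target so nothing needs hardware.  The fake target's sensitive
window and reset behaviour are assumptions made for illustration only.
"""

STEP = 0.390624        # minimum offset/width increment (% of period), as in the tutorial script
LIMIT = 40.0           # upper sweep bound used by the tutorial script
START_OFFSET = -40.0   # _starting_offset in the tutorial script
START_WIDTH = -40.0    # _starting_width in the tutorial script
BANNER = "hello\nA"    # the target's normal start-up output (from the page)


def is_normal(s):
    """Normal Response expression from the tutorial: ends with the banner and is short."""
    return s.endswith(BANNER) and (len(s) < 12)


def is_success(s):
    """Successful Response expression from the tutorial."""
    return "1234" in s


def classify(s):
    """Map one captured response to the Glitch Explorer's three colour-coded outcomes.
    Success is checked first so a leaked value followed by the banner still counts."""
    if is_success(s):
        return "success"
    if is_normal(s):
        return "normal"
    return "other"     # e.g. the double banner printed when the target resets


class FakeGlitch:
    """Stands in for scope.glitch: only the two fields the sweep touches."""
    def __init__(self):
        self.offset = START_OFFSET
        self.width = START_WIDTH


class FakeScope:
    def __init__(self):
        self.glitch = FakeGlitch()


def step_glitch_parameters(scope):
    """One sweep step, mirroring change_glitch_parameters() in the tutorial script:
    offset advances by STEP; past LIMIT it wraps to the start and width advances;
    past LIMIT width wraps too, so the sweep covers the whole (offset, width) grid."""
    scope.glitch.offset += STEP
    if scope.glitch.offset > LIMIT:
        scope.glitch.offset = START_OFFSET
        scope.glitch.width += STEP
    if scope.glitch.width > LIMIT:
        scope.glitch.width = START_WIDTH


def fake_target(offset, width, capture_index):
    """Constructed target (assumption, not a real device): a glitch inside the
    offset window leaks the protected value; a wider glitch in that window makes
    the device reset and print its banner twice; anything else is a normal run,
    sometimes with a stray leading byte, the noise the tutorial's test ignores."""
    noise = "\x1a" if capture_index % 2 else ""
    in_window = -10.0 <= offset <= -5.0
    if in_window and width >= -35.0:
        return BANNER + BANNER            # reset: "hello" twice, too long to be normal
    if in_window:
        return noise + "1234\n" + BANNER  # the value the glitch should expose
    return noise + BANNER


def run_sweep(captures, target=fake_target):
    """Drive `captures` trigger events the way Capture Multi does with the aux
    module registered "before_trace": step the parameters, capture, classify.
    Returns the outcome counts and the (offset, width) pairs that succeeded."""
    scope = FakeScope()
    counts = {"normal": 0, "success": 0, "other": 0}
    hits = []
    for i in range(captures):
        step_glitch_parameters(scope)
        outcome = classify(target(scope.glitch.offset, scope.glitch.width, i))
        counts[outcome] += 1
        if outcome == "success":
            hits.append((round(scope.glitch.offset, 3), round(scope.glitch.width, 3)))
    return counts, hits


if __name__ == "__main__":
    counts, hits = run_sweep(205)          # one full offset row at the starting width
    print(counts)
    print("first success at offset/width:", hits[0] if hits else None)
```

One full row of the sweep is 205 captures (204 distinct offsets from -40 upward, then the wrap step back to -40 that also bumps the width), which is why the tutorial's 200-trace run only scans part of a row per width and why narrowing the start/stop values in the script pays off once you know roughly where the sensitive region is. The classifier deliberately puts the success test before the normal test: a leaked `1234` followed by the banner is still a success, and the double banner after a reset fails the length check, so it lands in the third bucket rather than being mistaken for a normal run.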
Once you have the glitch parameters determined, you can work on trying to recreate some of the previous tutorials, such as glitching past the password prompt.
<p>The following shows an example of inserting several glitches successfully:</p>
<p>[[File:rpi-glitch.png|image]]</p></li></ol>
 
== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]
