As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.
<li>
<p>Select the <code>connect_simpleserial.py</code> script</p>
<p>[[File:connect_script.png|500px]]</p>
</li>
<li>
<p>Run the <code>connect_simpleserial.py</code> script by pressing the <b>Run</b> button</p>
<p>[[File:connect_script_preview.png|500px]]</p>
</li>
<li>
<p>Set up the settings by running the appropriate setup script for your device</p>
<p>[[File:setup_script_xmega.png|500px]]</p>
</li>
<li>
<p>Run the setup script by pressing the run button. If you want to see what parameters the script changes, inspect the preview</p>
<p>[[File:setup_preview_xmega.png|500px]]</p>
</li>
<li>
<p>Open the appropriate programmer from the top main menu ''Tools'', and in the dialog press ''Check Signature'' to verify you can connect to the target</p>
<p>[[File:xmega_programmer.png|325px]]</p>
</li>
<li>
<p>Find the correct firmware file, previously compiled for the target you are using, and press ''Erase/Program/Verify FLASH''</p>
<p>[[File:xmega_programmer_press_program.png|325px]]</p>
</li>
<li>
<p>Time to set up the voltage glitching parameters. Start with the ''Glitch Module'' section under the ''Scope Settings'' tab</p>
from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173
=== Monitoring Glitch Insertion ===
<ol style="list-style-type: decimal;">
<li>Switch to the ''Scope Settings'' tab.</li>
<li>Set the ''ADC Clock Source'' to ''CLKGEN x4''.</li>
<li>Press ''Reset ADC DCM'' and confirm the frequency is 29.5 MHz as expected.</li>
<li>Switch the ''Trigger Setup'' --> ''Mode'' to be ''Rising Edge''</li>
<li>Switch the ''Trigger Setup'' --> ''Total Samples'' to be ''1000''</li>
<li>Switch the ''Gain Setting'' --> ''Setting'' to be ''40''. You might need to adjust this for different hardware.</li>
<li>
<p>Press ''Capture 1'' and confirm some waveform is displayed. For example, with the NOTDuino Target on the ChipWhisperer-Lite, the waveform looks like this:</p>
<p>[[File:waveform-notduino-normal.png|image]]</p>
</li>
<li>If this doesn't work, check that the trigger in use is the ''Target IO4'' pin.</li>
<li>
<p>Play around a bit with the glitch width, offset, and repeat. You should see different effects in the power consumption traces. For example, the following shows a narrow (15% pulse width) glitch being inserted:</p>
<p>[[File:waveform-notduino-glitch1.png|image]]</p>
</li>
</ol>
=== Starting the Glitch Attack ===
Rather than using the manual trigger, we'll jump right into using the Glitch Explorer to break this target. First, we'll set up some basic glitch parameters for your specific target.
<ol style="list-style-type: decimal;">
<li>Switch to the ''Target Settings'' tab, and set the ''Output Format'' to <code>$GLITCH$</code>.</li>
<li>
<p>Open the ''Glitch Explorer'', and hit ''Capture 1'' a few times. Confirm this populates the table with various examples.</p>
<p>[[File:ge-normal.png|image]]</p>
</li>
<li>
<p>We need to set up the ''Normal Response'' and ''Successful Response''. Note that in this example the normal response has a little random noise we want to ignore, but we want to capture when the device resets after the glitch and sends the "hello" message twice. We could accomplish this with the following bit of Python code:</p>
<pre>s.endswith("hello\nA") and (len(s) < 12)</pre>
<p>This checks both that the string ends as it does without a glitch and that the string isn't too long. In the case of the successful glitch, we just want to see if "1234" is printed. This can be accomplished in Python with:</p>
<pre>"1234" in s</pre>
<p>You can always experiment using the ''Python Console'' to see how your potential expressions behave. For example, here is a check of the first expression against a normal response and against a response where "hello" is sent twice:</p>
<pre>>>> s = "\x1ahello\nA"
>>> s.endswith("hello\nA") and (len(s) < 12)
True
>>> s = "\x1ahello\nhello\nA"
>>> s.endswith("hello\nA") and (len(s) < 12)
False</pre>
<p>Finally, configure the Glitch Explorer:</p>
<blockquote>
<ol style="list-style-type: lower-alpha;">
<li>Set the ''Normal Response'' to <code>s.endswith("hello\nA") and (len(s) < 12)</code></li>
<li>Set the ''Successful Response'' to <code>"1234" in s</code></li>
</ol>
</blockquote>
<p>You can check that the updated color-coding is working with a few ''Capture 1'' events.</p>
</li>
<li>
<p>Using the following table, set the ''Glitch Width (as % of period)'' and ''Repeat'' on the ''Scope Settings'' tab:</p>
{| class="wikitable"
! Parameter
| 10
|}
</li>
<li>
<p>Finally, let's configure the Glitch Explorer to give us the required sweep of the ''Offset'' and ''Width'' parameters by running the <code>ge_widthoffset_vary.py</code> script. The starting, stopping and step attributes can be changed for both parameters by editing the script:</p>
<syntaxhighlight lang=python>
"""Glitch Explorer example to modify clock offset & width.

To use this be sure to set 'Output Format' as $GLITCH$ so data is passed through.
"""

class IterateGlitchWidthOffset(object):
    def __init__(self, ge_window):
        self._starting_offset = -40
        self._starting_width = -40
        self.ge_window = ge_window

    def reset_glitch_to_default(self, scope, target, project):
        """ Set glitch settings to defaults. """
        self.offset = self._starting_offset
        self.width = self._starting_width

    def change_glitch_parameters(self, scope, target, project):
        """ Example of simple glitch parameter modification function. """
        # This value is minimum clock offset/width increment
        scope.glitch.offset += 0.390624

        if scope.glitch.offset > 40:
            scope.glitch.offset = self._starting_offset
            scope.glitch.width += 0.390624

            if scope.glitch.width > 40:
                scope.glitch.width = self._starting_width

        # Write data to scope
        #scope.glitch.width = self.width
        #scope.glitch.offset = self.offset

        #You MUST tell the glitch explorer about the updated settings
        if self.ge_window:
            self.ge_window.add_data("Glitch Width", scope.glitch.width)
            self.ge_window.add_data("Glitch Offset",scope.glitch.offset)

glitch_iterator = IterateGlitchWidthOffset(self.glitch_explorer)
self.aux_list.register(glitch_iterator.change_glitch_parameters, "before_trace")
#self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture")
</syntaxhighlight>
</li>
<li>
<p>You can again check if the aux module was registered by going to the ''Aux Settings'' tab.</p>
<p>[[File:aux_settings_with_glitch_vary.png|500px]]</p>
</li>
<li>
<p>On the ''Generic Settings'' tab:</p>
<blockquote>
<ol style="list-style-type: lower-alpha;">
<li>Ensure the ''Trace Format'' is set to ''None'' (i.e., no traces will be written to disk).</li>
<li>Set the ''Number of Traces'' to 200.</li>
</ol>
</blockquote>
</li>
<li>Press the ''Capture Multi'' button. You will get a warning as there is no trace writer, but can just hit ''Continue Anyway'', since we do not want to store traces to disk.</li>
<li>
<p>Hopefully you will determine some useful parameters for glitching this target:</p>
<blockquote>
<p>[[File:ge-success.png|image]]</p>
</blockquote>
</li>
<li>Try reducing the ''Repeat'' parameter in the ''Glitch Module'' settings. See how few cycles you can glitch while still achieving a reliable glitch.</li>
</ol>
Once you have the glitch parameters determined, you can work on trying to recreate some of the previous tutorials, such as glitching past the password prompt.
<p>The following shows an example of inserting several glitches successfully:</p>
<p>[[File:rpi-glitch.png|image]]</p></li></ol>
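The following is an added example, not part of the original tutorial or of the ChipWhisperer code base. It replays the stepping rule of the sweep script offline and applies the two response expressions from this page to constructed output strings, which shows how much of the width/offset grid a given ''Number of Traces'' actually covers. The names <code>classify</code>, <code>sweep</code>, <code>tally</code> and <code>captures_until_width_changes</code> are hypothetical, and plain floats stand in for <code>scope.glitch</code> (real hardware quantizes these values).

```python
"""Added example: offline tally of glitch responses per (width, offset)."""
from collections import Counter

STEP = 0.390624           # minimum offset/width increment from the sweep script
LOW, HIGH = -40.0, 40.0   # sweep bounds from the sweep script


def classify(s):
    """Apply the page's two response expressions to one output string."""
    if "1234" in s:
        return "success"
    if s.endswith("hello\nA") and (len(s) < 12):
        return "normal"
    return "other"        # e.g. a reset ("hello" sent twice) or garbage


def sweep(n):
    """Yield n (width, offset) pairs: offset steps on every capture,
    width steps only when offset wraps around."""
    width, offset = LOW, LOW
    for _ in range(n):
        offset += STEP
        if offset > HIGH:
            offset = LOW
            width += STEP
            if width > HIGH:
                width = LOW
        yield round(width, 2), round(offset, 2)


def tally(responses):
    """Pair each response with the setting in force and count the outcomes."""
    counts, hits = Counter(), []
    for setting, s in zip(sweep(len(responses)), responses):
        label = classify(s)
        counts[label] += 1
        if label == "success":
            hits.append(setting)
    return counts, hits


def captures_until_width_changes():
    """Number of captures before the sweep leaves its first width value."""
    for n, (width, _) in enumerate(sweep(10**6), start=1):
        if width != LOW:
            return n


# Constructed sample strings (assumption: not captured from hardware).
SAMPLE = ["\x1ahello\nA", "hello\nA", "\x1ahello\nhello\nA",
          "hello\nA1234\n", "hello\nA"]

if __name__ == "__main__":
    print(tally(SAMPLE))
    print("width first changes at capture", captures_until_width_changes())
```

With this step size the width first changes on capture 205, so a run of 200 traces sweeps the offset at a single width only.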
== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]