Changes

<ol style="list-style-type: decimal;"> <li> <p>Connect to Select the ChipWhisperer device:</pcode>connect_simpleserial.py<blockquote/code>script<ol style="list-style-type: decimal;"/p> <lip>As the ''Scope Module'', select the ''ChipWhisperer/OpenADC'' option[[File:connect_script.png|500px]]</lip><li>As the ''Target Module'', select the ''Simple Serial'' option </li> <li>Switch to the ''Scope Settings'' tab, and as the ''connection'', select the ''ChipWhisperer Rev2'' or ''ChipWhisperer-Lite'' option</li> <lip>Switch to Run the ''Target Settings'' tab, and as the ''connection'', select the ''ChipWhisperer Rev2'' or ''ChipWhisperer-Lite'' option</licode><li>Run connect on both the Scope &amp; Target. They should both switch to green circles indicating the system is connectedconnect_simpleserial.py</licode>script, by pressing the </olb>Run</blockquoteb>button</lip><li> <p>Setup the CLKGEN Module to Generate a 7[[File:connect_script_preview.37 MHz clock and route it through the Glitch Generatorpng|500px]]</p><blockquote><ol style="list-style-type: decimal;"><li>Switch the ''Freq Counter Src'' to the ''CLKGEN Output'' </li> <li>Set the ''Desired Frequency'' to 7.37 MHz. Note you should only adjust the 'frequency' portion of this, if you highlight the entire field you may not be able to type the frequency into the system.</li><li>Confirm the ''DCM Locked'' checkbox is checked, if not hit the ''Reset CLKGEN DCM'' box. Check the ''Freq Counter'' to ensure the system is correctly generating about a 7.37 MHz clock.</li><li> <p>Under Setup up the ''Glitch Module'' set settings by running the ''Clock Source'' as ''CLKGEN'':appropriate setup script for your device</p> <p>[[File:glitchgen-clkgensetup_script_xmega.png|image500px]]</p> </li> <li> <p>Set Run the ''Target HS IO-Out'' appropriately. This depends on setup script by pressing the hardware in use:run button, if you want to see what parameters the script changes, inspect the preview</p> <blockquotep><ol style="list-style-type[[File: lower-alpha;"><li>For the ChipWhisperer-Lite (CW1173/CW1180), set ''Target HS IO-Out'' option to ''CLKGEN''setup_preview_xmega.png|500px]]</lip><li>For the ChipWhisperer-Capture Rev 2 (CW1002), set ''Target HS IO-Out'' option to ''Glitch Module''. </li></ol> </blockquote></li></ol></blockquote></li><li> <p>Connect the Serial Port</p><blockquote><ol style="list-style-type: decimal;"><li>For the XMEGA Target (including the CW-Lite integrated target), perform the following:<ol style="list-style-type: lower-alpha;"><li>Switch to Open the appropriate programmer from top main menu ''Scope SettingsTools'' tab, and scroll down to ''Target IOn Pins''</li><li>Switch in the dialog press ''Target IO1Check Signature'' to be ''Serial RXD''verify you can connect to the target</lip> <lip>Switch the ''Target IO2'' to be ''Serial TXD''[[File:xmega_programmer.png|325px]]</li></olp> </li> <li> <p>From Find the ''Tools'' menu select ''Open Terminal''correct firmware file, previously compiled for the target you are using, and press the ''ConnectErase/Program/Verify FLASH'' on the terminal:</p><blockquote> <p>[[File:termconnxmega_programmer_press_program.png|image325px]]</p></blockquote></li><li>The baud rate for this system is 38400, which should be the default for the ChipWhisperer serial port. </li></ol> </blockquote></li><li> <p>Program Time to setup the <code>voltage glitching parameters.hex</code> file into Start with the target. When programming the AVR, it needs a working clock source before the programming will succeed. Now that this is enabled, you can use the appropriate programmer (such as the AVR or XMEGA programming from ''Glitch Module'' section under the ''ToolsScope Settings'' menu if using a CW-Lite) to program the hex file.tab</p> <pol>You should see the &quot;Hello&quot; message printed on the terminal emulator window. </pli><blockquote> <p>Set the ''Clock Source'warning'as ''CLKGEN'':</p><p>Releases of the ChipWhisperer-Capture software prior to 0.13 had a bug in the AVR reset logic, which never released the device from reset. You must update your ChipWhisperer-Capture release in order to complete this tutorial.</p></blockquote> </li> <li> <p>Setup the Glitch Module to NOT output anything by default '''VERY IMPORTANT TO AVOID DAMAGE'''</p><blockquote><ol style="list-style-type: decimal;"><li> <p>Under the ''Glitch Module'' set Set the ''Output Mode'' as ''Glitch Only'', this is the step that insurances insures '''you do not cause constant glitches''':</p><blockquote><p>[[File:glitchexample-capsetup1.png|image]]</p></blockquote> </li> <li><p>For the ChipWhisperer-Lite (CW1173 or CW1180):</p><blockquote><ol style="list-style-type: lower-alpha;"><li> <p>Under Set the ''Glitch ModuleTrigger'' set the to ''Clock Source'' as ''CLKGENExt Trigger:Single-Shot''</p> <blockquote/li> </ol> <p>[[File:glitchexample-capsetupclkgenglitch_setup.png|image500px]]</p></blockquote> </li> <li> <p>Check Now activate the lower power glitch module, by enabling the box marked ''HS-Glitch Out Enable (Low Power)'':toggle under ''Trigger Pins'' section in the ''Scope Settings'' tab</p><blockquote><p>[[File:glitchexample-capsetup2b.png|image]]</p></blockquote></li></ol></blockquote></li><li> <p>For the ChipWhisperer-Capture Rev 2 Lite (CW1002CW1173/CW1180):</p><blockquote><ol style="list-style-type: lower-alpha;"><li><p>Under the ''Glitch Module'' , set the ''Clock SourceTarget HS IO-Out'' as option to ''TargetIO-INCLKGEN'':.</p><blockquote> <p>[[File:glitchexample-capsetup2low_power_glitch_enable.png|image500px]]</p></blockquote> </li> <li> <p>Under Navigate to the ''Target HS IO-OutSettings'' option select tab and remove all the text in the ''Glitch ModuleLoad Key Command'', ensuring you've already set the 'Go Command'Output Mode', and ' as 'Output Format'Glitch Only'' under ''Glitch Module'':fields</p> <p>[[File:targioout.png|image]]</p></li></ol></blockquote></li></ol></blockquote></li><li><p>Switch Set the ''Glitch TriggerOutput Format'' mode field to ''Ext Trigger:Single-Shot$GLITCH$'':</p> <p>[[File:singleshottarget_output_setting.png|image500px]]</p> </li> <li> <p>Switch to Run the aux reset script for the appropriate target. The avr, stm32f and xmega targets use the <code>aux_reset_cw1173.py</code>. ''General Settings'This scripts needs to be modified for the specific target' tab''. Uncomment the line for your target and comment out the lines for the other targets. The timing of the reset can also be changed, the comments explain the pros and select cons of each. The reset after arm usually works better and needs less setup, but this depends on the appropriate &quot;Auxiliary Module&quot;:target.</p> <ol stylesyntaxhighlight lang="list-style-type: lower-alpha;"python><li>For ChipWhisperer-Lite ("""Set up resets via CW1173Contains a few adjustable lines to switch between XMEGA/CW1180AVR/STM32F and change resettiming (relative to scope arm)""" from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173 # GUI compatibilitytry: aux_list = self.aux_listexcept NameError: pass # Delay between arming and resetting, select &quot;in msdelay_ms = 1000 # Reset AVR/XMEGA via CW-Lite&quot;</li>device<li>For ChipWhisperer-Capture Rev 2Resetter = ResetCW1173(pin='pdic', select &quot;delay_ms=delay_ms)# Reset STM32Fx device#Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms)# Reset AVR via ISP-MKII&quot;</li></ol>#Resetter = ResetCW1173(pin='nrst', delay_ms=delay_ms) # Reset before arming# avoids possibility of false triggers# need delay in target firmware to avoid race condition#aux_list.register(Resetter.resetThenDelay, "before_trace")

<p>[[File:glitching_aux_1.png|image]]</p></li># Reset after arming<li>Switch to the ''Aux Settings'' tab. Depending on your module you will see different settings here, for example the ChipWhisperer-Lite lets you select between AVR and XMEGA targets. This normally defaults to the &quot;XMEGA&quot; device, so be sure to switch this to the &quot;AVR&quot; device if using the NOTDuino or Multi-Target boards!</li># scope can catch entire reset<li><p>Press the ''Test Reset'' button in the ''Aux Settings'' tab. This should # avoids race condition# target reset the AVR target. Confirm this by monitoring the terminal emulator window, and check the startup message can cause false triggers (of &quot;hello&quot;usually not an issue) is printed again.</p><p>You can also use the &quot;Reset&quot; button on the NOTDuino to confirm the startup message is printedaux_list.</p></li><li>Switch to the ''Target Settings'' tabregister(Resetter.delayThenReset, and remove all the text in the ''Load Key Command'', ''Go Command'', and ''Output Format'' fields.</li></ol>"after_arm")

Optionally, </syntaxhighlight> </li> <li> <p>You can see what aux modules are active in the ''Aux Settings'' tab. Here you can also configure see the power measurement setup toopreview, enable/disable, and remove each module</p> <p>[[File:aux_setting.png|500px]]</p> </li> </ol>

<li>Switch to the ''Scope Settings'' tab.</li> <li>Switch the ''ADC Clock Source'' as being ''CLKGEN x4''.</li> <li>Press ''Reset ADC DCM'', confirm the frequency is 29.5 MHz as expected.</li> <li>Switch the ''Trigger Setup'' --&gt; ''Mode'' to be ''Rising Edge''</li> <li>Switch the ''Trigger Setup'' --&gt; ''Total Samples'' to be ''1000''</li> <li>Switch the ''Gain Setting'' --&gt; ''Setting'' to be ''40''. You might need to adjust this for different hardware.</li> <li> <p>Press ''Capture 1'', confirm some waveform is displayed. For example with the NOTDuino Target on the ChipWhisperer-Lite, the waveform looks like this:</p> <p>[[File:waveform-notduino-normal.png|image]]</p> </li> <li>If this does't work: check the trigger in use is the ''Target IO4'' pin.</li> <li> <p>Play around a bit with the glitch width, offset, and repeat. You should see different effects in the power consumption traces. For example the following shows a narrow (15% pulse width) glitch being inserted:</p> <p>[[File:waveform-notduino-glitch1.png|image]]</p> </li></ol>

<ol style="list-style-type: decimal;"> <li>Switch to the ''Target Settings'' tab, and set the ''Output Format'' to <code>$GLITCH$</code>.</li> <li> <p>Open the ''Glitch Explorer'', and hit ''Capture 1'' a few times. Confirm this populates the table with various examples.</p> <p>[[File:ge-normal.png|image]]</p> </li> <li> <p>We need to setup the ''Normal Response'' and ''Successful Response''. Note in this example the normal response has a little random noise we want to ignore, but we want to capture when the device resets after the glitch and sends the &quot;hello&quot; message twice. We could accomplish this with the following bit of Python code:</p> <pre>s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)</pre> <p>This looks for both the ending without glitch, and the length of the string isn't too long. In the case of the successful glitch, we just want to see if &quot;1234&quot; is printed. This can be accomplished in Python with:</p> <pre>&quot;1234&quot; in s</pre> <p>You can always experiment using the ''Python Console'' to see how your potential systems work. For example here is checking that the first line works:</p> <pre>&gt;&gt;&gt; s = &quot;\x1ahello\nA&quot;

<p>Finally, configure the Glitch Explorer:</p>  <blockquote> <ol style="list-style-type: lower-alpha;"> <li>Set the ''Normal Response'' to <code>s.endswith(&quot;hello\nA&quot;) and (len(s) &lt; 12)</code></li> <li>Set the ''Successful Response'' to <code>&quot;1234&quot; in s</code></li> </ol> </blockquote>  <p>You can test the updated color-coding seems to be working too with a few ''Capture 1'' events.</p> </li>  <li> <p>Using the following table, set the ''Glitch Width (as % of period)'' and ''Repeat'' on the ''Scope Settings'' tab:</p>

</li> <li> <p>Finally, let's configure the Glitch Explorer to give us the required sweep of the ''Offset'' parameter.<ol style="list-style-type: lower-alpha;"><li>Adjust the and ''Glitch Offset (as % of period)Width'' up or down parameters by 1 in running the ''Glitch Module'' settings. We do this only to get the required string printed to the ''Script Commands'' output.</licode><li>Set the ''Tuning Parameters'' to ''1'' in the Glitch Explorerge_widthoffset_vary.py</licode><li><p>Set . The starting, stopping and step attributes can be changed for both parameters by editing the parameters as appropriate:script</p>{| class <syntaxhighlight lang=python>"wikitable""Glitch Explorer example to modify clock offset & width.! Option! ValueTo use this be sure to set 'Output Format' as $GLITCH$ so data is passed through.|-"""| Name| Offsetclass IterateGlitchWidthOffset(object):| def __init__(self, ge_window): self._starting_offset = -40| Script Command self._starting_width = -40| ['Glitch Module', 'Glitch Offset self.ge_window = ge_window  def reset_glitch_to_default(as % of periodself, scope, target, project)': """ Set glitch settings to defaults. """ self.offset = self._starting_offset self.width = self._starting_width  def change_glitch_parameters(self, 0scope, target, project): """ Example of simple glitch parameter modification function.""" # This value is minimum clock offset/width increment scope.glitch.offset += 0].390624|-| Data Format if scope.glitch.offset > 40:| Float scope.glitch.offset = self._starting_offset|- scope.glitch.width += 0.390624| Range| -49 if scope.glitch.width > 40: 49|- scope.glitch.width = self._starting_width| Value| -49 # Write data to scope|- #scope.glitch.width = self.width| Step #scope.glitch.offset = self.offset| 0 #You MUST tell the glitch explorer about the updated settings if self.5ge_window:|- self.ge_window.add_data("Glitch Width", scope.glitch.width)| Repeat self.ge_window.add_data("Glitch Offset",scope.glitch.offset)| 1|}glitch_iterator = IterateGlitchWidthOffset(self.glitch_explorer)self.aux_list.register(glitch_iterator.change_glitch_parameters, "before_trace")#self.aux_list.register(glitch_iterator.reset_glitch_to_default, "before_capture") </syntaxhighlight> </li> <li> <p> You can again check if the aux module was registered by going to the ''Aux Settings'' tab.</olp> <p>[[File:aux_settings_with_glitch_vary.png|500px]]</p> </li> <li> <p>On the ''General Generic Settings'' tab:</p> <blockquote> <ol style="list-style-type: lower-alpha;"> <li>Ensure the ''Trace Format'' is set to ''None'' (i.e., no traces will be written to disk).</li> <li>Set the ''Number of Traces'' to 200.</li></ol> </blockquote> </li> <li>Press the ''Capture Multi'' button. You will get a warning as there is no trace writer, but can just hit ''Continue Anyway'', since we do not want to store traces to disk.</li> <li> <p>Hopefully you will determine some useful parameters for glitching this target:</p> <blockquote> <p>[[File:ge-success.png|image]]</p> </blockquote> </li> <li>Try reducing the ''Repeat'' parameter in the ''Glitch Module'' settings. See how few cycles you can glitch while still achieving a reliable glitch.</li></ol>