As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes


Tutorial B3-1 Timing Analysis with Power for Password Bypass

792 bytes removed, 03:46, 18 September 2017
Scripting the Setup
{{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}}
 
{{Infobox tutorial
|name = B3-1 Timing Analysis with Power for Password Bypass
|image =
|caption =
|software versions =
|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro
|Target Device =
|Target Architecture = XMEGA
|Hardware Crypto = No
|Purchase Hardware =
}}
 
 
This tutorial will introduce you to breaking devices by determining when a device is performing certain operations. It will use a simple password check, and demonstrate how to perform a basic power analysis.
<ol style="list-style-type: decimal;">
<li>Connect your target hardware (ChipWhisperer-Lite/Pro or ChipWhisperer-Capture Rev 2 with target board).</li>
<li>Open the ChipWhisperer-Capture software.</li>
<li>Under the ''Python Console'' tab, find the ''connect_cwlite_simpleserial.py'' script and double-click.</li>
<li>Check there are no errors on the connection.</li>
<li>Under the ''Python Console'' tab, find the ''setup_cwlite_xmega.py'' script and double-click.</li>
<li>Both the Target &amp; Scope should switch to ''CON'' and be green circles.</li>
<li>Using the programming tool (such as XMEGA programming dialog), program the file <code>basic-passwdcheck.hex</code> into the target device. This file is located where you ran <code>make</code> previously.</li>
<li><p>Select ''Tools --> Terminal'', and press ''Connect''. You should see a window such as this:</p>
<ol style="list-style-type: decimal;">
<li>Make a copy of an existing ChipWhisperer script. The example scripts are located at <code>chipwhisperer\software\chipwhisperer\capture\scripts</code>; for example, the default one for the XMEGA device is called <code>setup_cwlite_xmega.py</code>. Make a copy of this script and put it somewhere memorable.
</li>
<li><p>Rename the script something else - for example, <code>cwlite-passwordcrack.py</code> - and open it for editing. You'll notice that a large chunk of the code is used to set the configuration information:</p>
<pre>
scope.gain.gain = 45
scope.adc.samples = 25000
scope.adc.offset = 0
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 7370000
scope.clock.adc_src = "clkgen_x4"
scope.trigger.triggers = "tio4"
scope.io.tio1 = "serial_rx"
scope.io.tio2 = "serial_tx"
scope.io.hs2 = "clkgen"
</pre>
<p>Those parameters come from the API. You can print for example the scope parameters by running "self.scope" to see various elements:</p>
<pre>
>>> self.scope
cwlite Device
gain =
    mode = low
    gain = 45
    db = 22.50390625
adc =
    state = False
    basic_mode = rising_edge
    timeout = 2
    offset = 0
    presamples = 0
    samples = 25000
    decimate = 1
    trig_count = 3084728877
clock =
    adc_src = clkgen_x4
    adc_phase = 0
    adc_freq = 29538459
    adc_rate = 29538459
    adc_locked = True
    freq_ctr = 0
    freq_ctr_src = extclk
    clkgen_src = system
    extclk_freq = 10000000
    clkgen_mul = 2
    clkgen_div = 26
    clkgen_freq = 7384615
    clkgen_locked = True
trigger =
    triggers = tio4
    module = basic
io =
    tio1 = serial_rx
    tio2 = serial_tx
    tio3 = high_z
    tio4 = high_z
    pdid = high_z
    pdic = high_z
    nrst = high_z
    glitch_hp = 0
    glitch_lp = 0
    extclk_src = hs1
    hs2 = clkgen
    target_pwr = True
glitch =
    clk_src = target
    width = 10.15625
    width_fine = 0
    offset = 10.15625
    offset_fine = 0
    trigger_src = manual
    arm_timing = after_scope
    ext_offset = 0
    repeat = 1
    output = clock_xor
</pre>
<p>Note that commands run via the script are also printed, so you can see where the values being set are coming from too.</p>
</li>
</ol>
<li><p>At this point, close the ''ChipWhisperer-Capture'' window so we can confirm the script still works. Run the new script (which doesn't have any changes yet) from the command line. You may have to open a console with Python in the path:</p>
<blockquote><ol style="list-style-type: lower-roman;">
<li>If you installed WinPython, run the ''WinPython Console'' from your WinPython installation directory.</li>
<li>If using the VMware image of a Linux machine, this should just be a regular console.</li></ol>
</blockquote></li></ol>
<blockquote>Run the script with <code>python cwlite-passwordcrack.py</code>. If the script errors out, it might be that the location of the FPGA bitstream is stored in relative terms. To fix this, perform the following:
<blockquote><ol style="list-style-type: lower-roman;">
<li>Open ChipWhisperer-Capture regularly.</li>
<li>Run the ChipWhisperer script that you used previously.</li>
<li>Select ''Tools--&gt;Config CW Firmware''</li>
<li>Under the &quot;FPGA .zip (Release)&quot;, hit the &quot;Find&quot; button. Point the system to the file <code>chipwhisperer/hardware/capture/chipwhisperer-lite/cwlite_firmware.zip</code> on your filesystem. Note by default there is a relative path.</li></ol>
</blockquote></blockquote>
<ol start="4" style="list-style-type: decimal;">
<li>Close any open ChipWhisperer-Capture windows, and run the script as before. You should connect to the target, and be able to press ''Capture 1'' and see the correct waveform.</li>
</ol>
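As an added example (not part of the original tutorial or the ChipWhisperer code base), the Python below compares a pasted <code>self.scope</code> printout against the values the setup script assigns and checks that both clocks report locked. The indented layout of <code>SAMPLE</code>, the function names and the 0.5% frequency tolerance are assumptions; the sample is constructed from values shown on this page.

```python
# Added example: settings the setup script on this page assigns, plus both lock flags.
EXPECTED = {"gain.gain": "45", "adc.samples": "25000", "adc.offset": "0",
            "adc.basic_mode": "rising_edge", "clock.adc_src": "clkgen_x4",
            "trigger.triggers": "tio4", "io.tio1": "serial_rx",
            "io.tio2": "serial_tx", "io.hs2": "clkgen",
            "clock.adc_locked": "True", "clock.clkgen_locked": "True"}
REQUESTED_CLKGEN_HZ = 7370000  # scope.clock.clkgen_freq in the script

# Constructed, abridged printout; the indentation scheme is an assumption.
SAMPLE = """\
cwlite Device
gain =
    gain = 45
adc =
    basic_mode = rising_edge
    offset = 0
    samples = 25000
clock =
    adc_src = clkgen_x4
    adc_locked = True
    clkgen_freq = 7384615
    clkgen_locked = True
trigger =
    triggers = tio4
io =
    tio1 = serial_rx
    tio2 = serial_tx
    hs2 = clkgen
"""

def parse_readback(text):
    """Return {"group.key": value} from an indented scope printout."""
    settings, group = {}, None
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and line[0].isspace():
            settings[f"{group}.{name.strip()}"] = value.strip()
        elif sep:
            group = name.strip()  # unindented "group =" header
    return settings

def check_readback(text, tolerance=0.005):
    """List every setting that differs from what the script asked for."""
    got = parse_readback(text)
    problems = [f"{k}: expected {v}, got {got.get(k)}"
                for k, v in EXPECTED.items() if got.get(k) != v]
    actual = float(got.get("clock.clkgen_freq", 0))
    if abs(actual - REQUESTED_CLKGEN_HZ) > tolerance * REQUESTED_CLKGEN_HZ:
        problems.append(f"clock.clkgen_freq: {actual:.0f} Hz is off target")
    return problems
```

The generated clock is compared with a tolerance because the printout reports the frequency the clock generator actually produced (7384615 Hz) rather than the 7370000 Hz the script requested.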
 
== Running a Single Capture ==