As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes


Tutorial B3-1 Timing Analysis with Power for Password Bypass

243 bytes removed, 04:03, 23 September 2017
Scripting the Setup
Note this is not a prerequisite to the tutorial on breaking AES. You can skip this tutorial if you wish to go ahead with the AES tutorial.
You can also view If you want to get a 53-min rough idea, there is a video of the V3 of the tutorial (which differs from the V4 version). See [https://www.youtube.com/watch?v=h4eAU6vEONs&hd=1 Video Version on YouTube]:
= Prerequisites =
<ol style="list-style-type: decimal;">
<li> We're going to use Scroll down the ''Reset AVR/XMEGA via CW-Lite'' auxiliary module. Let's get an idea list of how this module works: * Navigate to the auxiliary modules folder (<code>chipwhisperer\software\chipwhisperer\capture\auxiliary\</code>) scripts, and open <code>ResetCW1183Readyou'll find one labeled "aux_reset_cw1173.py</code> in your choice of text editor".* Find the function definition for <code>resetDevice()</code>. It contains This script has a line that looks like: <pre>CWCoreAPI.getInstance().getScope().scopetype.cwliteXMEGA.readSignature()</pre>* Look for the lines where this simple function gets called. You'll find that of attempting to reset the XMEGA device using the function <code>traceArm()</code> uses it likeprogrammer: <prebr>resettiming = self.findParam('resettiming').value()if resettiming == 'Pre-Arm'[[File: self.resetDevice()</pre>Effectively, this code will read the target's signature before we arm the power measurement. This means that the target will automatically be reset before capturing a power traceauxreset_test1.png|600px]]
</li>
<li>Hit the "Run" button. If you switch to the "Auxilary Module" tab, you'll see it's been added to the list of modules at the specified location.:
<br>
[[File:auxreset_test2.png|400px]]
</li>
<li>Looking at the code of the script, you can see how this script is using an external module & linking it to a specific auxilary module trigger:
<syntaxhighlight lang=python>
from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173
<li> Go back to the ChipWhisperer Capture software# GUI compatibilitytry: aux_list = self. In the ''Generic Settings'' tabaux_listexcept NameError: pass # Delay between arming and resetting, switch the Auxiliary Module to ''in msdelay_ms = 1000 # Reset AVR/XMEGA via CWdeviceResetter = ResetCW1173(xmega=True, delay_ms=delay_ms)# Reset AVR#Resetter = ResetCW1173(xmega=False, delay_ms=delay_ms) # Reset before arming -Lite''more stableaux_list.register(Resetter.resetThenDelay, "before_trace")# Reset after arming - scope can catch entire reset#aux_list.register(Resetter.delayThenReset, "after_arm")</lisyntaxhighlight><li> Now, in the ''Aux Settings'' tab, we You can configure our automatic edit the values required such as reset. Make sure time & location by changing the settings are:* Pre-arm delay: roughly 1200 ms* Post-arm delay: the default script (0 msusing an external editor) . But an easier method is fine* Reset timing: Pre-arm (reset the device before to insert it into our attack script itself. As a test we arm 'll see if the scope)default values work.</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
</li>
Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.
 
Once done, use the *Remove* button to get rid of the auxiliary module, as we are going to add it instead to our script.
= Performing the Timing Attack =
</pre>
<p>Those parameters come from the API. You can print for example the scope parameters by running "self.scope" to see various elements:</p><p><pre>
>>> self.scope
cwlite Device
repeat = 1
output = clock_xor
</pre></p></li>
</ol>
<ol start="4" style="list-style-type: decimal;">
<li>Once again on the ''Target Settings'' tab<p>Next, delete append the various required commandsto clear the simpleserial commands and to enable the automatic resets. Make a note of Doing so will require two steps: (1) figuring out the resulting ''Script Commands'' which you will need target settings and adjusting them, and (2) inserting our code to enter to achieve this same goal. Close ChipWhisperer-Captureperform the device reset.</lip><li><p>Continue editing your script. FirstUsing the console, find you can dump parameters of the line setting the Trigger Offsetsimpleserial target (assuming you are still connected):</psyntaxhighlight lang=python><pre>['OpenADC', 'Trigger Setup', 'Offset', 1500],</pre>> target<init_cmd = key_cmd = k$KEY$\ninput_cmd = go_cmd = p>And set this to 0, which we were using previously:</p>$TEXT$\noutput_cmd = r$RESPONSE$\nbaud = 38400protver = <pre>['OpenADC', 'Trigger Setup', 'Offset', 0],</pre></lisyntaxhighlight><li><p>Next, append the required commands to clear the simpleserial commands and to enable the automatic resets:</p><pre/li>#Example of using a list to set parameters. Slightly easier to copy/paste in this formatlstexample = [['CW Extra', 'CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True], ...BUNCH MORE COMMANDS HERE HAVE BEEN REMOVED... #Final step: make DCMs relock in case they are lost ['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None],
#Append your commands here<li>You should be able to see how you can simply clear all of the above settings using the script. This would mean adding some lines as follows to the script: [<syntaxhighlight lang=python>target.key_cmd = 'Simple Serial', target.go_cmd = 'Load Key Command', u''], [target.output_cmd = 'Simple Serial', 'Go Command', u''], ['Simple Serial', 'Output Format', u''], </syntaxhighlight></li>
['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite']<li>Remembering the auxilary module,you can also add the lines to perform this task as well to your script: ['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay <syntaxhighlight lang=python>from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173Resetter = ResetCW1173(Post-Arm)'xmega=True, delay_ms=1200])aux_list.register(Resetter.resetThenDelay, "before_trace") ]</presyntaxhighlight></li>
<li><p>Finally, we will set the password. You can enter the password in the Capture ''Target Settings'' tab, and see the following sort of call would set the appropriate password:or simply use a command like </pcode><pre>selftarget.api.setParameter([go_cmd = 'Simple Serial', 'Go Command', u'h0px3\h0p3\n'])</precode>.</p>Note the newline is actually escaped, to set the text equivalent of what will be printed. This will result in an actual newline going out across the serial port. Set that command at some point in your script.</pli><li>Close any open ChipWhisperer-Capture windowsFinally, and run the script as beforeyou made. You It should connect load all settings & on hitting capture-1 you will get a waveform related to the target, and be able to press ''Capture 1'' and see power measurement during the correct waveformcomparison.</li>
</ol>
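Review bot: the reset delay differs between the two added snippets without explanation. The example auxiliary script sets delay_ms = 1000, and the capture step says the password is sent "1 second later", while the lines added for the attack script pass delay_ms=1200 to ResetCW1173. State which value the reader should use, or say why the two differ. The added list items also spell "Auxilary" and "auxilary"; these should read "Auxiliary" and "auxiliary".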