As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.


Tutorial CW305-4 Voltage Glitching with Crowbars

2,933 bytes added, 18:53, 1 May 2018
Our final goal with the CW305 Artix target is to experiment with voltage glitching. This is the CW305 equivalent of the VCC glitch attack done in [[Tutorial A3 VCC Glitch Attacks]].
== Background Information ==
The ChipWhisperer capture hardware comes with a glitch output, which is connected to a power MOSFET in the following configuration:
* If we ground the FPGA's power pins, then the power supply will effectively be driving the shunt resistor. With a supply voltage of 1.0 V and a 0.5 ohm shunt, this is a 2 A current; with a 0.1 ohm shunt, this is 10 A. It's probably a good idea to use an external power supply for this type of glitch.
== Setup ==
=== Hardware Setup ===
To set up the hardware for voltage glitching, only one extra connection is required compared to the setup for power analysis. Connect an SMA cable between the ChipWhisperer's glitch output and the CW305 connector labeled X3:
[[File:CW305VCCSetupCW305_CWLite_VCCGlitch.jpg|800px]]
Note that the original SMA cable (connected to the ChipWhisperer's Measure input) is not required for voltage glitching - if you only have one cable, you can just move it over. However, it is helpful to have power traces to see what effects the voltage glitches are having on the power rails, so connect both if you can.
=== Software Setup ===
As in the previous tutorial, we can use the CW305 example script to get us started. Follow the instructions from [[Tutorial CW305-1 Building a Project]] to connect to the target and load the bitstream onto the FPGA.
From here, you can use the Glitch Explorer to sweep the glitch settings and search for a successful glitch, as we did in [[Tutorial CW305-3 Clock Glitching]]. Good luck!
== Hints ==
We had a lot of trouble creating a successful voltage glitch. If you're stuck, this section has a few ideas that you can try.

'''Core voltage''': The CW305 board has a programmable power supply with an adjustable output voltage. This voltage level can be modified in the Target Settings tab: the VCC-INT field can be adjusted to any level from 0.6 to 1.1 V.

[[File:CW305VCCTargetSettings.PNG]]

You might find that your glitch attacks work better when the target is on the edge of its operating limits. For example, we found that our AES implementation stops working when VCC-INT is below 0.75 V, and it was much easier to produce effective glitching with the voltage at this level.

'''Clock speed''': The onboard PLL is also programmable to produce a range of clock frequencies. This setting can be accessed from the same tab as the core voltage - the relevant field is the PLL1 Frequency. The maximum frequency that the FPGA can use depends on the details of the program's implementation. The internal connections inside the FPGA cause a non-zero amount of delay, and running at very high speeds can cause things to go haywire. Again, you can sweep this setting to find the highest working frequency and try your glitch attacks at the highest working speed to increase your chances of success.

'''Enable-only glitches''': During our tests, we found that the Glitch Only output was too soft - we couldn't get any useful glitches out of this. As an alternative method, you can try the Enable Only output setting. This effectively causes the glitch signal to have a duty cycle of 100%, so the glitch width and offset have no effect. Then, this pulse can be adjusted with the Ext Trigger Offset and Repeat settings. Be warned that this type of glitch is more likely to corrupt the FPGA configuration with its longer pulses!
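The timing arithmetic behind Enable Only pulses and the high-speed hint that follows, as an added example that is not part of the original tutorial. It assumes an idealised pulse of exactly Repeat glitch-clock cycles and an EXTCLK equal to the 50 MHz PLL1 setting; the function names, the Multiply/Divide search ranges and the Repeat ceiling are illustrative assumptions.

```python
from fractions import Fraction

def clkgen_hz(extclk_hz, multiply, divide):
    """CLKGEN frequency when its Input Source is extclk."""
    return Fraction(extclk_hz) * multiply / divide

def enable_only_pulse_ns(extclk_hz, multiply, divide, repeat):
    """Idealised Enable Only pulse width: `repeat` whole CLKGEN cycles."""
    return Fraction(10**9) * repeat / clkgen_hz(extclk_hz, multiply, divide)

def settings_for_width(extclk_hz, target_ns, max_clkgen_hz,
                       multiplies=range(2, 17), divides=range(1, 9),
                       max_repeat=255):
    """Find (error_ns, step_ns, multiply, divide, repeat) closest to target_ns.

    The search ranges and max_repeat are assumed defaults, not hardware
    limits. Ties on error go to the finest step, i.e. the fastest glitch
    clock, which is the point of the high-speed hint.
    """
    best = None
    for m in multiplies:
        for d in divides:
            f = clkgen_hz(extclk_hz, m, d)
            if f > max_clkgen_hz:
                continue  # faster than the caller trusts the clocks to lock
            step = Fraction(10**9) / f            # one glitch-clock cycle, ns
            repeat = max(1, min(max_repeat, round(target_ns / step)))
            cand = (abs(repeat * step - target_ns), step, m, d, repeat)
            if best is None or cand < best:
                best = cand
    return best

if __name__ == "__main__":
    extclk = 50_000_000  # assumption: EXTCLK follows PLL1 = 50 MHz
    # Glitch module clocked straight from the target clock: 20 ns per step.
    print("step at x1/1:", float(enable_only_pulse_ns(extclk, 1, 1, 1)), "ns")
    # The tutorial's reference setup: Multiply = 8, Divide = 2, Repeat = 9.
    print("step at x8/2:", float(enable_only_pulse_ns(extclk, 8, 2, 1)), "ns")
    print("pulse, Repeat = 9:", float(enable_only_pulse_ns(extclk, 8, 2, 9)), "ns")
    # Closest setting to a 45 ns pulse with CLKGEN capped at 200 MHz
    # (the cap is the reference setup's frequency, chosen for illustration).
    err, step, m, d, rep = settings_for_width(extclk, 45, 200_000_000)
    print(f"x{m}/{d}, Repeat = {rep}: step {float(step)} ns, error {float(err)} ns")
```

The search returns Multiply = 4, Divide = 1, which is the same 4:1 ratio as the tutorial's 8/2 setting; confirm the real CLKGEN frequency with the Frequency Counter before relying on the computed width.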
'''High-speed glitches''': There is one extra trick that can help with the Enable Only output mode. Try the following:
* Make sure that the Artix-7 is being driven by its onboard PLL, not the CLKGEN output.
* Under CLKGEN Settings, change the Input Source to <code>extclk</code>. Now, the CLKGEN clock will be a multiple of the EXTCLK clock.
* Adjust the CLKGEN speed with the Multiply and Divide settings. It might be helpful to use the Frequency Counter here to make sure that the CLKGEN frequency is as fast as you think it is.
* Set up the ADC to use EXTCLK (x1 or x4) as its source - CLKGEN will probably be too fast for the ADC.
* Set the glitch module's clock source to CLKGEN.
Now, you can run the glitch module as fast as you want! This allows for better resolution while working with Enable Only mode: one extra "clock cycle" of glitch output is a much shorter period of time. Make sure that all of the clocks are locked when you're working with this setup, as it's very easy for them to become unlocked.

For reference, we successfully glitched the AES implementation with the following setup:
* CLKGEN running from EXTCLK with Multiply = 8 and Divide = 2
* Glitch module running from CLKGEN with Repeat = 9 and Offset = 0
* Target running at VCC-INT = 0.75 V and PLL1 = 50 MHz

== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]
