| As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com. |
Tutorial CW305-4 Voltage Glitching with Crowbars
Our final goal with the CW305 Artix target is to experiment with voltage glitching. This is the CW305 equivalent of the VCC glitch attack done in Tutorial A3 VCC Glitch Attacks.
Background Information
The ChipWhisperer capture hardware comes with a glitch output, which is connected to a power MOSFET in the following configuration:
(image)
This circuit allows us to temporarily ground the Artix power rails. If these short-circuit events are timed very precisely, they can cause all kinds of fun effects in the FPGA's operation.
Voltage glitching works quite well against microcontrollers: it's pretty straightforward to use these glitches to target a specific point in an algorithm's execution. However, voltage glitching is not as easy on an FPGA target. FPGAs can perform many operations in parallel: they are not limited to one instruction of arithmetic per clock cycle. This parallel execution makes it very tricky to focus on a specific operation. There are also some serious practical concerns:
- The Artix-7 uses SRAM to store its configuration files (ie: the contents of the bitstream). SRAM is a form of volatile memory, which means that it only stores data until the device is turned off. If we cut off the power to our FPGA for too long, it's possible for some of this configuration data to be lost. We've found that around 1000 bits can be corrupted with a 600 ns glitch, but this will be device- and environment-dependent. If you find that your device isn't working properly, your first thought should be to reprogram the bitstream.
- If we ground the FPGA's power pins, then the power supply will effectively be driving the shunt resistor. With a supply voltage of 1.0 V and a 0.5 ohm shunt, this is a 2 A current; with a 0.1 ohm shunt, this is 10 A. It's probably a good idea to use an external power supply for this type of glitch.
Setup
Hardware Setup
To set up the hardware for voltage glitching, only one extra connection is required. Connect an SMA cable between the ChipWhisperer's glitch output and the CW305 connector labeled X3:
Note that the original SMA cable (connected to the ChipWhisperer's Measure input) is not required for voltage glitching - if you only have one cable, you can just move it over. However, it is helpful to have power traces to see what effects the voltage glitches are having on the power rails, so connect both if you can.
Software Setup
As in the previous tutorial, we can use the CW305 example script to get us started. Follow the instructions from Tutorial CW305-1 Building a Project to connect to the target and load the bitstream onto the FPGA.
Next, we'll set up the glitch module:
- Make sure the clock source is Target IO-IN
- Set the glitch trigger to Ext Trigger:Single-Shot
- Set the output mode to Glitch Only
- Take a look at the glitch width/offset, the trigger offset, and repeat - feel free to experiment with these throughout the tutorial
Then, in CW Extra Settings, turn on one or both of the HS-Glitch Out Enable checkboxes. These are used to enable low-power and high-power MOSFETs, respectively; we found that the low-power output is powerful enough for this board, but you might see different effects with the different outputs.
That should be everything. Hit Capture 1 and make sure you see a glitch. This picture was taken with a glitch width of 20%:
From here, you can use the Glitch Explorer to sweep the glitch settings and search for a successful glitch, as we did in Tutorial CW305-3 Clock Glitching. Good luck!
Hints
- Might be easier on the edge of working conditions - Changing core voltage level - Changing clock speed
- CLKGEN output - CW305 PLL - Max speed depends on FPGA implementation
- Enable-only output
- Only use repeat and offset - EXTCLK for speed-up
