As of August 2020 the site you are on ( is deprecated, and content is now at



Tutorial B3-1 Timing Analysis with Power for Password Bypass

210 bytes added, 03:44, 23 September 2017
Reset via Auxiliary Module
<ol style="list-style-type: decimal;">
<li> Scroll down the list of scripts, and you'll find one labeled "Reset AVR/XMEGA via CW-Lite". This script has a simple function of attempting to reset the XMEGA device using the programmer:<br>[[File:auxreset_test1.png|600px]]</li>
<li> Hit the "Run" button. If you switch to the "Auxilary Module" tab, you'll see it's been added to the list of modules at the specified location:<br>[[File:auxreset_test2.png|400px]]</li>
<li>Looking at the code of the script, you can see how it uses an external module and links it to a specific auxiliary module trigger:
<syntaxhighlight lang=python>
from chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173

# GUI compatibility: inside the Capture GUI the list lives on self;
# when run elsewhere, aux_list is expected to be defined already
try:
    aux_list = self.aux_list
except NameError:
    pass

# Delay between arming and resetting, in ms
delay_ms = 1000

# Reset XMEGA device
Resetter = ResetCW1173(xmega=True, delay_ms=delay_ms)
# Reset AVR
#Resetter = ResetCW1173(xmega=False, delay_ms=delay_ms)

# Reset before arming - more stable
aux_list.register(Resetter.resetThenDelay, "before_trace")
# Reset after arming - scope can catch entire reset
#aux_list.register(Resetter.delayThenReset, "after_arm")
</syntaxhighlight></li>
<li>You can change values such as the reset delay and the point at which the reset happens by editing the script (using an external editor), but an easier method is to insert it into our attack script itself. As a test, we'll see if the default values work.</li>
<li> Press ''Capture 1''. The target will automatically reset, with the Safe-o-matic 3000 boot sequence appearing in the console. Then, 1 second later, the program will send the password to the target and record a power trace.
Now, confirm that you can try different passwords (in ''Target Settings'') and see how the power trace changes when your password has 0, 1, 2... correct characters.
Once done, use the ''Remove'' button to get rid of the auxiliary module, as we are going to add it to our script instead.</li>
</ol>
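Why the trace changes with 0, 1, 2... correct characters, shown as an added model that is not part of the original tutorial or the target firmware: a check that stops at the first wrong character moves the reject activity later for each correct leading character, while a check that always processes the whole password does not. The secret, power levels and function names are constructed for illustration, and no ChipWhisperer API is used.

```python
# Added illustration: a constructed model, not ChipWhisperer or target firmware code.
SECRET = "k7m2q"                            # constructed sample password
COMPARE, FAIL_SPIKE, IDLE = 0.4, 1.0, 0.1   # constructed power levels

def early_exit_check(guess, secret=SECRET):
    """Vulnerable pattern: stop at the first wrong character."""
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return len(guess) == len(secret), steps

def constant_time_check(guess, secret=SECRET):
    """Hardened pattern: always touch every character, decide at the end."""
    diff = len(guess) ^ len(secret)
    steps = 0
    for i in range(len(secret)):
        g = guess[i] if i < len(guess) else "\0"
        diff |= ord(g) ^ ord(secret[i])
        steps += 1
    return diff == 0, steps

def synthetic_trace(check, guess, length=12):
    """One sample per comparison, then a spike where the reject path starts."""
    ok, steps = check(guess)
    trace = [COMPARE] * steps
    if not ok:
        trace.append(FAIL_SPIKE)
    return (trace + [IDLE] * length)[:length]

def spike_position(trace):
    """Sample index of the reject spike, or None if the guess was accepted."""
    return trace.index(FAIL_SPIKE) if FAIL_SPIKE in trace else None

def leak_profile(check, guesses):
    """Spike position per guess; differing values mean the trace leaks progress."""
    return [spike_position(synthetic_trace(check, g)) for g in guesses]

# Guesses with 0, 1, 2 and 3 correct leading characters (constructed).
GUESSES = ["xxxxx", "kxxxx", "k7xxx", "k7mxx"]

if __name__ == "__main__":
    print("early exit   :", leak_profile(early_exit_check, GUESSES))
    print("constant time:", leak_profile(constant_time_check, GUESSES))
```

Resetting the target before every capture, as the auxiliary module does, is what lets traces from different guesses be lined up sample for sample in this way.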
= Performing the Timing Attack =