|capture hardware = CW-Lite
|Target Device =
|Target Architecture = XMEGA
|Hardware Crypto = No
|Purchase Hardware =
=== Disassembly ===
As a final step, let's check the assembly code to see exactly what we're trying to glitch through.
Run the command
<pre>
avr-objdump -m avr -D bootloader.hex > disassembly.txt
</pre>
and open <code>disassembly.txt</code>. If you know what to look for, you should find a snippet that looks something like:
<pre>
376: 89 91 ld r24, Y+
378: 0e 94 06 02 call 0x40c ; 0x40c
</pre>
* Call the function in location <code>0x40c</code>. Presumably, this is the location of the <code>putch()</code> function.
* Compare <code>r28</code> and <code>r29</code> to <code>0x7F</code> and <code>0x20</code>. Unless they're equal, go back to the top of the loop.
There's one quirk to notice in this code. In the C source, the for loop checks whether <code>i < ascii_idx</code>. However, in the assembly code, the check is effectively whether <code>i == ascii_idx</code>! This is even easier to glitch - as long as we can break past the <code>brne</code> instruction ''once'', we'll get to the data buffer.
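The following C model is an added example, not code from the tutorial or the bootloader. It counts how many bytes the response loop sends when a single exit decision is faulted, comparing the equality test the compiler emitted with the <code>&lt;</code> test written in the C source. <code>MEM_LEN</code>, <code>bytes_sent</code> and the enum names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MEM_LEN 64   /* constructed: bytes of memory modelled from the buffer start */

/* How the loop's exit test is evaluated on each iteration. */
enum exit_test { TEST_NOT_EQUAL, TEST_LESS_THAN };

/*
 * Model of the response loop: send one byte, advance i, then evaluate the
 * exit test (the do-while shape seen in the disassembly). fault_at is the
 * value of i at which one fault forces "keep looping"; pass MEM_LEN + 1
 * for no fault. Returns the number of bytes sent, stopping at MEM_LEN.
 */
size_t bytes_sent(enum exit_test test, size_t end, size_t fault_at)
{
    size_t i = 0, sent = 0;
    int fault_used = 0;

    while (i < MEM_LEN) {            /* model boundary only, not a check on the target */
        sent++;                      /* stands in for putch(ascii_buffer[i]) */
        i++;
        int again = (test == TEST_NOT_EQUAL) ? (i != end) : (i < end);
        if (!fault_used && i == fault_at) {
            again = 1;               /* the one corrupted branch decision */
            fault_used = 1;
        }
        if (!again)
            break;
    }
    return sent;
}

int main(void)
{
    size_t end = 8;                  /* constructed value for ascii_idx */
    printf("no fault,  != test: %zu\n", bytes_sent(TEST_NOT_EQUAL, end, MEM_LEN + 1));
    printf("one fault, != test: %zu\n", bytes_sent(TEST_NOT_EQUAL, end, end));
    printf("one fault, <  test: %zu\n", bytes_sent(TEST_LESS_THAN, end, end));
    return 0;
}
```

With an ordered comparison a single fault costs one extra byte, while the equality test never becomes false again and the loop runs to the end of the modelled memory. When hardening firmware like this, check the disassembly rather than the C source to see which comparison actually guards the loop.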
== Attack Script & Results ==
To speed up the tutorial, the script in [[#Appendix: Setup Script]] will open the ChipWhisperer Capture software and fill in all of the appropriate settings. Copy this code into a Python script and run it. Then, open the serial terminal and connect to the target, using the ASCII with Hex display mode. If everything is set up correctly, the Capture 1 button should cause the text <code>r0</code> to appear in the terminal. This is the bootloader's response to a block of ciphertext.
If you can't get this to work, remember that glitching is a very sensitive operation - one glitch timing will probably not work for every board on every day. Try using the glitch explorer to attack different ''Glitch Width''s, ''Glitch Offset''s, and ''Ext Trigger Offset''s. The built-in Glitch Explorer will be very useful here - take a read through [[Tutorial A2 Introduction to Glitch Attacks (including Glitch Explorer)]] if you need a refresher.
== Ideas ==
== Appendix: Setup Script ==
The following script is used to set up the ChipWhisperer-Lite with all of the necessary settings:
<pre>
# GUI compatibility
target.key_cmd = ""
target.output_cmd = ""
</pre>