Clock, power, and EM glitching discussions. Does not need to use ChipWhisperer.
#1151 by JoeB
Wed Feb 22, 2017 6:00 am
I bought the ChipWhisperer in 2016 with an XMEGA 128D4 target.
It was pretty simple to successfully glitch the XMEGA by following the clock glitching tutorial, but now I'm having a hard time getting the Vcc glitching tutorial to work.
I'm following https://wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks but without success. Using the glitch explorer I let the Capture tool test Width and Offset parameters from 1 to 49 (step 0.5) and -49 to 49 (step 0.5) but didn't get anything from it.
As I'm a newbie and know pretty much nothing about hardware, I'm surely missing something obvious. Could someone explain to me how to find the correct parameters to glitch this target?

Thanks

Joe
#1154 by gdeon
Wed Feb 22, 2017 9:13 am
Joe,

Glad to hear you're getting some use out of the ChipWhisperer!

Glitching is hard, so don't get too hung up on this. Sometimes I find that my targets just don't care about VCC glitches - they either act normally or turn off. I think there are a few more things you can try, though:
  • Double-check your glitch settings. Do you have one (or both) of the HS-Glitch Out Enable settings turned on? Is your glitch module clock locked to the right input? Do you see some kind of glitch on the power trace?
  • Have you tried changing the Repeat setting in the glitch module? Sometimes, one pulse isn't long enough - if there's too much capacitance around, the target won't even notice that you tried to cut the power. Maybe try sweeping this from, say, 1 to 10 along with the other setting sweeps.
#1156 by JoeB
Wed Feb 22, 2017 9:59 am
Hi gdeon,

Thanks for your answer.

gdeon wrote: Glitching is hard, so don't get too hung up on this. Sometimes I find that my targets just don't care about VCC glitches

As the hardware comes directly from NewAE I was expecting it would be easy to glitch it :D

gdeon wrote: Do you have one (or both) of the HS-Glitch Out Enable settings turned on?

I'm following the tutorial https://wiki.newae.com/Tutorial_A3_VCC_Glitch_Attacks

See section 5.2.b from the tutorial, I checked the box marked "HS-Glitch Out Enable (Low Power)".
Do you mean I should try to check the other or even both? Could you please explain to me what the effect will be?

gdeon wrote: Do you see some kind of glitch on the power trace?

Yeah I see the glitch on the power trace :)

gdeon wrote: Have you tried changing the Repeat setting in the glitch module? Sometimes, one pulse isn't long enough - if there's too much capacitance around, the target won't even notice that you tried to cut the power. Maybe try sweeping this from, say, 1 to 10 along with the other setting sweeps.

Yes I tried several parameters manually. The board either resets or keeps running...
#1157 by gdeon
Wed Feb 22, 2017 11:06 am
JoeB wrote: As the hardware comes directly from NewAE I was expecting it would be easy to glitch it :D

It's definitely easier with our hardware than it is with any old board! However, these things can still be finicky - some days, the moon is in the wrong phase and it just refuses to glitch.

JoeB wrote: See section 5.2.b from the tutorial, I checked the box marked "HS-Glitch Out Enable (Low Power)".
Do you mean I should try to check the other or even both? Could you please explain to me what the effect will be?

The ChipWhisperer uses a "crowbar" circuit to produce these voltage glitches. There's a picture of the circuit in the tutorial so you can see what's going on: a transistor is used to short the power rail to GND for a very short amount of time. There are two MOSFETs on the CW-Lite that you can use to do this. You can see them beside the glitch connector: there's a big one on the top and a little one on the bottom.

If you enable the Low Power option, the glitch module output is connected to the small MOSFET. The High Power option connects to the larger MOSFET. The bigger one can handle more power, so it might be able to drain the power from the XMEGA more quickly. It's worth a try!

JoeB wrote: Yes I tried several parameters manually. The board either resets or keeps running...

The glitch settings that work can be very precise - for example, I've seen glitches that work when the offset is 6 or 7, but not 5 or 8. Don't be surprised if you can't find working parameters manually! It's much easier to just set up the glitch explorer and let it do the hard work :)
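
An added example, not from the thread or from NewAE's software: the sweep discussed above (Width 1 to 49, Offset -49 to 49, both in steps of 0.5, plus Repeat 1 to 10), run against a constructed target model to show how few grid points succeed. `toy_target` and its thresholds are assumptions made up for illustration, not measured XMEGA behaviour; the offset window of 6 to 7 echoes the example given above.

```python
from collections import Counter
from itertools import product

def frange(start, stop, step):
    """Inclusive range of floats, built from integer steps to avoid drift."""
    n = int(round((stop - start) / step))
    return [round(start + i * step, 3) for i in range(n + 1)]

def toy_target(width, offset, repeat):
    """Constructed stand-in for a real board (assumption, not measured data).
    'drain' models how hard the rail is pulled down: capacitance hides a
    short pulse, a long one browns the chip out, and in between the fault
    only lands when the glitch lines up with the right instruction."""
    drain = abs(width) * repeat
    if drain < 60:
        return "normal"   # target never noticed the glitch
    if drain > 90:
        return "reset"    # supply collapsed, target rebooted
    return "success" if 6 <= offset <= 7 else "normal"

def sweep(widths, offsets, repeats, attempt=toy_target):
    """Try every (width, offset, repeat) combination and record the outcome."""
    return {p: attempt(*p) for p in product(widths, offsets, repeats)}

def summarise(results):
    """Return outcome counts and the sorted list of working settings."""
    counts = Counter(results.values())
    hits = sorted(p for p, outcome in results.items() if outcome == "success")
    return counts, hits

WIDTHS = frange(1, 49, 0.5)      # sweep range from the first post
OFFSETS = frange(-49, 49, 0.5)   # sweep range from the first post
REPEATS = range(1, 11)           # Repeat 1 to 10, as suggested in the reply

if __name__ == "__main__":
    for label, repeats in (("Repeat=1 only", [1]), ("Repeat 1..10", REPEATS)):
        counts, hits = summarise(sweep(WIDTHS, OFFSETS, repeats))
        total = sum(counts.values())
        print(f"{label}: {total} attempts, {dict(counts)}")
        if hits:
            print(f"  {len(hits)} working points ({100 * len(hits) / total:.2f}%),"
                  f" first: width={hits[0][0]} offset={hits[0][1]} repeat={hits[0][2]}")
```

With a real board, `attempt` would be replaced by a function that arms the glitch, runs the target and classifies its serial output; the classification into normal, reset and success is the part that carries over.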
