
Tutorial CW305-3 Clock Glitching

2,473 bytes added, 14:39, 18 January 2017
= Glitch Setup =
== Hardware/Software Setup ==
The hardware setup for this tutorial is largely the same as [[Tutorial CW305-1 Building a Project]]. Start the hardware setup by following those steps (connect the boards, run the example script, and upload the bitstream). Then, we need to make a few changes to our setup.

In the previous examples, we wanted to clock our Artix-7 from the target board's PLL. Now, we want to inject glitches into this clock, so we want to use the clock generated by our capture hardware. To do this, we need to change switch '''J16''' to '''1'''. This switch will force the FPGA to use the ChipWhisperer's input clock instead of the PLL.

Next, we need to generate our own clock signal. Set up the ChipWhisperer's CLKGEN output to run at 10 MHz, and use CLKGEN x4 as the ADC clock source:

[[File:CW305Clkgen.PNG]]

Then, set up the glitch module to use CLKGEN as the input clock and set the glitch trigger to external single-shot. We'll be playing with the rest of the settings later.

[[File:CW305GlitchModule.PNG]]

Finally, under CW Extra Settings, change the Target HS IO-Out to use the Glitch Module output.

Capture a trace and make sure you can see a glitch in the power. For example, here is a trace with a visible glitch from samples 30 to 35. (You might need to change the glitch width and offset - this screenshot was captured using 30% and 10%.)

[[File:CW305GlitchExample.PNG]]
== Glitch Explorer ==
Once we've gotten clock glitches working, the objective is to find a set of glitch parameters that cause the encryption process to fail. We can do this automatically using the glitch explorer, so let's set this up to search for glitches.

The first thing we need to do is get our FPGA to use a fixed plaintext and key. If we change the inputs on every capture, it'll be more difficult to tell when a glitch was successful. The rest of this tutorial will use the fixed key <code>2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C</code> and the fixed plaintext <code>5C 69 2F 91 03 B2 30 29 14 D7 E5 55 E4 DC EE 49</code>, but you can use any key and plaintext.

Using our fixed key and plaintext, we can set up the glitch explorer to detect when we've successfully glitched the FPGA. Open the glitch explorer, then click Capture 1 to see the format of the output. With the plaintext and key mentioned above, the received output is <code>'06f36a65e8a99ff8907b2e5e5ddd77de'</code>. Set the glitch explorer's normal/successful responses to check for this string. Then, set up two tuning parameters to sweep the glitch module's width and offset. When everything is set up, your glitch explorer should look like:

[[File:CW305GlitchExplorer.PNG]]

Once everything is ready, click <code>Use this value</code> and start capturing.
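
The normal/successful check and the width/offset sweep described above can be modelled offline to triage a finished run. This is an added example, not ChipWhisperer's own code: the function names, the three result classes and the sample rows are assumptions, and the sample responses are constructed rather than captured.

```python
# Added example: offline triage of glitch-sweep results (not ChipWhisperer code).
EXPECTED = "06f36a65e8a99ff8907b2e5e5ddd77de"  # normal output from the tutorial
HEX = set("0123456789abcdef")

def normalize(response):
    """Strip whitespace and the surrounding quotes, and lowercase the hex."""
    return response.strip().strip("'").lower()

def classify(response):
    """Return 'normal', 'fault' or 'invalid' for one response string."""
    r = normalize(response)
    if r == EXPECTED:
        return "normal"
    # Assumption: a well-formed 16-byte block that differs is a faulted encryption.
    if len(r) == 32 and set(r) <= HEX:
        return "fault"
    return "invalid"  # empty, truncated or non-hex: target hung or readback failed

def sweep(start, stop, step):
    """Inclusive list of percentages, like one tuning parameter's range."""
    n = int(round((stop - start) / step))
    return [round(start + i * step, 6) for i in range(n + 1)]

def byte_diff(response):
    """Indices of output bytes that differ from the normal output."""
    got, want = bytes.fromhex(normalize(response)), bytes.fromhex(EXPECTED)
    return [i for i, (a, b) in enumerate(zip(got, want)) if a != b]

def summarize(results):
    """results: iterable of (width, offset, response) rows from one sweep."""
    counts = {"normal": 0, "fault": 0, "invalid": 0}
    faults = []
    for width, offset, response in results:
        kind = classify(response)
        counts[kind] += 1
        if kind == "fault":
            faults.append((width, offset, byte_diff(response)))
    return counts, faults

# Constructed sample rows (width %, offset %, response); not real capture data.
SAMPLE = [
    (10.0, 10.0, "'06f36a65e8a99ff8907b2e5e5ddd77de'"),
    (20.0, 10.0, "06F36A65E8A99FF8907B2E5E5DDD77DE"),
    (30.0, 10.0, "'07f36a65e8a99ff8907b2e5e5ddd77de'"),
    (30.0, 20.0, ""),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Keeping invalid responses separate from faults stops a hung or reset target from being counted as a successful glitch.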
= Results =