Differences

This shows you the differences between two versions of the page.

--- project:chipwhisperer:start [2019/01/14 20:32] – [Links] eagle schematics + board layout abyssal
+++ project:chipwhisperer:start [2025/03/13 14:20] (current) – fix templatere plugin invocation root
@@ Line 1: / Line 1: @@
 ====== Chipwhisperer ======
-{{template>infobox|
+{{template>~infobox|
 name=Chipwhisperer|
 image=chipwhisperer-project-logo.png?200|
@@ Line 33: / Line 33: @@
   * [[https://wiki.newae.com/Tutorial_Map|Chipwhisperer tutorials]]
   * [[https://github.com/newaetech/chipwhisperer/tree/develop/hardware/capture/chipwhisperer-lite/pcb/eagle | Eagle schematics and board layout]]
+  * [[https://wiki.newae.com/CW506_Advanced_Breakout_Board | Advanced breakout board with voltage translation]]
+  * [[https://wiki.newae.com/CW301_Multi-Target | Multi-target board, unfortunately discontinued and with no schematics available]]
+  * [[https://wiki.newae.com/CW308_UFO_Target | UFO board for various targets, partially replacing multi-target board, but no smartcard slot available]]
+==== Related stuff ====
+  * [[https://is.muni.cz/th/dcv4s/bc.pdf | The use of a power analysis for influencing PIN verification on cryptographic smart card]]
+  * [[https://media.ccc.de/v/35c3-9563-wallet_fail | wallet.fail - using glitching and other side channels for extraction of secrets from Trezor 1 and Ledger Nano]]
+  * [[https://wiki.newae.com/Tutorial_A9_Bypassing_LPC1114_Read_Protect | Glitching LPC1114 to remove read protect]]
+===== Schematics and board layouts =====
+Schematics and board layouts can be viewed under the chipwhisperer checked out directory, in various directories (victims, tools, etc). There are .sch, .brd and generated .pdf files for schematics.
+  * [[https://github.com/newaetech/chipwhisperer/tree/develop/hardware/capture/chipwhisperer-lite/pcb/eagle | ChipWhisperer Lite]]
+  * [[https://github.com/newaetech/chipwhisperer/tree/develop/hardware/victims/smartcard_simple | Smartcard schematics]]
+  * [[https://github.com/newaetech/chipwhisperer/tree/develop/hardware/tools/papillio_target | Pappilio FPGA target]]
 ===== Chipwhisperer password cracking based on timing/power analysis =====
@@ Line 74: / Line 91: @@
+===== Glitching STM32 external board through UFO-board interface =====
+Glitching an STM32F429 discovery evaluation board. The board required resoldering of some solder bridges (SB18, SB19, removing X3 crystal oscillator) so that we can input glitch signal without interference from the STLink integrated SWD or any other clock signal, using PH0 as input from Chipwhisperer.
+The chip has VBAT input, unfortunately it's not connected to any of the output pins, so powering the board from outside without using the STM32F0 SWD STLink is a bit challenge.
+Unfortunately the [[https://wiki.newae.com/CW308T-STM32F | board templates for STM32 for UFO boards are too small for this chip]], which is not made in the smallest TQFP-64 package.
+{{:project:chipwhisperer:chipwhisperer_ufo_stm32f429.jpg?1200|}}
+It'd might work better if SDRAM and display was desoldered as well. By comparing various STM32F4 (415, 427, 429) in STM32CubeMx it reveals that the clock circuits are very different.
+FYI: just keep all the relevants part of pinout connected (GPIO4-trigger, RX/TX). Use 7.37 MHz clock instead of 8 MHz clock provided by the crystal oscillator or MCO from STLink so that the UART doesn't break. For anyone wondering why 7.37 MHz instead of 8 MHz, is that 7.3728e6/38400 == 192 and 7.3728e6/115200 == 64 precisely which is why 7.37 MHz is used for "industrial" UART clock generators. The chip will of course let you reconfigure the clock network, but for the usage with Chipwhisperer, using 7.37 Mhz is much easier.
+====== STM32CubeMX ======
+When you look at the clock networks of various STM32, you will find that each chip has different clock network, STM32F427 cannot be easily replaced with STM32F429.
+====== UART bootROM protocol of STM32s via Chipwhisperer ======
+Chipwhisperer has [[https://github.com/newaetech/chipwhisperer/blob/develop/software/chipwhisperer/hardware/naeusb/programmer_stm32fserial.py | STM32 serial programmer]] which can do more stuff than just erase and flash new program (refer to AN 3155 and AN 2606 STM32 datasheet).
+To get into the bootROM you need to trigger the right pattern (depends on specific STM32, but generally needs BOOT0 pin high with some extra conditions).
+Once bootROM is running, you can issue commands like erase, write, protect/unprotect and others.
+Some commands can be stacked, e.g. (extended) erase with write, some like (un)protect commands cause system reset of STM32 and you need to reopen the programmer.
+An unfortunate side effect of pulling nRST (either from outside or from firmware) is that gdb connected to SWD as external target aborts.
+I would highly recommend using logic analyzer to check result since the STM32 programmer is PITA. Order of connection of SWD/JTAG and logic analyzer seems to matter. Once nRST is pulled, SWD/JTAG seems to lose ability to do proper system reset.
+{{:project:chipwhisperer:chipwhisperer_nano_stm32f0_bootrom.jpg?800|}}