manualshive.com logo in svg

NewAE CHIPSHOUTER CW520, User Manual

The NewAE CHIPSHOUTER CW520 user manual is available for free download at manualshive.com. This comprehensive manual provides detailed instructions on how to properly use and maintain your CW520 device, ensuring optimal performance and longevity. Download your manual today to get the most out of your product.

Share
Download
background image

ChipSHOUTER Users Manual

: High Voltage Warnings 

 

 

High Voltage Warnings 

In addition to the safety warnings regarding the ChipSHOUTER 

operation, there are some specific additional warnings re-

lated to the high voltage circuitry. Please carefully read 

both the “Safety Information” in addition to these “High 

Voltage Warnings”. All users of the ChipSHOUTER must be 

aware of these warnings. 

 

 

ChipSHOUTER  can generate strong  magnetic and 
electrical fields. DO NOT use around safety-
critical equipment. DO NOT allow a person with an 
implanted or on-body medical device near the 
ChipSHOUTER. 

 

The SMA center pin has hazardous voltage present. 
DO NOT touch or otherwise expose this connection. 

 

DO NOT touch the injection probe or high voltage 
connector when device is armed or discharging. 

 

DO NOT attempt to arm the ChipSHOUTER  without a 
EMFI injection probe attached. 

 

DO NOT use the ChipSHOUTER  to generate a  spark-
gap discharge. In addition to exposing hazardous 

 

ChipSHOUTER can generate hazardous voltages. It 

is very important that everyone who will be operat-

ing the ChipSHOUTER carefully reads and 

understands this manual and the warning instruc-

tions. If you have questions about these warnings 

please contact NewAE immediately.  

 

Summary of Contents for CHIPSHOUTER CW520

Page 1: ...esentations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time wi...

Page 2: ...To obtain warranty service contact NewAE Technology Inc If NewAE Technology Inc determines that failure was caused by neglect misuse contamination alteration accident or abnormal condition of operati...

Page 3: ...r Jack 26 RJ12 Expansion Connector 25 Oscilloscope Probe Connectors 26 Pulse Generation 27 Generated Pulse vs Inserted 27 Active High vs Active Low Inputs 27 Basic Pulse Generator 28 Programmable Puls...

Page 4: ...6 Figure 9 Detail of included probes 37 Figure 8 Inserted pulse viewed on oscilloscope screen 39 Figure 11 Tuning oscilloscope probe 41 Figure 10 Example calibration waveform 42 Figure 11 Removing bla...

Page 5: ...system is a platform for experimentation and education right out of the box Paired with an X Y table and some basic python script ing the ChipSHOUTER becomes a fully automatable EMFI platform capable...

Page 6: ...device function would be undesirable DO NOT touch the injection tip or high voltage connector when device is armed or discharging DO NOT aim or position the injection tip onto a person or other livin...

Page 7: ...operate the product with the air inlet cover removed without connecting an air hose If an air hose is removed immediately replace the air inlet cover Repairs must only be performed by an approved tec...

Page 8: ...ly Do not disassemble unit This product complies with the WEEE directive marking require ments The affixed label indicates that you must not discard this electronic product in domestic household waste...

Page 9: ...rson with an implanted or on body medical device near the ChipSHOUTER The SMA center pin has hazardous voltage present DO NOT touch or otherwise expose this connection DO NOT touch the injection probe...

Page 10: ...fully inspect the probes for damage to the insulation and de stroy to prevent accidental reuse and discard any damaged probes DO NOT position the injection probes in such a manner they will scrape con...

Page 11: ...V 3 4A Power Adapter SMB to BNC adapter Injection probe tips 1mm 4mm SMB Cable Isolated USB Adapter RJ12 Cable Micro USB Cable CW521 Ballistic Gel SRAM Target USB Cable SMA Saver Installed CW322 Simpl...

Page 12: ...can easily be replaced in case it is damaged 6 The SMA right angle adapter is used in combination with a horizontal mount XY table 7 The oscilloscope probe adapter allows monitoring of the pulse inse...

Page 13: ...ling The adapter may look different or be of different material thank shown here We are continuously improving our products Some of the ac cessories or the device may look different than the photos us...

Page 14: ...memory resetting lock bits skipping instructions and inserting faults into crypto graphic operations are all applications of EMFI This can be used for embedded security research validating fault tole...

Page 15: ...is discharged through an inductor the injec tion tip This injection tip generates a powerful magnetic field that can be used to induce faults in a target device To make using the device easier the Ch...

Page 16: ...er is also present that directly drives the high voltage switch This hardware trigger allows entirely arbitrary on off pulses to be sent into the injection tip This hardware trigger can be used with g...

Page 17: ...ional EN 61326 1 Portable Electromagnetic Environment EN 61326 2 2 CISPR 11 Group 2 Class A Group 2 This equipment intentionally generates RF energy that is used in electromagnetic coupling in ductive...

Page 18: ...mpt 2 Binary Serial connection RJ12 connector with GND TX RX 3 3V output and switchable pulse arm pin Hardware trigger connector type SMB connector center positive Hardware trigger threshold 2V Hardwa...

Page 19: ...0 Time steps Total pulse width 0 0208 100 uS Pulse output state per time steps 1 0 Pulse width jitter tested pulse width of 80nS 350 pS std dev Hardware Input Trigger Delay Tested high voltage 150V to...

Page 20: ...achieved with the monitor port output As an example achieving approximately the same pulses multiple times is shown with the following pattern trigger waveform setting for 1 2 and 3 pulses Note the sp...

Page 21: ...h charge voltage values The larger 4mm tip allows a wider range of possible pulse widths and more closely follows the commanded input width It is extremely important to use the oscilloscope monitoring...

Page 22: ...similar to any electrical conductor during operation Note the SMA connector will wear over time and a loose ly attached injection tip can cause arcing which will permanently damage the connector redu...

Page 23: ...ved firmly while spinning the connector nut using a 8mm wrench if needed to remove or attach If you simply rotate the connector nut without holding the body stationary it is easy to rotate the body of...

Page 24: ...ow power LP glitch crowbar output The ChipSHOUTER has an internal pull up on the hardware trigger input allowing the LP glitch crowbar output to serve as an open drain output See the online documentat...

Page 25: ...OUTER can be controlled using asynchronous serial through the RJ12 port on the device DO NOT connect this ca ble to general use ports on other devices like ethernet or phone ports Connection to a comp...

Page 26: ...ro vided DC power supply with the ChipSHOUTER which has a rating of 19V 3 42A Oscilloscope Probe Connectors Both the voltage and current output of the ChipSHOUTER can be monitored via two probe connec...

Page 27: ...d 2 limitations of the ChipSHOUTER The physical limitations of the injection tips are responsible for most limitations Issues such as the core material saturation result in limits regarding how many p...

Page 28: ...be used to generate complex patterns including multiple pulses and delays It also provides a much shorter time resolution than the basic pulse generator The pattern is recorded as a binary pattern whe...

Page 29: ...eters You may wish to set repeat to 1 to avoid repeating the pattern unexpectedly Some hints about using the pattern trigger 1 You will need to experiment with the pattern to get the desired output Th...

Page 30: ...ting 1 The microcontroller simply uses two loops to multiply 300 by 300 and check the result The board features 3 LEDs that indicate the state of the device The START LED shows when the device begins...

Page 31: ...e RUN_CNT 2000 define OUTER_LOOP_CNT 300 define INNER_LOOP_CNT 300 void glitch_loop void volatile uint32_t i j volatile uint32_t cnt uint32_t blink_status 1 uint32_t run_cnt 0 uint32_t glitch_cnt 0 fo...

Page 32: ...UTER to inject a field pulse 6 Move the probe across the chip while holding the PULSE button and observe the effect on the LEDs In some locations the chip will reset or stop working In others the chip...

Page 33: ...an imprint of the magnetic field injected into it like a ballistic gel block leaves an imprint of a projectile This acts as an ex ample of memory corruption and this process demonstrates some of the C...

Page 34: ...f the ChipSHOUTER is 115200 baud 8N1 6 Connect the 19V power adapter to the ChipSHOUTER If your terminal was configured correctly a welcome mes sage should be displayed as the device boots 7 Test conn...

Page 35: ...10ms Use these settings for the next test 14 Repeat steps 9 12 with the new pulse settings You can adjust these settings more to see how each one affects the injected corruption More data on these ef...

Page 36: ...direction can be used to specify a positive or negative voltage induced into a specific target you may need to experiment to determine which wrap direction corresponds to positive negative on your sp...

Page 37: ...manual use and insensitive targets They generate a wide field that is good for discovering new vulnerabilities and they have the best chance to disrupt a circuit in some way The smaller 1mm tips are...

Page 38: ...d is not designed to generate spark discharge events A spark discharge event causes a very high dV dT which can permanently destroy the output stage of the ChipSHOUTER When attaching tips ensure they...

Page 39: ...built into the ChipSHOUTER itself This allows you to monitor the high voltage output with out risk of exposing yourself to high voltages These probes are designed only for usage with a standard 1M 10...

Page 40: ...means your oscilloscope front end will see 25V at the 1M input CAUTION Confirm your oscilloscope 1M maximum voltage rating is at least 25V Due to ringing at the tip voltages may exceed 500V so a 30V r...

Page 41: ...MA connector output and observing the voltage with an externally calibrated oscillo scope probe on this resistor Doing so requires exposing high voltages and is not covered by this manual Instead we p...

Page 42: ...V as the os cilloscope measures the voltage at the probe output and there is some drop across the internal protection resistors Due to oscilloscope variation you may not achieve the 350V measurement I...

Page 43: ...be inserted Dry room temperature forced air may be inserted into the ChipSHOUTER from this port To use this port you will need to use a 4 mm hex wrench provided to remove the blanking port Once you h...

Page 44: ...blanking plug is a M8x1 25 x 16mm set screw and if the blanking plug is lost a M8x1 25 bolt can be used until the proper replacement is procured The air inlet must never be left open Figure 14 Adding...

Page 45: ...Even a small airflow such as from an aquarium pump will substantially improve the cooling capability of the ChipSHOUTER If using dried compressed air ensure you are using a pressure regulator to limi...

Page 46: ...oltage is higher lower than expected RAM CRC RAM CRC failed EEPROM CRC EEPROM CRC failed GPIO GPIO state does not match expected Charge Error Charge circuit error likely DC input voltage out of spec o...

Page 47: ...ed when certain critical faults occur the fault will latch and the device will dis arm In this case it not enough to simply fix the condition In addition you must clear the latched fault after fixing...

Page 48: ...the output to only enable faults for short bursts and prove the Chip SHOUTER time to perform safety checks in between bursts Over Temperature Fault The ChipSHOUTER contains three temperature sensors T...

Page 49: ...triggers could occur during the arming process resulting in malformed pulses The error tone will sound without the fault LED blink ing if you attempt to use the PULSE button or pulse command over the...

Page 50: ...TER Internal faults in clude RAM CRC error FLASH CRC error or firmware sig nature verification error Measured capacitor bank voltage differs from set voltage Permanent failure of ability to measure te...

Page 51: ...rmat is shown below armed get voltage Note the armed indicates a state and get voltage is a command to the device The following screenshot shows a typ ical interaction with the ChipSHOUTER console NOT...

Page 52: ...f the device is in the armed state the actual measured voltage will also be reported When device is disarmed the high voltage is not turned on so reported measure voltages are inva lid Example disarme...

Page 53: ...t value for number of pulses per trig ger the trigger being the pulse command the front panel button or the RJ12 firmware pulse pin when enabled Example set pulse repeat 1 s p r 5 get set pulse deadti...

Page 54: ...n configured as active low ensure the pin is externally driven high during operation to prevent false triggers This command switches the entire internal trigger logic When switching hwtrig_mode and us...

Page 55: ...and must be cleared manually get fault latched current type g f l c t Get the state of a specific fault current or latched type is the fault type and t is the associated shorthand Table of type optio...

Page 56: ...d safety self checks that cannot be performed during the trigger event If the needed safety checks cannot be performed for a certain length of time the device will en ter fault mode get set absent_tem...

Page 57: ...tive low the pattern trigger will follow this a 0 causes a pulse The pattern trigger MUST END WITH AN INACTIVE VALUE to prevent a trigger error for example end ing with a 0 when the ChipSHOUTER is in...

Page 58: ...aults and arms device equivalent to running set fault none followed by arm This command is useful when using the external trigger as you may need to quickly clear a latched fault and arm the device di...

Page 59: ...ered 3 LED shows when the ChipSHOUTER is armed 4 LED shows when the USB cable is present and power is being supplied to the USB interface from the computer 5 LED shows when data is being transmitted T...

Page 60: ...cross platform compatibility the default FTDI VID PID has been maintained Drivers for almost any system can be found on the FTDI driver website being sure to specify the Vir tual Com Port VCP option...

Page 61: ...er platform oscillo scopes and anything else that can be hooked into python Below is a usage example for the Python API For further ex amples and full documentation visit https github com newaetech Ch...

Page 62: ...OUTER on the chip surface NewAE Technology Inc provides the ChipShover which has included mounting brackets and easy integration with the ChipSHOUTER environment NewAE Technology Inc also provides a m...

Page 63: ...e com mand before each external trigger event Slow down external triggers Using external hard ware trigger causes probe open fault External trigger is rapidly repeating many times for example being dr...

Page 64: ...do not load Drivers are not be ing loaded Check FTDI website for latest VCP drivers Use different USB port Continuous trigger faults External trigger pin is being pulled to ac tive state Check if hard...

Page 65: ...1 0 g s hwt get set hwtrig_mode 1 0 g s hwm get set emode 1 0 g s e get set mute 1 0 g s m get set absent_temp 1 0 g s at get fault g f get fault_active g fa get fault_latch g fl get fault latched cur...

Page 66: ...e can be found inside this user manual As a special bonus it is printed on a special combustible mate rial that could save your life when hiking and lost in the woods We do not review this type of mat...

Reviews:

No comments

Related manuals for CHIPSHOUTER CW520

Makita BBX7600N Parts Breakdown preview
BBX7600N
Brand: Makita Pages: 17
Makita BBX7600 Catalog preview
BBX7600
Brand: Makita Pages: 13
Oberheim DSX Service Manual preview
DSX
Brand: Oberheim Pages: 40
Danelec DM800 Installation Manual preview
DM800
Brand: Danelec Pages: 67
FarmTek Growers Supply 109722 Manual preview
Growers Supply 109722
Brand: FarmTek Pages: 9
Garmin PORTABLE ICE FISHING KIT Installation Instructions preview
PORTABLE ICE FISHING KIT
Brand: Garmin Pages: 5
Taylor-Wharton XL Series Instructions Manual preview
XL Series
Brand: Taylor-Wharton Pages: 25
i-CAT FLX V Series User Manual preview
FLX V Series
Brand: i-CAT Pages: 96
Laser BAHIA Hints And Tips preview
BAHIA
Brand: Laser Pages: 2
Lars Thrane LT-1000 NRU User & Installation Manual preview
LT-1000 NRU
Brand: Lars Thrane Pages: 50
Rain-Flo Irrigation 1670 Operating Manual preview
1670
Brand: Rain-Flo Irrigation Pages: 16
Launch X431 V Quick Start Manual preview
X431 V
Brand: Launch Pages: 3
Launch EasyDiag User Manual preview
EasyDiag
Brand: Launch Pages: 43
Launch X-431 Diagun Faq preview
X-431 Diagun
Brand: Launch Pages: 8
Launch X-431 PAD III User Manual preview
X-431 PAD III
Brand: Launch Pages: 67
Launch X-431 PADII User Manual preview
X-431 PADII
Brand: Launch Pages: 55
LAUNCH TECH Creader 629 Quick Start Manual preview
Creader 629
Brand: LAUNCH TECH Pages: 14
Launch X-431 PROS V4.0 User Manual preview
X-431 PROS V4.0
Brand: Launch Pages: 80

Brands by name

Popular brands

Load more brands