NewAE CHIPSHOUTER CW520 Скачать руководство пользователя страница 1

Страница: 1 / 66

CHIPSHOUTER®

USER MANUAL

Last Update: Sept 3/2019

notice. All product names are trademarks of their respective companies. ChipSHOUTER is a registered

trademark of NewAE Technology Inc.

NewAE Technology Inc. makes no representations or warranties with respect to the accuracy or completeness

of the contents of this document and reserves the right to make changes to specifications and product

descriptions at any time without notice. NewAE Technology does not make any commitment to update the

information contained herein. NewAE Technology products are not intended, authorized, or warranted for

use as components in applications intended to support or sustain life. NewAE Technology products are

designed solely for teaching purposes.

Содержание CHIPSHOUTER CW520

Страница 1: ...esentations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time wi...

Страница 2: ...To obtain warranty service contact NewAE Technology Inc If NewAE Technology Inc determines that failure was caused by neglect misuse contamination alteration accident or abnormal condition of operati...

Страница 3: ...r Jack 26 RJ12 Expansion Connector 25 Oscilloscope Probe Connectors 26 Pulse Generation 27 Generated Pulse vs Inserted 27 Active High vs Active Low Inputs 27 Basic Pulse Generator 28 Programmable Puls...

Страница 4: ...6 Figure 9 Detail of included probes 37 Figure 8 Inserted pulse viewed on oscilloscope screen 39 Figure 11 Tuning oscilloscope probe 41 Figure 10 Example calibration waveform 42 Figure 11 Removing bla...

Страница 5: ...system is a platform for experimentation and education right out of the box Paired with an X Y table and some basic python script ing the ChipSHOUTER becomes a fully automatable EMFI platform capable...

Страница 6: ...device function would be undesirable DO NOT touch the injection tip or high voltage connector when device is armed or discharging DO NOT aim or position the injection tip onto a person or other livin...

Страница 7: ...operate the product with the air inlet cover removed without connecting an air hose If an air hose is removed immediately replace the air inlet cover Repairs must only be performed by an approved tec...

Страница 8: ...ly Do not disassemble unit This product complies with the WEEE directive marking require ments The affixed label indicates that you must not discard this electronic product in domestic household waste...

Страница 9: ...rson with an implanted or on body medical device near the ChipSHOUTER The SMA center pin has hazardous voltage present DO NOT touch or otherwise expose this connection DO NOT touch the injection probe...

Страница 10: ...fully inspect the probes for damage to the insulation and de stroy to prevent accidental reuse and discard any damaged probes DO NOT position the injection probes in such a manner they will scrape con...

Страница 11: ...V 3 4A Power Adapter SMB to BNC adapter Injection probe tips 1mm 4mm SMB Cable Isolated USB Adapter RJ12 Cable Micro USB Cable CW521 Ballistic Gel SRAM Target USB Cable SMA Saver Installed CW322 Simpl...

Страница 12: ...can easily be replaced in case it is damaged 6 The SMA right angle adapter is used in combination with a horizontal mount XY table 7 The oscilloscope probe adapter allows monitoring of the pulse inse...

Страница 13: ...ling The adapter may look different or be of different material thank shown here We are continuously improving our products Some of the ac cessories or the device may look different than the photos us...

Страница 14: ...memory resetting lock bits skipping instructions and inserting faults into crypto graphic operations are all applications of EMFI This can be used for embedded security research validating fault tole...

Страница 15: ...is discharged through an inductor the injec tion tip This injection tip generates a powerful magnetic field that can be used to induce faults in a target device To make using the device easier the Ch...

Страница 16: ...er is also present that directly drives the high voltage switch This hardware trigger allows entirely arbitrary on off pulses to be sent into the injection tip This hardware trigger can be used with g...

Страница 17: ...ional EN 61326 1 Portable Electromagnetic Environment EN 61326 2 2 CISPR 11 Group 2 Class A Group 2 This equipment intentionally generates RF energy that is used in electromagnetic coupling in ductive...

Страница 18: ...mpt 2 Binary Serial connection RJ12 connector with GND TX RX 3 3V output and switchable pulse arm pin Hardware trigger connector type SMB connector center positive Hardware trigger threshold 2V Hardwa...

Страница 19: ...0 Time steps Total pulse width 0 0208 100 uS Pulse output state per time steps 1 0 Pulse width jitter tested pulse width of 80nS 350 pS std dev Hardware Input Trigger Delay Tested high voltage 150V to...

Страница 20: ...achieved with the monitor port output As an example achieving approximately the same pulses multiple times is shown with the following pattern trigger waveform setting for 1 2 and 3 pulses Note the sp...

Страница 21: ...h charge voltage values The larger 4mm tip allows a wider range of possible pulse widths and more closely follows the commanded input width It is extremely important to use the oscilloscope monitoring...

Страница 22: ...similar to any electrical conductor during operation Note the SMA connector will wear over time and a loose ly attached injection tip can cause arcing which will permanently damage the connector redu...

Страница 23: ...ved firmly while spinning the connector nut using a 8mm wrench if needed to remove or attach If you simply rotate the connector nut without holding the body stationary it is easy to rotate the body of...

Страница 24: ...ow power LP glitch crowbar output The ChipSHOUTER has an internal pull up on the hardware trigger input allowing the LP glitch crowbar output to serve as an open drain output See the online documentat...

Страница 25: ...OUTER can be controlled using asynchronous serial through the RJ12 port on the device DO NOT connect this ca ble to general use ports on other devices like ethernet or phone ports Connection to a comp...

Страница 26: ...ro vided DC power supply with the ChipSHOUTER which has a rating of 19V 3 42A Oscilloscope Probe Connectors Both the voltage and current output of the ChipSHOUTER can be monitored via two probe connec...

Страница 27: ...d 2 limitations of the ChipSHOUTER The physical limitations of the injection tips are responsible for most limitations Issues such as the core material saturation result in limits regarding how many p...

Страница 28: ...be used to generate complex patterns including multiple pulses and delays It also provides a much shorter time resolution than the basic pulse generator The pattern is recorded as a binary pattern whe...

Страница 29: ...eters You may wish to set repeat to 1 to avoid repeating the pattern unexpectedly Some hints about using the pattern trigger 1 You will need to experiment with the pattern to get the desired output Th...

Страница 30: ...ting 1 The microcontroller simply uses two loops to multiply 300 by 300 and check the result The board features 3 LEDs that indicate the state of the device The START LED shows when the device begins...

Страница 31: ...e RUN_CNT 2000 define OUTER_LOOP_CNT 300 define INNER_LOOP_CNT 300 void glitch_loop void volatile uint32_t i j volatile uint32_t cnt uint32_t blink_status 1 uint32_t run_cnt 0 uint32_t glitch_cnt 0 fo...

Страница 32: ...UTER to inject a field pulse 6 Move the probe across the chip while holding the PULSE button and observe the effect on the LEDs In some locations the chip will reset or stop working In others the chip...

Страница 33: ...an imprint of the magnetic field injected into it like a ballistic gel block leaves an imprint of a projectile This acts as an ex ample of memory corruption and this process demonstrates some of the C...

Страница 34: ...f the ChipSHOUTER is 115200 baud 8N1 6 Connect the 19V power adapter to the ChipSHOUTER If your terminal was configured correctly a welcome mes sage should be displayed as the device boots 7 Test conn...

Страница 35: ...10ms Use these settings for the next test 14 Repeat steps 9 12 with the new pulse settings You can adjust these settings more to see how each one affects the injected corruption More data on these ef...

Страница 36: ...direction can be used to specify a positive or negative voltage induced into a specific target you may need to experiment to determine which wrap direction corresponds to positive negative on your sp...

Страница 37: ...manual use and insensitive targets They generate a wide field that is good for discovering new vulnerabilities and they have the best chance to disrupt a circuit in some way The smaller 1mm tips are...

Страница 38: ...d is not designed to generate spark discharge events A spark discharge event causes a very high dV dT which can permanently destroy the output stage of the ChipSHOUTER When attaching tips ensure they...

Страница 39: ...built into the ChipSHOUTER itself This allows you to monitor the high voltage output with out risk of exposing yourself to high voltages These probes are designed only for usage with a standard 1M 10...

Страница 40: ...means your oscilloscope front end will see 25V at the 1M input CAUTION Confirm your oscilloscope 1M maximum voltage rating is at least 25V Due to ringing at the tip voltages may exceed 500V so a 30V r...

Страница 41: ...MA connector output and observing the voltage with an externally calibrated oscillo scope probe on this resistor Doing so requires exposing high voltages and is not covered by this manual Instead we p...

Страница 42: ...V as the os cilloscope measures the voltage at the probe output and there is some drop across the internal protection resistors Due to oscilloscope variation you may not achieve the 350V measurement I...

Страница 43: ...be inserted Dry room temperature forced air may be inserted into the ChipSHOUTER from this port To use this port you will need to use a 4 mm hex wrench provided to remove the blanking port Once you h...

Страница 44: ...blanking plug is a M8x1 25 x 16mm set screw and if the blanking plug is lost a M8x1 25 bolt can be used until the proper replacement is procured The air inlet must never be left open Figure 14 Adding...

Страница 45: ...Even a small airflow such as from an aquarium pump will substantially improve the cooling capability of the ChipSHOUTER If using dried compressed air ensure you are using a pressure regulator to limi...

Страница 46: ...oltage is higher lower than expected RAM CRC RAM CRC failed EEPROM CRC EEPROM CRC failed GPIO GPIO state does not match expected Charge Error Charge circuit error likely DC input voltage out of spec o...

Страница 47: ...ed when certain critical faults occur the fault will latch and the device will dis arm In this case it not enough to simply fix the condition In addition you must clear the latched fault after fixing...

Страница 48: ...the output to only enable faults for short bursts and prove the Chip SHOUTER time to perform safety checks in between bursts Over Temperature Fault The ChipSHOUTER contains three temperature sensors T...

Страница 49: ...triggers could occur during the arming process resulting in malformed pulses The error tone will sound without the fault LED blink ing if you attempt to use the PULSE button or pulse command over the...

Страница 50: ...TER Internal faults in clude RAM CRC error FLASH CRC error or firmware sig nature verification error Measured capacitor bank voltage differs from set voltage Permanent failure of ability to measure te...

Страница 51: ...rmat is shown below armed get voltage Note the armed indicates a state and get voltage is a command to the device The following screenshot shows a typ ical interaction with the ChipSHOUTER console NOT...

Страница 52: ...f the device is in the armed state the actual measured voltage will also be reported When device is disarmed the high voltage is not turned on so reported measure voltages are inva lid Example disarme...

Страница 53: ...t value for number of pulses per trig ger the trigger being the pulse command the front panel button or the RJ12 firmware pulse pin when enabled Example set pulse repeat 1 s p r 5 get set pulse deadti...

Страница 54: ...n configured as active low ensure the pin is externally driven high during operation to prevent false triggers This command switches the entire internal trigger logic When switching hwtrig_mode and us...

Страница 55: ...and must be cleared manually get fault latched current type g f l c t Get the state of a specific fault current or latched type is the fault type and t is the associated shorthand Table of type optio...

Страница 56: ...d safety self checks that cannot be performed during the trigger event If the needed safety checks cannot be performed for a certain length of time the device will en ter fault mode get set absent_tem...

Страница 57: ...tive low the pattern trigger will follow this a 0 causes a pulse The pattern trigger MUST END WITH AN INACTIVE VALUE to prevent a trigger error for example end ing with a 0 when the ChipSHOUTER is in...

Страница 58: ...aults and arms device equivalent to running set fault none followed by arm This command is useful when using the external trigger as you may need to quickly clear a latched fault and arm the device di...

Страница 59: ...ered 3 LED shows when the ChipSHOUTER is armed 4 LED shows when the USB cable is present and power is being supplied to the USB interface from the computer 5 LED shows when data is being transmitted T...

Страница 60: ...cross platform compatibility the default FTDI VID PID has been maintained Drivers for almost any system can be found on the FTDI driver website being sure to specify the Vir tual Com Port VCP option...

Страница 61: ...er platform oscillo scopes and anything else that can be hooked into python Below is a usage example for the Python API For further ex amples and full documentation visit https github com newaetech Ch...

Страница 62: ...OUTER on the chip surface NewAE Technology Inc provides the ChipShover which has included mounting brackets and easy integration with the ChipSHOUTER environment NewAE Technology Inc also provides a m...

Страница 63: ...e com mand before each external trigger event Slow down external triggers Using external hard ware trigger causes probe open fault External trigger is rapidly repeating many times for example being dr...

Страница 64: ...do not load Drivers are not be ing loaded Check FTDI website for latest VCP drivers Use different USB port Continuous trigger faults External trigger pin is being pulled to ac tive state Check if hard...

Страница 65: ...1 0 g s hwt get set hwtrig_mode 1 0 g s hwm get set emode 1 0 g s e get set mute 1 0 g s m get set absent_temp 1 0 g s at get fault g f get fault_active g fa get fault_latch g fl get fault latched cur...

Страница 66: ...e can be found inside this user manual As a special bonus it is printed on a special combustible mate rial that could save your life when hiking and lost in the woods We do not review this type of mat...

Результаты поиска

Содержание CHIPSHOUTER CW520

Отзывы:

Похожие инструкции для CHIPSHOUTER CW520

Бренды по названию

Популярные бренды

NewAE CHIPSHOUTER CW520, Руководство пользователя

Результаты поиска

Содержание CHIPSHOUTER CW520

Отзывы:

Похожие инструкции для CHIPSHOUTER CW520

Бренды по названию

Популярные бренды