NewAE CHIPSHOUTER CW520 User Manual
  1. Manuals
  2. Brands
  3. NewAE Manuals
  4. Test Equipment
  5. CHIPSHOUTER CW520
  6. User manual

NewAE CHIPSHOUTER CW520 User Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
CHIPSHOUTER®
USER MANUAL
Last Update: Sept 3/2019
© 2018-2019 NewAE Technology Inc. All rights reserved. Specifications are subject to change without
notice. All product names are trademarks of their respective companies. ChipSHOUTER is a registered
trademark of NewAE Technology Inc.
NewAE Technology Inc. makes no representations or warranties with respect to the accuracy or completeness
of the contents of this document and reserves the right to make changes to specifications and product
descriptions at any time without notice. NewAE Technology does not make any commitment to update the
information contained herein. NewAE Technology products are not intended, authorized, or warranted for
use as components in applications intended to support or sustain life. NewAE Technology products are
designed solely for teaching purposes.

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the CHIPSHOUTER CW520 and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Summary of Contents for NewAE CHIPSHOUTER CW520

  • Page 1 NewAE Technology does not make any commitment to update the information contained herein. NewAE Technology products are not intended, authorized, or warranted for use as components in applications intended to support or sustain life.
  • Page 2 LIMITED WARRANTY AND LIMITATION OF LIABILITY Each NewAE Technology Inc product is warranted to be free from defects in mate- rial and workmanship under normal use and service. The warranty period is one year and begins on the date of shipment. This warranty extends only to the...

  • Page 3: Table Of Contents

    Table of Contents Introduction............ 5 Safety Information ..........6 High Voltage Warnings .......... 9 Packing Information ........... 11 Background and Quick Start Guide ......14 Device Architecture ........... 15 Specifications..........17 General Specifications ........17 I/O Characteristics ......... 18 High Voltage Characteristics ........ 18 Pulse Source Characteristics ........
  • Page 4 XY(Z) Table Connection ........62 Troubleshooting ..........63 Table of Figures Figure 1: Overview of ChipSHOUTER device architecture..15 Figure 2: 4mm tip pulse width ......... 20 Figure 3: 1mm tip pulse width ......... 21 Figure 4: External connectors on the ChipSHOUTER....22 Figure 5: RJ12 Connector on ChipSHOUTER Panel.

  • Page 5: Introduction

    Introduction ChipSHOUTER Users Manual: Introduction The CW520 (ChipSHOUTER) is a fully-featured Electromagnetic Fault Injection platform that can be used to discover and characterize vulnerabilities in embedded systems. ChipSHOUT- makes EMFI available test labs, engineering development firms, educators, and embedded enthusiasts. With a flexible API and bundled practice targets the system is a platform for experimentation and education right out of the box.

  • Page 6: Safety Information

    Safety Information ChipSHOUTER Users Manual: Safety Information CAREFULLY READ BOTH FOLLOWING GENERAL SAFTEY INFORMATION, AND SAFTEY INFORMATION IN THE SECTION ENTITLED “HIGH VOLTAGE WARNINGS”: • This product generates strong electronic and mag- netic fields: DO NOT use around persons with implanted or attached medical devices such as pace- makers, implanted...
  • Page 7 ChipSHOUTER Users Manual: Safety Information from the ChipSHOUTER by unplugging the power source. Check connections are secure and for dam- age to the probe. If probe is damaged destroy and discard it, and replace with an undamaged probe. • IF you notice smoke or unusual odors emitted from the ChipSHOUTER, immediately discontinue opera- tion and remove power from the ChipSHOUTER by unplugging the power source.
  • Page 8 ChipSHOUTER Users Manual: Safety Information Symbol Description Symbol Description WARNING. HAZARDOUS WARNING. RISK OF DANGER. VOLTAGE. Risk of electric shock. Consult user documenta- DC (Direct Current) tion. Conforms to European AC (Alternating Current) Union directives. For indoor use only. Do not disassemble unit. This product complies with the WEEE directive marking require- ments.

  • Page 9: High Voltage Warnings

    ChipSHOUTER carefully reads understands this manual and the warning instruc- tions. If you have questions about these warnings please contact NewAE immediately. • ChipSHOUTER generate strong magnetic electrical fields. DO NOT use around safety- critical equipment.
  • Page 10 ChipSHOUTER Users Manual: High Voltage Warnings voltages, this may generate U.V. light and other dangerous radiation. ChipSHOUTER will also be se- verely damaged during the discharge process, as the spark-gap discharge exceeds allowed dv/dt ratings of the driver circuit. • The insulation on the injection probes must be unbroken for your protection.

  • Page 11: Packing Information

    Packing Information ChipSHOUTER Users Manual: Packing Information ChipSHOUTER CW520 Main Unit SMB to SMA adapter ① ⑧ 19V / 3.4A Power Adapter SMB to BNC adapter ② ⑨ Injection probe/tips (1mm, 4mm) SMB Cable ③ ⑩ Isolated USB Adapter + RJ12 Cable CW521 Ballistic Gel SRAM ④...
  • Page 12 ChipSHOUTER Users Manual: Packing Information 1. The ChipSHOUTER CW520 main unit is the EMFI fault in- jection platform itself. 2. The 19V power supply provides DC power to the Chip- SHOUTER. 3. The injection probe tips must be added onto the end of the ChipSHOUTER before using the device.
  • Page 13 ChipSHOUTER Users Manual: Packing Information 13. The cooling air adapter allows you to insert dry high- pressure air into the ChipSHOUTER for cooling. The adapter may look different or be of different material thank shown here. We are continuously improving our products. Some of the ac- cessories or the device may look different than the photos used for this manual, but this is part of our continuous re- finement of the product.

  • Page 14: Background And Quick Start Guide

    Background and Quick Start Guide ChipSHOUTER Users Manual: Background and Quick Start Guide Electromagnetic Fault Injection (EMFI) is a way of injecting transient faults into electronic systems without direct electrical contact. This is accomplished by generating a rapidly changing magnetic field directed at the Device under Test (DuT).

  • Page 15: Device Architecture

    Device Architecture ChipSHOUTER Users Manual: Device Architecture Figure 1: Overview of ChipSHOUTER device architecture. Fundamentally, ChipSHOUTER provides high voltage charge that is discharged through an inductor (the “injec- tion tip”). This injection tip generates a powerful magnetic field that can be used to induce faults in a target device. To make using the device easier, the ChipSHOUTER in- cludes a microcontroller that controls device operation.
  • Page 16 ChipSHOUTER Users Manual: Device Architecture active, the device will prevent “arming” (turning on the high-voltage circuit) until the condition is cleared, and possibly acknowledged by the user. This microcontroller can also generate pulse waveforms. These waveforms can either be basic pulses of a specified lengths, or more complicated patterns involving switching the high voltage on/off in 21nS time-steps.

  • Page 17: Specifications

    Specifications ChipSHOUTER Users Manual: Specifications General Specifications Power supply (ChipSHOUTER DC Input) ... 19V DC ±10%, 3.4A Power consumption (standby) ... 0.4W Typical Power consumption (armed) ..... 5W Typical Power consumption (charging/pulsing) .. 5W to 50W Typical Power supply (AC-DC adapter) ..100–240VAC, 50/60Hz, 1.5A Size (ChipSHOUTER main unit) ..

  • Page 18: I/O Characteristics

    ChipSHOUTER Users Manual: Specifications USA (FCC) ......47 CFR 15 subpart B. This product is considered and exempt device per clause 15.103. Operation is subject to the following two conditions: (1) this device may not cause harmful interference and (2) this device must accept any interference re- ceived, including interference...

  • Page 19: Pulse Source Characteristics

    Pulse Source Characteristics ChipSHOUTER Users Manual: Specifications Pulse generator source ....(1) Internal pulse generator, basic (2) Internal pulse generator, programmable pattern (3) External hardware trigger Characteristic Units Basic pulse generator Pulse width range Pulse width resolution Pulse width jitter pS std-dev Pulse dead-time (between repeats) 1000...

  • Page 20: Figure 2: 4Mm Tip Pulse Width

    ChipSHOUTER Users Manual: Specifications While the pulse generator characteristics show that a wide variety of pulses can be applied to the injection tip, the actual resulting pulse characteristics will depend con- siderably on the tip properties itself. It is not possible to achieve every injection result on every tip.

  • Page 21: Figure 3: 1Mm Tip Pulse Width

    ChipSHOUTER Users Manual: Specifications These figures were generated by using the external hardware trigger to sweep a range of input pulse widths over a range of set capacitor bank voltages. They represent typical (not guaranteed) characteristics, taken at 25C. The allowable range is between the minimum and maximum width values at a given voltage.

  • Page 22: External Connections

    External Connections ChipSHOUTER Users Manual: External Connections SMA High Voltage Output Figure 4: External connectors on the ChipSHOUTER. The SMA high voltage output is where injection tips are attached. The outer shell does not directly connect to chas- sis ground, so you MUST NOT attach the outer shell via a metal clamp or similar to any electrical conductor during operation.

  • Page 23: Attaching/Removing Sma Connectors

    ChipSHOUTER Users Manual: External Connections If the SMA saver becomes worn or damaged, remove the SMA saver and replace with a new one. These can be purchased from us, or you can use a high-quality SMA male to female Attaching/Removing SMA Connectors adapter such as Amphenol 132171.
  • Page 24 ChipSHOUTER Users Manual: External Connections The SMB trigger input can be configured in one of three modes: • Active-low pulse, high-impedance (approx. 2KΩ). • Active-high pulse, high-impedance (approx. 2KΩ). • Active-high pulse, 50Ω impedance (DEFAULT). A suitable pulse for this input can be generated by a laboratory pulse generator, a custom FPGA or other board, or the ChipWhisperer.

  • Page 25: Rj12 Expansion Connector

    ChipSHOUTER Users Manual: External Connections if you are using the 50Ω termination mode you can disable this to increase drive levels as a test. When using the hardware trigger, note there is currently no indication that a trigger event is occurring. That is, there is no message printed to serial port as when you press the front-panel button or use the API.

  • Page 26: Dc Power Jack

    Adapter cables are included for connecting to an oscilloscope, use only these matching NewAE cables for this purpose. The external portions of these two probes are iden- tical and can be plugged in to either socket.

  • Page 27: Pulse Generation

    Pulse Generation ChipSHOUTER Users Manual: Pulse Generation The ChipSHOUTER involves an advanced pulse trigger system. This can be used to build a pattern for injecting a fault into a target device, or working with existing laboratory equipment. This section describes some of the pulse genera- tion architecture to help you understand the capabilities of Generated Pulse vs.

  • Page 28: Basic Pulse Generator

    ChipSHOUTER Users Manual: Pulse Generation grammable trigger be sure to switch the external input to “active-high” mode. Note you may see small differences between active-high and active-low mode. The ChipSHOUTER remains an electronic device and is sensitive to the very high-power fields being generated.
  • Page 29 ChipSHOUTER Users Manual: Pulse Generation CAUTION: When writing a pattern, ensure you end with an inactive state. It is suggested to al- so start the pattern with an inactive state for symmetry. The programmable trigger still uses the repeat and dead- time parameters.

  • Page 30: Simple Emfi Target (Cw322)

    Simple EMFI Target (CW322) ChipSHOUTER Users Manual: Simple EMFI Target (CW322) Figure 6: CW322 Simple Target The CW322 (Simple Target) is an easy to use target with the ChipSHOUTER platform, and a good first introduction to EMFI. The board features an STM32F303K8T6 that is pre-programmed with very simple firmware, some of which is shown in Listing 1.
  • Page 31 ChipSHOUTER Users Manual: Simple EMFI Target (CW322) #define RUN_CNT 2000 #define OUTER_LOOP_CNT 300 #define INNER_LOOP_CNT 300 void glitch_loop(void) volatile uint32_t i, j; volatile uint32_t cnt; uint32_t blink_status = 1; uint32_t run_cnt = 0; uint32_t glitch_cnt = 0; for(run_cnt = 0; run_cnt < RUN_CNT; run_cnt++){ //run led on HAL_GPIO_WritePin(GPIOB, GPIO_PIN_4, blink_status);...
  • Page 32 ChipSHOUTER Users Manual: Simple EMFI Target (CW322) The STATUS, FAULT, and OPEN LEDs on the ChipSHOUTER should light up. 3. Screw one of the 4mm injection tips onto the High voltage output connector of the ChipSHOUTER, this should cause the FAULT and OPEN lights to go off. 4.

  • Page 33: Ballistic Gel Emfi Target (Cw522)

    Ballistic Gel EMFI Target (CW522) ChipSHOUTER Users Manual: Ballistic Gel EMFI Target (CW522) Figure 7: CW522 Ballistic Gel The CW522 (Ballistic Gel Target) is an SRAM board with a mi- crocontroller for control and connectivity. The target is called the Ballistic Gel because it records an imprint of the magnetic field injected into it, like a ballistic gel block leaves an imprint of a projectile.
  • Page 34 ChipSHOUTER Users Manual: Ballistic Gel EMFI Target (CW522) 3. Connect the ChipSHOUTER to your computer by first us- ing an RJ12 cable to connect the ChipSHOUTER to the USB interface board, and then connecting the interface board to your computer using a micro-USB cable. 4.
  • Page 35 ChipSHOUTER Users Manual: Ballistic Gel EMFI Target (CW522) 12. Press enter in the Ballistic Gel script terminal to read the injected fault pattern. 13. Change the pulse settings on the ChipSHOUTER using se- rial commands. set voltage 300 will set the capacitor bank voltage to 300V.

  • Page 36: Injection Tip Usage

    Injection Tip Usage ChipSHOUTER Users Manual: Injection Tip Usage There are four injection tips included with the ChipSHOUTER. Two 4mm tips and two 1mm tips, each with both “clockwise” (CW) and “counter-clockwise” (CCW) versions. The size of the tips refers to the diameter of the ferrite core inside the coil, and the CW/CCW refers to the wrap direction of the wire around the ferrite core.

  • Page 37: Figure 9: Detail Of Included Probes

    ChipSHOUTER Users Manual: Injection Tip Usage An example of the four included tips is shown as a photo taken from the probe ends in Figure 9. Note the CW/CCW wrap direction is based on looking into this probe tip. Knowing the outer conductor is the lower voltage, and using the right-hand rule, you can infer that the CCW tip results in a magnetic field coming out of the tip, and CW results in a...

  • Page 38: Avoiding Spark Discharge

    ChipSHOUTER Users Manual: Injection Tip Usage The tip size will affect your actual pulse inserted, it is always suggested to use the pulse shape monitoring output to better understand the injected pulse. You can see addi- tional documentation and examples of the pulse shapes from Avoiding Spark Discharge the app-notes on our website.

  • Page 39: Oscilloscope Pulse Shape Monitoring

    Oscilloscope Pulse Shape Monitoring ChipSHOUTER Users Manual: Oscilloscope Pulse Shape Monitoring To monitor the injected pulse, two oscilloscope adapter probes are included. These adapters are based on standard oscilloscope probes, but with the business end of the probe built into the ChipSHOUTER itself. Figure 10: Inserted pulse viewed on oscilloscope screen.
  • Page 40 25V. Due to ringing at the tip voltages may exceed 500V, so a ±30V rating is recommended. NewAE Technology Inc. cannot ac- cept any liability for damage to your oscilloscope or other connected equipment, and you use this monitor at your own risk.

  • Page 41: Adjusting For Oscilloscope Setting

    ChipSHOUTER Users Manual: Oscilloscope Pulse Shape Adjusting for Oscilloscope Setting Monitoring You will need to adjust the probe for your specific oscillo- scope. This can be done by adjusting the small compensation trimmer that is located on the BNC body (see Figure 11). Figure 11: Tuning oscilloscope probe.

  • Page 42: Figure 10: Example Calibration Waveform

    ChipSHOUTER Users Manual: Oscilloscope Pulse Shape Monitoring low number of samples (8 works well). While pulsing the ChipSHOUTER adjust the small trimmer in the probe body until the maximum pulse amplitude reads 350 volts. Your probe is now calibrated. The measured voltage is not 400V as the os- cilloscope measures the voltage at the probe output, and there is some drop across the internal protection resistors.

  • Page 43: Forced-Air Cooling

    Forced-Air Cooling ChipSHOUTER Users Manual: Forced-Air Cooling During regular operation, the ChipSHOUTER will heat up if using continuous discharge. When internal temperatures reach a set point, the device will go into a thermal shut-down and wait for natural cooling to take the device into safe oper- ating range.

  • Page 44: Figure 11: Removing Blanking Plug

    ChipSHOUTER Users Manual: Forced-Air Cooling Figure 13: Removing blanking plug. The blanking plug is a M8x1.25 x 16mm set screw, and if the blanking plug is lost a M8x1.25 bolt can be used until the proper replacement is procured. The air inlet must never be left open.
  • Page 45 ChipSHOUTER Users Manual: Forced-Air Cooling When a hose is not connected, connect either a blanking port to the hose connection OR remove the hose adapter and replace with the blanking port screw. Failure to do so leaves high voltage exposed through the cooling hole, and you must never operate the device without the blanking plug or hose present.

  • Page 46: Fault Modes

    Fault Modes ChipSHOUTER Users Manual: Fault Modes ChipSHOUTER faults indicate unexpected operat- ing conditions. If faults occur, carefully read and understand this section of the user manual to take the proper corrective action. If it is not clear what fault has occurred, please discontinue use of the device and contact us immediately.

  • Page 47: Probe Disconnected Fault

    ChipSHOUTER Users Manual: Fault Modes Sensor Fault Temperature sensors not communicating, possibly trigger occurring too frequen- cy without arm ready check. Any active fault will prevent the ChipSHOUTER from arm- ing (prevents the high voltage charge from becoming active), and the fault condition must be fixed before you attempt to arm the device.

  • Page 48: Over-Temperature Fault

    ChipSHOUTER Users Manual: Fault Modes If the ChipSHOUTER is armed when a probe is removed, this immediately causes a latched fault. As the probe SHOULD NEVER be removed from the ChipSHOUTER when armed, this is a serious fault condition. When switching probe tips, note it is much quicker to disarm the ChipSHOUTER, switch tops, and re-arm it.

  • Page 49: Triggered When Disarmed

    ChipSHOUTER Users Manual: Fault Modes ing times the trigger is known to be inactive. This command tells ChipSHOUTER that it can perform the required self- checks (including temperature checks), and will not be in- terrupted by the discharge event. See the API documentation (online) for more details of Triggered when Disarmed this, or the serial interface documentation on page 52.

  • Page 50: Internal Faults

    ChipSHOUTER Users Manual: Fault Modes stead you must first disarm the ChipSHOUTER before turning Internal Faults off the trigger generation device. The device has a variety of internal faults. If these faults become persistent it indicates a likely hardware failure that requires repair of the ChipSHOUTER.

  • Page 51: Serial Interface

    Serial Interface ChipSHOUTER Users Manual: Serial Interface The ChipSHOUTER has a simple 3.3V TTL serial interface, which you can connect to at 115200 baud, 8N1. The serial in- terface presents a console that includes the current state of the device. This is useful to watch for the device enter- ing a fault state indicating device errors are occurring.

  • Page 52: Command List

    Command List ChipSHOUTER Users Manual: Serial Interface The commands available are listed below. A similar list can be generated at any time by sending the word help to the ChipSHOUTER interface. help Prints the help menu. get id Print board ID (required for firmware updates). get state Print arm of device (arm/disarmed/fault).
  • Page 53 ChipSHOUTER Users Manual: Serial Interface Example: # disarmed: set pulse width 120 # pulse width 120ns ...[pulse width (nS)] # pulse width 80ns(measured) ..[pulse width (nS)] # disarmed: s p w 200 # pulse width 200ns ...[pulse width (nS)] # pulse width 160ns(measured) .[pulse width (nS)] # armed: g p w...
  • Page 54 ChipSHOUTER Users Manual: Serial Interface [get / set] hwtrig_term [1/0] [g / s] hwt Configure hardware trigger (SMB connector) as high impedance [0] or 50Ω [1]. The 50Ω impedance option puts a 50Ω resistor to ground. If you are not us- ing the hardware trigger it is suggested to set this ON, as it will reduce potential noise on the hardware trigger causing glitches.
  • Page 55 ChipSHOUTER Users Manual: Serial Interface get fault_active g fa Print any active faults, for example the current state of the probe open detection. get fault_latch g fl Print any latched faults, which may not be cur- rently active occurred once must cleared manually.
  • Page 56 ChipSHOUTER Users Manual: Serial Interface get temperature <sensor> g temp <s> Print temperature reading from one of the sensors. Sensors are mosfet, xformer, and diode with asso- ciated shorthand versions m, x, and d. get triggersafe g ts Print confirmation that device is ready to be triggered.
  • Page 57 ChipSHOUTER Users Manual: Serial Interface [get / set] pat_wave [011100…0] [g / s] w Configure pulse pattern, takes binary string as input. There is a maximum length of 67 characters due to internal buffers, you can extend the wave further using the pat_append command. If using long pattern triggers the API allows easier down- loading of complex waveforms.
  • Page 58 ChipSHOUTER Users Manual: Serial Interface Arms device (charges high voltage capacitor bank). If no trigger occurs the device will automatically disarm after arm_timeout seconds. If arming fails, the device may have an active fault. Check active and latched faults with the get fault command.

  • Page 59: Usb Interface

    USB Interface ChipSHOUTER Users Manual: Serial Interface Figure 15: USB Interface for ChipSHOUTER The provided USB to serial interface provides a simple meth- od of using the ChipSHOUTER, the USB interface is shown in Figure 15. This USB interface features: 1.
  • Page 60 ChipSHOUTER Users Manual: Serial Interface vide the power for the isolator to translate this sig- nal, even if only using the jumper. The USB interface uses a FTDI FT230X chip. To ensure maximum cross-platform compatibility, the default FTDI VID/PID has been maintained.

  • Page 61: Python Api Interface

    Python API Interface ChipSHOUTER Users Manual: Python API Interface The ChipSHOUTER can be manipulated via python which allows the device to be incorporated into more complex test setups. By writing custom python scripts the ChipSHOUTER can be used in conjunction with the chipwhisperer platform, oscillo- scopes, and anything else that can be hooked into python.

  • Page 62: Xy(Z) Table Connection

    It is also recommended to include positioning ability, to more precisely adjust the location of the Chip- SHOUTER on the chip surface. NewAE Technology Inc provides the ChipShover™ which has included mounting brackets and easy integration with the ChipSHOUTER environment. NewAE Technology Inc also provides a manual XY table, which can be later upgraded to the elec- tronic version.

  • Page 63: Troubleshooting

    Troubleshooting ChipSHOUTER Users Manual: Troubleshooting Symptom Possible Cause Solution Arming fails. • Active fault condi- • Check faults via serial tion. port or API. • Check temperature of unit. • Check for toggling sig- nal on external inputs. Device resets during •...
  • Page 64 ChipSHOUTER Users Manual: Troubleshooting Symptom Possible Cause Solution Charge fault occurs. • Power supply is in- • Use different outlet. sufficient. • Replace 19V AC-DC power supply. Device does not boot • Internal FLASH cor- • Perform firmware up- (check serial output). ruption.
  • Page 65 Serial Command Short Form help get id get state [get / set] voltage [150..500] [g / s] v [get / set] pulse width [80..1000] [g / s] p w [get / set] pulse repeat [1..10000] [g / s] p r [get / set] pulse deadtime [1..1000] [g / s] p d [get / set] arm_timeout [0…60]...
  • Page 66 -New York Times -Washington Post About the Author Luna is QA Manager for NewAE Technology Inc. When not performing important electro-static discharge testing duties she enjoys chasing squirrels and upcycling found organic material into new perfume lines. In her spare time she leads an initiative to reduce food waste in her local community.

Table of Contents