Faultapp1 python errors

Side note:
I’m running through the fault1 app. I cannot use the the CWNANO, as I cannot get a good hardware test run on them. I have tried 3 different Nanos. That is in thread [Problem with CWNANO course SCA-101 - #2 by osok].

So I’m using my CWLite. I only call this out because maybe it has an impact on some of the default settings. I’m not aware that that is leading to the cause of my problems, it’s just a thought.

I have multiple LPC1114 boards.
I have one that is fully modified as show in the instructions, either on this workbook and in the Hardware Hacking Book.
I have a few others that are not modified

Using 1 that is not modified, I can run everything in step 3. I do get an error in the third block of step three.

scope.glitch.width = 40
scope.io.tio1 = "serial_rx"
scope.io.tio2 = "serial_tx"
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 100000000 * freq_multiplier
scope.glitch.clk_src = "clkgen"
scope.glitch.trigger_src = "ext_single"
scope.glitch.output = "enable_only"

target.baud = 38400
#target.key_cmd = ""
#target.go_cmd = ""
#target.output_cmd = ""

I had to comment out the three commands at the end because I was getting an error if I didn’t.

---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-45-a94bd34db73a> in <module>
      9 
     10 target.baud = 38400
---> 11 target.key_cmd = ""
     12 #target.go_cmd = ""
     13 #target.output_cmd = ""

~/work/projects/chipwhisperer/software/chipwhisperer/common/utils/util.py in __setattr__(self, name, value)
    350     def __setattr__(self, name, value):
    351         if hasattr(self, '_new_attributes_disabled') and self._new_attributes_disabled and not hasattr(self, name):  # would this create a new attribute?
--> 352             raise AttributeError("Attempt to set unknown attribute in %s"%self.__class__, name)
    353         super(DisableNewAttr, self).__setattr__(name, value)
    354 

AttributeError: ("Attempt to set unknown attribute in <class 'chipwhisperer.capture.targets.SimpleSerial.SimpleSerial'>", 'key_cmd')

The fourth block runs ok.

The fifth block, the one that tests communication using nxpprog.

• That worked with the non modified LPC1114 dev board,
• but didn’t work with the Modified board.

Step 4

block two

%matplotlib notebook
import matplotlib.pylab as plt
import numpy as np

nxpdev = CWDevice(scope, target)

trace_1s = capture_crp(nxpdev, 0xffffffff)
trace_0s = capture_crp(nxpdev, 0)

plt.plot(trace_1s - trace_0s)

I got the following errors

---------------------------------------------------------------------------
OSError                                   Traceback (most recent call last)
<ipython-input-47-75eb550200cc> in <module>
      5 nxpdev = CWDevice(scope, target)
      6 
----> 7 trace_1s = capture_crp(nxpdev, 0xffffffff)
      8 trace_0s = capture_crp(nxpdev, 0)
      9 

<ipython-input-46-7f86f2b960e4> in capture_crp(nxpdev, value, num_tries, bypass_oserror)
     34     """    
     35     nxpdev.isp_mode()
---> 36     nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)
     37     try:
     38         set_crp(nxpp, value)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
--> 522         self.connection_init(osc_freq)
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in connection_init(self, osc_freq)
    530 
    531     def connection_init(self, osc_freq):
--> 532         self.sync(osc_freq)
    533 
    534         if self.cpu == "autodetect":

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in sync(self, osc)
    627         s = self.dev_readline()
    628         if not s:
--> 629             panic("Sync timeout")
    630         if s != self.sync_str:
    631             panic("No sync string")

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in panic(str)
    394 
    395 def panic(str):
--> 396     raise IOError(str)
    397 
    398 

OSError: Sync timeout

I get the following error when running the next block

`---------------------------------------------------------------------------
OSError                                   Traceback (most recent call last)
<ipython-input-43-9b1bd305865f> in <module>
      5 nxpdev = CWDevice(scope, target)
      6 
----> 7 trace_unlocked = capture_crp(nxpdev, 0x87654321) #Wrong order - unlocked

<ipython-input-39-7f86f2b960e4> in capture_crp(nxpdev, value, num_tries, bypass_oserror)
     34     """    
     35     nxpdev.isp_mode()
---> 36     nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)
     37     try:
     38         set_crp(nxpp, value)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
--> 522         self.connection_init(osc_freq)
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in connection_init(self, osc_freq)
    530 
    531     def connection_init(self, osc_freq):
--> 532         self.sync(osc_freq)
    533 
    534         if self.cpu == "autodetect":

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in sync(self, osc)
    627         s = self.dev_readline()
    628         if not s:
--> 629             panic("Sync timeout")
    630         if s != self.sync_str:
    631             panic("No sync string")

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in panic(str)
    394 
    395 def panic(str):
--> 396     raise IOError(str)
    397 
    398 

OSError: Sync timeout

I both of those I see

 ~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
**--> 522         self.connection_init(osc_freq)**
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

The osc_frequency is set here

nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)

Hi,

My guess is that you’re running into some sort of hardware issue stemming from the modifications. I’d suggest checking the power pins of the modified board to start with.

Alex

power pins show 3.3 volts. I’m checking the at the header pin I soldered in. I double checked all the modifications. If it is that, then I’ll have to wait until I get more boards in to modify one of them.

I still cannot communicate with the modified board, but I can communicate with a non modified board.

I hooked the modified board up to a pemicro SWD interface and tried to connect, it will not connect so maybe one of the write commands actually locked it.

If that is the case then I should be able move on: Hoever when I run

%matplotlib notebook
import matplotlib.pylab as plt
import numpy as np

nxpdev = CWDevice(scope, target)

trace_1s = capture_crp(nxpdev, 0xffffffff)
trace_0s = capture_crp(nxpdev, 0)

plt.plot(trace_1s - trace_0s)

I get

---------------------------------------------------------------------------
OSError                                   Traceback (most recent call last)
<ipython-input-30-75eb550200cc> in <module>
      5 nxpdev = CWDevice(scope, target)
      6 
----> 7 trace_1s = capture_crp(nxpdev, 0xffffffff)
      8 trace_0s = capture_crp(nxpdev, 0)
      9 

<ipython-input-29-7f86f2b960e4> in capture_crp(nxpdev, value, num_tries, bypass_oserror)
     34     """    
     35     nxpdev.isp_mode()
---> 36     nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)
     37     try:
     38         set_crp(nxpp, value)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
--> 522         self.connection_init(osc_freq)
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in connection_init(self, osc_freq)
    530 
    531     def connection_init(self, osc_freq):
**--> 532         self.sync(osc_freq)**
    533 
    534         if self.cpu == "autodetect":

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in sync(self, osc)
    627         s = self.dev_readline()
    628         if not s:
--> 629             panic("Sync timeout")
    630         if s != self.sync_str:
    631             panic("No sync string")

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in panic(str)
    394 
    395 def panic(str):
--> 396     raise IOError(str)
    397 
    398 

OSError: Sync timeout

again the issue is

--> 532         self.sync(osc_freq)

If it’s already locked, then you should skip that step and move to Glitching Fuse Bytes. That part writes 1’s and 0’s to the CRP bytes to try to figure out when in time the read of the CRP bytes occurs, but you won’t be able to write to that area if the device is already locked.

Alex

I should be able to run this, right?

%matplotlib notebook
import matplotlib.pylab as plt
import numpy as np

nxpdev = CWDevice(scope, target)

trace_1s = capture_crp(nxpdev, 0xffffffff)
trace_0s = capture_crp(nxpdev, 0)

plt.plot(trace_1s - trace_0s)

but I get this error

OSError                                   Traceback (most recent call last)
<ipython-input-30-75eb550200cc> in <module>
      5 nxpdev = CWDevice(scope, target)
      6 
----> 7 trace_1s = capture_crp(nxpdev, 0xffffffff)
      8 trace_0s = capture_crp(nxpdev, 0)
      9 

<ipython-input-29-7f86f2b960e4> in capture_crp(nxpdev, value, num_tries, bypass_oserror)
     34     """    
     35     nxpdev.isp_mode()
---> 36     nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)
     37     try:
     38         set_crp(nxpp, value)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
--> 522         self.connection_init(osc_freq)
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in connection_init(self, osc_freq)
    530 
    531     def connection_init(self, osc_freq):
--> 532         self.sync(osc_freq)
    533 
    534         if self.cpu == "autodetect":

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in sync(self, osc)
    627         s = self.dev_readline()
    628         if not s:
--> 629             panic("Sync timeout")
    630         if s != self.sync_str:
    631             panic("No sync string")

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in panic(str)
    394 
    395 def panic(str):
--> 396     raise IOError(str)
    397 
    398 

OSError: Sync timeout

No, that’s the part where you write different values to the CRP bytes and check the result in the power trace. If it’s locked, it’s impossible to do that until you unlock the device via a glitch. The next code you can run is:

nxpdev = CWDevice(scope, target, print_debug=True)

#Need to enter ISP mode before initializing programmer object
nxpdev.isp_mode()
nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)

#Examples of stuff you can do:
print(nxpp.get_serial_number())
print(nxpp.read_block(0, 4))

Alex

That code failed. Presumably because it is locked.

OSError                                   Traceback (most recent call last)
<ipython-input-39-42e9b413cde3> in <module>
      3 #Need to enter ISP mode before initializing programmer object
      4 nxpdev.isp_mode()
----> 5 nxpp = nxpprog.NXP_Programmer("lpc1114", nxpdev, 12000)
      6 
      7 #Examples of stuff you can do:

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in __init__(self, cpu, device, osc_freq, verify)
    520         self.cpu = cpu
    521 
--> 522         self.connection_init(osc_freq)
    523 
    524         self.banks = self.get_cpu_parm("flash_bank_addr", 0)

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in connection_init(self, osc_freq)
    530 
    531     def connection_init(self, osc_freq):
--> 532         self.sync(osc_freq)
    533 
    534         if self.cpu == "autodetect":

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in sync(self, osc)
    627         s = self.dev_readline()
    628         if not s:
--> 629             panic("Sync timeout")
    630         if s != self.sync_str:
    631             panic("No sync string")

~/work/projects/chipwhisperer/jupyter/courses/faultapp1/external/nxpprog.py in panic(str)
    394 
    395 def panic(str):
--> 396     raise IOError(str)
    397 
    398 

OSError: Sync timeout

I hooked an OScope probe A to GND/Reset and probe B across the 12 Ohm (10 Ohm in my case) resistor that was soldered at the trace I cut.

When I run the Glitch code, I see the reset but I never see anything happing in probe B.

I also never get SUCCESS.

I expanded the range from 5100 to 5300 and let it run over night. Nothing.

Hm, no I don’t think you’re getting that error because your device is locked. That synchronization step should complete regardless of the lock status, with the CRP lock instead causing an error when you try to do anything once the bootloader is up.

Can you try probing the serial lines to see if communication looks okay?

Alex

I ran it on the board that I think is locked, and I got this Blue is on pin 3 of UETX (TX) and red is pin 4 of UETX (RX)

image896×445 23 KB

I then switched to a dev board that is not locked (verified with pemicro)

image901×460 23.5 KB

the output is

Write: ?
Read: Synchronized
Write: b'Synchronized\r\n'
Read: Synchronized
Read: OK
Write: b'12000\r\n'
Read: 12000
Read: OK
Write: b'A 0\r\n'
Read: A 0
Read: 0
Write: b'U 23130\r\n'
Read: 0
Reading Serial number...
Write: b'N\r\n'
Read: 0
Read: 218415169
Read: 2935817382
Read: 1480767819
Read: 4110424384
218415169 2935817382 1480767819 4110424384
Reading bytes
Write: b'R 0 4\r\n'
Read: 0
Read: $``@`$!`0
Read: 24
Write: b'OK\r\n'


I haven’t run through this lab in a while so I could be wrong, but I believe that, even when locked, you should be seeing some stuff on the RX line. I’m pretty sure that in CRP3 you can still get into the bootloader, but every command returns an error code of 19.

The LPC also has a NO_ISP lock mode which disables the bootloader, but leaves JTAG/SWD unlocked. You might be in that mode. Do you have a debugger you could try?

Alex

CRP3 turns everything off

image920×162 8.56 KB

Ok, I found that while the 10 ohm resistor (12 Ohms is suggested) was connected properly at the onset, it looks like it wiggled its way out. I re soldered it. Now I’m getting something from the dev board. Serial port is working. So while I cannot use the swd port I can use the serial bootloader as you suggested. That said this card is not locked. So let me run the code to lock it and try glitching again.

I was getting [FAILED], now I"m getting [NORMAL]. That is a move in the right direction, I suppose.

Glitch offset 5182, width 39........[NORMAL]
Glitch offset 5183, width 39........[NORMAL]
Glitch offset 5184, width 39........[NORMAL]
Glitch offset 5180, width 7........[NORMAL]
Glitch offset 5181, width 7........[NORMAL]
Glitch offset 5182, width 7........[NORMAL]
Glitch offset 5183, width 7........[NORMAL]

So should I expand the range? I’m using a ChipWhisperer Lite instead of the Nano.

Here is the scope of the run

Red is the Reset and Blue is across the resistor I added.

image1003×614 22 KB

I’m definitely not getting a glitch. I tested all the lines. Ground is connected to ground and the center pin of the SMA connector is connected to the pad where I removed both caps as shown in the picture.

If I temporally short V+ to Gnd then I see the dip in the blue as expected with a glitch.

I DO NOT understand why this is so flaky.

I switched from CWLITE to CWNANO. This lab was setup to run from a NANO, so I’m not sure why I get these errors. Step one works, but step 2

first with

# Original attack done with 100 MHz clock - can be helpful to run this
# 2x faster to get better resolution, which seems useful for glitching certain boards.
# But if you want to use DPA you need to leave this set to '1'
freq_multiplier = 1

#Initial Setup
#scope.adc.samples = 10000   #CWNANO
scope.adc.samples = 10000    #CWLITE
scope.adc.offset = 0
scope.clock.adc_src = "clkgen_x1"
scope.trigger.triggers = "tio4"
scope.io.glitch_lp = True
scope.io.hs2 = None

I get

---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-7-6366e168f088> in <module>
      8 scope.adc.samples = 10000    #CWLITE
      9 scope.adc.offset = 0
---> 10 scope.clock.adc_src = "clkgen_x1"
     11 scope.trigger.triggers = "tio4"
     12 scope.io.glitch_lp = True

AttributeError: 'CWNano' object has no attribute 'clock'

Then with

freq_multiplier = 1

#Initial Setup
#scope.adc.samples = 10000   #CWNANO
scope.adc.samples = 10000    #CWLITE
scope.adc.offset = 0
#scope.clock.adc_src = "clkgen_x1"
scope.trigger.triggers = "tio4"
scope.io.glitch_lp = True
scope.io.hs2 = None

Notice I commented out the clock.

I get

---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-8-7d9f182548f3> in <module>
      9 scope.adc.offset = 0
     10 #scope.clock.adc_src = "clkgen_x1"
---> 11 scope.trigger.triggers = "tio4"
     12 scope.io.glitch_lp = True
     13 scope.io.hs2 = None

AttributeError: 'CWNano' object has no attribute 'trigger'

Then with

freq_multiplier = 1

#Initial Setup
#scope.adc.samples = 10000   #CWNANO
scope.adc.samples = 10000    #CWLITE
scope.adc.offset = 0
#scope.clock.adc_src = "clkgen_x1"
#scope.trigger.triggers = "tio4"
scope.io.glitch_lp = True
scope.io.hs2 = None

Last time I got an error about the last two lines. This time it worked.

Then in step 3

scope.glitch.width = 40
scope.io.tio1 = "serial_rx"
scope.io.tio2 = "serial_tx"
scope.adc.basic_mode = "rising_edge"
scope.clock.clkgen_freq = 100000000 * freq_multiplier
scope.glitch.clk_src = "clkgen"
scope.glitch.trigger_src = "ext_single"
scope.glitch.output = "enable_only"

target.baud = 38400
#target.key_cmd = ""
#target.go_cmd = ""
#target.output_cmd = ""

I get

ERROR:ChipWhisperer Other:Setting unknown attribute width in <class 'chipwhisperer.capture.scopes.cwnano.GlitchSettings'>
ERROR:ChipWhisperer Other:Setting unknown attribute basic_mode in <class 'chipwhisperer.capture.scopes.cwnano.ADCSettings'>
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-11-c94a385bf6ec> in <module>
      3 scope.io.tio2 = "serial_tx"
      4 scope.adc.basic_mode = "rising_edge"
----> 5 scope.clock.clkgen_freq = 100000000 * freq_multiplier
      6 scope.glitch.clk_src = "clkgen"
      7 scope.glitch.trigger_src = "ext_single"

AttributeError: 'CWNano' object has no attribute 'clock'

it only works if If I use this

scope.glitch.width = 40
scope.io.tio1 = "serial_rx"
scope.io.tio2 = "serial_tx"
scope.adc.basic_mode = "rising_edge"
#scope.clock.clkgen_freq = 100000000 * freq_multiplier
#scope.glitch.clk_src = "clkgen"
#scope.glitch.trigger_src = "ext_single"
#scope.glitch.output = "enable_only"

target.baud = 38400
#target.key_cmd = ""
#target.go_cmd = ""
#target.output_cmd = ""

Still no glitch.

That’s because this lab doesn’t support the Nano - you need to use a CW-Lite or a CW-Pro. The glitch itself is quite precise, so I’d recommend going back to the first block and changing freq_multiplier to 2, which will increase the resolution of the glitch width/offset steps.

Alex

OK, I got the notion that it was designed for the NANO from the book. Chapter 6 explains that you can use a Nano and on page 196, it shows a NANO.

I’m fine with just using the CWLITE.

On that note.

I was getting [NORMAL] at the end of the attempts. Each attempt was like 500ms apart, now they are ~8 Seconds apart and I’m seeing [FAILED].

The LPC1114 is mounted and has not moved. The only thing that has changed it I’ve tried different cards.

After resetting and setting the multiplier to equal 2 I re ran this and now I’m getting [NORMAL] again. Still no glitch. According to the book on page 204 I should be able to see it measuring across the 12 Ohm Resistor.

Well I started over again and now all I see is [Failed]. I reset again same. I’ll reboot my computer. This is absolutely frustrating.

So I rebooted my computer and the [Failed] change back to [NORMAL]. I happened to see a small dip in the reading across the resistor, then it started to fail again. I have to reboot my computer again so I can do more testing.

I also happened to notice a solid red led next to the USB port. I’m not sure what that means, but I think it is relevant.

Now that I said that, it isn’t working at all.

I rebooted the VM twice , unplugged and plugged in after logging into the VM and I cannot connect to the CWLITE.

third time was the charm, but I still ONLY get [FAILED].

Since this is associated with the nxpprog connection I can only assume it has to do with the serial connection.

this time I don’t have the red LED.