# Connecting to Hardware

**SUMMARY**: *In this lab, you'll learn how to setup and connect to your ChipWhisperer hardware. We'll also cover how to build firmware for your target microcontroller, how to capture power traces, and how to communicate with target devices.*

*All the API calls we'll be using here are documented on the [ChipWhisperer readthedocs page](https://chipwhisperer.readthedocs.io/en/latest/api.html), so feel free to open it in another tab and follow along there as well.*

**Goals:**
* Setting up your ChipWhisperer Hardware
* Using the ChipWhisperer Python API to connect to your hardware
* Communication with the target
* Capturing a power trace

#### Prerequisites
- [x] *START_HERE* notebook
- [x] *0_A - Introduction to Jupyter Notebooks* notebook
- [x] *chipWhisperer updating* notebook
- [x] *0_B - ChipWhisperer Setup Test* notebook

## Physical Setup
The Chipwhisperer device we will use in the KUL-UH tutorials is the Chipwhisperer lite board with an attached target (XMEGA 8-bit microcontroller). Plugged in, the device looks like the image below. The pcb consists of two parts: the chipwhisperer board and the target board. The target board is wired up to the CW-board through the pcb. (If you would want to do so, you can seperate the boards via the perforated line. That way you can connect the chipwhisperer to your own target).

#### The Chipwhisperer board
The Chipwhisperer part of the pcb board contains the micro-usb port. The usb port is used to flash firmware onto the target, send input to thet target and to configure the Chipwhisperer. In the following tutorials we will primarily use the chipwhisperer to measure the power consumption of the target while it is performing some kind of encryption.
<img src="src/images/cwlite_plugged.jpg" alt="CW-Lite XMEGA vs Arm Board" width=300>

#### The target (XMEGA 8-bit)
The target device is just a microcontroller that is connected to the Chipwhisperer. In the following notebooks we will flash firmware onto the microcontroller. We basically program the target to accept some input text and a crypto key and perform the programmed encryption.

#### CW-Lite single board: XMEGA vs ARM
There are two CW-Lite single boards that look very similar. To make sure you have the right one, take a good look at the image below. Note the only difference is in the target section on the right.

<img src="src/images/cwlitearm_vs_cwlitexmega.jpg" alt="CW-Lite XMEGA vs Arm Board" width=500>

## Connecting to ChipWhisperer

Now that your hardware is all setup, we can now learn how to connect to it. Firtly we need the correct parameter values for our board.

In [None]:
SCOPETYPE = 'OPENADC'
PLATFORM = 'CWLITEXMEGA'

We can then connect to the ChipWhisperer with:

In [None]:
import chipwhisperer as cw
scope = cw.scope()

By default, ChipWhisperer will try to autodetect the type of device your're running (CWLite/CW1200 or CWNano), see API documentation for manually specifying the scope type.

Connecting to the target device is simple as well:

In [None]:
target = cw.target(scope, cw.targets.SimpleSerial) #cw.targets.SimpleSerial can be omitted

We'll only be using the default target type, which is SimpleSerial. 

Some sane default settings can be set using:

In [None]:
scope.default_setup()

which from its [documentation](https://chipwhisperer.readthedocs.io/en/latest/api.html#chipwhisperer.capture.scopes.OpenADC.OpenADC.default_setup) you can see does the following for the CWLite:

* Sets the scope gain to 45dB
* Sets the scope to capture 5000 samples
* Sets the scope offset to 0 (aka it will begin capturing as soon as it is triggered)
* Sets the scope trigger to rising edge
* Outputs a 7.37MHz clock to the target on HS2
* Clocks the scope ADC at 4\*7.37MHz. Note that this is *synchronous* to the target clock on HS2
* Assigns GPIO1 as serial RX
* Assigns GPIO2 as serial TX

And that's it! Your ChipWhisperer is now setup and ready to attack a target. 

**NOTE: You'll need to disconnect the scope/target before connecting again, like you would in another notebook. This can be done with `scope.dis()` and `target.dis()`**

## Building and Uploading Firmware

The next step in attacking a target is to get some firmware built and uploaded onto the target. Most firmware for ChipWhisperer targets can be built using the Neweatech build system, provided you have the correct compiler installed (see https://chipwhisperer.readthedocs.io/en/latest/prerequisites.html#prerequisites for info about compilers).

Firmware must be built on the command line. Luckily, thanks to Jupyter, we can run a command within a notebook as follows:
(You might get an error `warning: "CRC" redefined` but you can ignore that)

In [None]:
%%bash
cd ../../chipwhisperer/hardware/victims/firmware/simpleserial-base/
make PLATFORM=CWLITEXMEGA CRYPTO_TARGET=NONE

Now that we have compiled the correct firmware, we need to program the built file onto the XMEGA microcontroller. The ChipWhisperer has built in support for programming our XMEGA. Use the following code block to upload the correct firmware to the target:


In [None]:
#cw.program_target(scope, cw.programmers.XMEGAProgrammer, "path/to/firmware.hex")
cw.program_target(scope, cw.programmers.XMEGAProgrammer, "../../chipwhisperer/hardware/victims/firmware/simpleserial-base/simpleserial-base-CWLITEXMEGA.hex")

Congratulations, you just uploaded the `simpleserial-base` firmware onto your target. That piece of firmware lets us communicatie with the target device. The next section will show you how to do this.

## Communication with the Target

Communication with targets, which is done through the `SimpleSerial target`object we got earlier:
```python
    target = cw.target(scope, cw.targets.SimpleSerial)
```

We can use two types of serial protocols to communicate: 
1. Raw serial via `target.read()`, `target.write()`, `target.flush()`, etc. 

1. SimpleSerial commands via `target.simpleserial_read()`, `target.simpleserial_write()`, `target.simpleserial_wait_ack()`, etc.

The firmware we uploaded uses the simpleserial protocol (https://wiki.newae.com/SimpleSerial), so we'll start off with simpleserial. Later, we'll use the raw serial commands to send the same message.

#### SimpleSerial

If you check the simpleserial-base firmware [(`simpleserial-base.c`)](../../chipwhisperer/hardware/victims/firmware/simpleserial-base/simpleserial-base.c) you'll find that for the simpleserial `'p'` command, the target will echo back the command. Let's try that out now:

In [None]:
msg = bytearray([0]*16) #simpleserial uses bytearrays
print("Our send msg looks like this: "+ str(msg))
target.simpleserial_write('p', msg)

Let's check if we got a response:

In [None]:
received_msg = target.simpleserial_read('r', 16)
print("Our received msg looks like this: "+ str(received_msg))

It also has a `'k'` command. Try sending that now using the same `msg` as before:

In [None]:
target.simpleserial_write('k', msg)

That command doesn't return anything to us, so we can't use the `target.simpleserial_read` command. But it should acknowledge and give us an error return. We can get that error message using `target.simpleserial_wait_ack()`. If the target acknowleged without an error occuring the return value of that function should be 0. We can check this with the following code:

In [None]:
#print(target.simpleserial_read('r', 16))
print(target.simpleserial_wait_ack()) #should return 0

#### Raw Serial
Simpleserial messages are just converted into a specific form and then send using the Raw Serial protocol. Generally simpleserial messages take the form:

```python
command_character + ascii_encoded_bytes + '\n'
# e.g. "p00000000000000000000000000000000\n"
```

For our first command, `command_character='p'` and `ascii_encoded_bytes="00"*16` (keep in mind this isn't a binary `0x00`, it's ASCII `"00"`, which has a binary value of `0x3030`). Try resending the `'p'` command from earlier using `target.write()`:

In [None]:
target.write('p' + "00"*16 + '\n') # Raw serial write command

A raw `target.read()` will return all the characters that have been sent back from the target so far (so you might have to run the second block a few times to get the full message). Let's see what the device returned to us:

In [None]:
recv_msg = ""

In [None]:
recv_msg += target.read() #you might have to run this block a few times to get the full message
print(recv_msg)

You should get the following response:
```python
    r00000000000000000000000000000000
    z00
```
The part after `r` is the received message from the target and `z00` shows that the full message was received.
The simpleserial commands are usually sufficient for talking to the simpleserial firmware. In the KUL-UH tutorials we will only use the simpleserial commands since they are easier to use.

## Capturing Traces (Power consumptiom measurements) from the target

Now that the target is programmed and we know how to communicate with it, let's start recording some power traces! The following steps show you how to capture traces:

1. Arm the ChipWhisperer with `scope.arm()`. It will begin capturing as soon as it is triggered (which in our case is a rising edge on `gpio4`.(In a later tutorial we will change this triggering)
1. `scope.capture()` will read back the captured power trace, blocking until either ChipWhisperer is done recording, or the scope times out. **Note that the error return will tell you whether or not the scope timed out.** It does not return the captured scope data.
1. You can read back the captured power trace with `scope.get_last_trace()`. The object that this function returns is a list which contains one power measurement per index. You can view this as follows: The value of `scope.get_last_trace()[0]` is the power measurement at 'time' `t0`, The value of `scope.get_last_trace()[1]` is the power measurement at 'time' `t1`, ... Where the 'time' between each measurement is roughly the same.

**A trace is thus defined as a list of powermeasurements at certain time intervals**

Try capturing a trace now by sending a `simpleserial_base 'p'` command. That command triggers the Chipwhisperer:

In [None]:
scope.arm()
msg = bytearray([0]*16)
target.simpleserial_write('p', msg)
# Write your code here ...
### BEGIN SOLUTION
scope.capture()
trace = scope.get_last_trace()
print(trace)
### END SOLUTION

By plotting the list of powermeasurements we can also view a trace as the curve defined by all measurements. Run the code below to plot your captured trace:

In [None]:
%matplotlib notebook
import matplotlib.pylab as plt

plt.figure()
plt.plot(trace, 'r')
plt.show()

ChipWhisperer also has a `capture_trace()` convience function that:
```python
    cw.capture_trace(scope, target, msg).wave
```

1. Optionally sends the `'k'` command
1. Arms the scope
1. Sends the `'p'` command
1. Captures the trace
1. Reads the return `'r'` message
1. Returns a `Trace` class that groups the trace data, `'p'` message, the `'r'` message, and the `'k'` message
1. The trace class has an attribute called `wave` which holds the trace lists.

It isn't always the best option to use, but it's usually sufficient for most simpleserial applications
Rewrite the example of capturing traces from the `p` command and plotting the trace, using the `capture_trace()` function:

In [None]:
# Write your code here ...
###BEGIN SOLUTION###
msg = bytearray([0]*16)
trace = cw.capture_trace(scope, target, msg).wave
print(trace)

%matplotlib notebook
import matplotlib.pylab as plt

plt.figure()
plt.plot(trace, 'r')
plt.show()
###END SOLUTION###

### Final step
As a final step, we should disconnect from the hardware so it doesn't stay "in use" by this notebook.

In [None]:
scope.dis()
target.dis()

## Next step
Now that you know how to:
* build firmware for the target
* flash the firmware onto the target
* send commands to the target using Simpleserial
* capture powermeasurements with the chipwhisperer into a list

We can start learning about the assymetric cryptographic algorithm known as RSA. And of course try to crack the encryption using our new found skills.

**Next notebook click here: [1_A - Correlation between tasks being performed by the target and its power consumption.ipynb](./1_A%20-%20Correlation%20between%20tasks%20being%20performed%20by%20the%20target%20and%20its%20power%20consumption.ipynb)**


### Supplemental Reading
We've glossed over some stuff here, so consult the [API documentation](https://chipwhisperer.readthedocs.io/en/latest/api.html) 