## JTAG Tests: Glitch Sensitivity

This requires the following hardware setup:

* CW-Husky, SAM4S2AA Target, CW313 board
* 20-pin cable from front panel (UserIO) to "JTAG" header, OR use the mixer board (mixer board has series resistors on TDI/TDO which seemed to result in better high-frequency results)
* 20-pin cable from ChipWhisperer connector (side panel on CW) to target board
* No SMA cable connected
* No HS1/HS2 jumpers (clock won't be used from the target).
* Trigger jumper routing GPIO4 to trigger (default for CW313 / ChipWhisperer)

These tests were run with the jumper mounted on HDR1, which shorts out the shunt resistor. This reduces the shunt resistor signal (but does not eliminate it fully).

Decoupling capacitors C1 & C2 were mounted (100nF) on the ATSAM4S2A.

In [None]:
import numpy as np
import chipwhisperer as cw
import os

In [None]:
%run "functions.ipynb"

In [None]:
data_dir = "data_store"

In [None]:
def capture_ttest_jtag(N, splot=None, repeat=1, resync=True, xorinout=False):
    """Captures a T-Test (Modified for Logic Analyzer Block Instead)"""
    import numpy as np
    from tqdm.autonotebook import trange
    ktp = cw.ktp.TVLATTest()
    ktp.init(N)

    group1 = []
    group2 = []
    g1_i = 0
    g2_i = 0
    for i in trange(2*N, desc='Capturing traces'):
        key, text = ktp.next()  # TVLA T-Test changes PT between two options
        
        temp_wave = []
        for j in range(0, repeat):

            scope.LA.arm()

            trace = cw.capture_trace(scope, target, text, key)


            if trace is None:
                print("Serial Error - dropped trace")
                continue

            raw = scope.LA.read_capture_data()
            tck = scope.LA.extract(raw, 5)
            tdo = scope.LA.extract(raw, 3)
            tdi = scope.LA.extract(raw, 7)
            tms = scope.LA.extract(raw, 6)

            wave = tdo
            
            if xorinout:
                wave = wave ^ tdi
            #wave = trace.wave

            #Deal with phase offset issue
            if resync:
                if tdi[0] == 0:
                    wave = wave[0:-1]
                else:
                    wave = wave[1:]
                
            temp_wave.append(wave)
        
        wave = np.mean(temp_wave, axis=0)
            
        if i % 25 == 0:
            if splot:
                splot.update(wave) # wave is the name for the data for our power trace
            
     
        if trace.textin == bytearray([0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90]):
            group1.append(wave)
            g1_i += 1
        else:
            group2.append(wave)
            g2_i += 1

    group1 = np.array(group1)
    print(len(group1))
    group2 = np.array(group2)
    print(len(group2))
    
    return (group1, group2)

## ChipWhisperer Configuration (Shared)

In [None]:
# Set hardware settings
SCOPETYPE = 'OPENADC'
PLATFORM = 'CW308_SAM4S'
CRYPTO_TARGET='TINYAES128C' # 'TINYAES128C' or 'MBEDTLS'
SS_VER='SS_VER_2_1'

In [None]:
# Connect to ChipWhisperer
scope = cw.scope(bitstream = r"firmwares/cwhusky_top_latriggeredwithoffset.bit")
target = cw.target(scope, cw.targets.SimpleSerial2)

In [None]:
scope.default_setup()

In [None]:
def jtag_clkout(enabled):
    if enabled:
        data = 0x08
    else:
        data = 0x00

    CODE_READ = 0x80
    CODE_WRITE = 0xC0
    scope.userio.oa.sendMessage(CODE_WRITE, "USERIO_DEBUG_DRIVEN", [data])
    
    # Can use this to check write worked
    #scope.userio.oa.sendMessage(CODE_READ, "USERIO_DEBUG_DRIVEN")

def jtag_glitchout(enabled):
    if enabled:
        data = 0x10
    else:
        data = 0x00

    CODE_READ = 0x80
    CODE_WRITE = 0xC0
    scope.userio.oa.sendMessage(CODE_WRITE, "USERIO_DEBUG_DRIVEN", [data])
    
    # Can use this to check write worked
    #scope.userio.oa.sendMessage(CODE_READ, "USERIO_DEBUG_DRIVEN")
    

In [None]:
jtag_clkout(False)

## Build Firmware - 15 MHz Internal Clock

In [None]:
# program firmware onto target
prog = cw.programmers.SAM4SProgrammer
cw.program_target(scope, prog, "firmwares/fw-15mhz.hex")

In [None]:
import time
scope.io.target_pwr = False
time.sleep(0.5)
scope.io.target_pwr = True

In [None]:
# Baud is lower so it works from internal oscillator which isn't as precise
target.baud = 38400

In [None]:
# When device is running at 2 MHz baud calculation is off - measuring actual baud shows this is correct:
# Uncomment this when compiling for 2 MHz firmware
#target.baud = 62750

In [None]:
#We don't use the clock output
scope.io.hs2 = None

In [None]:
# We don't care about the ADC sampling rate, set this low.
# Should actually turn off the ADC as we are way overclocking it in some cells.
# But I think it's fine?
scope.clock.adc_mul = 1

## JTAG Function Definitions

It's assumed you've already seen the previous JTAG notebooks, so these will not be described here.

In [None]:
def read_tdo_status():
    pins = scope.userio.status
    if pins & (1<<3):
        return True
    else:
        return False
    
def write(tms, tdi):
    old = scope.userio.drive_data
    old &= ~(1<<6 | 1<<7)
    if tms:
        old |= 1<<6
    if tdi:
        old |= 1<<7
    
    scope.userio.drive_data = old
    scope.userio.drive_data = old | (1<<5)
    scope.userio.drive_data = old & ~(1<<5)

In [None]:
def setup_bypass(verbose=True):
    #Take control of TDI, TMS, TCK
    scope.userio.direction = 0b11100000
    
    write(1, 1)
    write(1, 1)
    write(1, 1)
    write(1, 1)
    write(1, 1)

    write(0, 1) #
    write(1, 1)
    write(1, 1)
    write(0, 1)
    write(0, 1)

    #Send a bunch of 1's to force bypass mode
    for i in range(0, 10):
        write(0, 1)

    #exit shift-IR state
    write(1,1)

    write(1, 1)
    write(1, 1)
    write(0, 1)
    write(0, 1)

    for i in range(0, 10):
        write(0, 0)

    tdo_result = []

    for i in range(0, 10):
        tdo_result.append(read_tdo_status())
        if i == 0:
            write(0, 1)
        else:
            write(0, 0)

    if tdo_result[0:10] == [False, True, False, False, False, False, False, False, False, False]:
        if verbose:
            print("JTAG Setup successful - bypass mode enabled, saw '1' sequence successfuly")
        return True
    else:
        if verbose:
            print("JTAG Setup not successful")
            print(tdo_result)
        return False

## Logic Analyzer Setup

In [None]:
help(scope.LA)
print(scope.LA.max_capture_depth)

In [None]:
assert scope.LA.present, 'There is no logic analyzer in this FPGA bitfile!'

In [None]:
import time

scope.LA.enabled = False
scope.clock.clkgen_freq = 200E6
scope.clock.reset_dcms()
#scope.LA.enabled = True
#scope.LA.clk_source = "pll"
#scope.LA.reset_MMCM()
#scope.clock.pll._warning_freq = 400E6

scope.LA.enabled = True
scope.LA._warning_frequency = 401e6 # prevent warning message that we're setting the sampling clock too high
scope.LA.oversampling_factor = 1
scope.LA.downsample = 1
scope.LA.capture_group = 'USERIO 20-pin'
scope.LA.trigger_source = "capture"
scope.LA.capture_depth = 16376

In [None]:
scope.clock.clkgen_freq = 50E6

In [None]:
scope.LA.reset_MMCM()

In [None]:
assert scope.LA.locked

In [None]:
#Turn on the output clock - we won't see feedback yet as haven't turned on JTAG bypass mode
jtag_clkout(True)
scope.userio.direction = 0b11100000

In [None]:
scope.LA.arm()

In [None]:
scope.LA.trigger_now()

In [None]:
scope.LA.errors

### Testing JTAG Feedthrough

Watch the following says `JTAG Setup successful - bypass mode enabled, saw '1' sequence successfuly`.

In [None]:
jtag_clkout(False)
setup_bypass()
jtag_clkout(True)

Alright, now we can do a new capture:

In [None]:
assert scope.LA.locked

In [None]:
scope.LA.arm()
scope.LA.trigger_now()
time.sleep(0.1)

In [None]:
print(scope.LA.errors)
raw = scope.LA.read_capture_data()
tck = scope.LA.extract(raw, 5)
tdo = scope.LA.extract(raw, 3)
tdi = scope.LA.extract(raw, 7)
tms = scope.LA.extract(raw, 6)

In [None]:
print(tdo)
print(tdi)

These should all match up - you may get a phase shift so you'll see the 1/0 offset.
```
[0 1 0 ... 1 0 1]
[0 1 0 ... 1 0 1]
```
We can compare all of the inputs & outputs to check they are matching, either directly OR with an offset of one cycle:

In [None]:
print(np.all(tdi == tdo))
print(np.all(tdi[0:-1] == tdo[1:]))

In [None]:
scope.clock.pll._warning_freq = 400E6

In [None]:
scope.LA

### Checking Maximum TDI->TDO Frequency

The following will test the TDI->TDO path and will help see how well the received data matches the expected 1/0 split.

In [None]:
max_freq = 300
frequency_sweep_list = []
try:
    for i in range(50, max_freq, 1):
        scope.clock.clkgen_freq = i * 1E6
        time.sleep(0.01)
        scope.LA.reset_MMCM()
        time.sleep(0.01)
        assert scope.LA.locked

        scope.LA.arm()
        scope.LA.trigger_now()
        time.sleep(0.1)
        raw = scope.LA.read_capture_data()
        tdo = scope.LA.extract(raw, 3)
        tdi = scope.LA.extract(raw, 7)

        result = tdo ^ tdi
        
        zeros = np.sum(result == 0)
        ones = np.sum(result == 1)

        print("{:d} zeros, {:d} ones at {:d} MHz".format(zeros, ones, i))
        frequency_sweep_list.append( (zeros, ones, i)  )
except:
    scope.clock.clkgen_freq = 10E6
    raise

In [None]:
#np.save("jtag_frequency_sweep_april42024_withdecouplingcaps_newLAbuild_xorout.npy", frequency_sweep_list)

Due to phase shifts you'll see various results that are "naturally" faulty, as the S&H times at the TCK/TDI input are being violated. Ideally we'd like to see such violations near the upper end of the sampling frequency.

```
8188 zeros, 8188 ones at 211 MHz
8188 zeros, 8188 ones at 212 MHz
8188 zeros, 8188 ones at 213 MHz
8188 zeros, 8188 ones at 214 MHz
8188 zeros, 8188 ones at 215 MHz
8188 zeros, 8188 ones at 216 MHz
8188 zeros, 8188 ones at 217 MHz
8188 zeros, 8188 ones at 218 MHz
8185 zeros, 8191 ones at 219 MHz
8067 zeros, 8309 ones at 220 MHz
7665 zeros, 8711 ones at 221 MHz
7755 zeros, 8621 ones at 222 MHz
8076 zeros, 8300 ones at 223 MHz
8477 zeros, 7899 ones at 224 MHz
8915 zeros, 7461 ones at 225 MHz
9573 zeros, 6803 ones at 226 MHz
2465 zeros, 13911 ones at 227 MHz
0 zeros, 16376 ones at 228 MHz
0 zeros, 16376 ones at 229 MHz
16376 zeros, 0 ones at 230 MHz
0 zeros, 16376 ones at 231 MHz
0 zeros, 16376 ones at 232 MHz
16376 zeros, 0 ones at 233 MHz
```


## T-Testing

In [None]:
jtag_clkout(True)

In [None]:
scope.io.nrst = None

In [None]:
scope.clock.clkgen_freq = 159E6

In [None]:
print(scope.clock)
print(scope.adc)
print(scope.LA)

In [None]:
#Setting an offset here will sweep through
#scope.adc.offset = 6500

#Set to 10K offset for 180MS/s
scope.adc.offset = 10000

#Set to 10K for 158MS/s
#scope.adc.offset = 10000

#Set to 8K for 109MS/s
#scope.adc.offset = 5000

# Samples doesn't matter, but code downloads data by default, so keep this lower to avoid wasting too much time.
# Should probably avoid downloading ADC data eventually since it's not used at all.
scope.adc.samples = 1000

In [None]:
N = 10000
group1, group2 = capture_ttest_jtag(N, repeat=1, resync=False, xorinout=True)

**IMPORTANT**: If the above capture isn't working & you reset the device, be sure you also configure the JTAG bypass mode to be enabled again!

In [None]:
nptsave("jtag_offset10000_clock159E6_10k_xor_async", group1, group2)

In [None]:
#group1, group2, N = nptload("jtag_offset10000_clock158E6_10k_1avg_xor_extclock")

In [None]:
import numpy as np
mean1 = np.mean(group1, axis=0)
mean2 = np.mean(group2, axis=0)
cw.plot(mean2) * cw.plot(mean1)

In [None]:
#from scipy import signal
#sos = signal.butter(5, 0.05, 'highpass', output='sos')

#group11 = signal.sosfilt(sos, group1)
#group12 = signal.sosfilt(sos, group2)

In [None]:
from scipy.stats import ttest_ind
M = int(N/2)
t1_val = ttest_ind(group1[:M], group2[:M], axis=0, equal_var=False)[0]
t2_val = ttest_ind(group1[M:], group2[M:], axis=0, equal_var=False)[0]

#t1_val = ttest_ind(group1, group2, axis=0, equal_var=False)[0]
#t2_val = ttest_ind(group11, group22, axis=0, equal_var=False)[0]

In [None]:
%matplotlib notebook
plot_t(t1_val, M, "JTAG Glitch Experiments")
plot_t(t2_val, M, "JTAG Glitch Experiments")

In [None]:
from scipy.stats import ttest_ind
t_val = ttest_ind(group1, group2, axis=0, equal_var=False)[0]

In [None]:
import matplotlib.pylab as plt
plt.figure()
plot_t(t_val, N, "JTAG Glitch Experiments")

In [None]:
# Plotting glitches over time

In [None]:
%matplotlib notebook
import matplotlib.pylab as plt
plt.plot(np.sum(group1, axis=0))

### SCA Results

In [None]:
scope.LA

In [None]:
scope.adc.offset = 10000

In [None]:
splot = cw.StreamPlot()
splot.plot()

In [None]:
from tqdm.notebook import trange
import numpy as np
import time

ktp = cw.ktp.Basic() # default - fixed key, random plaintext

textins = []
textouts = []
waves = []
keys = []

N = 500000
for i in trange(N, desc='Capturing traces'):
    key, text = ktp.next() # new plaintext, same key
    #ps.runBlock()
    scope.LA.arm()
    trace = cw.capture_trace(scope, target, text, key) # set key, send plaintext, receive ciphertext, capture power trace
    if not trace:
        continue
    raw = scope.LA.read_capture_data()
    tck = scope.LA.extract(raw, 5)
    tdo = scope.LA.extract(raw, 3)
    tdi = scope.LA.extract(raw, 7)
    tms = scope.LA.extract(raw, 6)

    wave = tdo
            
    wave = wave ^ tdi  
    
    #wave = trace.wave
 
    waves.append(wave)
    textins.append(trace.textin)
    textouts.append(trace.textout)
    keys.append(trace.key)

    # Update our plot with a new trace
    if i % 100 == 0:
        splot.update(wave) # wave is the name for the data for our power trace
        
    if i % 10000 == 0:
        try:
            print("Attempting save at {:d}".format(i))
            #raise IOError("Change 'False' to True and run this again")
            save_ets(waves, textins, textouts, keys, "d:/data_store/jtagglitch_15MHzCPU_159MHz_async_10koffsetLA_mixerjtagboard_jtaglaresults_k.ets", overwrite=True)
            print("phew")
        except:
            print("Hmm... save failed, skipped!")
            pass

In [None]:
save_ets(waves, textins, textouts, keys, "d:/data_store/jtagglitch_15MHzCPU_159MHz_async_10koffsetLA_mixerjtagboard_jtaglaresults_k.ets", overwrite=True)