NewAE Technology Inc., creators of ChipWhisperer, the first open-source embedded security ecosystem, has a new compact power analysis and fault injection tool loaded with new features.
ChipWhisperer-Husky draws on NewAE Technology’s years of experience developing the popular ChipWhisperer-Lite and the lab-grade ChipWhisperer-Pro, while adding new features like high-speed logic analyzers (to visualize glitches), real-time data streaming for attacking asymmetric algorithms, support for JTAG/SWD programming with an FTDI-compatible mode, and additional I/O expansion pins. ChipWhisperer-Husky is designed to be highly accessible to researchers while maintaining NewAE Technology’s commitment to offering long-term support to all users. This means that, while the entire product is not OSHW-certified, the core—including the FPGA logic, microcontroller firmware, and computer code—is open-source, so you can make modifications and add features.
Aligning with NewAE Technology’s focus on education and spreading embedded security awareness, ChipWhisperer-Husky works with a variety of free educational resources already built and organized into self-taught “courses”. You can see examples of these courses as part of the ChipWhisperer Project. If you need more help, there is a video series on ChipWhisperer.io, and The Hardware Hacking Handbook has numerous examples that are compatible with ChipWhisperer-Husky.
Supply chain delays throughout the past two years have delayed the release (until now!) and have given the NewAE pack more time to work on the FPGA code. This means you’ll already see ChipWhisperer-Husky being used by the OpenTitan team and showing up in research papers.
Get a new leash on your hardware hacking life! ChipWhisperer-Husky “starter kits” are priced at $549 USD through Crowd Supply. Orders placed on Crowd Supply will ship in early 2023.
Power-Analysis & Fault-Injection Research
ChipWhisperer-Husky is designed to perform power analysis and fault injection. It benefits from numerous architecture-level decisions that give you a more stable and reliable experience compared to other off-the-shelf test gear (such as oscilloscopes and function generators). One such feature is synchronous sampling, which means the sample clock of your target device and the sample clock of ChipWhisperer-Husky can be perfectly aligned. ChipWhisperer-Husky can, of course, also act like a normal “asynchronous” oscilloscope, allowing you to specify any sample frequency within its range.
The unique design of ChipWhisperer-Husky also lets it generate various glitches, including clock glitches, which may be less than a nanosecond wide. Generating such a short pulse with a standard function generator would require a unit in the range of 1 GS/s (and an even higher analog bandwidth). Then you’d still need to write all the interface code and would struggle to achieve the level of community reproducibility that ChipWhisperer provides.
Another new feature of ChipWhisperer-Husky is a built-in logic analyzer that you can use to visualize glitches and other digital signals.
Triggering & More
Because it was designed specifically for power analysis and fault injection, ChipWhisperer-Husky has a huge range of triggering mechanisms. These mechanisms run “on the hardware” in the FPGA and allow you to trigger on things like:
- Level / Edge: Trigger on digital rising or falling edge or when passing a specific analog value. This is the normal triggering mechanism you’ll find in every oscilloscope. To see how it works, have a look at the open-source Verilog core.
- Analog Waveform: Trigger when matching a specific pattern in the waveform, not just when crossing a threshold. This allows you to trigger on specific code that you previously identified, even without any external digital signal. This feature was previously exclusive to ChipWhisperer-Pro and certain application-specific products such as Riscure icWaves. You can see how it works in the open-source Verilog core.
- UART Bytes: Trigger on a specific UART character, which allows you to time things relative to a specific boot message or as part of a protocol. This is part of the core trigger unit linked above.
- Edge Count: Trigger on a number of rising edges, which can be useful to trigger on digital protocols for which no specific decoder yet exists. Learn more in the open-source Verilog core.
- Arm Trace: ChipWhisperer-Husky understands the Arm trace format, with messages coming from both SWO (serial trace) and parallel trace pins. This advanced feature—which was designed specifically for white-box evaluations in which you have full control of the target—makes it trivial to understand new algorithms and libraries. The triggering feature means you can trigger when the code hits specific Program Counter (PC) values. This is part of our open-source TraceWhisperer core.
- FPGA Fun: Not only is the ChipWhisperer-Husky FPGA design fully open, it supports extensive test benches, including Verilator simulation-based test benches, so you can add new modules and features as well.
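The difference between the Level / Edge and Analog Waveform triggers above can be seen in a small software model. This is an added example, not code from NewAE or the Husky FPGA core: the trace is constructed, the function names are hypothetical, and sum of absolute differences (SAD) is assumed as the matching metric.

```python
# Added example: software model of two trigger types over a constructed trace.
# SAD matching is an assumption here, not taken from the Husky Verilog core.

# Constructed reference: 12-bit ADC counts recorded for the code of interest.
REFERENCE = [2048, 2300, 2100, 2500, 2200, 2600, 2048, 1900]
PATTERN_START = 150   # where the operation of interest really occurs
DECOY_START = 40      # unrelated, larger spike earlier in the trace

def build_trace(length=256, baseline=2048):
    """Constructed power trace: baseline, a decoy spike, then the pattern."""
    trace = [baseline] * length
    trace[DECOY_START:DECOY_START + 3] = [2700, 2700, 2700]
    trace[PATTERN_START:PATTERN_START + len(REFERENCE)] = REFERENCE
    # Deterministic pseudo-noise in the range -15..15 counts on every sample.
    return [s + ((i * 37) % 31) - 15 for i, s in enumerate(trace)]

def level_trigger(trace, level):
    """Rising-edge level trigger: first index where the trace crosses level."""
    for i in range(1, len(trace)):
        if trace[i - 1] < level <= trace[i]:
            return i
    return None

def sad_trigger(trace, reference, threshold):
    """Pattern trigger: fire on the last sample of the first window whose
    sum of absolute differences against the reference is <= threshold."""
    n = len(reference)
    for end in range(n, len(trace) + 1):
        sad = sum(abs(a - b) for a, b in zip(trace[end - n:end], reference))
        if sad <= threshold:
            return end - 1
    return None

if __name__ == "__main__":
    trace = build_trace()
    print("level trigger fires at sample", level_trigger(trace, 2400))
    print("pattern trigger fires at sample", sad_trigger(trace, REFERENCE, 200))
```

The level trigger fires on the decoy spike, while the pattern trigger ignores it and fires at the end of the recorded shape, which is why waveform matching gives a stable time reference when no external digital signal marks the operation.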
ChipWhisperer-Husky ships with two “targets” on which you can run various code, including all ChipWhisperer tutorials. The targets represent typical embedded systems you might be working with when trying to protect against these attacks, and they give you a known starting point so you don’t have to waste time getting the instrumentation set up. Instead, you can jump right into the interesting part of the work: exploring power analysis and fault injection.
The microcontroller-based target is a Microchip SAM4S2A, which has 128 KBytes of FLASH and 64 KBytes of SRAM. It is large enough to run most algorithms you throw at it, including AES, RSA, and ECC.
The other target uses the popular Lattice iCE40 FPGA. The tutorial has already been set up to run NEORV32, a soft-core RISC-V processor. This means you can use the iCE40 target as a RISC-V microcontroller target out of the box. You can also run some cryptographic cores on it—an AES core fits, for example—which allows you to perform attacks on hardware-based cryptographic implementations.
Features & Specifications
- Sample Rate & ADC: 200 MS/s, 12-bit
- Sample Buffer Size: > 80 KSample
- Streaming Support (limited by computer buffer): >20 MS/s, 8-bit data can stream back for unlimited capture sizes.
- Voltage Glitching: 2-size Crowbar glitch
- Clock Glitching: High-resolution glitch generation based on phase-shift architecture (sub-ns resolution)
- I/O Pins: ChipWhisperer 20-pin header, additional 8 data + 1 clock line. All I/O pins 3.3 V.
- FPGA: Artix A35
Documentation & Source
ChipWhisperer-Husky development is found here:
- The Documentation Page includes the ChipWhisperer-Husky specific docs.
- The main ChipWhisperer-Husky GitHub repo includes firmware running on the device.
- The ChipWhisperer repository includes Husky interface code.
- The ChipWhisperer-Jupyter repository includes all our tutorials (be sure to see the specific ChipWhisperer-Husky Demos).
Learn more about ChipWhisperer-Husky and get campaign updates on Crowd Supply.