Frequently Asked Questions

Answers

  • Specifications

    • I want to acquire a Sasebo board, which of the boards is better supported by Inspector?

      Inspector support is developed using the -R and -GII boards. This means it supports all algorithms in the -R (LSI ASIC). The drawback is that the -R has a relatively small FPGA and is mainly meant for analyzing the (static) ASIC. The GII has the larger Virtex5 which allows analyzing larger custom designs.

      A comparison between results on the -R and -G boards can be found in
      www.rcis.aist.go.jp/files/special/SASEBO/CryptoLSI-en/SASEBO_PA_Report_English.pdf

      The -G is the predecessor of the -GII. Currently Inspector has not been used with the –B in our lab.

    • We want to add a computer system, what configuration would you advise?

      As bare minimum requirements we have the following specs:
      2GB mem
      GPU is not required
      Windows XP

      We currently ship the following DELL system:
      Precision T5500
      XEON 2GHz
      4 GB memory
      450Gb SAS hard disk
      +9800 GT video card with GPU

      For working comfortably and be prepared for the future we advise the
      following specs:
      6GB memory (for future 64bit support)
      Fast GPU with >1G mem
      HW RAID-0 or -5 on fast disk

    • Can I run multiple instances of Inspector?

      Yes, you can run up to 3 instances of Inspector with the standard license. After that Inspector will only launch in demo mode. Depending on the tasks that are performed with Inspector, It is not very memory friendly to run more than 3 instances.

    • I have an old Power Tracer. What is the difference with the Power Tracer v3.0?

      The revision history of the Power Tracer can be viewed in the manual, chapter "Hardware components". section "Power Tracer", section "specifications". The revision history for other devices are also present in this hardware chapter, under the specific device section.

      In a nutshell: The quality of the power signal of the new Power Tracer has improved resulting in a higher bandwidth and lower noise. It also has several additional features:

      - It can be used in combination with EM probe to perform EM analysis
      - Software controlled card voltage between 1.8 V and 5 V
      - Software controlled gain and offset of power signal
      - RS232 output to monitor or send I/O
      - 'Clock in' input to run the smart card on other clock frequencies than 4 MHz

    • Can I run Inspector under Linux?

      In principle Java programs can run on other platforms. However, Inspector requires some native functions (for example checking available disk space) which are not portable. Contact us for advice if you have a specific need to run Inspector on a different platform.

    • Does Inspector run on a 64 bit machine or Windows Vista?

      Inspector works fine on Vista 32 bits. For 64 bits (XP or Vista) we anticipate some problems, one of which is that several external device drivers (e.g. for oscilloscopes) will not work. Of course these issues will be addressed in the future, but currently a 32 bit OS is recommended and 32 bit Windows XP will be delivered with your system.

    • Can timing attacks be performed with Inspector?

      Yes. Timing attacks are mostly executed in combination with so-called SPA (Simple Power Analysis). The analyst compares a few traces and by looking at their differences she might infer information related to the key. The precision of finding timing differences depends on the oscilloscope, which could as little as 1 ns. This could for instance reveal a timing problem in PIN or password verification that allows an attacker to retrieve this code with a few attempts. In the context of cryptography, timing attacks are known for parity checks in symmetric algorithms (like DES), or for by measuring execution time of asymmetric algorithms (like RSA). Timing attacks can be automated (similar to DPA), but this is very much dependent on the sort of timing leak. Inspector allows you to implement such a specific attack in a straightforward manner.

    • Does Inspector support GPIB interface?

      With respect to scope interfaces: we don’t support GPIB because it is a relatively old interface. New scopes tend to have a network connection which is faster and more reliable. Nevertheless it is possible to interface with this technology: you would have to write a scope implementation in Java to connect to a GPIB driver that you might have.

    • Can I perform side channel analysis on a USB stick or other embedded electronics?

      Yes. By using the EM Probe Station the electro-magnetic field emanating from an embedded chip can be measured during encryption or decryption. On these measurements an attack can be mounted just as with a smartcard. Power Analysis can also be performed on an embedded device. However, this requires modification of the target by installing a shunt resistor in the power line. With a differential probe the current through this resistor is measured. LeCroy provides differential probes and Riscure is developing a differential probe with gain.
      Additionally two things are needed: communication between the target and Inspector and a trigger  signal from the device for the oscilloscope. If a propriety communication protocol is running on the embedded processor the user can program a communication interface on the processor that communicates over the serial port or over TCPIP. Serial port and TCPIP drivers are included in Inspector. With a propriety communication protocol running on a USB key then the user has to program a communication interface on the USB key and a device driver for Inspector. Example source codes of device drivers are available upon request. This is not required if a standard communication protocol like the PCSC interface is implemented in the USB key (Inspector supports this directly). Please refer to the section “SCA on embedded devices” in the Inspector manual for a more detailed description of configuring embedded devices.

    • Can I perform Fault Injection on a USB stick or other embedded electronics?

      Yes, but it requires the user to make hardware modifications to the VC Glitcher in order to interface with the embedded target. Riscure can provide support to build such setup. Riscure is currently also working on a generic extension to the VC Glitcher for embedded chips (expected release in 2011). For injecting faults with the Diode Laser Station the embedded target also needs to be de-capped, to provide optical access, just like with smart cards. Inspector needs to communicate with the embedded target through an interface. See the answer to the previous question to an insight of the communication interface posibilities with Inspector.

  • General

    • When running Java3d graphics, e.g. spectralIntensity, the following error message occurs: "No compatible device found, please switch to other display mode and try again!"

      This issue most likely occurs on a new installation when there is no 3d graphics support. It can be resolved by (re-) installing the video driver and DirectX.

    • What kind of warranty and support is provided on the LeCroy?

      LeCroy has a standard warranty of 3 years on the oscilloscope and provides worldwide support. For additional parts a one year warranty applies. For technical support questions it is recommended that you inform locally for your most convenient point of contact.

    • Do you use any exceptional computational resources in order to attack some relatively new cards?

      We evaluate relative new smart cards from leading manufacturers for our clients. Sometimes we find data leakage, sometimes we find the key and sometimes we just find correlation with input plain text or output cipher text.  For our clients, we analyze modern smart card chips from the leading manufacturers. We perform side channel analysis on DES, AES, RSA and/or ECC or we perform fault injection on one (or multiple) algorithm(s) or program flow decisions. We may succeed in 0, 1 (or 2) attacks but we never succeed to attack all algorithms using SCA and FI. Hence, it might well be that the HW DES implementation on your card is secure against SCA for 1M traces. It might be interesting to shift focus to another algorithm (if you are using that algorithm in your application...)

    • Why does Inspector say "cannot install PostgreSQL because it is already installed" when trying to reinstall Inspector FI?

      The Inspector FI checks if it is already installed by checking the following file:
      C:\Documents and Settings\<Your username here>\Application
      Data\postgresql\pgpass.conf . This file should be removed before reinstalling Inspector FI.
      In addition, you should remove the PostgresQL user created by the
      PostgreSQL installer:
      - Right click "My Computer"
      - Click "Manage"
      - Click "Users" under "Local users and Groups"
      - Right click "postgres" and click "Delete"

    • Why does the dongle only work on some USB ports and not on other ports?

      The Inspector dongle needs to be installed on all USB hubs, it is possible that you PC contains multiple hubs. Please install or reinstall the driver on the port it is not working on.

    • Inspector gives the “Not enough memory to analyse; need xy, got xz” error on module execution. The PC has 3/4GB RAM available, how can I get Inspector to use all the RAM memory available?

      Java is limited in the max amount of memory that it can claim. The actual limiting factor is the heap and for Windows this is up to 1500Mb, as it reserves half for the kernel. More information can be found at http://forums.sun.com/thread.jspa?threadID=5316101

      You can reduce the amount of memory needed by reducing the number of samples in the trace set. This can be done by either resampling, sampling with a lower sample rate or take less samples (i.e. use only a part of your current trace). See question: How can I solve memory shortage

    • Windows asks for the PowerTracer driver, where can I find this?

      The driver for the PowerTracer is included in the Inspector installation, as are the drivers for the License dongle, the Picoscopes and other Riscure hardware.
      You can find the Power Tracer driver in:
      C:\Program Files\<Inspector folder>\drivers\Win32\PowerTracer

    • I am running Inspector on a Japanese windows version, but the module editor is displaying the wrong font and my cursor is out of sync. How can I fix this?

      - goto <inspector folder>\jdk\jre\lib
      - copy the file fontconfig.properties.src
      - renamed it to fontconfig.properties

      chang the line:
       sequence.monospaced.windows-31j=japanese,alphabetic,dingbats,symbol
      into:
       sequence.monospaced.windows-31j=alphabetic,dingbats,symbol

    • Will a new Inspector installation wipe my data or module files?

      No, a new installation will only update the standard example trace files and the standard Inspector modules and not your user trace files or user module files. Note however that user modifications to the standard modules files will be lost.

    • Can Inspector import an unsigned binary file?

      By default, Inspector supports signed formats only for trs files.

      However, if you have a file that is unsigned and you want to read it anyway, you could give it the extension ‘.bytes’. Next when you push the open button and single click on this file you can tell Inspector how to interpret the samples. You can now select the size and ‘unsigned’ and open the file. If you save it later it will be saved as a signed trs file.

      Other import methods use modules Import for loading comma separated values (CSV) from text files, or Cri-Import to load files created with CRI’s solution DPAWS.

  • Data Acquisition

    • Does EMA give better results than DPA?

      It is difficult to say if the EM will give you an improvement. Often if the chip contains a power buffer, power filter or current flattening circuit then the EM signal may show more data leakage. If the chip contains one or more dense metal shield, then the power signal may show more data leakage. Often you need to try both (EMA and power analysis) in order to find out.

    • Can Inspector work with traces of more than 32 million samples?

      Inspector uses internally 4 bytes for each sample for each trace displayed, but may use temporarily a multiple of that while browsing a set of traces. Furthermore, trace zooming and browsing long traces may become slow due to disk response time and graphics computation overhead. Furthermore, Inspector tries not to consume all your system resources. If your machine contains less than 1 Gb of physical memory we recommend not to exceed a trace length of 32 M samples, and not to display several traces of this length at once.

    • I am using the LeCroy oscilloscope and channel 3 (B) as a trigger, but the scope does not trigger.

      When the scope class is set to trigger on Channel B in the acquisition module, channel B must be set to an impedance of 1000 k Ohm.

    • I have the smart card training cards. How can I use these?

      The smart card training cards are described in the Tutorials document, that is supplied on the installation CD and present on the system where Inspector is installed. This document contains many tutorials that use these sample cards. These tutorials can be practiced on the sample cards, to improve your skills with Inspector.

       

    • How should I connect the power tracer and oscilloscope?

      The information you are looking for is  present in the "Getting Started" document delivered with your equipment and is also described on the hardware chapter of the manual. Inspector supports various oscilloscopes, ranging from the basic PicoScope to a high end LeCroy. Here is a short description for connecting the Power Tracer: 

      The Power Tracer comes with three cables. Two of them (the BNC cables) need to be connected to an oscilloscope; they contain the trigger and signal lines. Make sure not to mix up the cables, the signal cable should be connected to the oscilloscope's signal input (e.g. ‘A’), while the trigger cable should be connected to the oscilloscope's trigger (e.g. 'Ext') input. The third cable (USB) shall be connected to the PC running Inspector. The Power Tracer does not need an external power supply. 

    • I cannot set up the communication between Inspector en the LeCroy oscilloscope

      The setup of the LeCroy oscilloscope is quite elaborate and is fully described in the Inspector manual in the Hardware Components chapter, section Oscilloscopes. For troubleshooting first try to ping the oscilloscope by its IP address and subsequently by name: "Lecroy".

       

    • I have got a new PicoScope 3206 but why does it not connect?

      PicoScope delivers two versions of the 3206: the older version with white housing and the new version with blue housing. The new version does not function with the old driver.

      Under the Inspector home directory you will find a folder named ‘lib’. In this folder there is an old driver file called ps3000.dll. Please remove this file, or rename it to something like ps3000.dll.tmp. Next, when you start Inspector again and start an acquisition session, it will load the newest driver you installed.

    • Inspector reports “Aborted: cannot start device”, why?

      Apparently the communication between Inspector and the card cannot be established.  The Power Tracer does not get a response from the smart card. This can be caused by several reasons.

      1. The card may be inserted upside down. Turn the card with its contact pas down.

      2. Check the operation of the Power Tracer with the trainings cards. The card might be dead or faulty.

      3. Verify that all the smartcard pins inside the power tracer are correctly lined up and all make contact with the pads when the card is inserted.

      4. Inspect the pins and if necessary clean them.

      5. Check the smart card supply voltage in the configuration window of the acquisition dialog window. Set the appropriate voltage.

      Contact smart cards should be operational with a power supply between 4.5 and 5.5 Volt. Outside that range they may refuse to work. Version 1.0 of the Power Tracer (delivered before 1 jan 2008) has offset and gain controls that also affect the power available to the smart card, and may fail when the offset (right knob) and gain (left knob) are too high as this leaves less power for the card. The best practice is to initially turn gain and offset to the left. Then turn gain up to the desired level and turn offset up to the required level. Version 3.0 of the Power Tracer has a software controlled smart card power supply. This may also be set outside the operating voltage of the card. This is easily fixed by setting the control to 5 Volts.

      6. Send an email to us at inspectorsupport@riscure.com and include the results of the steps above,

  • Signal Processing

    • Why does the tutorial not mention the internal clock of the training card?

      Since we do not know the exact frequency used, we look at the spectrum and try to find interesting frequencies. Then we choose one of them and apply SyncResample at that frequency and look for input/output correlation. Of course, we try to make educated guesses because it is always better if you have an idea about the frequency the card may be using...

    • Why do traces acquired with an oscilloscope show an unexpected (slow) periodic wave?

      The signal may have a bandwidth that exceeds the sampling speed and causes interference in the sampled signal. The effect can be reduced by application of a low pass filter before sampling. Additionally the signal may be interfered by other signal sources, such as USB data transfer or card reader control activity.

    • When should I use the BNC-in-line 50 MHz or 90 MHz low pass filter?

      Please refer to the section “Filters” in Hardware Components chapter in the Inspector manual.

    • Why does the alignment only give one trace as result?

      When initiating the alignment there are a few parameters that need to be carefully set. If one of these parameters is incorrect, you will find only one result trace, namely your reference trace.

       

       Reference :  trace number to use as a reference for the other traces to align

       First sample and number of samples :  Static alignment uses a fragment (the selected trace part of the reference trace) to align traces with each other. Usually you would take a part of the trace that is visually recognisable and is expected to be present and similar in all traces.

       Shift max :  to set the maximum number of samples to shift to the left or right. For performance reasons it is good to limit the shift range, but a too small shift range will obviously reject traces that could match.

       Threshold :  the minimal value for the correlation between the reference trace and the trace which is to be aligned.

       

      Consider the following log.

       Excluding trace 30, correlation: 0.949
       Excluding trace 31, correlation: 0.931
       Including trace 32, shift: 44, correlation: 0.955

      You can see that a number of traces are excluded because the correlation was below 0.95. If we had set the deviation to 0.9 instead of 0.95 we would have included these traces. A good procedure would be to do a test alignment on a few traces (e.g. 20). The test alignment should have a wide shift range and a low correlation threshold. This would typically result in a trace set including all selected input traces. Subsequently one would inspect the traces with lower correlation to see if these are acceptable with respect to resemblance to the reference trace. In a second run the shift range would be tuned to match the window of observed shift values for the test run, and the correlation threshold would be set to a value that delivers traces with sufficient resemblance to the reference trace.

       

    • How should I set the parameters for dynamic alignment?

      Dynamic alignment starts after the static alignment, it proceeds from the fragment used for static alignment. It is therefore important that your static alignment results in a reasonable quality.

      Min length: Dynamic alignment assumes that reference-trace and trace-to-align have corresponding fragments that got desynchronized e.g. due to wait states or variable frequency. First you have to select a fragment length (Min Length) of the traces for which you expect similar fragments, e.g. for wait states this would be the number of samples in between two sequential wait states.

      Step: Step is the number of samples to skip when the next option is tried. In the case of wait states it would make sense to set step equal to the number of samples that a wait state takes. When you use a step size bigger than 1 you will notice a much faster performance, but you take the risk of 'stepping' over the best match.

      Range: Range is a bigger part of the trace that you will use for one dynamic alignment cycle. Within range samples the algorithm will try to find the best 'path' where each solution is tried. Ideally you would make range as large as possible, but this devastates your performance.

       

    • How can I solve memory shortage during analysis?

      Here are some ideas to tackle the memory problem:

      1.  Reduce sample scope

      You may be able to get a better idea about the section to mount your attack on. If you select a shorter region of samples your memory need will be much lower. Delay parameters or the icWaves can be used to only start sampling at an interesting position.

      2. Resample

      You may be able to do resampling before analysis.

      For example, if you sample at 2Gs/s but your device under test runs on a clock of 200 MHz you may be able to resample on the device clock and reduce your data size by a factor 10.

      3. Suppress the warning

      You can stop the Inspector warning during crypto analysis about memory shortage by replacing line 75 in modules/analysis/Correlation.java by "return 0;", and recompile this class. If the memory shortage is severe, the application may crash.

      4. Less signals to analyse

      Some analysis methods allow narrowing down the analysis scope to reduce the required memory. The AES analysis module for instance tries to find all key bytes simultaneously by default. By selection of the key byte option we could narrow down the search to one key byte at a time, which reduces the amount of memory with a factor 16 (for 128 bit key). For other modules this option may need additional programming work to become available.

    • Why do I get message: "WARNING: result sample coding too small"?

      Inspector tries to figure out a suitable format for your trace samples. This is performed when the first trace is to be saved. To save disk space it wants to store your traces in the smallest data format. This may cause problems when subsequent traces need a bigger format. For instance, when all samples of the first trace are set to '0', the chosen format will be byte. Subsequent traces having values like '500' or '3.14' may need a short or float format, and are malformed when stored as byte. The warning may be caused by an error in your module that results in a deviating first trace, but may also be an undesired effect of correct signal analysis. In the latter case the you may set the sampleCoding variable in the module to force a specific format. The following formats are supported: TraceSet.BYTE_CODING (1 byte per sample), TraceSet.SHORT_CODING (2 bytes per sample), TraceSet.INT_CODING (4 bytes per sample), TraceSet.FLOAT_CODING (4 bytes per sample).

  • Cryptanalysis

    • Is there no tutorial for the EEPROM noise countermeasure?

      This countermeasure simply adds more power consumption to the device, but it actually doesn't complicate the attack. The attack is basically the same as for the version without countermeasures (although maybe a few more traces are needed).

    • After doing an attack ( for example on DES) the correlation of the candidates is greater than 1. How is this possible?

      If you select to do an attack on all bits (instead of one or hamming weight) all the individual values are added up and the correlation will be higher than 1. This also is the case when you select sum instead of peak for determining the correlation.

    • How can I recognize the several phases in 3G procedures from a power signal trace?

      The first thing you can do is to find the I/O. These can be recognized by the baudrate of the I/O bits (93 microseconds per bit). Then you want to explain remarkable parts of the trace part between Input and Output. Things that you might see by visual inspection:

      EEPROM writing, usually takes 1 to 10 µs (microseconds).

      Cryptographic operation, depend on the cryptography, a hardware DES usually takes a few µs.

      Switching of clock frequency, could be observed in the spectrum

      Switching on/off of noise generator or charge pump, switching on noise generator would increase the overall power consumption.

      Typical security procedures in 3G are:

      • Card management with ENVELOPE command. This involves the use of 3DES several times
      • Network authentication (often prior to a call). This most likely involves the use of AES several times
      • Applet operation. This could relate to a security sensitive applet, e.g. e-purse. Crypto could be any algorithm.

    • How can I code the 3G envelope command during the acquisition process?

      You may use the following code in one of our acquisition applets:

      /** initial processing before entering the main loop
      */

      protected void initAcquisitionProcess () {
      // select application
      response = command("A0 10 00 00 01 17");
      }

      /** actions repeated in the loop

      */

      protected void runAcquisition () {

      arm(); // arm the oscilloscope
      // the next command uses randomized data
      nextCommand = randomize( "A0 C2 00 00 36 D1 34 82 02 83 81 8B 2E 40 08 81 55 66 77 88 7F F6 81 08 12 11 45 00 04 1D 02 70 00 00 18 15 16 01 15 15 00 00 00 B1 AC BE 80 2E 6C B5 09 66 38 EF 5E A4 33 E4 FF 00", 43, 16 );
      setData( nextCommand, 43, 8 ); // save the data included in the APDU
      response = command( nextCommand ); // send the APDU
      nextCommand = "A0 C0 00 00 10";
      command( nextCommand );

      }

       

      The initAcquisitionProcess method is executed once in an acquisition session and contains here the TERMINAL PROFILE command. To my knowledge this command must be executed prior to sending ENVELOPE commands. The runAcquisition method is executed multiple times in the acquisition loop and contains the ENVELOPE command. This command has a rather complex structure, which is documented in GSM standard 03.48 (and its 3G successors), and in the SMS specifications.

      Basically the ENVELOPE command includes an SMS tagged as USIM data that includes a secured packet for the USIM.

      A basic breakdown of the command data:

      D1 34 82 02 83 81 8B 2E 40 08 81 55 66 77 88 7F F6 81 08 12 11 45 00 04 1D // this is the SMS header, the last byte indicates a payload of 29 bytes
      02 70 00 // CPI
      00 18 // packet length: 24 bytes
      15 // length of command header 21 bytes
      16 01 // SPI
      15 // KIc
      15 // KID
      00 00 00 // TAR
      B1 AC BE 80 2E 6C B5 09 66 38 EF 5E A4 33 E4 FF // encrypted data, including CNTR (5 bytes), PCNTR (1 byte), RC/CC/DS and the secured data

      Obviously, when you do not know the keys you cannot create a meaningful content for the secured data, but that is not important:

      Upon receipt of the ENVELOPE the USIM will start to unwrap the SMS and check if it contains a valid structured command packet. After decoding and accepting the header of the command it will do a decryption. After the decryption it will further evaluate its contents, and probably detect that this is garbage. Then the USIM should make a response packet with some error code.

      If you do your measurement during the decryption you can attack the 3DES decryption key. After retrieving the decryption key you may do another session to attack the protection key (for creating CC).

  • Fault Injection

    • Why do I get the error “java.sql.SQLException: Could not connect to the server;” when running a perturbation module?

      A default setting of PostgreSQL is a maximum password age of 42 days. When the password has expired the server cannot be started and Inspector cannot connect to the server.

      If this situation has not yet occurred for you (i.e. the 42 days have not yet passed since the installation) it can be simply avoided by disabling the password expiration for the PostgresSQLInspector user. This can be done in the following way:

      - Right-click "My Computer"
      - Click "Manage"
      - Select "Local Users and Groups" -> "Users"
      - Right-click the "PostgresSQLInspector" user and click "Properties"
      - Click "Password never expires" and click OK (remove the check from "User must change password...")

      When the password has expired and the above error has occurred, the password also needs to be reset. This can be done with the following additional steps:

      - Right-click the "PostgresSQLInspector" user and click "Set Password..."
      - Fill in a random password (remember it though)
      - Select "Services and Application" -> "Services"
      - Right-click "PostgreSQL Database Server 8.3" and select "properties"
      - Click the "Logon" tab
      - Enter the same password twice and click OK
      - Right-click "PostgreSQL Database Server 8.3" and click start.

  • EM measurements

    • Once I’ve determined the highest intensity on the die location, how can I launch the DEMA measurements (i.e., which function?)

      After selecting the optimum location with a left mouse click, press the ‘Move Probe’ button to move the probe towards the selected location. At this point, the location is selected and you may continue with DesAcquistion, AESAcquistion, etc. Please switch of the power supply from the XY stage (by removing the power plug) because the XY stage interferes with the EM measuremement.

    • In the XY acquisition (spectral intensity), is it correct that we should select the frequency around the CPU frequency in order to detect the best location?

      Yes, selecting the CPU frequency is a practical method. This can be determined using the spectrum of Power Acquisition. However, there is one disadvantage: you might select the internal clock generator instead of the crypto processor. Hence, you are actually searching for a location with a strong signal at the CPU frequency but the signal should also show a variation over time (a pattern).

    • How do I determine if the probe is close enough to the smart card?

      Usually we slide the probe tip over the smooth backside of the smartcard. We usually do not remove plastic from the smart card. Lowering the smartcard by the motors is a little dangerous because the motor might press the probe tip onto the smartcard too strongly. For this reason we open the probe holder and shift the probe downward manually. It is sufficient when the probe tip just touches the smartcard surface. Then tighten the probe holder again.

    • Why is the signal level very weak (<10mV) and the trace seemingly incorrect?

      If the EM Probe is powered with a battery, it has run out. Please replace or recharge the battery or use another power source.

    • Is it correct that I do not need the Power Tracer for using the EM Probe Station?

      Yes, it is correct that you do not need the Power Tracer for using the EM Probe Station when you are working on embedded technology (instead of smart cards). You only need an oscilloscope and the EM Probe Station for EM-measurements on your embedded target. The trigger signal for the oscilloscope needs to be generated by your hardware, e.g. on one of the output pins of your target. You also want to do send the decryption or encryption commands to the target from Inspector. Therefore you need to modify an acquisition module. Please refer to the section “SCA on embedded devices” in the Inspector manual.

    • Why do I pick up disturbance with my EM probe?

      This is electromagnetic interference (EMI) generated by devices in the neighbourhood of the test set-up. Cell phones, computers and USB cables are known for relative strong EMI. Naturally the probe tip is highly sensitive to EMI, but also the probe power cable and BNC signal cable can pick up EMI. The best solution to eliminate EMI is to build your set-up inside a Faraday-cage with EMI absorbing internal furnishing. These cases are commercially available from other parties.

      A simpler and cheaper solution is to shift the field deflector over the probe tip. The field deflector is a small metal tube that has been provided with the EM Probe. The bottom of the deflector should be aligned with the end of the probe tip for the shielding of EMI. 

  • Module development

    • Why does my module not show the Open and Save buttons for module parameter management in its dialog?

      These buttons appear automatically when your module registers (method: set) parameters. Check for example the MovingAverage module.

    • Why do I get the warning "Forcing acquisition termination" when running my acquisition applet?

      The oscilloscope is not triggered. Your applet may not have armed the oscilloscope, or the subsequent message from your applet did not cause the device to generate the trigger signal (possibly due to an unsuccessful APDU). Make sure that your triggering APDU is executed successfully.

    • Why do I get an IncompatibleClassChangeError when I run my module?

      Your module was compiled under an older Inspector version while you are now running a newer version where the Module class is updated. Just open the source of your module and recompile. The problem should be solved now.

    • Why does my module not appear in the module menu under the button?

      Your module must extend the Module class and define the moduleDescription String.

    • My module does not terminate, why can't I abort it?

      You may have made an endless loop in your module. It is good practice to check the aborted variable in your loops, otherwise you may have to kill the Inspector application occasionally. Always check arguments before division because dividing by zero may cause Inspector to hang. Ultimately you can terminate Inspector with the Windows Task Manager.

    • I’m familiar with programming in C, but how can I use an unsigned byte in Java?

      In C you can have an unsigned 8 bit number 'unsigned char'. This does not exist in Java, where all numbers (including the byte type) are signed.

      Some examples in C:

      unsigned char c1 = 0x00; // 0
      unsigned char c2 = 0x7F; // 127
      unsigned char c3 = 0x80; // 128
      unsigned char c4 = 0xFF; // 255       

      in Java these numbers have a different value:

      byte b1 = (byte)0x00; // 0
      byte b2 = (byte)0x7F; // 127
      byte b3 = (byte)0x80; // -128
      byte b4 = (byte)0xFF; // -1

       

      You cannot fully represent an unsigned 8 bit number in the Java byte type, as the values in the range 128..255 do not exist.

      Note that the short and int types, can deal with the numbers in the 128..255 range:

      int i1 = 0x00; // 0
      int i2 = 0x7F; // 127
      int i3 = 0x80; // 128
      int i4 = 0xFF; // 255
       

      Also note that with integer arithmetic, numbers are implicitly cast to the 'int' type. If you need another type you must cast explicitly:

      int i5 = b2 + b3; // -1
      int i6 = b2 + (b3 & 0xFF); // 255
      int i7 = b2 + i3; // 255
      byte b5 = (byte)(b2 + i3); // -1

      You may want to preserve the 8 bit coding because it is more efficient than 16 bit coding. But, since the numbers range from 0..255, you need to make an amplitude shift, e.g. subtract the value 128.

      Some examples:

      sample[i] = (b1 & 0xFF) - 0x80; // -128
      sample[i] = (b2 & 0xFF) - 0x80; // -1
      sample[i] = (b3 & 0xFF) - 0x80; // 0
      sample[i] = (b4 & 0xFF) - 0x80; // 127

      This converts samples in the range 0..255 to samples in the range -128 .. +127.

Copyright © 2001 - 2010 | Riscure | Sitemap