Inspector Data Sheet. EM-FI Transient Probe. High speed pulsed EM fault injection probe for localized glitches. Riscure EM-FI Transient Probe 1/8

Similar documents
icwaves Inspector Data Sheet

Glitch Amplifier. Quick Start Guide. What is in the box What does it do How to build a setup Help and troubleshooting...

Current Probe. Inspector Data Sheet. Low-noise, high quality measurement signal for side channel acquisition on embedded devices.

Transceiver. Quick Start Guide. What is in the box What does it do How to build a setup Verification of the setup...

ElectroMagnetic Fault Injection Characterization

Current Probe. Quick Start Guide. What is in the box What does it do How to build a setup Help and troubleshooting...

MIL-STD-883E METHOD 3024 SIMULTANEOUS SWITCHING NOISE MEASUREMENTS FOR DIGITAL MICROELECTRONIC DEVICES

Effect of Aging on Power Integrity of Digital Integrated Circuits

IOLTS th IEEE International On-Line Testing Symposium

An Analysis of the Fields on the Horizontal Coupling Plane in ESD testing

Local and Direct EM Injection of Power into CMOS Integrated Circuits.

Memo. 1 Summary. 1.1 Introduction. 1.2 Experiments. 1.3 Conclusion

Digital Debug With Oscilloscopes Lab Experiment

Time-Memory Trade-Offs for Side-Channel Resistant Implementations of Block Ciphers. Praveen Vadnala

HAL , 508, 509, HAL Hall Effect Sensor Family

Laser attacks on integrated circuits: from CMOS to FD-SOI

Making sense of electrical signals

Physics 120 Lab 6 (2018) - Field Effect Transistors: Ohmic Region

Model 305 Synchronous Countdown System

A PC-BASED TIME INTERVAL COUNTER WITH 200 PS RESOLUTION

INDIAN INSTITUTE OF TECHNOLOGY BOMBAY

PCS-150 / PCI-200 High Speed Boxcar Modules

Electromagnetic-based Side Channel Attacks

Picosecond Laser Stimulation status, applications & challenges

LM1042 Fluid Level Detector

Electronic Circuits EE359A

Making sense of electrical signals

6. HARDWARE PROTOTYPE AND EXPERIMENTAL RESULTS

Quad, Rail-to-Rail, Fault-Protected, SPST Analog Switches

E"MATA&HARI& Electromagne4c&Analysis,&Deciphering&and& Reverse&Engineering&of&Integrated&Circuits&

GATE & DRAIN Probe heads specifications

Measurement and Analysis for Switchmode Power Design

LeCroy 9304A, 9304AM Digital Oscilloscopes 200 MHz Bandwidth, 100 MS/s. Main Features

Measuring Power Supply Switching Loss with an Oscilloscope

NONDESTRUCTIVE EVALUATION OF CLOSED CRACKS USING AN ULTRASONIC TRANSIT TIMING METHOD J. Takatsubo 1, H. Tsuda 1, B. Wang 1

AC/DC to Logic Interface Optocouplers Technical Data

Laser tests of Wide Band Gap power devices. Using Two photon absorption process

DS1040 Programmable One-Shot Pulse Generator

Effectively Using the EM 6992 Near Field Probe Kit to Troubleshoot EMI Issues

P a g e 1 ST985. TDR Cable Analyzer Instruction Manual. Analog Arts Inc.

DC/DC-Converters in Parallel Operation with Digital Load Distribution Control

Lab 1: Basic Lab Equipment and Measurements

improved stability (compared with

DesignCon Noise Injection for Design Analysis and Debugging

- Datasheet - Features: Version 1.1. Cryogenic Low Pass Filter Unit Type KA-Fil 2a

Guide to OPKUD and OPBOX Ultrasonic testing units Software Revision 3.0 / 2003

Advanced Test Equipment Rentals ATEC (2832)

from signals to sources asa-lab turnkey solution for ERP research

USB-UT350(T) Portable Ultrasonic Pulser/Receiver and Analog to Digital Converter. User s Guide

Number of Lessons:155 #14B (P) Electronics Technology with Digital and Microprocessor Laboratory Completion Time: 42 months

2520 Pulsed Laser Diode Test System

Model 310H Fast 800V Pulse Generator

GFT1504 4/8/10 channel Delay Generator

DCS laser for Thomson scattering diagnostic applications

University of North Carolina-Charlotte Department of Electrical and Computer Engineering ECGR 3157 Electrical Engineering Design II Fall 2013

Hello, and welcome to this presentation of the FlexTimer or FTM module for Kinetis K series MCUs. In this session, you ll learn about the FTM, its

EMC TEST REPORT For MPP SOLAR INC Inverter/ Charger Model Number : PIP 4048HS

TOP VIEW MAX9111 MAX9111

Using X-Y Displays APPLICATION BRIEF LAB WM312. May 29, Introduction. Summary

12/6/2011. Electromagnetic Induction. Electromagnetic Induction and Electromagnetic Waves. Checking Understanding. Magnetic Flux. Lenz s Law.

PE29102 Document Category: Product Specification

HAL , 508, 509, HAL , 523 Hall Effect Sensor Family MICRONAS. Edition Feb. 14, E DS

Basic Logic Circuits

Universal and compact laser stabilization electronics

Lamb Wave Ultrasonic Stylus

ELECTRONICS FOR PULSE PICKERS

DIGITAL INTEGRATED CIRCUITS A DESIGN PERSPECTIVE 2 N D E D I T I O N

Sensors and Sensing Motors, Encoders and Motor Control

Quad SPST JFET Analog Switch SW06

Powering Automotive Cockpit Electronics

Novità sulla IEC ; -10; -12

HAL , 508, 509, HAL , 523 Hall Effect Sensor Family

Picking the Optimal Oscilloscope for Serial Data Signal Integrity Validation and Debug

LM9072 Dual Tracking Low-Dropout System Regulator

LABORATORY 4. Palomar College ENGR210 Spring 2017 ASSIGNED: 3/21/17

Associate In Applied Science In Electronics Engineering Technology Expiration Date:

Fluke 5820A Oscilloscope Calibrator Specifications

Silicon Hall ICs. 6.6 Application Notes: Differential Hall IC TLE U

ModBox-PG-795nm-30ps 795 nm 30 ps Optical Pulse Generator

LABORATORY 3 v1 CIRCUIT ELEMENTS

DATASHEET SMT172. Features and Highlights. Application. Introduction

I DDQ Current Testing

Electron Spin Resonance v2.0

Suggested Drivers for Use with Vixar Products

Testing and Stabilizing Feedback Loops in Today s Power Supplies

Information & Instructions

Surge Generator for MIL-STD 1275

Super Low Noise Preamplifier

CS114 + CS115 + CS116

Overview of EMC Regulations and Testing. Prof. Tzong-Lin Wu Department of Electrical Engineering National Taiwan University

PV-PPV: Parameter Variability Aware, Automatically Extracted, Nonlinear Time-Shifted Oscillator Macromodels

CMOS Digital Integrated Circuits Lec 11 Sequential CMOS Logic Circuits

Multi-function Gain-Phase Analyzer (Frequency Response Analyzer) Model 2505

RC and RL Circuits Prelab

Supertex inc. MD1213DB1 MD TC6320 Demoboard High Speed ±100V 2A Pulser. Block Diagram TC6320 MD1213. Demoboard Features. General Description

Testing and Verification Waveforms of a Small DRSSTC. Part 1. Steven Ward. 6/24/2009

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Hands-On Introduction to EE Lab Skills Laboratory No. 2 BJT, Op Amps IAP 2008

Features. EXTERNAL PULLABLE CRYSTAL (external loop filter) FREQUENCY MULTIPLYING PLL 2

Mhow (MP) PIN c/o 56 APO RFI : PROCUREMENT OF FAST TRANSIENT RESPONSE ELECTROMAGNETIC PULSE (EMP) SIMULATOR

Application Note. Brushless DC Motor Control AN-1114

Transcription:

Inspector Data Sheet EM-FI Transient Probe High speed pulsed EM fault injection probe for localized glitches. Riscure EM-FI Transient Probe 1/8

Introduction With increasingly challenging chip packages and sophisticated light-sensitive sensors to prevent optical laser faults Riscure presents a new testing vector for fault injection scenarios. The EM-FI Transient Probe induces fast, high power, EM pulses on a user-defined location of the chip. EM-FI testing allows bypassing traditional countermeasures and provides the next step in high-end security tests. Key features Does not require de-packaging the chip. EM glitches are not detected by light sensors meshes. Flips value of logic cells on target device. Lower chance of permanent chip damage compared to laser glitching. Adjustable high power pulses. Description The EM-FI Transient probe offers a powerful addition to the fault injection setup. The easy setup and testing make it a relatively easy and time-saving way of performing localized faults on modern chips. The EM-FI transient probe offers a fast and predictable pulse that meets the demands of international testing laboratories and manufacturers. The set of probes, XY table and camera offer a complete and powerful setup that can be controlled and parameterized flexibly through the Inspector FI software. The software allows automation of testing scenarios and easy reporting for further analysis and refinements of the scenario. Like all other hardware components Riscure offers the EM-FI Transient Probe to be used in stand-alone or custom environments as well integrated with your own hardware and software. Different coils included to generate different EM fields over a chip. Optional camera for precise and careful probe positioning. Fast and short pulses configurable from software. Fast and predictable response to trigger. Fits Riscure EM Probe Station and Diode Laser Station for automated scanning. XYZ Positioning The probe is supplied with a holder which fits to the EM Probe Station or Diode Laser Station stand. Optionally the EM-FI can be supplied with either XYZ stage to position the probe through the Inspector software and perform automatic scanning. Existing customers can use the holder to upgrade their set-up without purchasing additional XY hardware. Riscure EM-FI Transient Probe 2/8

Integrated with Inspector or Stand-alone Inspector integration: The VC Glitcher controls the timing and power settings of the probe EM pulse, and performs triggering, synchronous power measurements for card communication. For embedded devices Inspector support a multitude of devices and protocols to generate an environment suitable for your testing setup. A current probe or power probe is recommended for power monitoring of the embedded device. The stage and camera connect to the Inspector FI software for navigation and automated surface scanning. The solution can further be extended with icwaves to trigger faults and to prevent a device from breaking down after an EM attack. Standalone: The EM-FI Transient Probe can be integrated with any fault injection test software and hardware. The stage and camera are optional in this case; they too come with an SDK. Application The EM-FI Transients probe is designed to test devices of the latest generations. Used on a daily basis in the Riscure Security Evaluation Lab, we make sure it meets the highest demands of both the industry and security analysts. This way we ensure the device to be effective in testing both smart card and embedded based products. We have proven that the effects of hardware and software countermeasures available in up-market devices can be challenged successfully. Fine control over all parameters used to execute a Fault Injection scenario in our software and programmability means ensuring a high degree of security in the product under test. User control The user controls the following parameters from the Inspector FI software: Flexible multi-glitch testing Automated testing with randomized or fixed parameters: offset, repetition count, timing Digital scaling of probe power Automatic scanning range EM-FI versus Diode Laser Station EM-FI is a different animal all together: the prerequisites to perform an attack, ie. preparing the chip and/or the packaging and faults induced. For EM-FI removing the packaging is not required to induce a fault. The EM pulse will be traveling through the non-metal material that is used to encapsulate the chip. This saves time and energy of the security analyst but it will also introduce some more uncertainty of how the actual glitch carried through. With the Diode Laser Station it is necessary to remove the packaging but it will provide more reliability and ease of navigation on the chip s surface. Removing the packaging for EM-FI is a good option for organizations that do white box testing or where repeatability is key. Riscure EM-FI Transient Probe 3/8

Laser effects The laser photons generate free electrons in the P- and N-channel of transistors. As a result the conductivity of any transistor inside the laser spot increases and transistors switch to ON state. Conductance of both transistors of a P- and N-channel pair causes short circuiting between VDD and GND which may damage the chip. The laser located above M2 and M1 changes the status of M1 or M2 or both, which depends on laser s wavelength and pulse strength. On a lower level, rather than short circuiting FET s as lasers the faults induced with EM-FI causes the flux to change in a particular part of a circuit changing the state of the FET s. This behavior has also proven to be less destructive for devices saving precious samples and work while performing a testing scenario. Figure 1 VDD M4 M3 GND M2 M1 EM-FI effects EM-FI may follow various principles: magnetic transient pulses or harmonic power injection. The EMFI Transient Probe generates magnetic pulses. The magnetic pulse induces a voltage glitch in any circuit loop under the coil. The voltage glitch may change a transistor status from OFF to ON or vice versa depending of the polarity of the voltage glitch and type of transistor. The voltage glitch will only switch one transistors of a P- and N-channel transistor pair to ON and therefore does not cause short circuit between VDD and GND. The effectivity depends on loop area A and time derivative of magnetic field B. The relation is shown below: VDD M4 M3 GND M2 M1 Figure 2 gives an example of a circuit lay-out. The coil located above M2 (coil not shown in the figure) induces voltage glitches separately in two loops: the loop outlined in red and the loop outlined in orange. Since the loop area in red is much bigger than that in orange, the one loop in red will get most effective glitch. Figure 2 Riscure EM-FI Transient Probe 4/8

Characteristics T1 T2 T3 Figure 3 shows EM-FI behavior under different conditions with a 1.5 mm positive polarity tip. In each picture, the first line is digital glitch on the digital glitch input; the second line is the voltage measured over current monitor from EM-FI transient probe with 90MHz low pass filter with the pulse amplitude set at 0.33 V corresponding to 10% power. The third line is the voltage over the measurement coil (model name EM 6995 1 cm loop H-field sensor by Electro-Metrics) with the pulse amplitude set at 0.03 V corresponding to minimal power. Figure 3 EM-FI transient probe behavior when glitch pulse width is 50 ns T4 The fixed delay between trigger signal and the EM glitch (see Note 5 and 6) is introduced by the electronic circuit. The trigger timing (T1) and trigger width can be set by users while pulse start T2 and T4 and pulse end T3 are fixed relative to trigger start T1. The strength of EM Glitch can be set by users by setting the voltage on Pulse amplitude-1 input. The technical specifications are shown in Figure 3. Figure 4 shows pulse pattern at maximum repetition frequency of 1 MHz. Without a Low Pass filter an oscillation on the waveform at approximately 300 MHz is observed. The oscillation is due to the oscillation between the ground of the EM-FI probe, see Figure 5. This is the measurement artifact. The oscillation is not present in the EM pulse. Figure 4 EM-FI transient probe behavior with maximal switching frequency, 2 pulses with width of 50 ns, the interval time between pulses is 1us The current pulse of the 4 mm tip is weaker and longer due to higher inductance of the larger tip coil (please refer to the Technical Specifications below). However, since the loop area of 4mm tip is 6 times bigger than 1.5 mm tip, the EM pulse will be stronger. For this reason 4mm tip is suggested when target s thickness exceeds 1.5 mm. Otherwise 1.5 mm tip is suggested. The polarity of tips determines the polarity of glitch voltage induces in the TOE. Figure 5 The output waveform of current monitor without low pass filter Riscure EM-FI Transient Probe 5/8

Technical Specifications Input/Output characteristics Input/Output Function Min Max Unit 24 V Power +24 V Pulse amplitude 1 Input 0 3.3 V Digital glitch 1 Input 0 3.3 V Output Current monitor 2 Output -40 A/V 1 CMOS to 1K Ohm 2 Measured with 50 Ohm oscilloscope input impedance Probe tips Diameter Polarity 1 1.5 mm Positive 2 1.5 mm Negative 3 4 mm Positive 4 4 mm Negative Riscure EM-FI Transient Probe 6/8

Characteristics Type Magnetic transient Maximum voltage over coil 450 V (+/-10%) Maximum internal current 1 64A EM pulse power control 5 100% Pulse width at digital glitch input for full power 50 ns Max switching frequency with constant power 2 1 MHz Operating temperature 0-70 C 1.5mm tip 4mm tip Propagation delay 1 3 50ns (+/-10%) 51ns (+/-10%) Propagation delay 2 4 40ns (+/-10%) 42ns (+/-10%) Max current through coil of probe tip 56 A (+/-10%) 48 A (+/-10%) Max voltage at current monitor 5 1.4 V (+/-10%) -1.2 V (+/-10%) Pulse width of the waveform at Current Monitor 6 17ns (+/-10%) 20ns (+/-10%) 1 Measured when probe tip is replaced by short circuit 2 Strength of 2nd pulse at least 90% 3 Propagation delay1 is defined as time difference from 10% of digital glitch to 10% of current monitor T2-T1 (see Figure 3) 4 Propagation delay2 is defined as time difference from 10% of digital glitch r to 10% of EM pulse T4-T1 (see Figure 3) 5 measured with 50 Ohm oscilloscope input impedance 6 Pulse width is defined as time difference from 10% of current monitor amplitude s change at rising edge to 90% at falling edge T3-T2 (see Figure 3) The idea of EM-fault injection is to flip data bits so that it can influence a process at a certain phase. To reach such effect, the strength of EM pulse(s) should exceed a threshold value and the timing of the EM pulse(s) should be selected by setting trigger signal at the appropriate process phase. Riscure EM-FI Transient Probe 7/8

Riscure BV Frontier Building Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 (0)15 251 4090 Fax: +31 (0)15 251 4099 E-mail: inforequest@riscure.com www.riscure.com EFTP 07.22.2013 Riscure provides these specifications for information only. No rights can be obtained from these specifications. Riscure EM-FI Transient Probe 8/8

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback