Cannot observe the AES round plot showed in The Simplest Experiment about screaming_channels HOT 13 CLOSED

Hi @itewqq,

Your hardware setup sounds good, but again it is not exactly the same as the one in the guide (that is a BLE Nano v2), so let's try to figure
out a good configuration to make it work.
I do not have a HackRF and a PCA10056 here with me right now, so sorry if I cannot try what I say before answering.

Regarding the hardware, your setup sounds good.
You can maybe try to get a bit closer at the beginning, or to use a cable connection.
Which antenna do you use?

I would try to play a bit with the settings at reception. We can take inspiration from the configuration of other experiments that were successful before.
Most configuration parameters are in the config.json files. Here is the one we used for the experiments at 10cm with a HackRF and a BLE Nano v2:

> cat ches20_traces/ches20/hackrf_10cm/template_tx_500/tiny_aes_anechoic_10m_080618.json 
{
    "firmware": {
        "mode": "tinyaes",
        "fixed_key": false,
        "modulate": true
    },
    "collection": {
        "target_freq": 2.528e9,
        "sampling_rate": 5e6,
        "num_points": 20000,
        "num_traces_per_point": 500,
        "bandpass_lower": 1.95e6,
        "bandpass_upper": 2.02e6,
        "lowpass_freq": 5e3,
        "drop_start": 50e-3,
        "trigger_rising": true,
        "trigger_offset": 100e-6,
        "signal_length": 300e-6,
        "template_name": "templates/tiny_anechoic_10m_080618.npy",
        "min_correlation": 0.00,
        "hackrf_gain_if": 35,
        "hackrf_gain_bb": 39
    }
}

Could you please try to set the sampling rate in CubicSDR/gqrx to 5MHz and to play with the gains starting from the values in the config?

Another trick could be to first look at 2.4GHz, where the signal is much stronger, to check that you can see a spike appearing when you press 'c' (and disappearing when you press 'e'). Start with a lower gain at 2.4GHz, as the signal is stronger.
(quantitatively, the value in dBm of the power in the firmware should be the one at 2.4GHz).

Then you can move to 2.464GHz and observe a smaller spike.
You might also want to try other multiples of the clock frequency, for example, on the BLE Nano v2 we often use 2.528GHz.

Please let me know if this helps!

from screaming_channels.

@giocamurati The sampling frequency is set to 5M, and I also tried 2.528Ghz, but still unable to reproduce your results. In my opinion, the signal-to-noise ratio here is too low, and I cannot tell the plot of aes encryption from the time domain diagram at all. Do you have external configurations such as electromagnetically isolated rooms? In addition, for the speed of AES encryption, is the sampling frequency insufficient to observe the AES waveform? I very much hope that you can explain in detail the configuration of each row in your picture, such as the hardware configuration scheme of the collection, and the parameter setting of the Cubic software, etc. Thank you very much!

from screaming_channels.

Hi，
I don't understand how to observe the AES waveform because the waveform changes very quickly. I believe it is quite hard to capture the specific waveform of AES process.

I would appreciate it if you could answer my question.
Thank you！

from screaming_channels.

@giocamurati In the frequency bands of 2.464Ghz and 2.528Ghz, I can indeed see spikes, but I cannot demodulate the visible AES waveform from these frequency bands, all of which are noise signals.

from screaming_channels.

I have solved the problem and can capture the traces now. However, I have to put the antenna very close to the RF module of the nRF52840 chip, and the waveform is much worse than yours. So I would like to ask you how to get a better waveform.
Thank you!

from screaming_channels.

Hi @itewqq, @Qtarox,

Good that you solved. Besides distance, may I ask you which was the problem?
From the previous messages I had the feeling that the problem was that you need to run the AES many times in order to see it with the naked eye, while if you run it only once, you can't spot it in the demod window.
Anyhow that's solved now.

Regarding the difference in quality, it might be:

1. I used a BLE Nano v2 with a nRF52832 (all the attacks in the papers are with the nRF52832, a part from Fig. 12 CCS18)
2. The configuration of the reception setup.

Let's work on 2 which is a good thing anyway. The .json files for my datasets is where I store the configurations I used during automated collection.

These are the HackRF RX settigns for the gain (https://pub.nethence.com/radio/hackrf)

RF "amp", 0 or 14 dB
IF "lna", 0 to 40 dB in 8 dB steps
BB "vga", 0 to 62 dB in 2 dB steps

From the json file in the previous message, I see that at 10cm with HackRF and BLE Nano V2 I used:
RF "amp", 0
IF "lna", 35dB
BB "vga", 39dB

Could you please try to tune your gain starting from this values?

Other things you could do to improve your quality could be:

1. Play with the position of the antenna
2. Add an external amplifier

Anyhow, from what I see in the picture, there should be enough signal to start automated collection of traces.
There you can fine grained tune the .json files until you get good traces.

I am also available for "live debug" if sharing a screen and talking might help tuning the setup.

from screaming_channels.

These are two examples of setup with the HackRF and the BLE Nano v2

from screaming_channels.

Thank you very much for your guidance.
I would like to know, does the hackrf antenna have to be a 2.4GHz wifi antenna?

from screaming_channels.

It has to be an antenna that works well around 2.464GHz.
I found that usually WiFi antennas or BLE antennas designed for the 2.4GHz band work well.

You might still be able to see the signal with another antenna for another band, but with a huge loss in comparison.

Which antenna do you use?

from screaming_channels.

Just a ordinary antenna:

from screaming_channels.

I think I have figured out the cause of my problems.
Thank you ver much again and sorry to bother you so many times.

from screaming_channels.

You are welcome, don't hesitate to ask whenever you need!

from screaming_channels.

I have solved the problem and can capture the traces now. However, I have to put the antenna very close to the RF module of the nRF52840 chip, and the waveform is much worse than yours. So I would like to ask you how to get a better waveform.
Thank you!

As you can now see the trace, I will close this specific issue.
But don't hesitate to reopen it for more questions on this part, or to open new issues for new questions.

Have a nice day!

from screaming_channels.