PICList Thread
'Measurement of a single CMOS gate switching or not'
1999\03\18@091129 by Marc

Hi.

Currently I'm evaluating an absurd project which probably turns out to
be completely lunatic. But nevertheless I like to hear your comments on
it..

The goal is to make a CMOS device reveal its internal structure by
power consumption.  It will be put into a state where I can apply a
single trigger to start a cascade of internal events (CMOS gates
switching).  The current consumed to carry this out is to be
measured very exactly.  The event lasts only a couple of 10ns.

Then, the same event with slightly different starting vector will
be triggered again - it will have very few or maybe even just
one single CMOS gate switch more/less. This difference is to be
detected by the measurement device.

I can carry out those measurements several times to average out measurement
errors. The measurement result does not need to be absolutely correct,
just the differential between the two must reveal the desired
"before-after" result (were both events identical, or have few gates
behaved differently).


Still I have no idea on how to design this measurement device, my
current thought is to charge a small cap to contain a known charge,
and then let the target draw current from it during the test. The
remaining charge in the cap can be measured to give a numeric
equivalent of the current used in the test.

Probably this turns out to be way too insensitive :(

Basically I wish I could count the electrons that enter the VCC
pin of the CMOS target.....


Any opinions?

1999\03\18@093006 by Michael Rigby-Jones

> Basically I wish I could count the electrons that enter the VCC
> pin of the CMOS target.....
>
> Any opinions?
>
If you want to know the number of electrons passing in a wire in a certain
time you want to know the total charge.  First principles states that charge
= current x time.  So you need to measure current and integrate it with
respect to time.  As for measuring currents with that sort of
resolution....you could use the classic voltage across a resistor technique
with a relatively high gain differential amp across the resistor.  There is
no way that you are going to be able to digitally integrate the voltage, the
sampling speed would have to be in the Gigahertz range.  You will probably
need a highly accurate analogue integrator.  The design of this type of
thing is in no way trivial, you will need highly accurate op-amps and
precision capacitors etc.  You can buy coulomb meters that do all this.

By the way, electrons come OUT of the Vcc pin, not go INTO it :o)

Mike Rigby-Jones
spam_OUTmrjonesTakeThisOuTspamnortelnetworks.com

1999\03\18@093804 by Andy Kunz

>Basically I wish I could count the electrons that enter the VCC
>pin of the CMOS target.....

Why don't you just dissolve the epoxy and use an SEM to look at the
individual gates?

Andy


  \-----------------/
   \     /---\     /
    \    |   |    /          Andy Kunz
     \   /---\   /           Montana Design
/---------+   +---------\     http://www.montanadesign.com
| /  |----|___|----|  \ |
\/___|      *      |___\/     Go fast, turn right,
                              and keep the wet side down!

1999\03\18@110117 by Wagner Lipnharski

> > Basically I wish I could count the electrons that enter the VCC
> > pin of the CMOS target.....
> >
> > Any opinions?

Try to research at IBM library, years ago they made a device
to count atoms and electrons jumps.  It was a specially sharp
test probe that could feel when a single electron jumps in or
out of the probe... It was used to "read" the atomic distribution
in any material and plot it in paper.  I already saw a picture.

What you want to do is not easy.  Even sampling the current,
it can have zillions of changes per second, so your result
accuracy will be as good as using a 3.5 digits fluke meter.

Remember that is not only at the VCC pin that you have electrons
going out, but at all the other chip pins too, whenever the
internal voltage is lower than the external.

Wagner

1999\03\18@125018 by mlsirton

Hi,

On 18 Mar 99 at 14:35, Marc wrote:
<snip>
> Basically I wish I could count the electrons that enter the VCC
> pin of the CMOS target.....
> Any opinions?

If you could convert every electron to a photon (light frequency) you
could use some sort of photo-multiplier like used in night-vision
equipment...  Just a silly thought.

You need to ask an experimental physicist, try your nearest
univ. physics department... This is the kind of thing they would
do... :-)  E-mail me if you want me to ask around...

I think the IBM reference someone mentioned was of a STM (Scanning
Tunnelling Microscope) which uses the Tunnelling effect of a tiny probe
to scan atomic structures... I don't think this would help in this
application... (Maybe they deal with ultra low currents too?)

Hope this helps,
Guy

1999\03\19@035706 by Holger Morgen

Hi -

This is close to becoming an [OT] - ting...

Marc, how about just using a >100 MHz digital storage osc.?

/holger



> On 18 Mar 99 at 14:35, Marc wrote:
> <snip>
> > Basically I wish I could count the electrons that enter the VCC
> > pin of the CMOS target.....
> > Any opinions?
>
>

1999\03\19@102337 by Marc

> Marc, how about just using a >100 Mhz digital storage osc.?

What bandwidth do you think I would need?

In AoE I found a precision auto-nulling amplifier, which could be used
to boost the voltage drop across a shunt. However I suspect that the
difference of 100 CMOS gates charging silicon traces on a chip against 105
doing so in the second measurement run won't be visible on a 256 dot
Y axis? It's a non-linear process, so auto-null can only account for
the leakage current of the chip under test.

I'd really prefer to integrate the consumption with a linear circuit
and precision-A/D it afterwards.  I have done mostly digital stuff
before so I'm a bit lost..

1999\03\19@151644 by John Payson

|I'd really prefer to integrate the consumption with a linear circuit
|and precision-A/D it afterwards.  I have done mostly digital stuff
|before so I'm a bit lost..

Seems simple enough.  I think all you really need to do is...



5.25V + -----R-----+-------- VDD
                  |
                  C
                  |
Return- -----------+-------- VSS

Depending upon what sort of events you're looking for, the "static"
power consumption of the device, and the frequency with which you
need to repeat your "trials" R could be anywhere from 1K to 1M, and
C probably anywhere from 100pF to 100,000pF.

Basically, any current drawn from the device is going to be taken from
the cap (the R, if sized appropriately, will refill the cap but not very
quickly).  The goal is to try to have VDD sag as much as possible when
the device switches without affecting device operation (i.e. probably
looking for a change of about 0.25V).

Note that this sort of thing is sometimes useful when trying to read out
code-protected chips or hack things like the Keyloq designs [does anyone
know if Microchip took care to ensure that the VDD current-signature of
an ahead-of-window valid packet matches that of an invalid packet?  If
not, the following procedure could be used to produce a valid code for
a lock, given a previously-used code for that lock:

[1] Set one or more Keyloq receivers to "learn" mode, and have them learn
   the captured waveform.

[2] Start feeding packets with 32 bits of random data in the encrypted
   part.  About 1 in 130,000 packets will register a "partial match".
   Make careful note of these.

[3] Since there are about 32,000 partial matches, there's a 50% likeli-
   hood that if 213 "partial match" codes are found two of them will
   work together to open the lock.  If 388 codes are found, the odds
   go up to 90%.  Simply try code-pairs until one works.

Note that the adversary still has to run a somewhat annoying number of
decrypt-attempts to spring the lock, but the above procedure was devised
using no "inside" information about the KeyLoq algorithm; if 100 keys
can be tested per second (perhaps using multiple KeyLoq chips), spring-
ing a lock will require about 80 hours.  A fair amount of time, but not
all that long.  Without the ability to detect partial matches, though,
it would be much longer.



1999\03\19@161043 by Marc

> Seems simple enough.  I think all you really need to do is...


Hm, say I use a small Ctest, and charge that to 5.00V.  The device
under test is run from a normal 5.00V supply. At the point of interest,
it is switched over to Ctest using mosfets. A few 10ns later, it is
switched back. The voltage of Ctest now tells me how much energy
has been used.

When I use low-leakage components, and a very small capacity for Ctest
(to achieve a significant voltage drop in such a short time), may that
be a good solution to the problem?

What about clock jitter, does an XTAL suffer from that? The test duration
would be very critical in such a setup.


              low-leakage p-ch
              logic mosfet

        +5V -----+  ^  +----------+--------------- VCC of device-under-test
                 |  |  |          |
                ---------   +-----+
                 +------    |     |
                 |          |    --- Ctest
                 |          |    --- low-leakage
0V = Supply  -----+          |     |
5V = Ctest                   |     +--------------- GND
                            |
                   measurement point



Is there any good reason why this will not work, or give only rough
figures?  Probably there is..


How many gates switch in a microcontroller for example, when it is
executing a NOP?   I roughly know how I would build one from scratch
using logic gates, but that doesn't necessarily match any real-world
part :-)


> Note that this sort of thing is sometimes useful when trying to read out
> code-protected chips or hack things like the Keyloq designs

I have read that pay-tv protection systems have been attacked by power
consumption measurements.  A hacker once told me that some version of
Skys chips was two-fold, one side was the CPU, and the other part of the
die was wasting the exact complement of energy - to always consume
exactly 11mA! I don't know how that was defeated, but I'm convinced it
was - probably cut off in a chip lab.

1999\03\22@144122 by John Payson

|I have read that pay-tv protection systems have been attacked by power
|consumption measurements.  A hacker once told me that some version of
|Skys chips was two-fold, one side was the CPU, and the other part of the
|die was wasting the exact complement of energy - to always consume
|exactly 11mA! I don't know how that was defeated, but I'm convinced it
|was - probably cut off in a chip lab.

From what I've been told, the power consumption of the Cray I was
remarkably uniform and independent of the code being executed (it
was also rather high--about 450KW if I remember right!  There's a
reason Cray Research isn't in the southern US).  The machine con-
sists almost entirely of balanced ECL logic to do everything: each
signal is sent using two wires outputting non-inverted and inverted
logic levels.  About 90% of the chips, if I remember right, are of
the same type: a dual 2-input gate [whether it's AND, NAND, OR, NOR,
etc. is determined by whether the input and output wires are swapped
going to other gates].

While I wouldn't suggest using ECL for everything, the approach of
using balanced signals is probably good from the standpoint of making
power-supply analysis difficult. [btw, a couple of other good techni-
ques are:

 [1] Use a device that adds random noise to the current consumption.
     The effects of this may be undone by statistical analysis, but
     not terribly easily.

 [2] Avoid doing anything easily traceable that you don't have to.
     For example, when trying to read out a code-protected chip,
     reading the memory internally but gating the output isn't as
     secure as disabling the read.
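
Added example, not part of the original thread: a small simulation of the capacitor-sag measurement discussed above, used the way a defender would assess leakage. It estimates how many repeated readings are needed before a 100-gate event and a 105-gate event become statistically distinguishable, and how added supply noise (technique [1] above) raises that count. The 50 fF per switching node, the 100 pF supply capacitor (taken from the low end of the range suggested earlier), the Gaussian noise model and the |t| > 4.5 threshold are assumptions.

```python
import math
import random
import statistics

E_CHARGE = 1.602e-19  # coulombs per electron

def sag_volts(gates, c_supply=100e-12, c_node=50e-15, vdd=5.0):
    """Supply-capacitor voltage drop when `gates` nodes charge to vdd from it.
    c_node (50 fF per switching node) is an assumed figure, not from the thread."""
    return gates * c_node * vdd / c_supply

def electrons(gates, c_node=50e-15, vdd=5.0):
    """Electrons moved by one event: Q = gates * C * V, divided by e."""
    return gates * c_node * vdd / E_CHARGE

def measure(gates, sigma, n, rng):
    """n repeated readings of the sag, each with Gaussian noise of std-dev sigma (V)."""
    return [sag_volts(gates) + rng.gauss(0.0, sigma) for _ in range(n)]

def welch_t(a, b):
    """Welch's t statistic between two sets of readings."""
    se = math.sqrt(statistics.variance(a) / len(a) + statistics.variance(b) / len(b))
    return (statistics.mean(a) - statistics.mean(b)) / se

def trials_needed(delta, sigma, t=4.5):
    """Readings per event before the expected |t| reaches the threshold:
    t = delta / (sigma * sqrt(2/n))  =>  n = 2 * (t * sigma / delta)^2."""
    return math.ceil(2 * (t * sigma / delta) ** 2)

if __name__ == "__main__":
    rng = random.Random(1999)          # fixed seed so the run is repeatable
    delta = sag_volts(105) - sag_volts(100)
    print(f"100 gates: {sag_volts(100):.4f} V sag, {electrons(100):.3g} electrons")
    print(f"5 extra gates add {delta * 1e3:.1f} mV")
    for sigma in (0.02, 0.04, 0.08):   # noise doubled twice
        n = trials_needed(delta, sigma)
        t = welch_t(measure(105, sigma, 4 * n, rng), measure(100, sigma, 4 * n, rng))
        print(f"sigma={sigma * 1e3:.0f} mV: need ~{n} readings/event; t at 4n = {t:.1f}")
```

Each doubling of the noise amplitude multiplies the required number of readings by four, which is why added noise slows statistical analysis without stopping it.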

1999\03\22@151114 by Wagner Lipnharski
> (it was also rather high--about 450KW if I remember right!

What is 450 Kelvin Watts?

1999\03\22@151512 by Andy Kunz

At 03:08 PM 3/22/99 -0500, you wrote:
>> (it was also rather high--about 450KW if I remember right!
>
>What is 450 Kelvin Watts?

Kilo watts!  450,000 W.

Andy

  \-----------------/
   \     /---\     /
    \    |   |    /          Andy Kunz
     \   /---\   /           Montana Design
/---------+   +---------\     http://www.montanadesign.com
| /  |----|___|----|  \ |
\/___|      *      |___\/     Go fast, turn right,
                              and keep the wet side down!

1999\03\22@152132 by Dave VanHorn

>At 03:08 PM 3/22/99 -0500, you wrote:
>>> (it was also rather high--about 450KW if I remember right!
>>
>>What is 450 Kelvin Watts?
>
>Kilo watts!  450,000 W.


Um, kilo Watts would be kW, as in kHz, kA, kPascals etc.
Same form as dB (deci-Bells)

1999\03\22@155403 by Wagner Lipnharski

Dave VanHorn wrote:
>
> >At 03:08 PM 3/22/99 -0500, you wrote:
> >>> (it was also rather high--about 450KW if I remember right!
> >>
> >>What is 450 Kelvin Watts?
> >
> >Kilo watts!  450,000 W.
>
> Um, kilo Watts would be kW, as in kHz, kA, kPascals etc.
> Same form as dB (deci-Bells)

We just discussed widely about uppercase K is the only
temperature measurement that doesn't need the "°" degree
symbol, since Kelvin is a physical unit, not a scale
step as °C or °F, so KW has the same wrong meaning as
"370Ma" would mean 370 Massachusetts? instead of 370 mA...,
or a recently battery cells Gerhard bought as 1.5V 700MA,
he could travel from Georgia to Salt Lake city in his
electric car using only those little AA cells, it would
be 1,050,000,000 Watts, 1.05 Billion Watts for americans,
or 0.00105 Billion Watts for the Brits..., so be careful
with those physical measurement units, or you can be sued
by customers who bought your wall wart power supply that
according to the label you made, it should supply 12Vdc
at 500MA (Mega Amperes), and they are trying to power a
small city with that...
Wagner
