
Breaking a Password with Power Analysis Attacks


In his previous column, Colin showed how timing attacks could be used to break a password check. This article brings out a more advanced type of attack called a power analysis attack, which exploits small leaks about internal states of a microcontroller to recover the password.

By Colin O’Flynn

Article originally published in Circuit Cellar June 2017, Issue #323

Last month, I introduced a type of attack on embedded systems called a power analysis attack. I used it to attack a simple PIN code check, where the power analysis attack told us what steps the code was performing. This was possible because different instructions had unique signatures we could see in a detailed measurement of the power of the device as it was performing operations. I won’t replicate the hardware setup I discussed in the previous column, but again the example figures here will be measured on my open-source ChipWhisperer-Lite platform.

I’ll be returning to the PIN code check I have in Listing 1. This code uses an XOR of the input PIN code (could be a password or anything else) with the correct code. If the input and correct code are the same value, the result of all the XORs will be zero. If a single bit differs, the XOR will output a 1 for that bit. The accumulating OR circuit will then keep that bit set to “1” for the remainder of the comparisons.

#include <stdint.h>

int check_pin(uint8_t entered_pin[]){
    uint8_t correct_pin[4] = {1,2,3,4};

    /* Accumulates any differing bit; stays non-zero once a mismatch is seen */
    uint8_t pin_fail = 0;

    for (int i = 0; i < 4; i++){
        pin_fail |= correct_pin[i] ^ entered_pin[i];
    }

    if(pin_fail){
        return 0;
    } else {
        return 1;
    }
}
Listing 1
This password check code came from my previous column, as it was written to avoid timing attacks. We’re going to use a more advanced type of attack in this column to break the code.

BACKGROUND
Let’s begin with a little background. Consider a digital device like our microcontroller. Internally, it has a data bus, which moves data from one section (e.g., a register) to another section (e.g., the arithmetic logic unit, or ALU).

Is there some way an external observer could detect details of that data? It turns out there might be, and it might be a lot easier than you expect. That data bus contains a number of lines, which we can model as capacitors. Changing the logic state of those lines is the same as changing the voltage on those lines, as in Figure 1.


Figure 1
Changing the voltage on an internal data bus is equivalent to charging or discharging a capacitor, something that takes a tiny amount of energy.

Changing the voltage on a capacitor takes energy. It is a tiny amount of energy, but it still physically requires a little bit of power. When four data lines change from a 0 to a 1 state, it actually takes more power than when only one of the data lines changes state. And when it comes to a microcontroller, as we make a more complete picture, things get even easier for us. Most buses on microcontrollers use a precharge state, which you can consider a state partway between a 0 and a 1.

To transfer data on the bus, the bus goes from this intermediate state, to the final state, and then back to the intermediate state. What this means for us is the amount of power consumed may depend not on the difference between the bits set in successive data values, but in fact just on the number of bits set in the data. For example, if you transfer 0xFF on the data bus, you’ll see a slightly higher spike at that instant in time than if you transferred 0x00 on the data bus. This probably still seems a little abstract, so let’s keep working and see two different ways this can be used to break the XOR code of Listing 1.

DPA ATTACK
The first attack I’ll discuss will be the “classic” differential power analysis (DPA) attack, which was published by Paul Kocher, Joshua Jaffe, and Benjamin Jun in the paper entitled “Differential Power Analysis” around 1999. For this attack to work, assume we have a method of sending in a four-digit guess for the PIN code of Listing 1, and we can trigger such that we can record the power consumption around when the XOR is happening. We don’t need to guarantee we get the exact moment; just that we know roughly when the XOR test is happening. Practically, this can be pretty easy. You know at some point after sending the input data the XOR will happen, so you just need to record a section of power after sending the input data.

Next, assume we could send a bunch of wrong guesses. For each wrong guess, we record the guess and the power trace of the system processing this guess. Figure 2 shows a number of such power traces overlaid on each other. Notice that the traces are mostly uniform, but certain small areas seem to have minor differences.


Figure 2
An example power trace as the code in Listing 1 is executed on an XMEGA device.

Next, we’ll do the most important part, which is to take the power traces and move them into two groups. Our attack will work by looking at a single bit of the secret pin at a time. Let’s say we want to get the value of byte 0, bit 0. Taking our set of known inputs and associated power traces, we can split them into two groups—one where byte 0, bit 0 is “0” and one where that same bit is “1.” We’ll take the average of these two groups to end up with two traces. Finally, taking the difference between these “average” traces (a difference of means) tells us specifically where the amount of power varied for each operation.

What has all this fuss accomplished? First off, we’d expect to see a very small spike in power consumption at the point that byte 0 is manipulated. If bit 0 of byte 0 is “1,” it will take a tiny bit more power than when that bit is “0.” “But what about the other bits?” you might ask, as they are also being flipped. The rest of the bits are set to random values, so the average of them should be the same between the two groups. The only difference between those groups was the value of byte 0, bit 0. And it’s that bit we are concentrating on.

Then there will be a second spike, as the “correct” PIN code is a constant that will basically either flip (if the bit of the PIN code is “1”) or not flip (if the bit of the PIN code is “0”) that spike. This is shown in Figure 3, where the bit of the secret key is “1,” so we see two opposite polarity spikes. These are from real measurements performed on Listing 1 running on an Atmel XMEGA microcontroller measured with my ChipWhisperer-Lite. These tiny differences are clear as day—it might seem impossible from the text, but it works in real life!


Figure 3
This shows the power difference when attacking a single bit of a password byte. I’ve averaged two groups of traces and subtracted them to see the difference between the groups. See Listing 2 for the code that generated this plot.

And as in my other article, I encourage you to try this yourself. This is something you can measure with a regular oscilloscope and using a shunt resistor in the voltage line of a microcontroller, as discussed in my April 2017 column.

If you need a hint, the code in Listing 2 shows a simple Python listing that performs this splitting of an array of data into two groups, averages them, does the difference, and plots this for you. This will give the value of a single bit of the secret key.

from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI
from matplotlib.pylab import *
import numpy as np

cwapi = CWCoreAPI()
cwapi.openProject('xortest_1000.cwp')

tm = cwapi.project().traceManager()
number_traces = tm.numTraces()

zerolist = []
onelist = []

for tnum in range(0, number_traces):
    entered_pin = tm.getTextin(tnum)
    trace_data = tm.getTrace(tnum)

    #Get value of bit 1 in data we sent
    bit_value = entered_pin[0] & 0x02

    #Separate into group based on bit value
    if bit_value:
        onelist.append(trace_data)
    else:
        zerolist.append(trace_data)

#Take mean of both groups of traces
one_mean = np.mean(onelist, axis=0)
zero_mean = np.mean(zerolist, axis=0)

#Get difference
diff = one_mean - zero_mean

plot(diff)
show()
Listing 2
This Python code performs a single-bit DPA attack, by attempting to determine the value of bit 0 of the key. The resulting plot is given in Figure 3.

BREAKING A REAL SYSTEM
Moving from that single-bit break to a real system requires little more than taking the same power traces, and iterating through each bit and byte to recover the complete value. You’ll be able to get the entire PIN code (or password) out of the system, even though there appears to be no timing or similar errors.

As a test, we can do this for the case where we know the “secret key.” I’ve done this for Byte 0 in Figure 4, where you can see all the bits with a certain state have a positive power difference, and all the bits with the opposite state have a negative power difference. The red and blue coloring is only possible because I know the secret key. If I hadn’t known it, we would recover it based on the direction of the difference.


Figure 4
This shows differences for all 8 bits of a guessed password byte, where red power traces are bits where the value of the key bit is ‘0’, and blue power traces are bits where the value of the key bit is ‘1’. You can see all the bits of each value go in opposite directions.

A complete attack is shown in Listing 3. Note that I just consider a single point to determine if the bit is a “0” or a “1.” This point moves for each byte. Because this is an 8-bit microcontroller, the byte moves further in time every 8 bits that are processed. If I had a 32-bit microcontroller then it could have processed 4 bytes at once, for example. But looking at the difference traces (such as in Figure 3) helps you determine where exactly to look for a large difference, even if you don’t know much about the device you are attacking or how the code works. The only tricky part is getting a nice trigger. In many systems, this can be done by triggering on the communication line. For example, if you have a UART protocol to send the password, you can trigger when you see the last byte go over the UART.

from chipwhisperer.common.api.CWCoreAPI import CWCoreAPI
from matplotlib.pylab import *
import numpy as np

cwapi = CWCoreAPI()
cwapi.openProject('xortest_1000.cwp')

tm = cwapi.project().traceManager()
number_traces = tm.numTraces()

for byte in range(0, 4):
    recovered_byte = 0
    for bit in range(0, 8):
        zerolist = []
        onelist = []
        for tnum in range(0, number_traces):
            entered_pin = tm.getTextin(tnum)
            trace_data = tm.getTrace(tnum)

            #Get value of bit in input guess for this trace
            bit_value = entered_pin[byte] & (1<<bit)

            #Separate into group based on bit value
            if bit_value:
                onelist.append(trace_data)
            else:
                zerolist.append(trace_data)
        #Take mean of all traces where one, all traces where zero
        one_mean = np.mean(onelist, axis=0)
        zero_mean = np.mean(zerolist, axis=0)
        #Get difference
        diff = one_mean - zero_mean

        #Based on our graphical plotting, we identified point 129 in byte 0
        #and that point occurs 92 samples later in each successive byte
        if diff[129 + 92*byte] < 0:
            bit_guess = 0
        else:
            bit_guess = 1
            recovered_byte |= (1<<bit)
        print("byte %d, bit %d = %d" % (byte, bit, bit_guess))
    print("Guess for byte %d: 0x%02x" % (byte, recovered_byte))
Listing 3
This Python code for breaking the complete system iterates through the test done in Listing 2. (See text for details.)
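The following added example (not from the original column or the ChipWhisperer project) replays the difference-of-means attack of Listings 2 and 3 on synthetic traces, so the leakage model from the BACKGROUND section can be studied without capture hardware. The trace layout, noise level and sample offsets are constructed assumptions; the key bit is read from whether the two spikes have opposite polarity, as described for Figure 3, rather than from a fixed sample index.

```python
import random

SECRET_PIN = [1, 2, 3, 4]        # correct_pin from Listing 1
SAMPLES_PER_BYTE = 4             # constructed trace layout, not a real capture
LOAD_OFFSET, XOR_OFFSET = 1, 2   # assumed positions of the two leaks per byte


def hamming_weight(value):
    """Number of bits set in value (the leakage model from BACKGROUND)."""
    return bin(value).count("1")


def simulate_trace(entered_pin, rng, noise=1.0):
    """Synthetic power trace of check_pin() for one guess."""
    trace = [rng.gauss(0.0, noise)
             for _ in range(SAMPLES_PER_BYTE * len(SECRET_PIN))]
    for i, (correct, entered) in enumerate(zip(SECRET_PIN, entered_pin)):
        base = i * SAMPLES_PER_BYTE
        # First leak: the guessed byte moves over the data bus.
        trace[base + LOAD_OFFSET] += hamming_weight(entered)
        # Second leak: the XOR result correct_pin[i] ^ entered_pin[i].
        trace[base + XOR_OFFSET] += hamming_weight(correct ^ entered)
    return trace


def capture(num_traces, seed=1, noise=1.0):
    """Random wrong guesses and their simulated traces (constructed data)."""
    rng = random.Random(seed)
    guesses, traces = [], []
    for _ in range(num_traces):
        guess = [rng.randrange(256) for _ in SECRET_PIN]
        guesses.append(guess)
        traces.append(simulate_trace(guess, rng, noise))
    return guesses, traces


def difference_of_means(guesses, traces, byte, bit):
    """Split traces on one input bit, average each group, subtract."""
    length = len(traces[0])
    sums = {0: [0.0] * length, 1: [0.0] * length}
    counts = {0: 0, 1: 0}
    for guess, trace in zip(guesses, traces):
        group = (guess[byte] >> bit) & 1
        counts[group] += 1
        for s, value in enumerate(trace):
            sums[group][s] += value
    if counts[0] == 0 or counts[1] == 0:
        raise ValueError("need traces in both groups to form a difference")
    return [sums[1][s] / counts[1] - sums[0][s] / counts[0]
            for s in range(length)]


def recover_pin(guesses, traces):
    """Recover every byte using only the guesses and the traces."""
    recovered = []
    for byte in range(len(guesses[0])):
        base = byte * SAMPLES_PER_BYTE
        value = 0
        for bit in range(8):
            diff = difference_of_means(guesses, traces, byte, bit)
            # Opposite-polarity spikes mean the secret bit inverted the
            # input bit in the XOR, so the secret bit is 1.
            if diff[base + LOAD_OFFSET] * diff[base + XOR_OFFSET] < 0:
                value |= 1 << bit
        recovered.append(value)
    return recovered


if __name__ == "__main__":
    guesses, traces = capture(2000)
    print("recovered PIN:", recover_pin(guesses, traces))
```

Lowering the trace count or raising `noise` in `capture()` shows how many measurements the averaging needs before the two spikes stand out from the random contribution of the other bits.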

You can even get fancy by triggering on patterns in the analog waveform. Certain oscilloscopes provide this capability, and it’s possible with custom hardware such as I built for the ChipWhisperer-Pro (a higher-end version of the same capture hardware). But in most practical cases it’s enough to trigger on communication lines that are already present. The open-source ChipWhisperer software I’m using here also has capabilities to resynchronize traces with some “jitter” in them by looking for patterns that appear in both traces and lining them up.

Hopefully, this article has opened your eyes to how it’s possible to attack real systems using side-channel power analysis. This is just the tip of the iceberg for advanced hardware attacks that are possible, and I’ll be sharing more of these with you in the coming columns.

If you want more detailed examples, I’ll link them from a blog post for this article on oflynn.com, but they are all part of the open-source ChipWhisperer project. I’m creating some unique examples for my columns here, but the overall goals will be the same.

Read this article in the June #323 issue of Circuit Cellar


Keysight and Sequans Team for IoT Deployment Test Offering

Keysight Technologies has announced an agreement with Sequans Communications whereby Keysight will use Sequans’ Monarch LTE for IoT chip platform to provide support for NB-IoT and LTE-M customers using Keysight’s E7515A UXM wireless test set (shown). The integration assures customers that they have their test needs covered for IoT deployments and are in compliance with 3GPP standards. Keysight and Sequans are developing products and solutions that are tailored for the IoT ecosystem and the companies are now working closely together to accelerate the deployment of IoT technologies in the industry.


The combined solution addresses users’ deployment test needs and ensures compliance with 3GPP standards. Keysight’s UXM Wireless Test Set integrated with Sequans’ Monarch LTE for IoT platform supports testing needs of NarrowBand-Internet of Things (NB-IoT) and enhanced Machine-Type Communication (eMTC) Cat-M1 customers. Keysight is testing for 3GPP RF/RRM compliance for NB-IoT and Cat-M1 using the Sequans Monarch chip.

Keysight Technologies | www.keysight.com

Sequans Communications | www.sequans.com


IoT Gateway Sports Intel Atom E3800 SoC Processor

WIN Enterprises has announced the WIN IoT-380 Gateway, an entry-level embedded IoT device designed for device control and the streaming of data from sensors and components deployed on a manufacturing line. Communications are via wired or wireless links to back-end servers located at the network’s edge. The edge servers are used for more comprehensive analytics, data aggregation and filtering, and issuing M2M or human alerts and so on. These back-end servers, in turn, pass filtered data to a cloud-based server for additional analytics, reporting, and archiving. These four technology layers create an integrated IIoT system for more efficient manufacturing.


The WIN IoT-380 is a production line gateway that interfaces with sensors and actuators on the manufacturing line and an edge gateway that is used to further refine data and pass it on to a cloud-based server for storage and further analytics.

Features:

  • Intel Atom Processor E3800 SoC
  • 1 x HDMI, 1 x VGA
  • 1 x SATA III, 1 x Half-size mSATA
  • 2 x Intel i210AT Gigabit Ethernet
  • 4 x COM, USB 2.0, USB 3.0
  • 1 x Full-size mini-PCIe, 1 x Half-size mini-PCIe (mSATA)
  • DC 5V-32V input

The WIN IoT-380 gateway is configured with CPU, memory and connectivity to flexibly address a host of IoT needs. The processor is the Intel Atom E3826, an energy-efficient CPU which supports virtualization and Enhanced Intel SpeedStep Technology. These gateways are designed to operate in environments such as manufacturing facilities, oil rigs, remote power stations, and transportation systems where wide operating temperature ranges and tolerance for high levels of shock and vibration are required. The IoT-380 gateways are complete solutions designed to be easy-to-use and quick-to-deploy. A wide range DC power input (DC 5V-32V) and wall or VESA mounting allow for flexible installation.

WIN Enterprises | www.win-ent.com

USB Protocol Analyzer Sports Type-C Connection

Saelig has announced the availability of the Mercury T2C USB 2.0 and Power Delivery Protocol Analyzer that offers the newest USB Type-C connection. The Mercury T2C is a small and affordable hardware-based USB protocol analyzer. Saelig claims it is the industry’s first ultra-portable, hardware-based, USB and Power Delivery protocol analyzer. It combines the de-facto standard CATC Trace display, comprehensive USB class decoding, and PD 2.0 protocol analysis. The pocket-sized, bus-powered Mercury T2C sits in-line between host and device and provides transparent capture of all USB transactions.


With event triggering and real-time spool-to-disk capture the T2C has advanced capabilities that reduce time to market for USB systems and software. It graphically decodes logical protocol events to show the underlying transactions and packets. Decoding of upper level transactions allows users to see logical protocol events within the trace, eliminating the manual decoding of device-specific commands.

The Mercury T2C includes hardware-based event triggering, 256 Mbytes of memory, and spool-to-disk capture for extended recording. It includes cables to interface directly with USB 2.0 devices and the new Type-C devices. Available with USB 2.0 only, USB PD only, or both USB and PD analysis, the Mercury T2C features non-intrusive probing to preserve real-world signal and timing conditions.

Saelig | www.saelig.com

September Circuit Cellar: A Sneak Preview

The September (326) issue of Circuit Cellar magazine serves up a meaty selection of useful technology resources along with inspiring, interesting embedded electronics design articles.


Here’s a sneak preview of September Circuit Cellar:

FOCUS ON MICROCONTROLLERS

Getting Started with PSoC Microcontrollers (Part 3): Data Conversion, Capacitive Sensing and More
In Part 3, Nishant Mittal gets into some of the PSoC’s more complex features like Data Conversion.

Implementing a Time-Oriented Task Manager for 8-bit PIC Microcontrollers
Pedro Bertoleti shows readers how to build a time-oriented task manager using Microchip’s PIC 16F628A 8-bit microcontroller.

SPECIAL SECTION: EMBEDDED SECURITY

Microcontrollers Beef Up Security Features: Defense in a Connected World
Jeff Child explores the various flavors of embedded security features that microcontroller vendors are adding to their devices.

Resources for Embedded Security: Hardware, Software and Services
Circuit Cellar collects four pages worth of info about companies that provide embedded security products, tools and services.

TECHNOLOGY FEATURES

Using Power Audio Amplifiers in Untypical Ways (Part 1): Best Building Blocks
Petre Petrov shows readers how to use PAAs as universal building blocks to create analog signal generators, analog power supplies, voltage splitters and more.

Data Acquisition Advances Focus on Interfacing
Jeff Child discusses the latest data acquisition solutions, with a look at how interface technologies have evolved.

Future of IoT Communications: Will Upgraded Cellular Networks Benefit IoT?
This guest essay by Andrew Girson, CEO of Barr Group, explores how IoT will fare in the 5G network era.

MORE FROM OUR EXPERT COLUMNISTS:

Block Diagram Reduction and Automatic Tuning
George Novacek steps through how to think in terms of block diagrams to help you reduce system complexity early on in a design.

Numeric Precision vs. DDS Calculations
Using the full frequency resolution of a DDS chip outstrips the capabilities of floating point numbers. Ed Nisley looks at high-res frequency calibration and measurements in the DDS realm.

Deadbolt the Uninvited: Locked Out of My Home
In this Part 2 of Jeff Bachiochi’s electronic lock story, he gets into some of the power and remote-control issues of his electronic deadbolt lock project.

Diagnosing Performance Variations in HPC
Ayse K. Coskun delves into how application performance variations can cause inefficiency in high-performance computing (HPC) systems and how to diagnose these variations.

Microchip Launched Two New MCU Families

Microchip Technology has made available its new SAM D5x and SAM E5x microcontroller (MCU) families. These new 32-bit MCU families offer extensive connectivity interfaces, high performance and robust hardware-based security for a wide variety of applications. The SAM D5/E5 MCUs combine the performance of an ARM Cortex-M4 processor with a Floating Point Unit (FPU). This combination offloads the Central Processing Unit (CPU), increasing system efficiency and enabling process-intensive applications on a low-power platform.


Running at up to 120 MHz, the D5x and E5x MCUs feature up to 1 MB of dual-panel Flash with Error Correction Code (ECC), easily enabling live updates with no interruption to the running system. Additionally, these families are available with up to 256 KB of SRAM with ECC, vital to mission-critical applications such as medical devices or server systems.

These new MCUs have multiple interfaces that provide design flexibility for even the most demanding connectivity needs. Both families include a Quad Serial Peripheral Interface (QSPI) with an Execute in Place (XIP) feature. This allows the system to use high-performance serial Flash memories, which are both small and inexpensive compared to traditional pin parallel Flash, for external memory needs.

The SAM D5/E5 devices also feature a Secure Digital Host Controller (SDHC) for data logging, a Peripheral Touch Controller (PTC) for capacitive touch capabilities and best-in-class active power performance (65 microA/MHz) for applications requiring power efficiency. Additionally, the SAM E5 family includes two CAN-FD ports and a 10/100 Mbps Ethernet Media Access Controller (MAC) with IEEE 1588 support, making it well-suited for industrial automation, connected home and other Internet of Things (IoT) applications.

Both the SAM D5x and E5x families contain comprehensive cryptographic hardware and software support, enabling developers to incorporate security measures at a design’s inception. Hardware-based security features include a Public Key Cryptographic Controller (PUKCC) supporting Elliptic Curve Cryptography (ECC) and RSA schemes as well as an Advanced Encryption Standard (AES) cipher and Secure Hash Algorithms (SHA).

The SAM E54 Xplained Pro Evaluation Kit is available to kick-start development. The kit incorporates an on-board debugger, as well as additional peripherals, to further ease the design process. All SAM D5x/E5x MCUs are supported by the Atmel Studio 7 Integrated Development Environment (IDE) as well as Atmel START, a free online tool to configure peripherals and software that accelerates development. SAM D5x and SAM E5x devices are available today in a variety of pin counts and package options in volume production quantities. Devices in the SAM D5/E5 series are available starting at $2.43 each in 10,000 unit quantities. The SAM E54 Xplained Pro Evaluation Kit is available for $84.99 each.

Microchip | www.microchip.com


Cypress MCUs Selected for Toyota Camry Instrument Cluster

Cypress Semiconductor has announced that global automotive supplier DENSO has selected Cypress’ Traveo automotive microcontroller (MCU) family and FL-S Serial NOR Flash memory family to drive the advanced graphics in its instrument cluster for the 2017 Toyota Camry. The DENSO instrument cluster uses Traveo devices that Cypress says were the industry’s first 3D-capable ARM Cortex-R5 cluster MCUs.


The FL-S memory in the cluster is based on Cypress’ proprietary MirrorBit NOR Flash process technology, which enables high density serial NOR Flash memory by storing two bits per cell. The DENSO instrument cluster has 4.2- and 7.0-inch screens capable of audio, video and navigation in the center display of the 2017 Toyota Camry.

Cypress works with the world’s top automotive companies to support automotive systems including Advanced Driver Assistance Systems (ADAS), 3-D graphics displays, wireless connectivity, full-featured touchscreens and superior body electronics. Cypress’ automotive portfolio includes the Traveo MCU family, power-management ICs (PMICs), PSoC programmable system-on-chip solutions, CapSense capacitive-sensing solutions, TrueTouch touchscreens, NOR flash, F-RAM and SRAM memories, and USB, Wi-Fi and Bluetooth connectivity solutions. The portfolio is backed by Cypress’ commitment to zero defects, excellent service and adherence to the most stringent industry standards, such as the ISO/TS 16949 quality management system, the Automotive Electronics Council (AEC) guidelines for ICs and the Production Part Approval Process (PPAP).

Cypress Semiconductor | www.cypress.com

Digital Guitar Amplifier/Effects Processor

Part 2: Design and Construction

In the first part of this series, Brian introduced the Teensy 3.2 MCU module. Now he presents a digital guitar amplifier/effects unit that he built around two Teensy modules.

By Brian Millier

In the first part of this series, I introduced the PJRC Teensy family of Kinetis ARM-based modules. I emphasized how they are particularly well suited to audio applications due to the availability of a good audio library. In addition, they are supported by the Teensyduino add-in to the Arduino IDE. This month, I’ll describe the digital guitar amplifier/effects unit that I built around two Teensy modules.

The guitar amplifier/effects unit design is about 60% software and 40% hardware. The analog part of the audio signal chain is made up of a simple, one-transistor input buffer and a 20-W output amplifier (using an automotive audio power amplifier IC). A Teensy 3.2 MCU module and a Teensy Audio Adapter module handle all the audio signal processing…..

Read this article in the August 325 issue of Circuit Cellar


Smart Power Switches Meet Automotive Needs

Infineon Technologies offers power IC manufacturing technology: SMART7. Infineon designed it specifically for automotive applications such as Body Control Modules or Power Distribution Centers. SMART7 power ICs drive, diagnose and protect loads in applications like heating, power distribution, air-conditioning, exterior and interior lighting, seat and mirror adjustment. They also provide a cost-effective and robust replacement of electromechanical relays and fuses. SMART7 is based on thin-wafer technology that reduces power losses and chip sizes. Based on SMART7, Infineon has introduced the two high-side power switch families PROFET+2 and High Current PROFET. The SPOC+2 multichannel SPI high-side power controllers will follow within a year.


The PROFET+2 family was developed for automotive 12 V lighting load applications and capacitive loads. These comprise, e.g., halogen bulbs in external lighting control, interior lighting and dimming, as well as LED lighting. PROFET+2 devices provide state-of-the-art diagnostics and protection features. They maintain pin-out compatibility with their predecessor family PROFET+ for zero-cost migration. There is no ECU layout change needed if single-channel devices are replaced by dual-channel variants and vice versa. Compared to their predecessor family, the PROFET+2 devices are up to 40 percent smaller in package size and improve energy efficiency with 50 percent lower current consumption. Their mass production is planned to start as of Q4 2017 and later. All high-side switches will be qualified in accordance with AEC Q100.

Infineon Technologies | www.infineon.com

High Isolation DC/DC Converters Target Industrial Power

Murata has introduced a series of high isolation DC/DC converters developed by Murata Power Solutions. The MGJ6 wide, low-profile series converters feature a 14 mm creepage and clearance distance for use in reinforced-rated isolated-gate drive-power applications in higher efficiency 690 VAC industrial electrical distribution systems. They provide optimized voltages for best system performance and efficiency.


This high isolation DC-DC converter series is designed for powering high- and low-side gate-drive circuits for IGBTs and silicon and silicon carbide MOSFETs in bridge circuits used in motor control applications and industrial power installations. Rated at 6 W, the dual output converters provide a wide 2:1 input voltage range with nominal values of 5, 12 and 24 V, and with output voltages of 15/-10 V, 20/-5 V and 15/-5 V.

Suitable for power applications that require a DC link voltage up to 3 kVDC, asymmetric outputs provide an optimum drive level to maintain a high system efficiency with low EMI levels. With their frequency synchronization capability and very low coupling capacitance, typically 13 pF, EMC compliance is easier.

The converters’ compact design reduces board space and development time, whilst their characterized dV/dt immunity of 80 kV/microsecond gives users confidence in a long service life, and similarly the use of planar magnetics increases product reliability and repeatability of performance. Typical applications include motor drives/motion control, solar inverters, UPS, alternative energy (wind-power generators), high-power AC-DC conversion, traction, EV/HEV and welding.

The MGJ6 series converters offer an operating temperature range of -40 to 105 °C, with derating above 90 °C. Standard features of the patent protected converters include enable pin, short-circuit and overload protection, and a frequency synchronization pin that simplifies EMC filter design.

The series is pending IEC 61800-5-1 approval based on a high working voltage of 690 Vrms maximum between primary and secondary, and similarly is also pending UL approval to UL 60950 for reinforced insulation to a working voltage of 690 Vrms.

Murata Power Solutions | www.murata-ps.com

Kickstarter Enables Building LoRa IoT Gear in 3 Steps

Electronic Cats has launched a Kickstarter campaign called LoRaCatKitty to enable the building of Internet of Things (IoT) applications with LoRa in just three steps. LoRaCatKitty is designed to simplify the development of IoT applications using LoRa technology. It has based its development on the ESP8266 WiFi module and the LoRa RN2903 or RN2483 Microchip module.

The mobile application for LoRaCatKitty allows you to generate and compile the firmware in the cloud and use your smartphone to transfer the firmware to the board. All the necessary hardware libraries are accessible through the app so you can select, download and transfer them to your LoRa device directly. The solution uses Grove connectors that allow easy and quick use of sensors, actuators or external elements without the need for soldering. Users can just connect the blocks and build their project. LoRaCatKitty supports a long list of sensor modules with Grove connectors.

The LoRaCatKitty app for Android is used to wirelessly program the device and will allow beginners to develop an infinite number of applications in an easy and intuitive way. LoRaCatKitty is completely compatible with LoRaWAN platforms like The Things Network, Beelan and others, allowing you to access RESTful API resources which can be used to develop IoT apps easily with the sensors and actuators visualized.

Technical specs of the hardware:

  •     Class A LoRaWAN; Class C LoRaWAN support coming soon
  •     Wi-Fi: 802.11b/g/n
  •     Wi-Fi encryption: WEP/TKIP/AES
  •     Module ESP8266-12E Certified FCC
  •     Module RN2903 Certified FCC
  •     Power supply: battery port: 3.4 V to 4.2 V
  •     Micro USB: 5 V
  •     Output current: 1000 mA MAX
  •     Operating voltage: 3.3 V
  •     Charging current: 500 mA MAX
  •     Flash memory: 4 MB
  •     Size: 50 mm x 50 mm
  •     Weight: 26 g

Don’t Miss Our Newsletter: Microcontroller Watch

In tomorrow’s Microcontroller Watch we’ll feature key updates on the latest microcontroller technology: the latest MCU design wins, new MCU product announcements, MCU industry events, and more.

Plus: we’ve added Drawings for Free Stuff to our weekly newsletters. Make sure you’ve subscribed to the newsletter so you can participate.

Already a Circuit Cellar Newsletter subscriber? Great!
You’ll get your “Microcontroller Watch” themed newsletter issue tomorrow.

Not a Circuit Cellar Newsletter subscriber?
Don’t be left out! Sign up now:

Remember, our new enhanced weekly CC Newsletter will switch its theme each week, so look for these in upcoming weeks:

IoT Technology Focus. The Internet-of-Things (IoT) phenomenon is rich with opportunity. This newsletter tackles news and trends about the products and technologies needed to build IoT implementations and devices.

Embedded Boards. This content looks at embedded board-level computers. The focus here is on modules—Arduino, Raspberry Pi, COM Express, and other small-form-factor —that ease prototyping efforts and let you smoothly scale up production volumes.

Analog & Power. This newsletter content zeros in on the latest developments in analog and power technologies including DC-DC converters, AC-DC converters, power supplies, op-amps, batteries, and more.

…and…

August has a 5th Tuesday. So look for a bonus Newsletter this month!

Find and Eliminate Ground Loops

Everything had been fine with my home entertainment center—comprising a TV, surround-sound amplifier, an AM/FM tuner, a ROKU, and a CD/DVD/Blu-ray player—until I connected my desktop PC, which stores many of my music and video files on one of its hard drives. With the PC connected, the speakers put out a low-level, annoying, 60-Hz hum—a clear indication of a ground loop. All my audio and video (AV) devices are fairly new, quality, brand-name products equipped with two-prong power cords, so even though the PC has a three-prong plug, there should not be multiple signal returns causing the ground loop. This article describes an approach to eliminating ground loops in analog AV systems.

GROUND LOOPS

By definition, ground loops bring about unwanted currents flowing through two or more signal return paths. Thus induction coils are formed, usually of one turn only. These loops pick up interference signals from the environment. Because every conductor has a finite impedance, a voltage potential—Vi = Ig(R1 + R2)—develops between the two connected signal return points. This voltage is the source of the interference: a hum, hiss noise that high-frequency signals pick up (e.g., a local AM station), and so forth. A simplified example is illustrated in Figure 1.

FIGURE 1: Cause of the ground loop interference.

An audio signal source VS in Figure 1—an audio card inside the PC, for example—is connected to an amplifier via a shielded cable. The shield is grounded at both ends to the chassis of both devices. Three-prong power plugs connect the chassis of both AV components to the house power distribution ground wire. Let’s consider the amplifier ground to be the reference point. (It doesn’t matter which point in the loop we pick.) The loop, comprising the cable shield and the power distribution ground wire, picks up all kinds of signals causing loop current Ig to flow and as a result interference voltage Vi to be generated.

Vi is added to the signal from the audio card. The Ig current induced into the loop comes from many potential sources. It can be induced in the ground wire by the current flowing in the 120-VAC hot and its return neutral wires, acting like a transformer. There can be leakages, induction by magnetic fields, capacitive coupling, or an electromagnetic interference (EMI) induction into the loop. Once Vi is added to the signal it is generally impossible to filter it out.

Much electrical equipment requires the third power prong for safety. This is connected to the chassis and, at the electrical distribution panel, to the neutral (white wire) and the local ground—usually a metal stake buried in the earth. The earth ground is there to dissipate lightning strikes but has no effect on the ground loops we are discussing.

The ground wire’s primary purpose is safety plus transient and lightning diversion to ground. Under normal circumstances no current should flow through this wire. Should an internal fault in an appliance connect either the neutral (white) or the hot (black or red) wire to the chassis, the green wire shunts the chassis to the ground. Ground fault interrupters (GFI) compare the current through the hot wire to the return through the neutral. If the two are not identical, the GFI disconnects.

Manufacturers of audio equipment know that grounding sensitive equipment at different places along the ground wire results in multiple returns causing ground loops. These allow interference noise to enter the system. From the perspective of electrical safety, the small currents induced in the ground loop can be ignored. Unfortunately, they are large enough to play havoc with sensitive electronics. The simplest solution to the dilemma is to avoid creating ground loops by not grounding the AV equipment. This is why two-prong plugs have been used on such equipment. To satisfy the safety requirements, the equipment is designed with double insulation, meaning that even in case of an internal fault, a person cannot come into contact with a live metallic part by touching anywhere on the surface of the equipment.

My PC, like most desktops, has a three-prong plug. Figure 2 shows the arrangement. The PC is grounded through its power cord. Unfortunately, the cable TV (CATV) introduces a second ground connection through its coax connector. I measured the resistance between the coax shield as it entered the house and the house power distribution ground wire. The resistance was 340 mΩ, indicating a hard connection between the coax shield and the house ground, the cause of the ground loop. I was unable to establish where that connection was made, but it wasn’t through the earth.

FIGURE 2: Ground loop in my entertainment system

There can be multiple ground loops around a computer system if you have hard-wired peripherals with three-prong plugs, such as some printers, scanners and so forth. Digital circuits are much less sensitive to ground loops than the analog ones, but it is a good idea to minimize potential loops by connecting all your peripherals, other than wireless, into a single power bar.

Ground loops may also be created when long shielded cables are used to interface the PC and the home theatre box. Two shielded cables needed for stereo represent two signal returns creating a ground loop of their own. And then there are video cables. Another loop. Fortunately, connectors on the back of the PC and AV equipment are very close to each other, which means a minimal potential difference between them at low frequencies. Stereo cables keep the loop small. To minimize all the loops’ areas for interference pick-up, I have bundled the interface cables very close to each other with plastic wire ties. In severe situations re-routing the cables or the use of a metal conduit or wireless interfaces may be needed to kill the interference.

FIXES

When I disconnected the CATV cable from the TV, the hum went away. Temporarily replacing the PC with a laptop, which is not grounded, also fixed the problem. So how else can we fix those offending multiple returns?

The obvious answer is to break the loop. I strongly suggest you don’t disconnect the PC from the ground by using a two-prong plug adapter or just cutting the ground prong off. It will render your system unsafe. What you need is a ground isolator. Jensen Transformers, for example, sells isolators such as VRD-IFF or PC-2XR to break the ground connection, but you can build one for a small fraction of the purchase price. Figure 3 and Figure 4 show you how.

FIGURE 3: Ground isolator for CATV coax

To break the ground loop caused by the CATV, you can make the little gizmo shown in Figure 3. J1 and J2 are widely available cable TV female connectors. The C1 and C2 capacitors placed between them should be about 0.01 µF each. The assembly does not require a printed circuit board. You might place it in a tiny box or just solder everything together, wrap it with electrical tape, and put it somewhere out of the way. Remember that the capacitors’ working voltage must be at least double the power distribution voltage. That is 250 V in North America and more than 500 V elsewhere in the world.

FIGURE 4: Ground isolator for three-prong powered appliances

Figure 4 shows how to break ground for appliances, such as a PC, with three-prong plugs. You can build this circuit into a computer or another appliance, but I find it better to build it as an independent break-out box. The diodes provide an open loop for signals up to about 1.3 VPP. A hum is usually of a substantially lower amplitude. C1, 0.01 µF, provides a bypass for high-frequency EMI to ground. The loop would be closed for voltages higher than 1.3 VPP, such as those due to an isolation fault of the hot wire to the chassis. For 120 VAC distribution, D1, D2, and C1 should be rated for 250 V at a minimum. In a circuit branch with a 15-A breaker or fuse, the diodes need to be rated for a minimum of 20 A so that the breaker opens up before the diodes blow. If the appliance takes only a fraction of the rated fuse current, say 2 A, you could use 5-A diodes and include an optional fuse rated for 2 A. For countries with 230-VAC power, the components must be rated accordingly.

You can also break the ground loop by using a power isolation transformer between the power line and the PC, or quality signal transformers on the signal lines. The downside of this is that good isolation and signal transformers are costly and not widely available. Equipment powered from wall warts—and especially those with optically coupled inputs and outputs, common today—is inherently ground loop impervious.

TRIAL & ERROR

This article describes an approach to eliminating ground loops in analog AV systems. While you need to understand how ground loops occur, finding them and eliminating their effects may turn out to be a matter of frustrating trial and error.

George Novacek is a professional engineer with a degree in Cybernetics and Closed-Loop Control. Now retired, he was most recently president of a multinational manufacturer for embedded control systems for aerospace applications. George wrote 26 feature articles for Circuit Cellar between 1999 and 2004. Contact him at gnovacek@nexicom.net with “Circuit Cellar” in the subject line.

This article appears in Circuit Cellar 301 August 2015.