
15. Hardware-Security Tie-ins

The instruments in this chapter are exactly the toolkit used in side-channel and fault-injection labs. A few specific patterns:

Power-trace acquisition. A low-value sense resistor (1 to 50 Ω) in series with the chip's VCC; a high-bandwidth differential probe across it; a fast scope (1 GHz+) capturing thousands of traces; segmented memory to save the relevant moments. This is the basic DPA setup, and every part of it lives somewhere in this chapter.

EM-emission analysis. A small near-field probe (loop or H-field) placed millimeters above the package; a low-noise pre-amp; the same scope capturing thousands of traces. EM analysis (EMA) often outperforms power analysis because the signal is local rather than averaged across the whole chip.

Bandwidth requirement. To extract sub-clock detail, you need bandwidth at least 5x the chip's clock. A 200 MHz microcontroller pushes you to 1 GHz scopes; an 800 MHz embedded ARM pushes you to 4 GHz scopes.

Glitch generation. An AWG generates a precisely shaped voltage glitch (e.g., a 50 ns dip from 1.2 V to 0.4 V). A trigger circuit fires the glitch synchronously to the target's clock. A scope captures both the glitch and the target's response.

Logic analyzer for protocol-level tamper detection. Capture every UART, SPI, and I2C transaction during boot and identify any unexpected access pattern. A Saleae Logic 8 or 16 ($400-700) does this well.

Firmware extraction. A logic analyzer on the SPI flash chip during boot captures every read; firmware is reconstructed from the captured bus traffic. No need to physically remove the chip.
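The two SPI-bus patterns above (tamper detection and bus-capture firmware reconstruction) share one decoding step, shown here as an added example that is not from the original text or any named product. It decodes CS-framed SPI NOR transactions using the opcodes common to most parts (READ 0x03, FAST_READ 0x0B, WREN 0x06, PAGE_PROGRAM 0x02, erase commands), rebuilds the address map of what the host read, and flags write-class commands or reads outside an assumed firmware region; the capture data and the 1 MiB region are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Opcodes shared by most SPI NOR flash parts (JEDEC-style command set).
READ, FAST_READ, PAGE_PROGRAM = 0x03, 0x0B, 0x02
WREN, SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE = 0x06, 0x20, 0xD8, 0xC7
DUMMY_BYTES = {READ: 0, FAST_READ: 1, PAGE_PROGRAM: 0, SECTOR_ERASE: 0, BLOCK_ERASE: 0}
WRITE_CLASS = {WREN, PAGE_PROGRAM, SECTOR_ERASE, BLOCK_ERASE, CHIP_ERASE}

def decode(mosi: bytes, miso: bytes) -> Tuple[int, Optional[int], bytes]:
    """Split one CS-framed transaction into (opcode, 24-bit address, payload).
    Reads return what the flash put on MISO; page-program returns MOSI data."""
    cmd = mosi[0]
    if cmd not in DUMMY_BYTES:            # no address phase (RDID, RDSR, WREN, ...)
        return cmd, None, b""
    addr = int.from_bytes(mosi[1:4], "big")
    start = 4 + DUMMY_BYTES[cmd]
    return cmd, addr, (mosi if cmd == PAGE_PROGRAM else miso)[start:]

def audit_boot(capture: List[Tuple[str, str]], fw_region=(0x000000, 0x100000)):
    """Rebuild the bytes the host read (the same map that yields a firmware
    image without desoldering the chip) and list anything a clean, read-only
    boot should never do: write-class commands or reads outside fw_region."""
    image: Dict[int, int] = {}
    findings: List[str] = []
    lo, hi = fw_region
    for mosi_hex, miso_hex in capture:
        cmd, addr, data = decode(bytes.fromhex(mosi_hex), bytes.fromhex(miso_hex))
        where = f" at 0x{addr:06X}" if addr is not None else ""
        if cmd in WRITE_CLASS:
            findings.append(f"write-class command 0x{cmd:02X}{where}")
        elif cmd in (READ, FAST_READ):
            if not lo <= addr < hi:
                findings.append(f"read outside firmware region{where} ({len(data)} bytes)")
            for i, b in enumerate(data):
                image[addr + i] = b
    return image, findings

# Constructed capture: (MOSI hex, MISO hex) per CS-low..CS-high frame, not real data.
CAPTURE = [
    ("9F000000", "00EF4018"),                                   # RDID, expected
    ("03000000" + "00" * 8, "00000000" + "DEADBEEFCAFEBABE"),   # READ 8 bytes @0x000000
    ("0B00010000" + "00" * 4, "0000000000" + "01020304"),       # FAST_READ 4 bytes @0x000100
    ("06", "00"),                                               # WREN during boot
    ("02200000" + "FF00", "00000000" + "0000"),                 # PAGE_PROGRAM @0x200000
    ("03FF0000" + "00" * 4, "00000000" + "AABBCCDD"),           # READ outside fw region
]

if __name__ == "__main__":
    img, found = audit_boot(CAPTURE)
    print(f"reconstructed {len(img)} bytes; {len(found)} findings")
    for f in found:
        print(" -", f)
```

A Saleae-style per-byte CSV export would be grouped into frames by the CS edges before being fed to audit_boot; the frame list here stands in for that step.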

JTAG debug attacks. Bus Pirate, J-Link, or a Raspberry Pi acting as a JTAG host probe the debug port. Often the first step in any black-box hardware reverse engineering.

Reference instruments in DPA labs. LeCroy WaveRunner / WaveMaster (deep memory, segmented memory, fast trigger), Tektronix MSO5/MSO6 (good triggering plus integrated logic), Keysight Infiniium (top-end bandwidth). A side-channel or DPA lab without one of these is uncommon.

Reference instruments in budget labs. Rigol DS1054Z + Saleae Logic 8 + ChipWhisperer-Lite + Fluke 87V is a $1500 starter kit that can attempt many introductory power-analysis attacks.