How can I use phoenixAES to attack the AES white-box decryption function to obtain the key

The ciphertext is issued by the server and uses a different set of keys than the AES encryption. When I injected faults during the 8th round of decryption, the decrypted plaintext was correctly modified in 4 bits, but I couldn't make any deductions using phoenixAES, as it didn't return anything. What should I do?