But there're also device revisions, which might be a nightmware to deal with.
You want to attack a device made in 2013, containing STM32F103 rev. A.
You might only get rev. X , Y, or Z now. Perhabs the revision can't be extracted from the marking, and it's a "Scratch and win" thing.
So a different revision might have a totally different timing, or increased security, whatever, that ensures this can't be done.
But for sure anyone with enough resources will end getting the same chip rev. in their hands
.
Very enjoyable talk!