ccc talk - bypassing code protection on multiple MCU types
mikeselectricstuff:
https://media.ccc.de/v/camp2023-57401-unlock_the_door_to_my_secrets_but_don_t_forget_to_glitch#t=213
TL;DR -
Most MCUs have a way to erase a secured part so it can be reprogrammed.
The erase operation happens in multiple stages - erase memory, erase config bits, re-enable access.
Glitching during the first phase prevents the flash erase but not the later stages.
They only show on ST but suggest other mfrs' parts have similar vulnerabilities.
DavidAlfa:
Love those hacking videos!
I guess you first buy a few virgin MCUs and do the work on them, when it works consistently then try on the final device.
Still, how many devices will you break before being successful?
The device manufacturer might suspect if you suddenly want to buy 50 mainboard replacements for the machine :D
mikeselectricstuff:
--- Quote from: DavidAlfa on September 11, 2023, 02:39:31 pm ---
Love those hacking videos!
I guess you first buy a few virgin MCUs and do the work on them, when it works consistently then try on the final device.
Still, how many devices will you break before being successful?
The device manufacturer might suspect if you suddenly want to buy 50 mainboard replacements for the machine :D
--- End quote ---
In one of the questions at the end, he says that once the timings have been established it always works, though not clear if this would apply to different chips of the same type, but seems pretty likely.
DavidAlfa:
But there're also device revisions, which might be a nightmare to deal with.
You want to attack a device made in 2013, containing STM32F103 rev. A.
You might only get rev. X, Y, or Z now. Perhaps the revision can't be extracted from the marking, and it's a "Scratch and win" thing.
So a different revision might have a totally different timing, or increased security, whatever, that ensures this can't be done.
But for sure anyone with enough resources will end up getting the same chip rev. in their hands :).
Very enjoyable talk!
AMDFX8150:
Need this done for a few Ryobi 40v units