At times, stability mechanisms can be bypassed if you just do matters a little out of the ordinary. For instance, readout safety on microcontrollers is a offered these days, to the position exactly where it’s intentionally enabled and relied upon as a key technical evaluate to guard mental house. The gist is — when you connect to a microcontroller more than its debug interface and then question to read its flash memory, it will politely refuse. Having said that, [Racerxdl] shows us that in practice, it’s not flawless defense – for specific chips, you just have to have to be a little more rapidly than typical.
Typically, flashing and debugging software will chat with the microcontroller for a little bit, and probe parameters just before going for any direct requests. Nevertheless, if you skip the courtesy and bluntly get to the position right away appropriate soon after electric power is used to the microcontroller, you can intimidate them just ample to give you just one byte of its memory prior to it refuses to cooperate even more. Considering the fact that that can be any byte you desire, you can read the complete flash — a single byte at a time.
You have to have to power cycle the chip before you can development, so the components does contain a little bit much more than just an SWD interface, and it will consider a truthful bit a lot more time than reading out a non-shielded chip the usual way in addition, of program, the debugging interface needs to be lively for this in the initial spot, which is not usually the situation. On the other hand, it however beats paying a several thousand dollars for a manufacturing unit in China to decap your chip and study it out working with a extravagant device.
[Racerxdl] didn’t just write a evidence-of-notion for this assault – they applied it for just one of our favorite chips, the RP2040. As these types of, you no more time have to have an unobtainium STM32 to dump an unobtainium STM32.
To be distinct, [Racerxdl] did not style this assault — it’s been close to for some time now. Credit rating for that goes to Johanes Obermaier. All in all, this is a fantastic reminder that seemingly reputable security mechanisms can be foiled by the simplest methods. For occasion, if your chip erases the flash when you unlock its security, you can just inform it not to.