Microcontroller Exploits

Microcontroller Exploits

by Travis Goodspeed
Released September 2024
Publisher(s): No Starch Press
ISBN: 9781718503885

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

In this advanced guide to hardware hacking, you’ll learn how to read the software out of single chip computers, especially when they are configured not to allow the firmware to be extracted.

This book documents a very wide variety of microchip hacking techniques; it’s not a beginner’s first introduction.

You’ll start off by exploring detailed techniques for hacking real-world chips, such as how the STM32F0 allows for one word to be dumped after every reset. You’ll see how the STM32F1’s exception handling can slowly leak the firmware out over an hour, and how the Texas Instruments MSP430 firmware can be extracted by a camera flash.

For each exploit, you’ll learn how to reproduce the results, dumping a chip in your own lab.

In the second half of the book, you’ll find an encyclopedic survey of vulnerabilities, indexed and cross-referenced for use in practicing hardware security.

Publisher resources

View/Submit Errata

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. Contents
  6. Introduction
  7. 1 Basics of Memory Extraction
    1. JTAG
    2. ROM Bootloaders
    3. Flash Bootloaders
  8. 2 STM32F217 DFU Exit
    1. JTAG and Bootloaders
    2. The USB DFU Bootloader
    3. The Bug
    4. Exploitation
  9. 3 MD380 Null Pointer, DFU
    1. Reading a Null Pointer
    2. Patching Out Protections
    3. Cracking the Update Cryptography
  10. 4 LPC1343 Call Stack
    1. Getting Started
    2. UART Protocol in Brief
    3. Reverse Engineering the Bootloader
    4. Controlling the Program Counter
    5. Shellcode for Privilege Escalation
  11. 5 Ledger Nano S, 0xF00DBABE
    1. Rashid’s Attestation Exploit
    2. Roth’s Bootloader Exploit
    3. Roth’s Payload
  12. 6 NipPEr Is a buTt liCkeR
    1. The Bug
    2. NipperClauz Exploit
    3. NDS Headend Exploit
    4. A Modern Exploit in Go
  13. 7 RF430 Backdoors
    1. RF430FRL152, Commercial Variant
    2. NFC-V from Android
    3. Shellcode on the FRL152
    4. RF430TAL152, Medical Variant
      1. Sniffing the Readers
      2. Inside the TAL152 ROM
    5. Some Other Unlocking Techniques
  14. 8 Basics of JTAG and ICSP
    1. JTAG Adapters and Software
    2. Discovering the Pinout
    3. Total JTAG Locks
    4. Partial JTAG Locks
  15. 9 nRF51 Gadgets in ROM
    1. Learning All the Rules
    2. Bypassing the Rules
  16. 10 STM32F0 SWD Word Leak
    1. The Bug
    2. The Exploit
  17. 11 STM32F1 Interrupt Jigsaw
    1. The First Two Words
    2. The Rest of Memory
    3. Triggering Interrupts
    4. Counting the External Interrupts
    5. Performance
  18. 12 PIC18F452 ICSP and HID
    1. Meriac’s Boot Block Exploit
    2. Huffstutter’s ICSP SRAM Exploit
  19. 13 Basics of Glitching
    1. Clock Glitching
    2. Voltage Glitching
  20. 14 MC13224, the Simplest Fault Injection
  21. 15 LPC1114 Bootloader Glitch
    1. Hardware Modifications
    2. How Hard to Glitch?
    3. When to Glitch?
  22. 16 nRF52 APPROTECT Glitch
  23. 17 STM32 FPB Glitch
  24. 18 Chip Decapsulation
    1. Lab Supplies and Equipment
    2. HNO3 Bath Method
    3. H2SO4 Bath Method
    4. Aqua Regia for Gold
    5. RFNA Drip Method
    6. Rosin or Colophony
    7. Other Techniques
  25. 19 PIC Ultraviolet Unlock
  26. 20 MSP430 Paparazzi Attack
    1. Live Decapsulation with RFNA
    2. Fuse Check Sequence
  27. 21 CMOS VLSI Interlude
    1. Process Layers
    2. NMOS and PMOS Transistors
    3. Basic Blocks
    4. Large Structures
    5. Reverse Engineering
  28. 22 Mask ROM Photography
    1. Microscopy
    2. Delayering with Hydrofluoric Acid
    3. Dash Etching for Implant ROMs
    4. From Photographs to Bits
    5. From Bits to Bytes
  29. 23 Game Boy Via ROM
    1. Decapsulation
    2. Photography
    3. Bit Extraction
    4. Bit Decoding
  30. 24 Clipper Chip Diffusion ROM
  31. 25 Nintendo CIC and Clones
    1. Glitching the Console’s CIC
    2. Tengen’s Rabbit: A CIC Clone
    3. A Modern Rabbit Clone
    4. Cloning Nintendo’s CIC
    5. Sharp SM590 Backdoor
  32. A More Bootloader Vulns
    1. A.1 PN553 Signature Bypass
    2. A.2 Tegra X1, Fusée Gelée
    3. A.3 LPC55S69, K82 USB Overread
    4. A.4 CH552 Verify Command
    5. A.5 BCM61650/PRC6000 Headers
    6. A.6 PSoC4 Flash Doubler
    7. A.7 i.MX53 Overflow in Bootloader
    8. A.8 M16C Bootloader Timing Attack
    9. A.9 IC204 Bypass by Magic Number
    10. A.10 Zynq 7000 Bootloader Dumping
    11. A.11 Zynq 7000 NAND/ONFI
    12. A.12 Zynq 7000 BOOT.BIN Parsing
    13. A.13 TMP91 Password
  33. B More Debugger Attacks
    1. B.1 STM32 Clones
    2. B.2 GD32 GigaVulnerability
    3. B.3 Xilinx Bitstream Decryption Oracle
    4. B.4 CC2510, CC1110
  34. C More Privilege Escalation
    1. C.1 Game Boy Advance BIOS
      1. MidiKey2Freq Method
      2. Endrift Method
      3. Executing Missing Memory
    2. C.2 MSP432 IP Encapsulation
    3. C.3 BCM11123 U-Boot and TrustZone
    4. C.4 LPC55S69 Hardware and Software
    5. C.5 FM3 Flash Patching
  35. D More Invasive Attacks
    1. D.1 Atmega, AT90 Backside FIB
    2. D.2 GD32F130 QSPI Sniffing, Injection
    3. D.3 STM32 Ultraviolet Downgrade
    4. D.4 MT1335WE Kamikaze
    5. D.5 Xilinx XCKU040 Backside Laser Injection
  36. E More Fault Injections
    1. E.1 Java Card Invalid Bytecode
    2. E.2 L11, M2351, LPC55 CrowRBAR
    3. E.3 68HC705 and 6805
    4. E.4 Super Game Boy and GB Color
    5. E.5 STM32F2 Chip.Fail and Kraken
    6. E.6 STM8 Bootloader and SWIM
    7. E.7 STM32F1/F3 Shaping the Glitch
    8. E.8 MSP430F5172 Glitch Per Word
    9. E.9 CC2640 CC2652 eFuses
      1. Customer Configuration (CCFG)
      2. Factory Test Mode (FCFG)
    10. E.10 LC87 Unlooping over USB
    11. E.11 78K0 Glitching Checksums
    12. E.12 RX65 Bootloader Glitching
    13. E.13 GPLB52X Tamagotchi
    14. E.14 MC9S12 Reset Glitch
    15. E.15 Nvidia Tegra X2
    16. E.16 Zynq 7000 ROM Dump Glitch
    17. E.17 STM32 Body Biasing Injection
    18. E.18 PCF7941 Erasure
    19. E.19 EFM32WG without a Brownout
    20. E.20 MPC55 by EMFI
  37. F More Test Modes
    1. F.1 8051 External Memory
    2. F.2 TMS320C15, BSMT2000 !MP Pin
    3. F.3 6500/1 Ten Volts
    4. F.4 TMP90 External Memory
    5. F.5 Mostek 3870 (Fairchild F8)
    6. F.6 MC6801 Test Mode
    7. F.7 NEC uCOM4 Test Mode
    8. F.8 AMI S2000 and Iskra EMZ1001
    9. F.9 TMS1000 Test Mode
    10. F.10 Z8 Test ROM
  38. G More ROM Photography
    1. G.1 TMS320M10, C15, C25, C5x
    2. G.2 CH340 Unknown Architecture
    3. G.3 Intel 8271 New ISA
    4. G.4 Nintendo 64 CIC
  39. H Unsorted Attacks
    1. H.1 PIC16C84 PicBuster
    2. H.2 PIC Checksums
    3. H.3 ESP32 TOCTOU for XIP
    4. H.4 DS5002 Chosen Ciphertext
    5. H.5 SAMA5 CMAC, SPA, Keys
  40. I Other Chips
    1. I.1 PAL Truth Tables
    2. I.2 Mifare Classic Gate Recovery
  41. Thank you, kindly
  42. Bibliography
  43. Index
  44. Colophon
  45. Footnotes

Product information

  • Title: Microcontroller Exploits
  • Author(s): Travis Goodspeed
  • Release date: September 2024
  • Publisher(s): No Starch Press
  • ISBN: 9781718503885