Brute force

    monte, 4 days ago

    We live in a society

    In a perfect world, you would be able to get any technical data with a snap of your fingers: download firmware for your kettle, install a custom boot logo for your smart fridge, reflow an MCU with more RAM onto your Roomba and install a chatbot into your doorbell. Alas, the society we live in likes secrets. If you buy a Chinese car battery charger and, while trying to add remote data logging, break a pin off the main MCU as you solder a jumper wire to it, you lose the display functions of that charger. Though a replacement MCU is readily available for purchase, it won't help you, because you don't have the firmware for it.


    You can imagine my disappointment when I found myself in exactly that situation. Well, I can read the firmware off the broken MCU, can't I? I had a suitable programmer, and after soldering a programming header to the pads kindly provided by the manufacturer I pressed the "download firmware" button, but that didn't work. You see, keeping secrets is a lucrative business, and if you provide some "security" functionality in your product, people are more likely to choose it over the competition. Thus every MCU on the market nowadays has some kind of "read-out protection", or ROP for short. That's just a bit or byte flag somewhere in the settings section of the MCU's flash memory that, if set during programming, prevents any external reads of the memory. ROP can be turned off by setting that option byte back to 0, but doing so automatically erases the whole flash - not what we want at this point.
    If you think about it, the only thing more profitable than keeping secrets is uncovering them by breaking whatever sustains the secrecy. And so some clever people thought of a way to circumvent the ROP on an MCU. What if, they thought, we just (very) briefly turn the power off and on again, at the exact moment when the chip reads its settings to decide how to behave? If we do this fast and precisely enough, the processor won't reboot but will read a ``0`` where there should be a ``1``, and will let us download everything stored in its flash. I don't remember, and can't be bothered to search, which processor was the first to have this sort of attack documented and published, but after that many other models were successfully broken into, and it's not hard to find detailed write-ups about the exact model you are dealing with. And that's exactly what I did.

    Research

    I searched whether the STM8S005K6T6C can be glitched into submission. And the answer was YES. There are many different models of STM8, but the general consensus is that most of them can be dealt with (yet to be proven). At that time I had no experience or specific knowledge other than watching a few presentations on YouTube. But I was encouraged by the blog post I had found. The apparent simplicity of the described procedure inspired me to try to recreate the success with my own hardware.

    Development

    I designed a simple PCB that broke out the necessary connections to the MCU and contained MOSFETs for VCC and GND, plus a MOSFET to pull the VCAP pin to GND - that was the proposed way to glitch this MCU. To be able to change the VCC voltage if needed, I also added a step-down voltage converter module. I also needed something to produce the glitch itself. Most hackers who do this kind of thing go big and use an FPGA for it, but I had never used one and didn't want to deal with it for such a minor (yeah, sure) project. Other people had used anything from an Arduino to a 555 timer to a toggle switch, and were saying that you can do it with enough incentive. But the general suggestion was to use something that can switch GPIOs fast and keep the timings tight. I decided to use an RP2040 board for this, as I had heard it was capable of both.

    I ordered two new chips from AliExpress and a Waveshare RP2040-Zero, and etched a PCB. And then let it all lie in a box for one and a half years.

    Usually,...
