# Shedding too much Light on a Microcontroller's Firmware Protection Johannes Obermaier, Stefan Tatschner, August 15, 2017 # Shedding too much Light on a Microcontroller's Firmware Protection Microcontrollers and Security The STM32 Security Concept #### Attacking the STM32 Security Concept **Cold-Boot Stepping** Security Downgrade Debug Interface Exploit Conclusion and Outlook #### **Firmware Protection against Product Piracy** - Microcontrollers in a lot of applications - Firmware properties - Contains intellectual property - Might be license-locked - Cryptographic keys are included #### **Firmware Protection against Product Piracy** - Microcontrollers in a lot of applications - Firmware properties - Contains intellectual property - Might be license-locked - Cryptographic keys are included - ⇒ Gaining access becomes more worthwhile - ⇒ All firmware contents need to be protected! #### **Firmware Protection against Product Piracy** - Microcontrollers in a lot of applications - Firmware properties - Contains intellectual property - Might be license-locked - Cryptographic keys are included - ⇒ Gaining access becomes more worthwhile - → All firmware contents need to be protected! - Due to insufficient protection, several systems have been broken in the past. - Researchers have shown that security concepts have flaws, hidden functions, or backdoors. #### The STM32 Series - STM32: Divided into several families (F0, L0, F1, F2, ...) - Different capabilities and performance - **STM32F0:** Entry-level / cost-efficient sub-series - Used in commercial products - ARM Cortex-M0 CPU core - Integrated SRAM, Flash, Peripherals, . . . - No JTAG, only SWD interface for debugging - Easily available evaluation boards (+integrated debugger) STM32F0 discovery evaluation board #### **Flash Readout Protection Levels** - Three levels of security available for Readout Protection (RDP) - Two bytes: nRDP and RDP - $nRDP \stackrel{!}{=} \sim RDP$ (nRDP is bitwise complement of RDP) #### **Flash Readout Protection Levels** - Three levels of security available for Readout Protection (RDP) - Two bytes: nRDP and RDP - nRDP $\stackrel{!}{=} \sim$ RDP (nRDP is bitwise complement of RDP) - **RDP Level 0**: "no protection" (Default) Full system access incl. flash read/write - RDP Level 1: "read protection" No access to flash memory - RDP Level 2: "no debug" SWD interface permanently disabled | nRDP | RDP | Protection | |-------------|-------------|-------------| | 0x55 | 0xAA | RDP Level 0 | | Any other o | RDP Level 1 | | | 0x33 | 0xCC | RDP Level 2 | #### **Readout Protection Level Configuration** #### **Flash Readout Protection Levels** - Three levels of security available for Readout Protection (RDP) - Two bytes: nRDP and RDP - nRDP $\stackrel{!}{=}$ ~RDP (nRDP is bitwise complement of RDP) - **RDP Level 0**: "no protection" (Default) Full system access incl. flash read/write - RDP Level 1: "read protection" No access to flash memory - RDP Level 2: "no debug" SWD interface permanently disabled | | _ | 100 | 100 | | | | |---------------|-----|------|-------|------|----------|----------| | $\Rightarrow$ | But | what | about | SRAM | I in RDP | Level 1? | | nRDP | RDP | Protection | |-------------|-------------|-------------| | 0x55 | 0xAA | RDP Level 0 | | Any other o | RDP Level 1 | | | 0x33 | 0xCC | RDP Level 2 | #### **Readout Protection Level Configuration** ## **Readout Protection Storage** | nRDP | RDP | Protection | |--------------|-------------|-------------| | 0x55 | 0xAA | RDP Level 0 | | Any other of | RDP Level 1 | | | 0x33 | 0xCC | RDP Level 2 | #### Option Bytes | Address | [31:24] | [23:16] | [15:8] | [7:0] | |-------------|---------|---------|--------|-------| | 0x1FFF F800 | nUSER | USER | nRDP | RDP | | 0x1FFF F804 | nDATA1 | DATA1 | nDATA0 | DATA0 | | 0x1FFF F808 | nWRP1 | WRP1 | nWRP0 | WRP0 | | 0x1FFF F80C | nWRP3 | WRP3 | nWRP2 | WRP2 | - RDP and nRDP: Stored in "Option Bytes" region - Non-volatile memory for system configuration #### **Readout Protection Storage** | nRDP | RDP | Protection | |-------------|-------------|-------------| | 0x55 | 0xAA | RDP Level 0 | | Any other o | RDP Level 1 | | | 0x33 | 0xCC | RDP Level 2 | - RDP and nRDP: Stored in "Option Bytes" region - Non-volatile memory for system configuration - Option Bytes: Part of the flash memory - Flash memory: Part of the system's memory map #### **Readout Protection Storage** | nRDP | RDP | Protection | |-------------|-------------|-------------| | 0x55 | 0xAA | RDP Level 0 | | Any other o | RDP Level 1 | | | 0x33 | 0xCC | RDP Level 2 | - RDP and nRDP: Stored in "Option Bytes" region - Non-volatile memory for system configuration - Option Bytes: Part of the flash memory - Flash memory: Part of the system's memory map - ⇒ Security impact of flash data manipulation? #### **Flash Protection Logic** - Complex system architecture - Core and SWD use the same bus for flash access #### STM32F0 system architecture Adapted from: STM32F051 Reference Manual (RM0091) #### **Flash Protection Logic** - Complex system architecture - Core and SWD use the same bus for flash access - RDP Level 1 raises special interest: SWD active, but no flash access - Very little information on flash locking mechanism - How does it work? - When is the protection triggered? - Who manages the protection? #### STM32F0 system architecture Adapted from: STM32F051 Reference Manual (RM0091) #### **Flash Protection Logic** - Complex system architecture - Core and SWD use the same bus for flash access - RDP Level 1 raises special interest: SWD active, but no flash access - Very little information on flash locking mechanism - How does it work? - When is the protection triggered? - Who manages the protection? - ⇒ Locking mechanism requires deep investigation and reverse engineering! #### STM32F0 system architecture Adapted from: STM32F051 Reference Manual (RM0091) Microcontrollers and Security The STM32 Security Concept Attacking the STM32 Security Concept Cold-Boot Stepping Security Downgrade Debug Interface Exploit Conclusion and Outlook #### Methodology - Theoretical analysis of each security concept component - Discovery of weaknesses, Proof-of-Concept for vulnerability - Discussion of countermeasures - ⇒ Goal: Extraction of flash memory contents ## Methodology - Theoretical analysis of each security concept component - Discovery of weaknesses. Proof-of-Concept for vulnerability - Discussion of countermeasures - **Goal:** Extraction of flash memory contents #### Three tasks for security testing - **Cold Boot Stepping**: Access permissions to non-flash memory / SRAM in RDP Level 1 - **Security Downgrade**: Feasibility and effects of flash data manipulation - **Debug Interface Exploit**: Detailed investigation of flash locking mechanism - RDP Level 1 often in use - On-field debugging - Possibility of failed-device analysis - OpenOCD support only for RDP Level 0+1 - Access permissions to non-flash memory / SRAM in RDP Level 1 - RDP Level 1 often in use - On-field debugging - Possibility of failed-device analysis - OpenOCD support only for RDP Level 0+1 - Access permissions to non-flash memory / SRAM in RDP Level 1 - Microcontroller halted upon connecting a debugger - Access to SRAM and peripherals allowed! - Potential weakness! - Common bootloader implementation: Application CRC validation during startup - Intermediate results in SRAM, Bytewise-CRC reversible ⇒ CRC source data extraction! - Common bootloader implementation: Application CRC validation during startup - Intermediate results in SRAM, Bytewise-CRC reversible ⇒ CRC source data extraction! - Each CRC iteration takes *T* microseconds - Start with n = 0 - 1. Reset System: Set a well-defined initial state - 2. Run System for $n \cdot T$ : Allow computation up to the desired intermediate CRC - 3. Dump Memory: Read the intermediate CRC from SRAM, compute firmware byte - 4. n = n + 1: Repeat for next firmware byte # Attacking the STM32 Security Concept Proof of Concept Similar to a real (successful) penetration test #### **Proof of Concept** - Similar to a real (successful) penetration test - Fully automized attack setup - Device under Attack: Bootloader computing a CRC32 - Attack control board: Precise Exec.-Time Control - Power Relay: Reset / Power cycle after each iteration #### **Proof of Concept** - Similar to a real (successful) penetration test - Fully automized attack setup - Device under Attack: Bootloader computing a CRC32 - Attack control board: Precise Exec.-Time Control - Power Relay: Reset / Power cycle after each iteration - On-Line CRC reversing, dynamic timing adjustment - Extraction of seven bytes per minute - ⇒ Firmware extraction feasible, but slow - ⇒ RDP Level 1 unable to protect firmware #### Countermeasures against Cold-Boot Stepping - Technical solution - Do not use RDP Level 1, use RDP Level 2 instead - Read the datasheet thoroughly (SRAM protection not claimed!) - Mitigation / Increasing attack effort - Insert random delay / timing iitter - Move computations into CPU registers (weak, attack can be adapted) - Increase Discoverability / Awareness, RDP Level 2 support - Created OpenOCD Patch "Added RDP Level 2 support" http://openocd.zvlin.com/4111 #### **Security Downgrade** - 16 bits to store RDP Level (3 possible configurations) - In theory, high redundancy possible #### **Security Downgrade** - 16 bits to store RDP Level (3 possible configurations) - In theory, high redundancy possible - But: Non-optimal security design - 1 setting each maps to RDP Level 0 and 2 - 65534 settings map to RDP Level 1 #### **Security Downgrade** - 16 bits to store RDP Level (3 possible configurations) - In theory, high redundancy possible - But: Non-optimal security design - 1 setting each maps to RDP Level 0 and 2 - 65534 settings map to RDP Level 1 - Hamming-Distance Level 2 to 1: One single bit! - Flipping any bit causes security downgrade! - Includes non-complementary bytes - Dangerous fallback! # Attacking the STM32 Security Concept Reverse-Engineering the Flash Memory Layout - UV-C light (254 nm wavelength) erases flash memory cells $(0\rightarrow 1)$ - Die access required → Acid decapsulation # Attacking the STM32 Security Concept Reverse-Engineering the Flash Memory Layout - UV-C light (254 nm wavelength) erases flash memory cells $(0\rightarrow 1)$ - Die access required → Acid decapsulation - Experiment: Full-Chip UV-C illumination - Successful downgrade from RDP Level 2 to 1 - Causes Firmware destruction → not useful # Attacking the STM32 Security Concept Reverse-Engineering the Flash Memory Layout - UV-C light (254 nm wavelength) erases flash memory cells $(0\rightarrow 1)$ - Die access required → Acid decapsulation - Experiment: Full-Chip UV-C illumination - Successful downgrade from RDP Level 2 to 1 - Causes Firmware destruction → not useful - Location of nRDP and RDP bytes unknown - Masking not possible, yet - Reverse-Engineering of Flash-Memory Layout ## Reverse-Engineering the Flash-Memory Layout + PoC - Bisection method: Repeatedly cover a part of the flash - Create simple mask (e.g., piece of plastic) - Apply UV-C light, analyze flipped bits #### Reverse-Engineering the Flash-Memory Layout + PoC - Bisection method: Repeatedly cover a part of the flash - Create simple mask (e.g., piece of plastic) - Apply UV-C light, analyze flipped bits - Firmware Flash Layout: 1024 bitlines, 512 wordlines - nRDP + RDP in lower region Bisection step, Blue dot = bitflip (Upper half covered) #### Reverse-Engineering the Flash-Memory Layout + PoC - Bisection method: Repeatedly cover a part of the flash - Create simple mask (e.g., piece of plastic) - Apply UV-C light, analyze flipped bits - Firmware Flash Layout: 1024 bitlines, 512 wordlines - nRDP + RDP in lower region - Cover flash except nRDP + RDP - Very few firmware errors down to no errors - ⇒ RDP Level 2 to 1 Security Downgrade possible! Weak RDP level design! Bisection step, Blue dot = bitflip (Upper half covered) #### **Countermeasures against Security Downgrade** - Root-cause not fixable by user - Non-optimal protection level design - RDP Level 2 still recommended, raises the bar for the attacker - Mitigation available - Check for RDP Level 2 during boot process - Stop firmware execution if not RDP Level 2, rewrite configuration - Prevents Cold-Boot Stepping after security downgrade - Negligible performance+memory overhead # **Debug Interface Exploit** - Goal: Analysis of the flash protection mechanism - SWD access to flash prevented in RDP Level 1 - ST-LINK debugger triggers protection instantly Integrated ST-Link on Eval Board Independent ST-LINK (clone) #### **Debug Interface Exploit** - Goal: Analysis of the flash protection mechanism - SWD access to flash prevented in RDP Level 1 - ST-LINK debugger triggers protection instantly - ⇒ Implement own SWD debugger - Less aggressive SWD interface initialization - Only a (bus) access triggers flash lockdown! - Digging deeper into the system... #### **Debug Interface Exploit** - Goal: Analysis of the flash protection mechanism - SWD access to flash prevented in RDP Level 1 - ST-LINK debugger triggers protection instantly - ⇒ Implement own SWD debugger - Less aggressive SWD interface initialization - Only a (bus) access triggers flash lockdown! - Digging deeper into the system. . . - Anomaly: If the **first** bus access targets flash memory, valid data is sometimes returned! - Flash Lock mechanism fails! #### **Searching for the Root-Cause** - Issue not visible to ST-LINK debugger - Very verbose SWD initialization - Reading of system config, breakpoints, etc. - Flash lockdown triggered early - Flash locking handled by flash module - Success ratio: Dependant on bus load - Instant bus arbitration required - Race condition! Access vs. flash lockdown - Lockdown signal arrives a few cycles too late #### **Using the Exploit** - Exploitable for firmware extraction - 1. Apply power cycle for reset - 2. Enable debug interface (minimum initialization) - 3. Set AHB Access Port to 32 bit width (optional) - 4. Trigger AHB Read from desired flash address - 5. Receive extracted data - 6. On success: Continue with address+4 ``` [...] SWD RESET [!] Triggered AHB Read at 0x00000100 [0K] Read from 0x00000100: 0x12345678 [0K] SWD RESET [!] Triggered AHB Read at 0x00000104 [0K] Read from 0x00000104: 0xFFFFFFFF [ERROR] SWD RESET [!] Triggered AHB Read at 0x00000104 [0K] Read from 0x00000104: 0x0800E125 [0K] SWD RESET [!] Triggered AHB Read at 0x00000108 [0K] Read from 0x00000108: 0x2000014A [0K] SWD RESET [!] Triggered AHB Read at 0x0000010C [0K] Read from 0x0000010C: 0x2000002A0 [0K] [...] ``` #### **Using the Exploit** - Exploitable for firmware extraction - 1. Apply power cycle for reset - 2. Enable debug interface (minimum initialization) - 3. Set AHB Access Port to 32 bit width (optional) - 4. Trigger AHB Read from desired flash address - 5. Receive extracted data - 6. On success: Continue with address+4 - Access may fail ⇒ Retry - Readout at 45 bytes per second - Practically feasible! ``` Triggered AHB Read at 0x00000100 [OK] from 0x00000100: 0x12345678 [OK] SWD RESET Triggered AHB Read at 0x00000104 [OK] from 0x00000104: 0xFFFFFFF [ERROR] RESET Retry Friggered AHB Read at 0x00000104 [OK] from 0x00000104: 0x0800E125 [OK] Triggered AHB Read at 0x00000108 [OK] from 0x00000108: 0x2000014A [OK] SWD RESET [!] Triggered AHB Read at 0x0000010C [OK] Read from 0x0000010C: 0x200002A0 [OK] 1...1 ``` #### **Proof of Concept** WOOT'17: Shedding too much Light on a Microcontroller's Firmware Protection # STM32F0 Debug Interface Exploit Demo Johannes Obermaier, Stefan Tatschner 2017 Fraunhofer Institute AISEC Video: firmware-extraction.mp4 (see availability slide) #### **Impact and Countermeasures** - RDP Level 1 security successfully leveraged! - Affects STM32F0 only (no success for other series) - Dangerous for system security - Combination of security downgrade + firmware extractor - Integrity of flash after downgrade not required anymore - Pulls down the requirements on an attacker - Recommendation: Never use RDP Level 1 $\rightarrow$ use Level 2 - Requires the attacker to open the device - Hope for a new hardware revision and fix #### **Conclusion and Outlook** - Discovery of three major security issues in the STM32F0 series - Demonstration of their practical relevance - Presentation of countermeasures and limitations - Further investigation necessary (other series, etc.) - Weaknesses perhaps already known to professional adversaries. . . # **Availability** Supplemental materials include scripts, sources, and ELF files for: - The device under attack (Sample data + CRC implementation) - The timing control board (Cold-Boot Stepping) - The Firmware Extractor (Debug Interface Exploit) - The PoC Video for Firmware Extraction (firmware-extraction.mp4) Available under the MIT license at https://science.obermaier-johannes.de/ #### **Contact Information** #### Johannes Obermaier Stefan Tatschner **Product Protection and Industrial Security** Fraunhofer-Institute for Applied and Integrated Security (AISEC) Address: Parkring 4 85748 Garching (near Munich) Germany Internet: http://www.aisec.fraunhofer.de Phone: +49 89 3229986-176 E-Mail: johannes.obermaier@aisec.fraunhofer.de stefan.tatschner@aisec.fraunhofer.de