Procedures for reading the protected area of ​​the microcomputer using "processor exception handling" are available, and source code is also available


Procedures for reading the protected area of ​​the microcomputer using "processor exception handling" are available, and source code is also available

Important data of microcomputers is usually protected by a “read protection function” that restricts data reading, but ways to avoid this function are being researched and developed daily by security researchers and others. Embedded engineers Marc Schink and Johannes Obermaier are one of the microcomputersSTM32F1A blog post on how to bypass the protection features of the series.

Exception (al) Failure-Breaking the STM32F1 Read-Out Protection |

In the STM32F1 series, an attacker can use the debug function if physical access is possible. Also, when an exception occurs in the program, the processorVector tableThe exception handling address shown above is alsoProgram counter (PC)The read protection function of the STM32F1 series isDCodeOnly for buses,ICodeDoes not block memory access from the bus. By using the processing of the ICode bus, read-protected information can be read.

It seems that the method of "adding an exception to the vector table" is a method that exploits a general vulnerability, but this method can not be used because there is no space in the vector table in the STM32F1 series.

An alternative to the "add exception to vector table" method is to "use vector table offset". Since the attacker can enter the debug state, the vector table can be replaced by using the "vector table offset registration function (VTOR)" provided in the STM32F1 series CPU "ARMv7-M".

For special exceptions and reserved data shown in red in the figure in the vector table, data cannot be extracted even by replacement with VTOR, but this limitation is set to "Exception replacement with an exception number larger than the size of the vector table. "It can be avoided by doing. In this case, the table size is 32, so if you replace exceptions with exception numbers of 32 or more, you can extract data for all exceptions in the vector table.

Explains how to raise an exception. First of allOpenOCDIt is necessary to disable the interrupt mask that suppresses the occurrence of the exception by using the above command.

cortex_m maskisr off

To generate one of the exceptions, “BusFault” exception and extract data, execute the unallocated memory space “0xf0000000” in STM32F1 series. Then, a BusFault occurs, and the exception processing address is saved on the PC.

mwh 0x20000000 0x0868
reg r1 0xf0000000
reg pc 0x20000000

The "MemManage" exception that occurs when trying to execute an execution-prohibited memory area can be raised by executing the following command.

reg pc 0xe0000000

According to a test that used this vulnerability to attack the STM32F1 series, it was found that approximately 90% of data in flash memory could be extracted. Marc and Johannes have concluded that "the read protection feature of the STM32F1 series has been breached," and argue that the use of the feature should be avoided.

A movie that actually hacks the STM32F1 series has also been released.

The script used in the movie can be confirmed from the following.

zapb / stm32f1-firmware-extractorGitLab

Copy the title and URL of this article

Source link

Show More

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button