Yes, resurrection of JTAG/SWD interface on protected platforms has always been a sensitive topic in embedded security. This security investigation presents a way to bypass the APPROTECT on a protected nRF52840, in order to reactivate the Serial Wire Debug Interface (SWD), offering full debug capabilities on the target (R/W access to Flash/RAM/Registers, Code Exec and…
Category: reverse
Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
I wanted to close my investigation by targeting the two major security features: Secure Boot Flash Encryption My final goal is to achieve a PERSISTENT exploit, bypassing the Secure Boot and the Flash Encryption. In this report, I disclose a full readout of protected E-Fuses storing two secret keys, one used for Flash Encryption (BLK1)…
Pwn the ESP32 Secure Boot
In this post, I focus on the ESP32 Secure Boot and I disclose a full exploit to bypass it during the boot-up, using low-cost fault injection technique. Espressif and I decided to go to Responsible Disclosure for this vulnerability (CVE-2019-15894). The Secure Boot Secure boot is the guardian of the firmware authenticity stored into the external…
Pwn the ESP32 crypto-core
A crypto-core (also called crypto-accelerator) is a dedicated piece of hardware inside the System-on-Chip. Its main role is to ‘accelerate’ cryptographic primitives and to perform keys management. This post presents several vulnerabilities and fault injection exploits targeting the crypto-core implementation, allowing an attacker to: Bypass the HW-AES encryption Control the AES key value The vulnerabilities…