20 November 2021, Bergamo The event Webpage here. My talk Conclusion Solid and high technical program, perfect organisation, fun people all around. Premium. Grazie a tutti!
Results
Enter the EFM32 Gecko
This new post presents a hardware exploit to unlock the debug port on the EFM32 Gecko MCUs Series 1 designed by Silicon Labs. Once again, after the previous nRF52 episode, this security research reveals an entire range of products vulnerable to a silicon design vulnerability. The way to unlock these chips was quite challenging and…
The PocketGlitcher
This blogpost presents a modding system, called PocketGlicher. It provides an automated way to perform voltage glitching, without any expensive electronic equipments or any “hardware” skills.As proof of concept, the nRF52 Debug Resurrection Attack presented at BlackHat EU 2020 can be reproduced easily using this plug-and-play solution. Introduction I recently found back my PocketBeagle in…
Black Hat Europe 2020
07-10 December 2020, London Program BHEU20 Program (virtual event) is here. Prez Slides Kudos to BHEU staff (especially in these tough times).
nRF52 Debug Resurrection (APPROTECT Bypass) Part 2
After the Part 1 describing the APPROTECT Bypass, this new post presents how to: exploit a real product based on nRF52840 to extract the Firmware and reactivate the SWD interface. reproduce the attack on others nRF52 SoCs to confirm the vulnerability in all the nRF52 versions. Exploit Validation on real Product Let’s start by a…
nRF52 Debug Resurrection (APPROTECT Bypass) Part 1
Yes, resurrection of JTAG/SWD interface on protected platforms has always been a sensitive topic in embedded security. This security investigation presents a way to bypass the APPROTECT on a protected nRF52840, in order to reactivate the Serial Wire Debug Interface (SWD), offering full debug capabilities on the target (R/W access to Flash/RAM/Registers, Code Exec and…
Nuvoton M2351 MKROM
TrustZone is the last hardware security mechanism integrated to ARMv8-M. This article presents some Fault Injection results achieved on Nuvoton M2351 (Cortex-M23), targeting MKROM crypto-functions and secure Code. ARMv8-M TrustZone TrustZone technology (TZ) is NOT really a NEW security concept. It has been available on ARM Cortex-A since more than 10 years now. The TrustZone…
Black Hat Europe 2019
04-05 December 2019, London The website Link here The program Link here My talk Thanks to BHEU, see you!
ZeroNights 2019
12-13 November 2019, St Petersburg The Website Link Here The program Two days of pure premium offensive research presentations. Program Here My talk The last word ZeroNights was great, I hope I will come back again. Thanks to ZN team!
Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
I wanted to close my investigation by targeting the two major security features: Secure Boot Flash Encryption My final goal is to achieve a PERSISTENT exploit, bypassing the Secure Boot and the Flash Encryption. In this report, I disclose a full readout of protected E-Fuses storing two secret keys, one used for Flash Encryption (BLK1)…