NoHat 21

20 November 2021, Bergamo
The event
Webpage here.
My talk
Conclusion
Solid and highly technical program, perfect organisation, fun people all around. Premium. Thanks to everyone!

Enter the EFM32 Gecko

This new post presents a hardware exploit to unlock the debug port on the EFM32 Gecko Series 1 MCUs designed by Silicon Labs. Once again, after the previous nRF52 episode, this security research reveals an entire range of products affected by a silicon design vulnerability. The way to unlock these chips was quite challenging and…

The PocketGlitcher

This blog post presents a modding system, called PocketGlitcher. It provides an automated way to perform voltage glitching, without any expensive electronic equipment or any “hardware” skills. As a proof of concept, the nRF52 Debug Resurrection Attack presented at Black Hat EU 2020 can be reproduced easily using this plug-and-play solution.
Introduction
I recently found my PocketBeagle again in…

Black Hat Europe 2020

07-10 December 2020, London
Program
BHEU20 Program (virtual event) is here.
Prez
Slides
Kudos to BHEU staff (especially in these tough times).

nRF52 Debug Resurrection (APPROTECT Bypass) Part 2

After Part 1 describing the APPROTECT Bypass, this new post presents how to:
exploit a real product based on the nRF52840 to extract the firmware and reactivate the SWD interface;
reproduce the attack on other nRF52 SoCs to confirm the vulnerability in all nRF52 versions.
Exploit Validation on a Real Product
Let's start with a…

nRF52 Debug Resurrection (APPROTECT Bypass) Part 1

Yes, resurrection of the JTAG/SWD interface on protected platforms has always been a sensitive topic in embedded security. This security investigation presents a way to bypass APPROTECT on a protected nRF52840, in order to reactivate the Serial Wire Debug (SWD) interface, offering full debug capabilities on the target (R/W access to Flash/RAM/registers, code execution and…

Nuvoton M2351 MKROM

TrustZone is the latest hardware security mechanism integrated into ARMv8-M. This article presents some Fault Injection results achieved on the Nuvoton M2351 (Cortex-M23), targeting MKROM crypto functions and secure code.
ARMv8-M TrustZone
TrustZone technology (TZ) is NOT really a NEW security concept. It has been available on ARM Cortex-A for more than 10 years now. The TrustZone…

Black Hat Europe 2019

04-05 December 2019, London
The website
Link here
The program
Link here
My talk
Thanks to BHEU, see you!

ZeroNights 2019

12-13 November 2019, St Petersburg
The Website
Link Here
The program
Two days of pure premium offensive research presentations. Program Here
My talk
The last word
ZeroNights was great, I hope I will come back again. Thanks to the ZN team!

Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction

I wanted to close my investigation by targeting the two major security features:
Secure Boot
Flash Encryption
My final goal is to achieve a PERSISTENT exploit, bypassing the Secure Boot and the Flash Encryption. In this report, I disclose a full readout of protected eFuses storing two secret keys, one used for Flash Encryption (BLK1)…