
Bypass NXP LPC Family Debug Check

Uploaded by

Miralem Misini

BYPASS NXP LPC-FAMILY DEBUG CHECK WITH VOLTAGE FAULT INJECTION

Waleed AlZamil, Embedded devices security researcher, @WaleedAlzamil
Bandar Alharbi, Cybersecurity researcher, @0xB4x

AGENDA
● Introduction
○ LPC
○ Goal
○ Security mechanism
● BootROM analysing & reverse engineering
○ Memory map & Boot process
○ Reverse engineering BootROM
○ Finding the vulnerability
● What is Fault injection (Glitching)?
● Glitching the LPC1343
○ Attack Setup
○ Power analysis
○ Recorded demo
● Conclusion

INTRODUCTION

● LPC1343 is a Cortex-M3 MCU (pic of dev board from Olimex)


● Harvard architecture
● Microcontroller for embedded applications featuring a high level of integration
and low power consumption
● Previous work on the LPC1343/… @Chris Gerlinsky

GOAL

1. Study the LPC debug locking mechanism

2. Unlock the debug interface

LPC CODE READ PROTECTION

LPC13xx MEMORY MAP

LPC13xx BOOT PROCESS

BOOTLOADER RE

(Annotated boot ROM disassembly, built up over several slides; the images are not reproduced. Surviving annotations:)

● R5=CRP3, R6=CRP1
● [0x2fc]: CRP3: R4=CRP3, then R4=CRP2
● [0x2fc]: CRP1: R4=CRP1, then R4=CRP2
● [0x2fc]: CRP1, CRP2/NO_ISP/NO_CRP…, CRP3
● *R4=0x87654321=CRP2

*The value that disables JTAG: 0x87654321=CRP2

BOOTLOADER VULNERABILITY

Startup → Load configuration from Non-Volatile memory/FUSED! → Execute Locking Mechanism

Corrupting the configuration values
Register corruption
Bypass the load
Bypass/Corrupt compare instruction
…

CRP1     0x12345678
CRP2     0x87654321
CRP3     0x43218765
NO_ISP   0x4E697370
—————————————
NO_CRP   0xFFFFFFFF
         0x000000000
         0xB4B4B4B4….

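Added example (not from the slides and not NXP code): a C audit helper that reads the CRP word at 0x2FC from a flash image and shows that the encoding in the table above fails open, because any value outside the four listed constants decodes as NO_CRP. The function names, the little-endian read and treating CRP1 to CRP3 as the debug-locking levels are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CRP_OFFSET 0x2FCu            /* location of the CRP word, per the slides */
enum crp_level { NO_CRP, NO_ISP, CRP1, CRP2, CRP3 };

/* Four magic words; every other value (0xFFFFFFFF, 0xB4B4B4B4, ...) is NO_CRP. */
enum crp_level crp_decode(uint32_t w)
{
    switch (w) {
    case 0x12345678u: return CRP1;
    case 0x87654321u: return CRP2;
    case 0x43218765u: return CRP3;
    case 0x4E697370u: return NO_ISP;
    default:          return NO_CRP;
    }
}

/* Assumption: CRP1..CRP3 are the levels that keep the debug port closed. */
int crp_debug_locked(enum crp_level l) { return l == CRP1 || l == CRP2 || l == CRP3; }

/* Read the little-endian CRP word from a raw image; -1 if the image is too short. */
int crp_from_image(const uint8_t *img, size_t len, uint32_t *out)
{
    if (len < CRP_OFFSET + 4u) return -1;
    *out = (uint32_t)img[CRP_OFFSET]           | (uint32_t)img[CRP_OFFSET + 1] << 8 |
           (uint32_t)img[CRP_OFFSET + 2] << 16 | (uint32_t)img[CRP_OFFSET + 3] << 24;
    return 0;
}

/* Of the 32 single-bit corruptions of w, how many still decode as locked? */
int crp_locked_after_one_bit_error(uint32_t w)
{
    int n = 0;
    for (int b = 0; b < 32; b++)
        n += crp_debug_locked(crp_decode(w ^ (UINT32_C(1) << b)));
    return n;
}

int main(void)
{
    uint8_t img[0x300] = {0};        /* constructed sample image holding CRP2 */
    img[0x2FC] = 0x21; img[0x2FD] = 0x43; img[0x2FE] = 0x65; img[0x2FF] = 0x87;
    uint32_t w = 0;
    if (crp_from_image(img, sizeof img, &w) != 0) return 1;
    printf("CRP word 0x%08X locked=%d, still locked after 1-bit error: %d/32\n",
           (unsigned)w, crp_debug_locked(crp_decode(w)), crp_locked_after_one_bit_error(w));
    return 0;
}
```

A count of 0 out of 32 means a single corrupted bit in the loaded word is enough to lose the lock, which is why lock state is better encoded so that unknown values fail closed.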
WHAT IS FAULT INJECTION (GLITCHING)?

● Hardware corruption on a normal device

● Causes undefined behavior

● Examples [bit flip, instruction skip, change an instruction, …etc]

TECHNIQUES

● Clock
● Voltage (figure: supply voltage, 0 to 3.2, against time)
● Electromagnetic
● Laser
● And more…

https://www.mdpi.com/2079-9292/9/7/1153/htm
https://www.alphanov.com/en/products-services/double-laser-fault-injection

IS IT DIFFICULT?

Julio Della Flora @jcldf
https://twitter.com/jcldf/status/1235859271176171521

https://www.fraunhofer-innovisions.de/cybersicherheit/laser-fault-injection/

EXAMPLES

● https://www.youtube.com/watch?v=_E0PWQvW-14
● Bypassing Android MDM Using Electromagnetic Fault Injection By A Gas Lighter For $1.5 (Arun 24-September-2020)
● How I hacked a hardware crypto wallet and recovered $2 million (Joe Grand)
● Wallet.fail (Thomas, Dmitry, Josh)
● Kraken Security Labs (Nick)
● Glitching Trezor using EMFI Through The Enclosure (Colin O’Flynn)

BEFORE THE ATTACK

● Inspired by Recon Brussels 2017 talk, by Chris Gerlinsky.

ATTACK SETUP

POWER ANALYSIS

THE ATTACK

● We did the attack first with a RESET setup, but we didn’t succeed!
● We then changed the setup; POWER ON is the trigger now.
● We did the attack and we succeeded!

Recorded demo

RESULT (CRP1 GLITCH)

RESULT (CRP1 & NO_CRP)

RESULT (CRP2 GLITCH)

RESULT (CRP2 & NO_CRP)

RESULT (CRP1,2 & NO_CRP)

PHILIPS → NXP

*The value that disables JTAG: 0x87654321=CRP2

https://www.keil.com/dd/docs/datashts/philips/user_manual_lpc214x.pdf
https://www.nxp.com/docs/en/user-guide/UM10139.pdf

LPC FAMILY

● Sharing same CRP mechanism and boot process (based on user manuals)
○ Cortex-M4: LPC5411X, LPC5410X, LPC43XX, LPC43SXX, LPC40(8/7)X
○ Cortex-M3: LPC18XX, LPC17XX, LPC15XX, LPC13XX
○ Cortex-M0: LPC8XX, LPC51U68, LPC11XX, LPC122X
○ ARM7: LPC2XXX

● We’ve successfully applied our attack on
○ LPC812 & LPC1114 & LPC1343

● ECRP is introduced in LPC546xx
● OTP banks are used in LPC540xx…
● LPC55xx (Cortex-M33 ARM TrustZone)

CONCLUSION

● We reversed the bootROM and took power consumption traces
● Applied the attack based on RESET trigger. (Did not succeed)
● Changed the setup; our glitch trigger is now based on POWER ON (Succeeded!)
● CRP locking mechanisms have existed since Philips time
● Contacted NXP to disclose (professional and fast)

Q&A

Thank you…

Resources

● LPC1311/13/42/43 User manual
● https://github.com/leveldown-security/SVD-Loader-Ghidra
● https://github.com/CPELyon/lpctools
● Gerlinsky, C. (2017, January 28). Breaking Code Read Protection on the NXP LPC-family Microcontrollers. Recon. https://recon.cx/2017/brussels/talks/breaking_crp_on_nxp.html
● ChipWhisperer-Lite https://www.newae.com/chipwhisperer