One of the challenges in securing embedded devices is to protect the flash memory storing code, data, and cryptographic secrets against malicious read/write access. Therefore, most microcontroller vendors decided to implement code read protection mechanisms (usually controlled by some security bits or fuses) in order to prevent such attacks.
Most modern microcontrollers include a bootloader (stored in ROM) that allows in-circuit programming via USB, UART, or another link. The bootloader is also responsible for enforcing any readout protection that has been configured. So far, attacks against embedded bootloaders have been based on hardware techniques, e.g. voltage glitching or UV light. Logical vulnerabilities (e.g. buffer overflows) in the bootloader code itself have received less attention.
For this presentation, we reverse-engineered and analysed the bootloaders of three widely used microcontrollers (NXP LPC1343, ST STM32F4, and ST STM8) in order to assess if the readout protection can be overcome with software-based attacks.
Our analysis shows that the bootloader of the LPC1343 (and other chips from the same family) contains a critical vulnerability in the "Write to RAM" command. The command refuses writes to the bootloader's own RAM area, but, with no Memory Management Unit to enforce anything further, it does not protect the bootloader's stack, which sits at the other end of memory. This allows an attacker to break code readout protection (CRP) level 1 by overwriting return addresses on the stack and chaining code gadgets as in return-oriented programming. The attack can be carried out with any cheap serial-to-USB converter.
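The weakness described above is a deny-list check on a memory-write command: it excludes one region (the bootloader's data) instead of permitting only the region the command is meant to serve. The following C is an added illustration, not code from the talk, from NXP, or from the LPC1343 ROM. It models a "Write to RAM" handler against a constructed 8 KiB SRAM map (the addresses, region sizes and function names are assumptions chosen for the example) and places the deny-list policy beside an allow-list policy that admits only the application window, so a write aimed at the stack reserve is rejected before it happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory map for this example; it is NOT the LPC1343's real map.
 * Layout from low to high: [bootloader data | application window | bootloader stack]. */
#define RAM_BASE       0x10000000u
#define RAM_SIZE       0x2000u                  /* 8 KiB of SRAM (assumed) */
#define RAM_END        (RAM_BASE + RAM_SIZE)
#define BL_DATA_BASE   RAM_BASE                 /* bootloader variables at the bottom */
#define BL_DATA_END    (RAM_BASE + 0x260u)
#define STACK_RESERVE  0x100u                   /* bootloader stack at the top */
#define APP_BASE       BL_DATA_END
#define APP_END        (RAM_END - STACK_RESERVE)

/* Overflow-safe end of [addr, addr+len); false if the span is empty or wraps. */
static bool span_end(uint32_t addr, uint32_t len, uint32_t *end)
{
    uint64_t e = (uint64_t)addr + len;
    if (len == 0 || e > UINT32_MAX) return false;
    *end = (uint32_t)e;
    return true;
}

/* Deny-list policy: the span must lie inside SRAM and must not overlap the
 * bootloader's data area. Nothing excludes the stack at the far end of SRAM,
 * so a write there passes. This is the flawed shape of check. */
bool write_allowed_denylist(uint32_t addr, uint32_t len)
{
    uint32_t end;
    if (!span_end(addr, len, &end)) return false;
    if (addr < RAM_BASE || end > RAM_END) return false;
    if (addr < BL_DATA_END && end > BL_DATA_BASE) return false;
    return true;
}

/* Allow-list policy: accept only spans fully inside the application window.
 * Bootloader data and the stack reserve are outside it by construction. */
bool write_allowed_allowlist(uint32_t addr, uint32_t len)
{
    uint32_t end;
    if (!span_end(addr, len, &end)) return false;
    return addr >= APP_BASE && end <= APP_END;
}

typedef bool (*write_policy_t)(uint32_t addr, uint32_t len);

/* Simulated "Write to RAM" handler; ram is a RAM_SIZE-byte model of SRAM.
 * Returns 0 when the write was performed, -1 when the policy rejected it. */
int handle_write_to_ram(uint8_t *ram, write_policy_t policy,
                        uint32_t addr, const uint8_t *data, uint32_t len)
{
    if (!policy(addr, len)) return -1;
    /* Both policies guarantee [addr, addr+len) lies inside SRAM here. */
    memcpy(ram + (addr - RAM_BASE), data, len);
    return 0;
}

/* True if any byte in the stack reserve differs from the initial fill,
 * i.e. a write reached the bootloader's stack. */
bool stack_modified(const uint8_t *ram, uint8_t fill)
{
    for (uint32_t off = RAM_SIZE - STACK_RESERVE; off < RAM_SIZE; off++)
        if (ram[off] != fill) return true;
    return false;
}

/* Runs one write against a fresh RAM model under the given policy and
 * reports whether the stack reserve was touched. */
bool write_reaches_stack(write_policy_t policy, uint32_t addr, uint32_t len)
{
    uint8_t ram[RAM_SIZE];
    uint8_t payload[64];                        /* constructed filler data */
    if (len > sizeof payload) return false;
    memset(ram, 0x00, sizeof ram);
    memset(payload, 0xAA, sizeof payload);
    if (handle_write_to_ram(ram, policy, addr, payload, len) != 0) return false;
    return stack_modified(ram, 0x00);
}
```

The point of the comparison is the shape of the check rather than the particular addresses: a command that writes memory on behalf of an unauthenticated host should be told where it may write, not where it may not, and the bootloader's stack and its own variables should both fall outside that window. The overflow-safe `span_end` matters too, since a length that wraps the end address past the top of memory would otherwise slip through a naive `addr + len` comparison.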
We responsibly disclosed this to NXP, and they acknowledged the issue. Although NXP had already cautioned users about the limitations of CRP level 1, they updated their developer guidance and now recommend setting CRP level 2 or 3, where this exploit is not possible.
While we did not find similar issues in the code of the STM32 and STM8 bootloaders, we point out that assembly-level analysis can be useful in developing other attacks, e.g. for pinpointing the correct locations for voltage glitching.