Microcontroller Exploits is a deep dive into advanced hardware hacking with detailed examples of real-world techniques and a comprehensive survey of vulnerabilities.
In this advanced guide to hardware hacking, you'll learn how to read the software out of single chip computers, especially when they are configured not to allow the firmware to be extracted.
This book documents a very wide variety of microchip hacking techniques; it's not a beginner's first introduction.
You'll start off by exploring detailed techniques for hacking real-world chips, such as how the STM32F0 allows for one word to be dumped after every reset. You'll see how the STM32F1’s exception handling can slowly leak the firmware out over an hour, and how the Texas Instruments MSP430 firmware can be extracted by a camera flash.
For each exploit, you'll learn how to reproduce the results, dumping a chip in your own lab.
In the second half of the book you'll find an encyclopedic survey of vulnerabilities, indexed and cross-referenced for use in practicing hardware security.
Microcontrollers are single-chip computers. There’s one in your credit card and dozens in your laptop and car. Medical devices, video games, electric power meters, and two-way radios use them. Inside each there is some non-volatile memory for a computer program, the barest minimum of a CPU to run that program, and enough RAM for global variables and perhaps also a heap and a call stack.
You will learn how the nRF51’s protection mode allows debugging that can disable its protection over JTAG, and how the protection of the nRF52 series is a little better but vulnerable to voltage glitching attacks. You’ll explore how the STM32F0 allows for one word to be dumped after every reset, how the STM32F1’s exception handling can slowly leak the firmware out over an hour, and how the USB bootloaders of the STM32F2 and STM32F4 are vulnerable to arbitrary code execution. You’ll also learn how the Texas Instruments MSP430 firmware can be extracted by a camera flash, and how grounding one pin on the Freescale MC13224 will disable all protections to allow an external debugger.
For each of these exploits, you’ll learn how to reproduce the results, dumping a chip in your own lab. Side commentary will refer you to related chips and show how one attack might’ve predicted another, which will be handy when you try to dump the firmware from something new. And wherever possible, you will be referred to both source code and the first publication of the technique.
Numbered chapters provide in-depth explanations of either a technique or how to hack a specific chip, and are roughly grouped together with the chapters that introduce that type of technique. Lettered chapters quickly group targets, describing prior research succinctly. Memory maps are provided to help you think of memory addresses as specific places, and wherever possible I’ve included X-ray and die photographs from my own lab.
To use this book, I’d suggest first reading through quickly to get an overview of how to extract chip firmware, then using the index in the back to find techniques for specific part numbers when you need them. You won’t get anywhere without practice, so be sure to implement some of these attacks yourself even if your intent is to defend against them.