[Gnuk-users] Gnuk and possible hardware vulnerability

Aurelien Jarno aurelien at aurel32.net
Wed Aug 23 20:08:08 UTC 2017

On 2017-08-23 14:52, NIIBE Yutaka wrote:
> NIIBE Yutaka <gniibe at fsij.org> wrote:
> > For a particular version of STM32F0, I was informed that there is an
> > effective exploit of 2017 for (3), and possibility of (2).
> I think that this is the talk of that exploit.
>     Shedding too much Light on a Microcontroller's Firmware Protection
>     Johannes Obermaier and Stefan Tatschner, Fraunhofer Institute AISEC
>     https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier

Thanks for the link. It seems that the protection has been improved on
the STM32 F1 series. The way to disable the protection is now to write
to the option byte block with the following bytes:
- RDP = 0xA5
- nRDP = 0x5A
Any other values mean the code is protected. As the two values are the
exact complement of each other, the UV light attack therefore doesn't
work anymore.

However there is now only 2 levels of protection instead of 3, I don't
know if the SWD vulnerability is still present or not. Or if it has
another one...

All that said the article suggests to check the RDP value at the
beginning of the boot and set enable the memory protection if it is not
done. It might be something interesting to implement. Without going
that far, it might be a good idea to check that for the flash protection
is active before accepting a GPG key.


Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien at aurel32.net                 http://www.aurel32.net

More information about the gnuk-users mailing list