Skip to content

Instantly share code, notes, and snippets.

egirault

Block or report user

Report or block egirault

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@egirault
egirault / Syscan2015Badge.md
Last active Sep 28, 2019
Dumping the flash memory of the Syscan 2015 badge
View Syscan2015Badge.md

Dumping the flash of the Syscan 2015 badge

The badge of the Syscan 2015 conference included an ARM-based STM32F030R8 processor running some challenges. Although SWD pins are accessible on the badge, some have noted that the STM32 is readout-protected, meaning that it will refuse to dump its flash memory.

Fortunately, two researchers (Johannes Obermaier and Stefan Tatschner) recently published a paper at the WOOT '17 conference, in which they reveal a vulnerability allowing to bypass the readout protection. Their technique allows to dump the flash one DWORD at a time, rebooting the CPU between each access.

I implemented this attack using a BusPirate and the PySWD module. Here is a quick'n dirty PoC to

You can’t perform that action at this time.