
HACKED!

The WODE was successfully hacked on May 23rd 2022, allowing the whole OTP area to be dumped, including the bootloader AES key and the MCU configuration data.

This was achieved by "abusing" the GPIO0, GPIO1 and GPIO2 pins to trigger UART boot mode, which normally (once the "AES-key-VALID" bit has been set in OTP at the factory) only allows downloading of secured (encrypted) boot images.

It is possible to circumvent this kind of security by voltage-glitching the 1.2V power rail, which supplies peripherals on the MCU such as SD/MMC, USB and OTP, using a ChipWhisperer and a memory dumper.

Once the glitch is triggered successfully, the MCU no longer replies "LPC31xx READY FOR AES IMAGE" but instead "LPC31xx READY FOR PLAIN IMAGE". As soon as this happens, the end user can simply download their own code into the MCU and therefore dump all available memory regions - not just OTP but also APB (AMBA), BOOTROM, ISRAM and so on. *

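The "AES image" versus "plain image" decision described above is a single check on an OTP flag, which is exactly the kind of branch a supply glitch can flip. The following C snippet is an added illustration of why that is fragile and how such a check is usually hardened against fault injection; it is not the LPC31xx boot ROM, not code from this page, and every name and value in it (otp_t, KEY_VALID_MAGIC, the boot_mode_t encodings, the constructed OTP contents) is an assumption made for the demo. The naive version defaults to the permissive path and relies on one load and one compare; the hardened version fails closed, cross-checks the flag against a stored complement, reads it twice through a volatile pointer, and uses mode encodings that are many bit flips apart.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration of a secure-boot mode decision; not the LPC31xx
 * boot ROM. All names and values below are hypothetical. */

#define KEY_VALID_MAGIC 0xA5A5A5A5u  /* hypothetical encoding of "AES-key-VALID" */

/* Hypothetical OTP words: the flag and a stored bitwise complement of it. */
typedef struct {
    uint32_t key_valid;
    uint32_t key_valid_inv;
} otp_t;

/* Boot modes with a large Hamming distance between them, so that a single
 * flipped bit cannot turn AES into PLAIN. */
typedef enum {
    BOOT_HALT  = 0x5A5A,
    BOOT_AES   = 0x3C3C,
    BOOT_PLAIN = 0xC3C3
} boot_mode_t;

/* Naive decision: one load, one compare. A glitch that corrupts the load
 * (or skips the branch) silently lands in the "plain image" path. */
boot_mode_t naive_boot_mode(const otp_t *otp)
{
    if (otp->key_valid == KEY_VALID_MAGIC)
        return BOOT_AES;
    return BOOT_PLAIN;              /* the default is the permissive path */
}

/* Hardened decision: fail closed, cross-check the flag against its stored
 * complement, and read it twice through a volatile pointer so the compiler
 * cannot merge the two loads into one. */
boot_mode_t hardened_boot_mode(const otp_t *otp)
{
    const volatile uint32_t *flag = &otp->key_valid;
    const volatile uint32_t *inv  = &otp->key_valid_inv;
    boot_mode_t mode = BOOT_HALT;   /* the permissive path is never the default */

    uint32_t a = *flag;
    uint32_t b = ~(*inv);
    uint32_t c = *flag;             /* second, independent read */

    if (a != b || a != c)
        return BOOT_HALT;           /* inconsistent reads: treat as a fault */

    if (a == KEY_VALID_MAGIC)
        mode = BOOT_AES;
    else if (a == (uint32_t)~KEY_VALID_MAGIC)
        mode = BOOT_PLAIN;          /* unsecured only with an explicit value */

    /* Re-verify the final decision against the raw flag before committing. */
    if (mode == BOOT_PLAIN && *flag != (uint32_t)~KEY_VALID_MAGIC)
        return BOOT_HALT;
    if (mode == BOOT_AES && *flag != KEY_VALID_MAGIC)
        return BOOT_HALT;
    return mode;
}

/* Constructed OTP contents of a device secured at the factory. */
otp_t constructed_secured_device(void)
{
    otp_t o = { KEY_VALID_MAGIC, (uint32_t)~KEY_VALID_MAGIC };
    return o;
}

/* Constructed fault model for the demo: the flag read returns a zeroed word,
 * which is one of the effects a supply glitch can have on a load. */
otp_t constructed_glitched_read(void)
{
    otp_t o = { 0u, (uint32_t)~KEY_VALID_MAGIC };
    return o;
}
```

Run against the constructed secured device, both functions return BOOT_AES; run against the constructed glitched read, the naive check drops into BOOT_PLAIN while the hardened check returns BOOT_HALT because the flag no longer matches its complement. Real boot ROMs add more than this (random timing jitter before the check, instruction-level redundancy, brown-out detection on the rail), but the fail-closed default and the complement cross-check are the two properties a single corrupted load cannot get past.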
Fig. 1: A partially working VCC glitch attempt which finally failed and made the MCU restart because the glitch settings were set too high.

Fig. 2: Partial glitch success after lowering the glitch settings. The only problem here was that instead of getting around "SECURE BOOT", it would enter "TEST MODE", but this was still good enough to know that it finally works.

Fig. 3: After changing the glitch settings once again (e.g. the offset), it was now possible to trigger "UNSECURE BOOT" instead of "TEST MODE". The result can be seen as the "AES" / "PLAIN" message coming in over the UART port and the first test binary downloaded into the MCU after success.

Fig. 4: After changing the glitch offset and writing a memory dumper, it was possible to dump the OTP data of the WODE. Not included in this picture: the actual bootloader AES key used for decryption.

Fig. 5: Roughly, "the glitch setup". The oscilloscope was very useful for observing the impact of the glitch on the MCU while changing the glitch settings at runtime.

* - By dumping several memory areas with the help of the MCU documentation, it was possible to dump the BOOTROM of the LPC3143 and therefore also obtain the bootloader AES IV, which (aside from the AES key) is required for decrypting the boot image(s) used on the WODE. The AES IV is stored at offset 0x12000324 in the BOOTROM binary with a length of 0x10 (16) bytes.
