

# Bachelor Thesis

Marcel Delissen

Design and Implementation of a Demonstrator Bypassing the Readout Protection in an Embedded System

*Faculty of Computer Science and Engineering Department of Information and Electrical Engineering*

*Fakultät Technik und Informatik Department Informations- und Elektrotechnik* Marcel Delissen

## Design and Implementation of a Demonstrator Bypassing the Readout Protection in an Embedded System

Bachelor Thesis based on the examination and study regulations for the Bachelor of Engineering degree programme *Bachelor of Science Elektro- und Informationstechnik* at the Department of Information and Electrical Engineering of the Faculty of Engineering and Computer Science of the University of Applied Sciences Hamburg

Supervising examiner: Prof. Dr. Heike Neumann Second examiner: Prof. Dr. Paweł Buczek

Day of delivery: 13. January 2022

### **Marcel Delissen**

### **Title of Thesis**

Design and Implementation of a Demonstrator Bypassing the Readout Protection in an Embedded System

### **Keywords**

[Readout Protection](#page-9-0) [\(RDP\)](#page-9-0), microcontroller, hardware security, flash memory, [Serial](#page-9-1) [Wire Debug](#page-9-1) [\(SWD\)](#page-9-1)

### **Abstract**

This thesis describes the development and implementation of a demonstrator that shows a vulnerability in the readout protection of a microcontroller. For this purpose, the vulnerability in the readout protection is presented, a use case is designed and a demonstrator is developed.

#### **Marcel Delissen**

#### **Thema der Arbeit**

Entwurf und Implementierung eines Demonstrators zur Umgehung des Ausleseschutzes in einem eingebetteten System

### **Stichworte**

Ausleseschutz, Mikrocontroller, Hardwaresicherheit, Flash-Speicher, [Serial Wire Debug](#page-9-1) [\(SWD\)](#page-9-1)

#### **Kurzzusammenfassung**

Diese Thesis beschreibt die Entwicklung und Implementierung eines Demonstrators, der eine Schwachstelle im Ausleseschutz eines Mikrocontrollers aufzeigt. Zu diesem Zweck wird die Schwachstelle im Ausleseschutz vorgestellt, ein Anwendungsfall entworfen und ein Demonstrator entwickelt.

# **Contents**





# <span id="page-5-0"></span>**List of Figures**





# <span id="page-7-0"></span>**List of Tables**



## <span id="page-8-0"></span>**Abbreviations**

- <span id="page-8-1"></span>**ADI** ARM Debug Interface.
- **AES** Advanced Encryption Standard (a symmetric-key cryptography algorithm).
- <span id="page-8-6"></span>**AHB** Advanced High-performance Bus.
- <span id="page-8-5"></span>**AMBA** Advanced Microcontroller Bus Architecture.

<span id="page-8-8"></span>**AP** Access Port.

- <span id="page-8-4"></span>**APB** Advanced Peripheral Bus.
- **ASCII** American Standard Code for Information Interchange (character encoding standard).
- **CDC** Communication Device Class.
- <span id="page-8-3"></span>**CPU** Central Processing Unit.
- <span id="page-8-7"></span>**DAP** Debug Access Port.
- <span id="page-8-9"></span>**DP** Debug Port.
- **ECB** Electronic Codebook Modus (a block cipher operation mode).
- **FAT12** File Allocation Table (12-bit File Allocation Table).
- <span id="page-8-11"></span>**GUI** Graphical User Interface.
- <span id="page-8-2"></span>**IDE** Integrated Development Environment.
- <span id="page-8-10"></span>**IRQ** Interrupt Request.

<span id="page-9-7"></span>**JTAG** Joint Test Action Group (a standard of test/debug interfaces).

<span id="page-9-3"></span>**MCU** Microcontroller Unit.

<span id="page-9-8"></span>**MEM-AP** Memory Access Port.

**MSC** Mass Storage Class.

<span id="page-9-0"></span>**RDP** Readout Protection.

<span id="page-9-4"></span>**ROM** Read-only memory (type of non-volatile memory).

**SD** Secure Digital (memory card).

**SDK** Software Development Kit.

<span id="page-9-5"></span>**SRAM** Static Random Access Memory.

- <span id="page-9-2"></span>**SW-DP** Serial Wire Debug Port.
- <span id="page-9-1"></span>**SWD** Serial Wire Debug.
- <span id="page-9-6"></span>**UART** Universal Asynchronous Receiver/Transmitter (a standard for asynchronous serial communication.
- <span id="page-9-9"></span>**USB** Universal Serial Bus.
- **VCP** Virtual COM port.

## **Number Systems**

Binary numbers are preceded by *0b*. Example: 0b101010 Hexadecimal numbers are preceded by *0x*. Example: 0x2a All other values are decimal. Example: 42

# <span id="page-10-0"></span>**1 Introduction**

Embedded systems, consisting of several components such as microcontrollers, are increasingly used in everyday devices. For example, there are about 50 microcontrollers in an average car [\[8\]](#page-74-1). Almost every technical device uses a microcontroller for control. Therefore, security in everyday devices is also becoming increasingly important. These devices are often physically easily accessible and therefore need special protection. Attackers can access internal interfaces through physical access, such as debug interfaces or other direct accesses. Therefore, the microcontroller, especially the memory, should be protected accordingly, as otherwise sensitive data such as passwords or cryptographic keys can be stolen. Additionally, the theft of software also causes considerable economic damage [\[10\]](#page-75-0).

This readout protection protects the firmware stored in the microcontroller's memory from being readout. Unfortunately, this security mechanism is not error-free or may contain vulnerabilities, such as design flaws to bypass the readout protection. Another possibility is the incorrect configuration of the readout protection [\[11\]](#page-75-1) [\[13\]](#page-75-2).

A paper shows that readout protection can be bypassed called "Shedding too much Light on a Microcontroller's Firmware Protection" [\[13\]](#page-75-2). The security researchers of this paper found and described a logical vulnerability in the readout protection.

This thesis is about the development of a demonstrator that shows one of the vulnerabilities of the paper. A demonstrator shows how such an attack is possible. The target audience of the demonstrator is primarily non-technical, and it has to be understandable for a large audience. It demonstrates an attack, preferably live, to convince the majority of the need for security mechanisms in such products.

This demonstrator is being developed for NXP Semiconductors Germany GmbH (NXP), which wants to use this demonstrator to introduce customers and visitors.

### *1 Introduction*

This way of demonstrating security vulnerabilities or bypassing security measures is not new at NXP. Several demonstrators are maintained by NXP and, in this case, newly developed, such as in the bachelor thesis entitled "A Demonstrator for Optical Fault Injection Attacks" [\[24\]](#page-76-0), in which a demonstrator is revised and renewed.

This thesis is divided into the following sections. First, [Chapter 2](#page-12-0) describes the necessary technical basics and technologies. [Chapter 3](#page-30-0) presents the paper from which knowledge of this vulnerability originated. Then, in [Chapter 4,](#page-34-0) the requirements that NXP places on this demonstrator are presented. Based on these requirements, a concept is presented in [Chapter 5,](#page-37-0) implemented in [Chapter 6](#page-50-0) . [Chapter 7,](#page-72-0) the conclusion, gives a summary and an outlook for the demonstrator.

## <span id="page-12-0"></span>**2 Basics**

This chapter explains the technologies required for the attack and the implementation of the demonstrator. In the first [section,](#page-12-1) the architecture of an ARM Cortex-M0-based microcontroller is described since such a microcontroller is being attacked. The attack is carried out via the debugging interface of the microcontroller and is therefore covered in the [Section 2.2.](#page-16-0) The last [Section 2.3](#page-18-0) of this chapter covers the [Serial Wire Debug](#page-9-1) [\(SWD\)](#page-9-1) transmission protocol used by the debugging interface.

## <span id="page-12-1"></span>**2.1 Architecture of ARM**

ARM Limited, or ARM for short, is a company that does not manufacture microcontrollers itself but has revolutionised the market in a lasting way. Before ARM launched its Cortex series, the market for microcontrollers was very diverse. Many companies developed and marketed their own controller families with their own instruction sets and their architectures. The design approaches were also very different. As a result, products from the same manufacturer were sometimes incompatible with each other. Among other things, this also affected the debug interfaces. Manufacturers had to provide tools such as compilers, linkers, debuggers and sometimes [IDEs](#page-8-2) in different variants. ARM has unified the market by developing processors and different components. ARM only sells the design of the components. The sale of the designs is called "intellectual property" (IP), and the business model is IP licensing. [\[4,](#page-74-2) pp. 21ff.] and [\[23,](#page-76-1) pp. 5ff.]

In the following, one of these IPs - the ARM Cortex-M0 [MCU](#page-9-3) - is presented as part of the device under attack.

The ARM Cortex-M0 [Microcontroller Unit](#page-9-3) [\(MCU\)](#page-9-3) contains all the essential elements such as:

- a [Central Processing Unit](#page-8-3) [\(CPU\)](#page-8-3) called a processor for short, for control and computing tasks,
- memory systems like flash memory for program [ROM](#page-9-4) and [Static Random Access](#page-9-5) [Memory](#page-9-5) [\(SRAM\)](#page-9-5) and
- interface hardware, such as a debug interface and other peripherals.

There are many different versions of these microcontrollers, which can be equipped with different memory sizes and peripherals and come in different sized packages. The Cortex-M processors are designed for the mainstream microcontroller market where processing requirements are less critical than power consumption. Their design is suitable for general-purpose applications, which means they can be used in a wide range of applications. [\[23,](#page-76-1) pp. 1, 7, 98]

A Cortex-M0 [MCU](#page-9-3) is often packed with many different components. These components communicate via a system bus in which messages are sent over a shared transmission path.

A simplified block diagram with typical elements of a Cortex-M0-based microcontroller is shown in [Figure 2.1.](#page-14-0) The acronyms in the diagram are explained in [Table 2.1.](#page-14-1) [\[23,](#page-76-1) pp. 18f.]

<span id="page-14-0"></span>

Figure 2.1: Simplified Block Diagram of a Cortex M0-based Microcontroller modified from [\[23,](#page-76-1) pp. 19, 35]



<span id="page-14-1"></span>

All these components are memory-mapped, and the communication interface is based on read and write operations to particular addresses within this memory mapping. Therefore, the memory and the peripherals are mapped to distinct areas in the address space. All ARM Cortex-M processors have a 4 GB memory address space. This partitioning is hard-wired, and each region has a recommended use to facilitate porting software between different devices. The Cortex-M memory partitioning is shown in [Figure 2.2.](#page-15-0) [\[23,](#page-76-1) pp. 65, 97, 167] [\[4,](#page-74-2) pp. 28ff.]

<span id="page-15-0"></span>

Figure 2.2: ARM Cortex-M0 Memory Map modified from [\[23,](#page-76-1) p. 98]

The memory mapped peripherals are available between 0x40000000 and 0x5FFFFFFF, in this range the software can access peripherals (e.g. the I/O lines or serial interfaces). Since this area is used differently on each Cortex depending on the peripherals, the respective Technical Reference Manual must be consulted. [\[4,](#page-74-2) p. 28]

An important point is that microcontrollers, even if they have the same peripheral characteristics on paper, can have completely different peripherals and therefore different programming models (e.g. peripheral register definitions), and this varies from chip manufacturer to chip manufacturer. [\[23,](#page-76-1) p. 20]

As shown in [Figure 2.1,](#page-14-0) a Cortex-M0 processor is typically divided into two bus systems:

- One is the system bus, which communicates with the memories including [ROM,](#page-9-4) Flash memory and [SRAM,](#page-9-5) and with a few high speed peripherals.
- And secondly, the peripheral bus to which the other peripherals are connected. This can have a different operating frequency than the system bus.

It is quite common for some of the peripherals to be connected to a separate peripheral bus, which is connected to the main system bus via a bus bridge. This bus protocol for the peripheral bus is usually based on [Advanced Peripheral Bus](#page-8-4) [\(APB\)](#page-8-4), a bus protocol described in the [Advanced Microcontroller Bus Architecture](#page-8-5) [\(AMBA\)](#page-8-5) [\[1\]](#page-74-3), an open standard specification for proprietary ARM buses. [\[23,](#page-76-1) p. 35]

The system bus is based on a bus protocol called [Advanced High-performance Bus](#page-8-6) Lite [\(AHB-](#page-8-6)Lite), which, like the data path in the processor core, is 32-bit wide and is also defined in the [AMBA](#page-8-5) standard. The [AMBA](#page-8-5) standard is developed by ARM and is widely used in semiconductor industry. [\[23,](#page-76-1) pp. 29, 32f., 166]

The Cortex-M0 is based on the Von Neumann bus architecture. This means that an instruction fetch and a data operation share the same bus and therefore cannot occur simultaneously. [\[23,](#page-76-1) p. 12] [\[21,](#page-76-2) pp. 18f.]

In addition to the standard described for the hardware components, the next section introduces another ARM standard, namely the [ARM Debug Interface,](#page-8-1) which has standardised the debug interfaces.

## <span id="page-16-0"></span>**2.2 ARM Debug Interface**

This section explains the [ARM Debug Interface](#page-8-1) [\(ADI\)](#page-8-1), which is needed for the attack. The [ADI](#page-8-1) provides access to debug functionality that is provided by debug components in an embedded System. An implementation of the [ARM Debug Interface](#page-8-1) is called a [Debug Access Port](#page-8-7) [\(DAP\)](#page-8-7). A [DAP](#page-8-7) provides a debugger with a standard interface to access debug resources in systems that use resource-specific methods to provide their debug information. To access a debug resource, the debugger passes the appropriate resource address information to the [Debug Access Port,](#page-8-7) which executes the request by selecting the appropriate resource and then accessing resource-specific transport methods that are presented by the system to be debugged.

The block diagram in [Figure 2.3](#page-17-0) shows how an [ADI](#page-8-1) implementation is connected between a debugger and the system to be debugged.

<span id="page-17-0"></span>



The [Debug Access Port](#page-8-7) [\(DAP\)](#page-8-7) shown in [Figure 2.3](#page-17-0) consists of the following elements:

## **[Access Port](#page-8-8)**

An [Access Port](#page-8-8) [\(AP\)](#page-8-8) accesses debug information from the system being debugged and passes the information to the [Debug Port.](#page-8-9) Examples of debug resources are the debug registers of the core processor, [ROM](#page-9-4) Table and flash memory.

## **[Debug Port](#page-8-9)**

The [Debug Port](#page-8-9) [\(DP\)](#page-8-9) provides a debugger with a common interface to access the information that is held in the [APs.](#page-8-8) The [Debug Port](#page-8-9) includes the following elements:

- A physical connection to the debugger. The [ARM Debug Interface](#page-8-1) supports the following physical connection types, with only one interface type occurring at a time:
	- [Serial Wire Debug](#page-9-1) Port (SW-DP), which is covered in [Section 2.3](#page-18-0)
	- [JTAG](#page-9-7) debug port [\(JTAG-](#page-9-7)DP)
	- Serial Wire [JTAG](#page-9-7) debug port (SWJ-DP), a combination of the previous two interfaces.

The [JTAG-](#page-9-7)DP and the SWJ-DP are not discussed below and are listed only for completeness.

• [DP](#page-8-9) registers, hold the required information to support the transport mechanism that is implemented by the [Debug Access Port.](#page-8-7)

The connection between the [Debug Port](#page-8-9) and the [Access Ports](#page-8-8) selects the appropriate debug resource based on the address information provided by the debugger and transports the data between the [Access Ports](#page-8-8) and the [Debug Port.](#page-8-9) [\[2,](#page-74-4) pp. 23-26] In the next section, a protocol that the debug interface uses is explained in more detail, as it is needed for [Chapter 3.](#page-30-0)

## <span id="page-18-0"></span>**2.3 Serial Wire Debug**

This section explains the protocol used for the attack.

[Serial Wire Debug](#page-9-1) [\(SWD\)](#page-9-1) uses an ARM standard protocol, which is described in the [ARM Debug Interface](#page-8-1) Architecture Specification [\[2\]](#page-74-4) and is a [Debug Port](#page-8-9) for small package microcontrollers. [Serial Wire Debug](#page-9-1) is a standard interface for ARM processorbased devices. [SWD](#page-9-1) replaces the 5-pin [JTAG](#page-9-7) port with a clock pin SWDCLK and a bi-directional data pin SWDIO and provides all [JTAG](#page-9-7) debug and test functions, as well as real-time access to system memory without stopping the processor. [\[3\]](#page-74-5)

The connection from the debug host to the processor goes through a [Debug Port](#page-8-9) [\(DP\)](#page-8-9) interface called [Serial Wire Debug Port](#page-9-2) [\(SW-DP\)](#page-9-2) via an [AHB-](#page-8-6)[Access Port](#page-8-8) [\(AP\)](#page-8-8), more specifically the [Memory Access Port](#page-9-8) [\(MEM-AP\)](#page-9-8). The [Memory Access Port](#page-9-8) is connected to the system bus and has access to the memory, such as the flash memory. The memory of the target can be read or written by using the [MEM-AP.](#page-9-8) An overview of the connection from the debug host to the processor is shown in the following [Figure 2.4.](#page-19-1) [\[22,](#page-76-3) p. 453]

<span id="page-19-1"></span>

Figure 2.4: Overview of the Connection from the Debug Host to the Processor modified from [\[22,](#page-76-3) p. 453] and [\[20,](#page-76-4) p. 911ff.]

The next section describes the different phases of data transmission of the [SWD](#page-9-1) protocol.

## <span id="page-19-0"></span>**2.3.1 Basic SWD Operation**

The ARM [Serial Wire Debug](#page-9-1) interface uses a single bidirectional data connection and a separate clock to transfer data synchronously. A successful operation on the wire consists of three phases:

1. Packet request

The external host debugger issues a request to the [Serial Wire Debug Port](#page-9-2) of the microcontroller. The [SW-DP](#page-9-2) is always the target of the request and works as a bridge between the [APs](#page-8-8) and the Host.

2. Acknowledge response

The target sends an acknowledge response to the host.

3. Data transfer phase

This phase is only present when a data read or data write request is followed by a valid "OK" acknowledge response. The data transfer is one of:

- **–** Target to host, following a read request called "RDATA".
- **–** Host to target, following a write request called "WDATA".

To prevent conflicts, a turnaround period called "Trn" is required when the device driving the wire changes. The default setting is a turnaround period of one clock cycle. For the turnaround period, neither the host nor the target drives the wire. There is a turnaround period between these phases, because the transmission direction changes. When the [SW-DP](#page-9-2) receives a packet request from the debug host, it responds immediately by entering the acknowledge phase. For a write request, there is a turnaround period between the acknowledge phase and the WDATA data transfer phase. Following the WDATA data transfer phase the host continues to drive the wire. There is no additional turnaround period. For a read request, there is no turnaround period between the acknowledge phase and the data transfer phase. There is a turnaround period following the RDATA data transfer phase. [\[2,](#page-74-4) p. 106]

All data values in [SWD](#page-9-1) operations are transferred least significant bit (LSB) first. For example, the "OK" Acknowledge response of 0b001 appears on the wire as 1, followed by 0, followed by 0. [\[2,](#page-74-4) p. 108]

## <span id="page-20-0"></span>**2.3.2 SWD Protocol Operation**

This section explains which phases each SWD operation consists of, which information bits are exchanged in these phases and then describes the transmission of read and write operations.

## **1. Packet Request Phase**

The host starts the transmission with the bits listed in [Table 2.2.](#page-21-0)

<span id="page-21-0"></span>

APnDP is used to select the [AP](#page-8-8) or [DP](#page-8-9) to be accessed. The two bits A[2:3] are used to address the register of the selected [AP](#page-8-8) or [DP,](#page-8-9) and RnW is used to read from or write to the selected register.

## **2. Acknowledge Response Phase**

The acknowledge response is a three-bit target-to-host response and listed in [Table 2.3.](#page-21-1)

<span id="page-21-1"></span>



## **3. Data Transfer Phase**

<span id="page-21-2"></span>Each data transfer ends with an even parity bit. The Bits of the Frame are listed in [Table 2.3.](#page-21-1)

Table 2.4: Bits of the Data Transfer Phase modified from [\[2,](#page-74-4) p. 111]



## **Diagram of the Read Operation**

A successful read operation consists of three phases:

- 1. An eight-bit read packet request, from the host to the target. Followed by a turnaround period "Trn".
- 2. A three-bit OK acknowledge response, from the target to the host.
- 3. A total 33-bit data transfer phase, where data "RDATA" is transferred from the target to the host. Followed by a "Trn".

[Figure 2.5](#page-22-0) shows the Diagram of a successful read operation.

<span id="page-22-0"></span>

Figure 2.5: [SWD](#page-9-1) read operation modified from [\[2,](#page-74-4) p. 112]

## **Diagram of the Write Operation**

A successful write operation consists of three phases and is shown in [Figure 2.6](#page-17-0)

- 1. An eight-bit write packet request, from the host to the target. Followed by a turnaround period "Trn".
- 2. A three-bit OK acknowledge response, from the target to the host. Followed by a "Trn".
- 3. A total 33-bit data transfer phase, from the host to the target, containing the data "WDATA" and a parity bit. And also followed by a turnaround period.

<span id="page-23-1"></span>

Figure 2.6: [SWD](#page-9-1) Write Operation modified from [\[2,](#page-74-4) p. 112]

The information from this section is taken from source [\[2,](#page-74-4) pp. 110-114], where further information, e.g. on protocol errors, can be found. Errors are not dealt with in this section, as this section only gives an overview of the functionality of the SWD protocol and is not needed for the following chapters.

## <span id="page-23-0"></span>**2.3.3 SW-DP and MEM-AP Register**

Each [ADI](#page-8-1) contains a single [DP](#page-8-9) and can implement multiple [APs](#page-8-8) that are conform with one of the [DP](#page-8-9) architecture versions. This section briefly describes the [SW-DP](#page-9-2) and [MEM-AP](#page-9-8) registers for the [DP](#page-8-9) architecture versions DPv1. For details about how the register is implemented in a specific architecture version, see [\[2,](#page-74-4) pp. 48f.].

#### <span id="page-23-3"></span>**SW-DP Register**

<span id="page-23-2"></span>[Table 2.5](#page-23-2) shows the [SW-DP](#page-9-2) registers and the corresponding addresses, which will be described in more detail below.

| <b>Address</b> | <b>Register name</b> |                  |  |
|----------------|----------------------|------------------|--|
|                | Read                 | Write            |  |
| 0x00           | <b>DPIDR</b>         | <b>ABORT</b>     |  |
| 0x04           | <b>CTRL/STAT</b>     | <b>CTRL/STAT</b> |  |
| 0x08           | <b>RESEND</b>        | <b>SELECT</b>    |  |
| 0x0C           | <b>RDBUFF</b>        | N/A              |  |

Table 2.5: [SW-DP](#page-9-2) Registers and Addresses modified from [\[2,](#page-74-4) p. 50]

## **Debug Port Identification Register**

The Debug Port Identification Register (DPIDR) provides information about the [DP,](#page-8-9) such as a part number, revision code, and version of the implemented [DP](#page-8-9) architecture.

## **Abort Register**

The ABORT Register forces an [AP](#page-8-8) transaction abort and on a [SW-DP](#page-9-2) it is also used to clear error and sticky flag conditions.

### **Control/Status Register**

The Control and Status Register (CTRL/STAT) is a 32-bit register that is used to control and obtains status information about the [DP](#page-8-9) and is shown in [Figure 2.7.](#page-24-0)

Only the bits CDBGPWRUPREQ and CSYSPWRUPREQ are given special attention, as these bits are necessary for initialising the debugger.

<span id="page-24-0"></span>

Figure 2.7: SW-DP Control and Status Register (CTRL/STAT) from [\[2,](#page-74-4) p. 56]

• Bit [28] CDBGPWRUPREQ:

Debug powerup request. This bit controls the CDBGPWRUPREQ signal. This signal is required for the power controller and is used to start up and activate the clocks in the debug power domain.

• Bit [30] CSYSPWRUPREQ:

System powerup request. This bit controls the CSYSPWRUPREQ signal. This signal is required for the power controller and is used to start up and activate the system power domain.

### *2 Basics*

It is necessary to generate a debug and a system power-on request, otherwise the [DAP](#page-8-7) will not answer any requests.

## **Resend Register**

This register does not capture new data from the [AP](#page-8-8) while a read operation is performed on "RESEND" but returns the [AP'](#page-8-8)s last read or [DP](#page-8-9) RDBUFF read.

### **Select Register**

SELECT is a 32-bit [DP](#page-8-9) architecture register and selects

- an [Access Port](#page-8-8) and the active register banks within that [AP](#page-8-8) or
- the [DP](#page-8-9) address bank.

[Figure 2.8](#page-25-0) shows the SELECT register.

<span id="page-25-0"></span>

Figure 2.8: [SW-DP](#page-9-2) Select Register from [\[2,](#page-74-4) p. 70]

- Bit [31:24] APSEL Selects the [AP](#page-8-8) with the ID number APSEL
- Bit [7:4] APBANKSEL Selects the active four-word register bank on the current [AP.](#page-8-8)
- Bit[3:0] DPBANKSEL [Debug Port](#page-8-9) address bank select.

## **Read Buffer Register**

The Read Buffer (RDBUFF) presents data (typically 32-bit) captured during the previous [AP](#page-8-8) read and allows the value to be returned repeatedly without generating a new [AP](#page-8-8) access.

## **MEM-AP Register**

The [Memory Access Port](#page-9-8) module is connected to the internal bus system of the processor and has access to the memory. This allows the debugger to access all the memories components, peripherals, debug components, and debug registers of the processor. [Table 2.6](#page-26-0) shows the [MEM-AP](#page-9-8) registers and the corresponding addresses.

| Bank | <b>Address</b> | <b>Register name</b>          |
|------|----------------|-------------------------------|
| 0x0  | 0x00           | Control/Status Word (CSW)     |
|      | 0x04           | Transfer Adress (TAR)         |
|      | 0x08           | <b>RESERVED</b>               |
|      | 0x0C           | Data Read/Write (DRW)         |
| Ox1  | 0x10           | Banked Data 0 (BD0)           |
|      | 0x14           | Banked Data 1 (BD1)           |
|      | 0x18           | Banked Data 2 (BD2)           |
|      | 0x1C           | Banked Data 3 (BD3)           |
|      |                |                               |
| 0xF  | 0xF4           | <b>RESERVED</b>               |
|      | 0xF0           | Configuration Reg. (CFG)      |
|      | 0xF8           | Debug Base Addr. (BASE)       |
|      | 0xFC           | Identification Register (IDR) |

<span id="page-26-0"></span>Table 2.6: [MEM-AP](#page-9-8) Registers and Addresses modified from [\[2,](#page-74-4) p. 151]

#### **Identification Register**

Every [Access Port](#page-8-8) must implement an Identification Register (IDR) which identifies the [AP](#page-8-8) and provides information about the [AP,](#page-8-8) such as a class type and revision code. An IDR value of zero indicates that there is no [AP](#page-8-8) present.

#### **Control/Status Word register**

The Control/Status Word register CSW holds control and status information for the [MEM-AP.](#page-9-8)

## **Transfer Address Register**

The Transfer Address Register TAR holds the address for the next access to the memory system, or set of debug resources, which are connected to the [MEM-AP.](#page-9-8) The [MEM-](#page-9-8)[AP](#page-9-8) can be configured to automatically incremented the TAR value after each memory access. Reading or writing to the TAR does not cause a memory access.

## **Data Read/Write register**

The Data Read/Write register DRW is used for memory accesses:

- Writing to the DRW initiates a write to the address specified by the TAR.
- Reading from the DRW triggers a read request from the address stored in the TAR. When the read access completes, the value is returned from the DRW.

## **Banked Data Registers**

The Banked Data Registers, BD0-BD3, provide direct read or write access to a block of four words of memory, starting at the address that is specified in the TAR.

### **Configuration register**

The Configuration register CFG register hold information about the configuration of the [MEM-AP.](#page-9-8)

### **Debug Base Address register**

The Debug Base Address register BASE is a pointer into the connected memory system. It points to one of:

- The start of a set of debug registers for the single connected debug component.
- The start of a ROM Table that describes the connected debug components.

This brief summary of the [MEM-AP](#page-9-8) registers does not include cross-references to the detailed register descriptions. For more information about these registers, see on page 170 and following in source [\[2\]](#page-74-4).

## <span id="page-27-0"></span>**2.3.4 Example of Reading from the SW-DP**

This subsection describes which bit sequence must be sent to read the the [Debug Port](#page-23-2) [Identification Register \(DPIDR\)](#page-23-2) located in the [SW-DP.](#page-9-2) This register provides information about the [Debug Port,](#page-8-9) such as a part number and revision code. [Table 2.7](#page-28-1) shows the sequence of bits that must be sent to read the register entry. Reading this register is a good way to check if the initialisation was successful and a connection exists.

<span id="page-28-1"></span>

Table 2.7: Example of Reading from DPIDR

If 32-bit data are received after the OK acknowledge response, the connection to the [SW-DP](#page-9-2) works properly. For a Cortex-M0 [MCU,](#page-9-3) the default response is 0x0bb11477. [\[20,](#page-76-4) p. 911ff.]

## <span id="page-28-0"></span>**2.3.5 Example of Reading from Flash Memory via the MEM-AP**

This section shows which steps are necessary to read data from the flash memory with a debugger via [SWD.](#page-9-1) These steps are essential for the attack and will be described later as minimal communication and are therefore listed briefly.

- 1. System reset (optional): Initially, a power cycle is performed to reset the system.
- 2. Initialising the debug interface: The steps described in the Arm Debug Interface Specification [\[2,](#page-74-4) pp. 123ff.] are followed.
	- First, the [SWD](#page-9-1) interface is reset by applying the reset pattern to SWDIO and SWCLK.
	- Secondly, reading the IDCODE from the [Serial Wire Debug Port](#page-9-2) is recommended; see [Section 2.3.4.](#page-27-0)
	- Thirdly, set the System powerup request (CSYSPWRUPREQ) and Debug powerup request (CDBGPWRUPREQ) in the CTRL/STAT Register of the [SW-DP](#page-9-2) to fully initialise the debug interface, see [Section 2.3.3.](#page-23-3)
- 3. Setting the access width to 32 bits (optional): Although this is optional, it is recommended to switch to 32-bit mode, as this allows a whole word of 32 bits to be read. To switch to 32-bit mode, set the value of the size field in the Control/Status Word Register of the [AHB](#page-8-6) [Access Port,](#page-8-8) here the [MEM-AP,](#page-9-8) to 0x02.
- 4. Setting the read address of the flash: The address to be read is written to the Transfer Address Register of the [MEM-AP.](#page-9-8)
- 5. Triggering the flash read access: A read access to the Data Read/Write Register of the [MEM-AP](#page-9-8) triggers the read access of the [MEM-AP](#page-9-8) via the system bus, which reads the flash memory.
- 6. Reading the data: The result of the previous access is read from the [DP](#page-8-9) Read Buffer Register. An "SWD OK" response is returned if flash memory access was granted on success. In case of an error, "SWD ERROR" is returned. In the case of "SWD OK", the word was correctly read from the flash memory and stored in the DP read buffer register, where it can be read by the debugger.

Reading the [DP](#page-8-9) Read Buffer Register is also possible if the CPU switches off the system bus in the meantime. This note is important for the following chapter. [\[13,](#page-75-2) pp. 9f.]

# <span id="page-30-0"></span>**3 Basis of the Attack**

The vulnerability used for the demonstrator is based on a paper of the Fraunhofer Institute for Applied and Integrated Security, Fraunhofer AISEC for short. Fraunhofer AISEC supports companies in securing their systems and products and researches in the field of embedded systems and hardware components, among other things. The paper is entitled "Shedding too much Light on a Microcontroller's Firmware Protection" [\[13\]](#page-75-2) and investigates the safety concept of a specific microcontroller family.

The paper reports on the growing interest in testing the security mechanisms of newer microcontrollers, including the ARM Cortex-M-based STM32 series. The widespread use of these devices has finally sparked in their security mechanisms. Also, by the time the paper was published, there were no publicly available penetration test results for STM32 devices. Therefore, the paper's authors conducted a thorough security analysis of the STM32F0 sub-series, paying special attention to firmware readout protection.

The readout protection protects the memory in which the firmware is stored. This protection is intended to protect against unauthorized access. Flash readout protection is the root of system security because reading the firmware protects against access to the system's security configuration. Bypassing the readout protection can completely compromise other security mechanisms.

The paper begins by introducing the security system, which consists of three Levels. The different [Readout Protection](#page-9-0) [\(RDP\)](#page-9-0) Levels differ as follows.

**[RDP](#page-9-0) Level 0** is the default configuration and is not restricted in any way. The debug interface is active and allows full access to the device. Normally this level is only used for development. This protection should be set by the developer after the firmware is loaded to the embedded Flash memory.

**[RDP](#page-9-0) Level 1** keeps the debug interface active, but restricts the access to the flash memory. As soon as a debugger is connected, the flash memory is locked. A read access generates a Hard Fault interrupt and a bus error. The protection can be increased to [RDP](#page-9-0) Level 2, but can also be downgraded to level 0, in which case the entire flash memory content is erased.

**[RDP](#page-9-0) Level 2** is the most restricted and offers the highest security. Debug access is completely disabled by permanently shutting down the interface. This level is irreversible and cannot be downgraded. Although [RDP](#page-9-0) Level 2 offers the best protection, [RDP](#page-9-0) Level 1 is preferred. According to the paper, experience shows that companies do not like to lock down their devices completely as this makes it difficult to troubleshoot errors and failures. In addition, the manufacturer cannot analyse defective devices with [RDP](#page-9-0) Level 2. Overall, this leads to most devices being set to [RDP](#page-9-0) Level 1.

The readout protection is part of the system configuration of the microcontroller and is stored in a dedicated "option byte" section. In it, the three available [RDP](#page-9-0) levels are encoded with 16 bits of non-volatile memory. The 16 bits are implemented as two consecutive bytes called "RDP" and "nRDP". In any intended configuration, nRDP represents the bitwise complement of RDP. [Table 3.1](#page-31-0) shows the mapping of each RDP and nRDP setting to the configured [RDP](#page-9-0) level.

| nRDP                                | RDP  | Resulting protection |
|-------------------------------------|------|----------------------|
| 0x55                                | 0xAA | RDP Level 0          |
| Any other combination               |      | <b>RDP Level 1</b>   |
| except the values of levels 0 and 2 |      |                      |
| 0x33                                | 0xCC | <b>RDP Level 2</b>   |

<span id="page-31-0"></span>Table 3.1: Readout Protection Options of the STM32F0 Series according to the Datasheet [\[20,](#page-76-4) p. 64]

[RDP](#page-9-0) Level 0 and [RDP](#page-9-0) Level 2 are each represented by exactly one complementary byte pair. Any other configuration, including non-complementary byte pairs, is represented by [RDP](#page-9-0) Level 1 by default. The factory setting is [RDP](#page-9-0) Level 0. This description is based on sources [\[13,](#page-75-2) pp. 2f.] and [\[20,](#page-76-4) p. 64]

Fraunhofer AISEC has demonstrated that this readout protection can be bypassed. This approach is now explained and the setup is shown in [Figure 3.1.](#page-32-0)

<span id="page-32-0"></span>

Figure 3.1: Setup of the Attack

An ARM M0-based STM32F0 microcontroller was analyzed, in which protection against flash access is given by [RDP](#page-9-0) level 1. As soon as a debugger tries to read from the flash memory via [SWD,](#page-9-1) this triggers a Hard Fault interrupt, and the [CPU](#page-8-3) cannot process any further commands. The flash protection logic must be reset by a power cycle.

A closer investigation shows that the readout protection is not triggered for all [SWD](#page-9-1) requests but only for the system bus's access. Access to [SWD](#page-9-1) interface-internal registers such as the [Debug Port Identification Register \(see Section 2.3.3\)](#page-23-2) remains inconsequential, and the system continues to run. However, the flash is deactivated when the debugger accesses another module such as peripherals, [SRAM,](#page-9-5) or flash memory via the system bus. The debugger triggers a transfer on the system bus by reading from or writing to the [SWD](#page-9-1) [Memory Access Port](#page-9-8) [Data Read/Write Register \(see Section 2.3.3\).](#page-26-0) A more detailed analysis shows that the [AHB](#page-8-6) transaction and thus the lockdown is triggered by the last rising SWCLK edge of the corresponding [SWD](#page-9-1) packet transmission.

However, the paper shows that reading from memory is still possible with [RDP](#page-9-0) activated. A minimum initialization of the debug interface is required to mount the attack, and the [SWD](#page-9-1) communication needs to be reduced to a bare minimum. Experiments show that the default software shipped with [SWD](#page-9-1) Debugger (onboard Debugger and the Segger J-Link Debugger) triggers the [RDP](#page-9-0) protection while connecting. By reducing the communication, the [SWD](#page-9-1) read request can be answered without triggering the flash protection. The readout protection triggers the Hard Fault interrupt too late, which means the request can be answered. It depends on the system busload whether the read request succeeds or fails. The paper further investigated the relationship between

a successful attack and the busload and came to the following conclusion. CPU instruction and data fetches have priority over debugging access during the arbitration. Thus, the debugger has to wait for a free cycle on the bus to place the request. If the debugger gains instant access to the bus, the access takes place before the flash protection locking is triggered. The flash protection logic is triggered two cycles too late. Thus, the firmware can be extracted at an average rate of 45 bytes per second. The largest STM32F0 microcontrollers with up to 256 kByte of flash memory can be read entirely in less than two hours. Further data and the methodology used for these results can be found in the paper from the Frauenhofer AISEC by Obermaier and Tatschner [\[13\]](#page-75-2).

An assumption about the timing of the attack is shown in [Figure 3.2.](#page-33-0) It shows how the debugger makes a read request to the flash memory via the system bus, received and processed by the [RDP.](#page-9-0) While the flash memory starts processing the request, the [RDP](#page-9-0) sends an [IRQ](#page-8-10) to the [CPU](#page-8-3) via the interrupt line and triggers a bus fault exception. However, the flash memory could respond before the exception and thus fully answer the request.

<span id="page-33-0"></span>

Figure 3.2: An Assumption about the Timing of the Attack

# <span id="page-34-0"></span>**4 Requirements Specification**

This chapter lists the requirements that NXP places on a demonstrator. The basic requirements for a demonstrator are as follows. A demonstrator is intended to be a live demo showing an attack in real-time without preparations. The attack should be understandable for a broad audience, and the consequences should be impressive. The demonstrator intends to show how important security measures are and that it is not enough to trust existing security mechanisms because they can possibly be bypassed or hacked. Therefore, the explanation of the attack must be greatly simplified, as the audience does not necessarily have the required knowledge. A short and straightforward explanation of the demonstrator and presentation of the attack is required for this.

The requirements are divided into three sections. At the beginning, the use case of the demonstrator is described. Which is followed by the hardware and software requirements.

## <span id="page-34-1"></span>**4.1 Use Case Requirements**

The requirements for the use case, as already partially described, are as follows:

- The demonstrator and the attack should be easy to understand and follow. Only widely known technology should be assumed.
- It should be impressively shown how essential firmware protection is.
- It should be possible to demonstrate it live and therefore require little time and effort, ideally, in a ca. 30-minute presentation

## <span id="page-35-0"></span>**4.2 Software Requirements**

The requirements for the software are also that it should be easy to understand. The software should be executable on a modern and widely used operating system such as Windows 10. The demonstrator should communicate via a straightforward [Graphical](#page-8-11) [User Interface](#page-8-11) [\(GUI\)](#page-8-11). The operation of the software should also be intuitive, and any errors or system failures should be self-correctable and remediable, if possible. Another requirement is that the user interface is resizable and the content displayed be scalable. This requirement is necessary to change the window size for large or high-resolution display devices.

## <span id="page-35-1"></span>**4.3 Hardware Requirements**

The requirements for the hardware are to keep a simple structure. This means that it must only be limited to the connection of plugs. In the best case, these are also protected against incorrect connection, like [USB.](#page-9-9) This also means that, as with software, errors and system failures can be corrected and fixed by themselves. Again, the hardware should also be easy and intuitive to use as with the software. Therefore, if possible, no additional hardware should be needed other than that included with the demonstrator. The only exception, of course, is a computer or laptop. Another requirement for the demonstrator is that it needs to be easily and cost-effectively reproducible in case the demonstrator breaks down.

This also includes that any errors or system failures can be corrected and dealt with by themselves, if possible. Also, the handling of the demonstrator and implementation should be intuitive.
# **4.4 Specifications - Summary**

In this section, the requirements already specified are summarised in a list.

- The attack must be demonstrated live in an about 30-minute presentation, including setup.
- The use case should be as comprehensible and convincing as possible
- Explanations should be simple and easy to understand
- The consequences of the attack clearly show that further or better protective measures are necessary
- Communication should take place via a clear [Graphical User Interface](#page-8-0)
- The demonstrator should be simple in design and assembly
- The demonstrator should be easy to transport
- The demonstrator must be easily and cost-effectively duplicable
- The demonstrator must support Windows 10 as it is very well known.
- Errors or system failures should be self-correctable and remediable
- Reverse polarity protected connections

In the next section, a concept is developed based on these specifications.

# <span id="page-37-0"></span>**5 Concept**

This chapter describes the concept of the demonstrator and is divided into five sections. In the beginning, the use case is presented, which is necessary for understanding the following overview of the demonstrator. In the Use Case section, the passwordprotected hard disk is introduced. Then the concept of the password-protected hard disk is described, followed by the section describing the presentation. In the last section, the hardware necessary for the attack is described.

# **5.1 Use Case**

In the use case, sensitive data must be read from the microcontroller's flash memory by exploiting the vulnerability described in [Chapter 3.](#page-30-0) Therefore, a password-protected storage medium, such as a [USB](#page-9-0) hard drive, is chosen for the demonstrator. This technology and its handling are well known to the broad public, and the consequences of bypassing the protection are severe. This Use Case meets the requirements of designing an easy-to-understand use case and is also easy to handle, as [USB](#page-9-0) hard drives usually only require a [USB](#page-9-0) cable to be connected. Password protection is also easy to explain, as this procedure is widely known. The presentation of the password-protected hard disk will only take a few minutes so that there is still enough time for the live demonstration of the attack, and thus all the requirements are met. It is essential to mention that the password evaluation occurs on the hard disk, i.e. on the microcontroller. With this design, it is possible that the password stored on the hard disk can be read out for decryption. In this way, the password can be read from memory, as this must be available for checking against an entered password.

## <span id="page-38-1"></span>**5.1.1 Use Case Description**

This section describes how to use the password-protected hard disk, and an overview of the necessary components can be seen in [Figure 5.1.](#page-38-0) This overview shows that the hard disk is connected to a computer via [USB](#page-9-0) and that no additional hardware is required, which corresponds to the requirements. A straightforward [GUI](#page-8-0) is displayed on the computer screen, which is required to unlock and mount the hard drive. The password is entered into this software and sends entered passwords to the hard drive.

<span id="page-38-0"></span>

**Host System** 

Figure 5.1: Setup Demo Disk

**Prerequisites:** The hard disk is initially encrypted so that the data cannot be read, and no hard disk can be mounted at this time.

**Post-conditions:** After the hard disk is disconnected, it is encrypted again so that data cannot be read.

**Primary way:** The hard disk is connected to the computer via a [USB](#page-9-0) cable. The unlocking software is then started and shows the successful connection to the hard disk, and the password for unlocking can be entered. If an incorrect password was entered, the software displays this, and the password can be entered again. The hard disk remains encrypted at all times and cannot be mounted. There is no limit to the number of incorrect passwords that can be entered, and there are no consequences. The unlocking software indicates that the correct password has been entered and then starts Windows File Explorer. Only at this point the hard is disk decrypted and accessible to the operating system. The File Explorer is started at the mount point of the hard disk to allow immediate access to the hard disk and increase user-friendliness. The unlocking software exits shortly afterwards.

Alternatively, the unlocking software can be started before the hard disk is connected. The software indicates that the hard disk is not yet connected and signals that it is ready to receive the password when the hard disk is connected. This method also leads to successful completion.

# **5.2 Concept Overview**

This overview presents the different components of the demonstrator. A distinction is made between the following parts.

- The password-protected hard disk, which includes the unlocking software.
- The presentation in which the hard disk is introduced, the attack is vividly described and visualised, and the attack is demonstrated live.

The hard disk, especially the host application needed to communicate with the hard disk, is developed as a stand-alone program and is not integrated into the presentation. This separation increases authenticity, as the hard disk could be used independently of the presentation. This separation also allows the scenario of a fictitious developer of this password-protected hard disk, who only relies on the readout protection of the hardware used during development and does not take further security measures. As a result, the password used for encryption is stored in plaintext in the code and thus in the microcontroller's flash memory. Exploiting the vulnerability shows that the readout protection is insufficient, and the password can be read out, making the encryption of the data obsolete. This problem only exists because no further security measures have been taken to make it difficult to reconstruct the password.

# **5.3 The Password-Protected Hard Disk**

This section is divided into the hard disk hardware, the software running on it, and the software to unlock the hard disk. The unlocking software is presented first. The firmware and the hardware follow.

# **5.3.1 Unlocking GUI**

The main task of the unlocking [GUI](#page-8-0) is to send the entered password to the hard disk for evaluation. This software is a [GUI](#page-8-0) because the user can enter data, i.e. the password, and receive feedback on whether this is correct or incorrect. The following points are necessary for this communication, particularly for program intuitiveness. These points are shown in a concept sketch in [Figure 5.2.](#page-41-0)

- 1. For simplicity, the [GUI](#page-8-0) consists only of a description text field (1 a) and an input field (1 b) for the password.
- 2 a. The connection status is be displayed immediately after the program starts and regularly checked for up-to-dateness and changed if necessary.
- 2 b. The software independently establishes a connection to the hard disk and displays the connection's current status.
	- 3. If the hard disk is not connected, entering a password is impossible, indicated by a grayed-out input field.
	- 4. The input is hidden by using a password field.
	- 5. The entry process is completed by pressing the Enter key, and the password will be automatically transferred to the hard disk.
	- 6. Feedback is given as to whether the password was entered correctly.
	- 7. The GUI window automatically moves to the foreground and is centered.

<span id="page-41-0"></span>

Figure 5.2: Sketch of the Unlocking GUI

#### **5.3.2 Firmware of the Hard Disk**

This section introduces the concept of firmware. The firmware is the software executed on the microcontroller and implements the functionalities of a password-protected hard disk. Since the password evaluation takes place on the microcontroller, it must communicate with the host system. In order to make this particularly user-friendly and to imitate a real hard disk as closely as possible, communication via [USB](#page-9-0) is necessary. This approach is in line with the requirements. So there is only one interface and one cable for communication between the host and the hard disk. Everything necessary is realised in software. Therefore, the software has two states. The initial state after startup is the communication state, in which it remains until the correct password has been received. In this state, the user data are encrypted and cannot be accessed because no hard disk can be mounted yet. The second state is the mass storage state, which can only be reached with the correct password and makes the hard disk available to the host as a [USB](#page-9-0) storage medium and can be mounted as a hard disk. The program flow is shown in [Figure 5.3,](#page-42-0) which shows the states with the corresponding [USB](#page-9-0) class of the [Communication Device Class](#page-8-1) [\(CDC\)](#page-8-1) and the [Mass Storage Class](#page-9-1) [\(MSC\)](#page-9-1). More about the different [USB](#page-9-0) classes can be found at [\[5,](#page-74-0) pp. 169-189].

<span id="page-42-0"></span>

Figure 5.3: Conceptualised Program Flow of the Firmware

Intermediate steps such as decrypting the data between the two states have been omitted for the sake of clarity. A modern encryption standard such as [AES](#page-8-2) presents the security authentically. A full disk encryption (FDE) is remarkably authentic and is therefore conceptualised.

A communication protocol is required to send the password to the hard disk. The following commands with corresponding responses need to be implemented to meet the use case description and are listed in [Table 5.1.](#page-42-1)

<span id="page-42-1"></span>

| <b>Message from Hostsystem</b> |  | <b>Response from Microcontoller</b> | <b>Explanation</b> |  |
|--------------------------------|--|-------------------------------------|--------------------|--|
| "hello\n" or                   |  | "HELLO WORLD!!!"                    | To test the        |  |
| "HELLO\n"                      |  |                                     | communication      |  |
| "PASSWORD****\n" or            |  | "WRONG PW!\r\n"                     | **** represents    |  |
| "password****\n"               |  | "RIGHT PW!\r\n"                     | the password       |  |

Table 5.1: Protocol for Password Evaluation

#### *5 Concept*

Since the protocol is not overly complex, it is implemented using serial communication supported by [USB'](#page-9-0)s [CDC](#page-8-1) class. Using [USB](#page-9-0) [CDC](#page-8-1) has the advantage that all communication requires only the [USB](#page-9-0) cable. A message containing the keyword "password" and the password to be evaluated must be sent by the host to verify a password by the microcontroller. The keyword is not separated from the actual password and is sent together as one word. The non-printable character Newline (or Line Feed) "\n" ends the string and thus shows a unique end.

The firmware must first connect to the host as a [USB](#page-9-0) communication device and process received messages. If an incorrect password was sent, the message "WRONG\_PW!\r\n" must be sent to the host, otherwise "RIGHT\_PW!\r\n" must be sent, and the [USB](#page-9-0) class must be changed from the [CDC](#page-8-1) to the [USB](#page-9-0) [MSC.](#page-9-1) As soon as the device is disconnected, everything must be reset, and the password must be entered again.

# **5.3.3 Hardware of the Hard Disk**

Only ready-to-use development boards were used to reduce the development effort to a minimum. The choice of hardware is limited to the STM32F0 series, as the security vulnerability is restricted to this series. Since the use case is a portable password-protected [USB](#page-9-0) hard drive, the board must have a [USB](#page-9-0) port that supports [USB](#page-9-0) device mode. The microcontroller can change the [USB](#page-9-0) device classes in this mode, implementing the communication protocol described in the previous section. For the STM32F0 series, only one compatible development board is offered, namely the "32F072BDISCOVERY" with an STM32F072RB [MCU.](#page-9-2) This development board is shown in [Figure 5.4](#page-44-0) and more information about the development board and the [MCU](#page-9-2) can be found on the manufacturer's website [\[16\]](#page-75-0).

Since this board is provided with unnecessary equipment such as sensors, buttons and an onboard debugger, a smaller board equipped with the same [Microcontroller Unit](#page-9-2) was chosen. In particular, the second [USB](#page-9-0) port, which is for the onboard debugger, could lead to irritation; therefore, the smaller board with only one [USB](#page-9-0) port and no onboard debugger was chosen and is shown in [Figure 5.5.](#page-44-0)

<span id="page-44-0"></span>

Figure 5.4: STM32F0 Development Board 32F072BDISCOVERY



Figure 5.5: Demonstrator Board with an STM32F072RB

# **5.4 Presentation of the Demonstrator**

The main task of the presentation is to introduce the password-protected hard disk, explain the attack and demonstrate it live. For this purpose, the presentation will consist of slides shown one after the other. These slides are high-resolution graphics so that the presentation can be displayed well on high-resolution and large display devices, as specified in the requirements. The presentation is divided into five parts, explained and conceptualised in the following sections.

- 1. Presentation of the hard disk
- 2. Demonstration of the hard disk
- 3. Setup of the attack
- 4. Explanation of the attack
- 5. Demonstration of the attack

The sequence of the individual parts is explained in the following and why it is chosen in this way. First, it is shown that it is a hard disk, and it is explained that a password protects it and that this password must be transmitted to the hard disk so that the evaluation takes place on the hard disk (part 1). This introduction is made because the password of this hard disk will be stolen later. The demonstration of the hard disk is followed, which makes the explanation clearer and easier to follow, as the steps are followed once (part 2). After the hard disk has been established, it is pointed out that the password is stored on the hard disk for the evaluation, thus making it a target for attack. The presentation of the attack setup (part 3) builds the bridge to the explanation of the attack (part 4). The attack process is then explained simplified, followed by a live demonstration (part 5).

All slides are uniformly structured, and [Figure 5.6](#page-46-0) shows the concept sketch of the master page from which all others are derived.

<span id="page-46-0"></span>

Figure 5.6: Sketch of the Presentation GUI - Master Slide

It is possible to use both the buttons and the arrow keys to make the operation of the presentation as intuitive as possible. This [GUI](#page-8-0) is structured like a classic presentation with slides, in which the live demonstration is integrated.

## **5.4.1 The Hard Disk Part**

Parts 1 and 2 of the presentation are conceptualised in this section. For Part 2, a variation of [Figure 5.1](#page-38-0) [\(Subsection 5.1.1\)](#page-38-1) is used, and it is shown that the password has to be sent to the hard drive to unlock it, which is illustrated by sending a password and then opening the lock. For the second part, there will be a slide with a button to start the unlocking software. After starting, the hard disk and software functionality is demonstrated once. First, a wrong password is entered, showing that no hard disk is available. Then the correct password is entered, showing that the hard disk is available.

#### **5.4.2 The Attack Part**

This section explains and conceptualises parts 3 and 4 of the presentation. For part 3, a simplified variation of [Figure 3.1](#page-32-0) from [Chapter 3](#page-30-0) is used. Part 4, the explanation of the attack must be designed for a broad audience and therefore be very descriptive. Since this vulnerability within the system is a race condition, a visualisation is required. The designed visualisation shows which components are present and that they are interconnected. The main components are the [CPU,](#page-8-3) the debugger (partially housed in the [CPU\)](#page-8-3), the [RDP](#page-9-3) and the flash memory. Unfortunately, as described in [Chapter 3,](#page-30-0) the components' connections are not entirely clear and thus are not described in detail. The result is the simplified representation in [Figure 5.7,](#page-47-0) which reflects the most likely assumption as shown in [Figure 3.2](#page-33-0) in [Chapter 3.](#page-30-0) [Figure 5.9](#page-49-0) illustrates how the race condition is visualised. It is essential to show that the [RDP](#page-9-3) is a little too slow or that the flash memory lock message arrives too late, as shown in [Figure 5.8.](#page-48-0)

<span id="page-47-0"></span>This visualisation lends itself well to a presentation, and if the slides are shown one after the other, the flow of information is more vivid. This visualisation is easier to understand for an audience without technical expertise than the sequence diagram from [Chapter 3](#page-30-0) [\(Figure 3.2\)](#page-33-0).



Figure 5.7: Sketch of the Attack Visualisation

Messages sent over these connections are shown as thicker lines from the sender to the receiver, as shown in [Figure 5.7.](#page-47-0)

<span id="page-48-0"></span>

Figure 5.8: Message Flow of the Attack Visualisation

The primary purpose of this visualisation is to show that the message from the [RDP](#page-9-3) arrives too late. This message tells the [CPU](#page-8-3) that the debugger is not allowed to read from the flash. However, the flash has answered the read request in the meantime.

## **5.4.3 Live Demonstration of the Attack**

The attack slide, part 5 of the presentation, looks like the sketch shown in [Figure 5.9](#page-49-0) and can be started with the "Start" button and, if necessary, stopped with the "Stop" button. During the attack, the firmware dump is output line by line. A line consists of the address where the read operation was started, the firmware dump in hexadecimal representation and the firmware dump interpreted in [ASCII](#page-8-4) characters. After reading out the firmware, the password that was the target of the reading is highlighted. The attack occurs in the background and is executed by the presentation.

<span id="page-49-0"></span>

Figure 5.9: Sketch of the Presentation GUI - Attack Slide

# **5.5 Hardware for the Attack**

As described in [Chapter 3,](#page-30-0) a debugger is also needed for the attack. Since the SEG-GER J-Link is commonly used at NXP and software from NXP is already available for this device, it was chosen for the demonstrator. The J-Link supports [SWD](#page-9-4) at the required low level, i.e. reading and writing registers needed for the attack. Tests in advance have also shown that the J-Link is suitable. The SEGGER J-Link can be seen in [Figure 5.10.](#page-49-1)

<span id="page-49-1"></span>

Figure 5.10: SEGGER J-Link Debugger from [\[15\]](#page-75-1)

# **6 Implementation**

As with the concept, a distinction is made between the two following parts.

- The password-protected hard disk, which includes the unlocking [GUI](#page-8-0) and the firmware.
- The presentation, with the explanation and live demo of the attack and the hard drive demonstration.

In the beginning, the implementation of the unlocking [GUI](#page-8-0) and the hard disk firmware is introduced. Then the implementation of the presentation is presented.

# **6.1 The Password-Protected Hard Disk**

This section is divided into the software for unlocking the hard disk, which runs on the host system, and the hard disk firmware, which runs on the microcontroller and hardware for the demonstrator.

## **6.1.1 Unlocking GUI**

The unlocking software is implemented with Python and with the help of the [GUI](#page-8-0) toolkit Tkinter. Tkinter was the first [GUI](#page-8-0) toolkit for Python, which is why it is now part of the standard Python package. [\[14\]](#page-75-2)

In this way, it was possible to create a simple GUI as specified by the concept. The GUI works with two threads. The main thread creates the visible window that the user operates and updates the visual components. The second thread runs in the background, checks the connection status of the hard disk, passes changes and other data via message queues to the main thread, which then updates the window. The second

thread also manages the communication with the hard disk, sends entered passwords to the microcontroller and passes the received response to the main thread. In this way, the [GUI](#page-8-0) remains responsive as soon as communication with the hard disk occurs. The second thread, the communication thread, is described first, followed by the main thread.

#### **The Communication Thread**

This section describes the thread that works in the background, the communication thread. This worker thread automatically searches for the hard drive after the software is started to increase usability. It searches for the unique [USB](#page-9-0) identifiers, such as the Vendor ID (VID) and the Product ID (PID), and thus identifies the hard disk. The software also handles the connection initialisation, so the user only has to enter the password. Communication occurs via three message queues. One queue syncs the connection status from the communication thread to the main thread, another one receives the password from the main thread, and the last queue forwards the response from the hard disk to the main thread. These three threads are described in [Table 6.1.](#page-51-0)

<span id="page-51-0"></span>

Table 6.1: Message Queues for Communication between Threads

A flowchart of the communication thread can be seen in [Figure 6.1.](#page-52-0) This flowchart shows how an attempt is first made to connect to the hard disk. Whether a connection could be established is saved and passed on to the main thread via the connection queue. The following steps are repeated continuously until the thread is terminated. This termination occurs when the microcontroller has received the correct password and the main thread has received this message via the response queue. After this, the loop and thus the communication thread is terminated. Within this loop, a check is made to see if the connection status has changed since the last run. If so, it is forwarded to the main thread. Otherwise, if a connection is established, it is checked whether a password has been received from the main thread via the password queue. If a password is received, this password is sent to the microcontroller. The microcontroller's response is forwarded to the main thread via the answer queue.

<span id="page-52-0"></span>

Figure 6.1: Flowchart of the Communication Thread

[Figure 6.2](#page-53-0) shows a sequence diagram of the main thread and the communication thread, illustrating the communication between the two threads through the queues.

<span id="page-53-0"></span>

Figure 6.2: Sequence Diagram of the Unlocking GUI

#### **The Main Thread**

As described at the beginning of the section, the main thread is responsible for the visible window and manages the displayed components. The [concept](#page-37-0) chapter describes these components as the welcome text and the description, the connection status, and the password input field. Furthermore, there are two buttons in the GUI. The "Quit" button can be used to end the program, and the "OK" button can be used to send the entered password. This button can only be pressed when the hard disk is connected and ready to receive. The window is shown in [Figure 6.3](#page-54-0) with an unconnected hard disk and [Figure 6.4](#page-54-1) with a connected hard disk.

<span id="page-54-0"></span>

<span id="page-54-1"></span>Figure 6.3: Unlocking GUI with an unconnected Hard Disk



Figure 6.4: Unlocking GUI with a connected Hard Disk

As required by the [concept,](#page-37-0) a password field has been implemented. The entered characters cannot be read because they are displayed as an asterisk '\*'. In order to increase the user-friendliness requested in the requirements, the window automatically centers itself after start-up and automatically lifts itself into the foreground when changes are made. Thus, all requirements for the software are fulfilled.

# **6.1.2 Firmware of the Hard Disk**

The hard disk's firmware is written in the C programming language. The basis for the firmware is the [Software Development Kit](#page-9-5) [\(SDK\)](#page-9-5) from the microcontroller's manufacturer [\[17\]](#page-75-3). This [SDK](#page-9-5) served as the basis and had to be adapted in some places. The [SDK](#page-9-5) is chosen because it already offers executable projects that can easily be adapted and provides many required functionalities. The communication functionalities via [USB](#page-9-0) and the hard disk are initially developed separately and later merged.

- 1. The [USB](#page-9-0) [Communication Device Class](#page-8-1) [\(CDC\)](#page-8-1) sample application from the [SDK](#page-9-5) is adapted in the next subsection [Communications Part of the Firmware.](#page-55-0)
- 2. The [USB](#page-9-0) [Mass Storage Class](#page-9-1) [\(MSC\)](#page-9-1) sample application is adapted in the following subsection [Mass Storage Part of the Firmware.](#page-57-0)
- 3. These applications are merged with the required functionality, in subsection [The](#page-61-0) [merged Firmware.](#page-61-0)

## <span id="page-55-0"></span>**Communications Part of the Firmware**

The [USB](#page-9-0)[-CDC](#page-8-1) sample application uses the [USB](#page-9-0) device and [UART](#page-9-6) peripherals. With this application the [MCU](#page-9-2) acts as a [USB-](#page-9-0)to[-UART](#page-9-6) bridge. This bridge is implemented as a [Virtual COM port,](#page-9-7) which means that on one side, the microcontroller exchanges data with the host system via [USB](#page-9-0) interface in device mode and on the other side, the microcontroller exchanges data with other devices via [UART](#page-9-6) interface. In this [USB](#page-9-0) example, three [USB](#page-9-0) endpoints (separate communication channels) are declared in the [CDC](#page-8-1) class.

These three endpoints are:

1. The Bulk IN endpoint.

This endpoint is for messages received via [UART,](#page-9-6) which must be forwarded to the host system from the microcontroller.

- 2. The Bulk OUT endpoint. This endpoint is for messages received via [USB](#page-9-0) from the host system, which must be forwarded via [UART.](#page-9-6)
- 3. The interrupt IN endpoint for setting and getting serial-port parameters.

The interrupt IN endpoint and is taken over unchanged, as it has all the necessary functions. Only the callback functions of the Bulk IN and OUT endpoints for receiving and transmitting are adapted.

Since the [UART](#page-9-6) functionality is not needed, the functions are adapted so that messages received via [USB](#page-9-0) are not forwarded via the [UART](#page-9-6) Interface but instead copied into a buffer. Furthermore, messages can be sent to the host via [USB](#page-9-0) without receiving via the [UART](#page-9-6) Interface. The status of the input buffer is periodically queried. If messages are present, they are processed, and the request is answered.

The following had to be changed in the [USB-](#page-9-0)[CDC](#page-8-1) example for this functionality, as listed in [Table 6.2.](#page-56-0)

<span id="page-56-0"></span>



#### <span id="page-57-0"></span>**Mass Storage Part of the Firmware**

The [USB](#page-9-0)[-MSC](#page-9-1) sample application is originally intended for more complex development board with the same processor. This board has an internal [SD](#page-9-8) card slot where the sample application uses the microcontroller as a bridge and acts as a [USB](#page-9-0) [SD](#page-9-8) card reader. In this way, the host system can address and access the [SD](#page-9-8) card via the microcontroller.

The functionality of the [SD](#page-9-8) card is not adopted to keep the demonstrator as simple as required. This way, no parts of the demonstrator, such as an [SD](#page-9-8) card or the external [SD](#page-9-8) card holder, can be lost. Instead of the [SD](#page-9-8) card, a file system for the hard disk is implemented in the flash memory. The host system accesses the file system stored in the flash memory block by block via [USB.](#page-9-0) The file system in the flash memory replaces the [SD](#page-9-8) card and behaves like a real hard disk. This functionality is taken from the opensource project TinyUSB. TinyUSB is a cross-platform open-source [USB](#page-9-0) host/device stack for embedded systems, and more information can be found on the project website [\[9\]](#page-75-4). In this project, an array can be found that represents a complete [FAT12](#page-8-5) file system. This file system contains a sample text file whose contents can be customized. Thus the array is adopted for the hard disk firmware. Changes made by the host via [USB](#page-9-0) to the text files are initially buffered on the host side and are thus volatile since the changed file system is not written to the flash memory after use. Therefore, the system is in the same state with each new demonstration. A part of the [FAT12](#page-8-5) array is shown in [Figure 6.5.](#page-58-0)

<span id="page-58-0"></span>

Figure 6.5: FAT12 File System Array

#### *6 Implementation*

Building on this, encryption is applied to the entire file system residing in the flash memory. The file system stored as an array is encrypted with Tiny [AES.](#page-8-2) Tiny [AES](#page-8-2) is a lightweight implementation of the [AES](#page-8-2) crypto algorithm in C, which supports the standard key sizes (128/192/256-Bit) and the common block cipher operation modes, like the [Electronic Codebook Modus](#page-8-6) [\(ECB\)](#page-8-6). The implementation of Tiny [AES](#page-8-2) is based on the recommendations of the National Institute of Standards and Technology (NIST). [\[12\]](#page-75-5) The file system is encrypted with an [AES](#page-8-2) in [ECB](#page-8-6) mode with a key length of 256 bits. Information on this can be found in NIST's Specification for the [AES](#page-8-2) [\[7\]](#page-74-1) and in NIST's Paper "Recommendation for Block Cipher Modes of Operation" [\[6\]](#page-74-2). A part of the encrypted [FAT12](#page-8-5) array is shown in [Figure 6.6.](#page-60-0)

The following had to be changed in the [USB](#page-9-0)[-MSC](#page-9-1) example for this functionality, as listed in [Table 6.3.](#page-59-0)

<span id="page-59-0"></span>



<span id="page-60-0"></span>

| ₹      |                                                                                                                                               |  |
|--------|-----------------------------------------------------------------------------------------------------------------------------------------------|--|
|        | 0xba, 0x59, 0x4a, 0x8a, 0x9d, 0x90, 0xd9, 0x19,<br>$0x83$ , $0xaa$ , $0x32$ , $0x63$ , $0x90$ , $0xfb$ , $0x27$ , $0xcc$ ,                    |  |
|        | $0x45$ , $0x61$ , $0x86$ , $0xe1$ , $0x90$ , $0xa1$ , $0xc3$ , $0x49$ ,                                                                       |  |
|        | 0xb3, 0x87, 0xdf, 0xcd, 0x8d, 0xd2, 0x17, 0xe9,                                                                                               |  |
|        | 0xb7, 0xef, 0x9e, 0xf5, 0x34, 0x19, 0xdb, 0x13,                                                                                               |  |
|        | 0xd7, 0x04, 0x81, 0x7a, 0x71, 0x02, 0x9c, 0xd6,                                                                                               |  |
|        | $0x0c$ , $0xd1$ , $0x1a$ , $0x40$ , $0xbf$ , $0x86$ , $0xac$ , $0x4a$ ,                                                                       |  |
|        | $0x76$ , $0x58$ , $0x12$ , $0xc1$ , $0x0f$ , $0xda$ , $0xe6$ , $0xb8$ ,                                                                       |  |
|        | 0xf3, 0x95, 0x06, 0x91, 0x37, 0x2f, 0xe3, 0xca,                                                                                               |  |
|        | $0xe4$ , $0xf7$ , $0xaf$ , $0x76$ , $0xdd$ , $0xd4$ , $0x93$ , $0x77$ ,                                                                       |  |
|        |                                                                                                                                               |  |
|        | $0xf3$ , $0x95$ , $0x06$ , $0x91$ , $0x37$ , $0x2f$ , $0xe3$ , $0xca$ ,                                                                       |  |
|        | 0xe4, 0xf7, 0xaf, 0x76, 0xdd, 0xd4, 0x93, 0x77,                                                                                               |  |
|        | $0 \times 3$ , $0 \times 62$ , $0 \times 63$ , $0 \times 4c$ , $0 \times 66$ , $0 \times 30$ , $0 \times c1$ , $0 \times 23$ ,                |  |
|        | 0x70, 0xde, 0x6d, 0xbc, 0x27, 0x93, 0x5b, 0xb9,                                                                                               |  |
|        | $0xf3$ , $0xdb$ , $0x3f$ , $0xe1$ , $0xc5$ , $0x4b$ , $0xb8$ , $0x34$ ,                                                                       |  |
|        | $0 \times 1$ , $0 \times 56$ , $0 \times 06$ , $0 \times 22$ , $0 \times 4c$ , $0 \times 66$ , $0 \times 6e$ , $0 \times 9e$ ,                |  |
|        | 0xf3, 0x95, 0x06, 0x91, 0x37, 0x2f, 0xe3, 0xca,                                                                                               |  |
|        | 0xe4, 0xf7, 0xaf, 0x76, 0xdd, 0xd4, 0x93, 0x77,                                                                                               |  |
|        |                                                                                                                                               |  |
|        | $0xf3$ , $0x95$ , $0x06$ , $0x91$ , $0x37$ , $0x2f$ , $0xe3$ , $0xca$ ,                                                                       |  |
|        | 0xe4, 0xf7, 0xaf, 0x76, 0xdd, 0xd4, 0x93, 0x77,                                                                                               |  |
|        | $0$ xda, $0$ xa $3$ , $0$ xaf, $0$ xb $5$ , $0$ xf1, $0$ x4a, $0$ xfb, $0$ xb $5$ ,                                                           |  |
|        | 0xe3, 0x21, 0xfc, 0x87, 0x68, 0xc2, 0x66, 0x92,                                                                                               |  |
|        | $0x76$ , $0x7b$ , $0xfb$ , $0x91$ , $0x38$ , $0xf1$ , $0xb7$ , $0xed$ ,                                                                       |  |
|        | $0x11$ , $0xd4$ , $0x6b$ , $0x8b$ , $0xcb$ , $0x70$ , $0x68$ , $0xe0$ ,                                                                       |  |
|        | $0x44$ , $0x52$ , $0xc7$ , $0x0f$ , $0x17$ , $0xc1$ , $0x38$ , $0x3c$ ,                                                                       |  |
|        | $0x8c$ , $0xed$ , $0x76$ , $0x20$ , $0x0f$ , $0x62$ , $0x43$ , $0xd0$ ,                                                                       |  |
|        | 0xe7, 0x0f, 0x97, 0xa5, 0xe9, 0xaa, 0x45, 0x72,                                                                                               |  |
|        | $0xc2$ , $0xd2$ , $0x52$ , $0x3a$ , $0x7a$ , $0xc9$ , $0x31$ , $0x1f$ ,                                                                       |  |
|        | $0xf3$ , $0x95$ , $0x06$ , $0x91$ , $0x37$ , $0x2f$ , $0xe3$ , $0xca$ ,                                                                       |  |
|        | 0xe4, 0xf7, 0xaf, 0x76, 0xdd, 0xd4, 0x93, 0x77,                                                                                               |  |
|        |                                                                                                                                               |  |
|        | $0xf3$ , $0x95$ , $0x06$ , $0x91$ , $0x37$ , $0x2f$ , $0xe3$ , $0xca$ ,                                                                       |  |
|        | $0xe4$ , $0xf7$ , $0xaf$ , $0x76$ , $0xdd$ , $0xd4$ , $0x93$ , $0x77$ ,                                                                       |  |
|        | $0x53$ , $0x68$ , $0x15$ , $0x88$ , $0x66$ , $0x66$ , $0x48$ , $0x53$ ,                                                                       |  |
|        | 0xe5, 0x3a, 0x51, 0x1a, 0x21, 0x85, 0x58, 0xb7,                                                                                               |  |
|        | 0x11, 0xfb, 0x83, 0x44, 0x73, 0xf7, 0xcf, 0xc7,                                                                                               |  |
|        | 0x7d, 0x8f, 0xe1, 0x52, 0xb0, 0x15, 0x18, 0x64,                                                                                               |  |
|        | $0 \times 13$ , $0 \times 95$ , $0 \times 06$ , $0 \times 91$ , $0 \times 37$ , $0 \times 21$ , $0 \times 37$ , $0 \times 3$ , $0 \times 37$  |  |
|        | $0xe4$ , $0xf7$ , $0xaf$ , $0x76$ , $0xdd$ , $0xd4$ , $0x93$ , $0x77$ ,                                                                       |  |
|        |                                                                                                                                               |  |
|        | $0xf3$ , $0x95$ , $0x06$ , $0x91$ , $0x37$ , $0x2f$ , $0xe3$ , $0xca$ ,                                                                       |  |
|        | $0xe4$ , $0xf7$ , $0xaf$ , $0x76$ , $0xdd$ , $0xd4$ , $0x93$ , $0x77$ ,                                                                       |  |
|        | $0 \times 13$ , $0 \times 95$ , $0 \times 06$ , $0 \times 91$ , $0 \times 37$ , $0 \times 21$ , $0 \times 23$ , $0 \times 23$ , $0 \times 24$ |  |
|        | 0xe4, 0xf7, 0xaf, 0x76, 0xdd, 0xd4, 0x93, 0x77,                                                                                               |  |
|        | $0 \times 13$ , $0 \times 95$ , $0 \times 06$ , $0 \times 91$ , $0 \times 37$ , $0 \times 21$ , $0 \times 37$ , $0 \times 37$ , $0 \times 21$ |  |
|        | $0xe4$ , $0xf7$ , $0xaf$ , $0x76$ , $0xdd$ , $0xd4$ , $0x93$ , $0x77$                                                                         |  |
| $\}$ ; |                                                                                                                                               |  |

Figure 6.6: Encrypted FAT12 File System Array

In summary, the following is implemented. An encrypted array is stored in the flash memory. After decryption, this array becomes a [FAT12](#page-8-5) file system, which fulfils the required Full Disk Encryption (FDE). The block requested by the host system via [USB](#page-9-0)

#### *6 Implementation*

is read from the flash memory, decrypted and then passed on to the host system. Since changes are not saved, it is strictly speaking a read-only disk.

## <span id="page-61-0"></span>**The merged Firmware**

This section describes how to merge the customised [USB](#page-9-0) sample applications into the password-protected hard disk firmware.

Since the previous applications can both communicate, i.e. receive a password via USB and act like an encrypted hard disk, the following points need to be implemented for the merge:

- 1. Change the [USB](#page-9-0) class from CDC to MSC class after correctly entering the password.
- 2. Return to the starting point after disconnecting the [USB](#page-9-0) connection.
- 3. Make sure that the password used to unlock the device can be read as a string from the flash memory, i.e., it is stored there.

A simplified flowchart of the merged program is shown in [Figure 6.7](#page-62-0) and the steps required are described below.

For point 1, as soon as the correct password is entered, the [USB](#page-9-0) interrupts are deactivated and then the [USB](#page-9-0) interface is stopped and deinitialised. Afterwards, the USB interface is initialised again, but as [USB](#page-9-0) MSC device. To achieve this functionality, the documentation "STM32Cube USB device library" [\[18\]](#page-75-6) and the "Description of STM32F0xx HAL drivers" [\[19,](#page-76-0) p. 21-31, 33ff., 48ff.] had to be consulted.

For point 2, a reset function (NVIC\_SystemReset()) is called as soon as the connection is disconnected within the [USB](#page-9-0) MSC state. This resets the microcontroller and the program is restarted, returning the microcontroller to the USB CDC state. This function requests a system reset by setting the system reset request flag (SYSRESETREQ) in the Application Interrupt and Reset Control Register (AIRCR).

Finally, for item 3, the password is stored in plaintext as a character array in the main function and used for comparison with the received password during the program run. This way it is stored in the flash memory and can be read out.

<span id="page-62-0"></span>

Figure 6.7: Flowchart of the password-protected Hard Disk's Firmware

## **6.1.3 Hardware of the Disk**

Only reverse polarity-protected cables have to be connected for the assembly, as specified in the requirements. This connection is shown in [Figure 6.9](#page-63-0) and ensures that the cable is not misused. For this purpose, a connector is soldered to the development board, and the board is provided with housing. The housing for the development board

#### *6 Implementation*

of the hard disk is made with a 3D printer. The cover was made of transparent Plexiglas to allow a view inside, seen in [Figure 6.8](#page-63-1) and [6.10.](#page-63-0)

<span id="page-63-1"></span>

Figure 6.8: Device under Attack in Housing - Topview

<span id="page-63-0"></span>

Figure 6.9: Device under Attack in Housing Figure 6.10: Device under Attack in Hous-- Connector Front ing - USB Front

# **6.2 Presentation of the Demonstrator**

This section describes the implementation of the presentation, which introduces the hard drive, explains the attack and demonstrates it live. As with the unlocking GUI, Python is used together with Tkinter for the implementation. A presentation developed and used for other demonstrators is used as the basis for the implementation. In this section, the structure of the GUI, the different classes and the implementation of the attack are explained.

# **6.2.1 Structure of the GUI**

The presentation consists of the following classes, which can also be seen in the class diagram in [Figure 6.11.](#page-65-0)

- MainView
- SlideShow
- Page-Classes (Page1 to Page5)
- DebugJLink

The classes will be explained in this order.

<span id="page-65-0"></span>

Figure 6.11: Class Diagram of the Presentation

## **MainView**

The MainView class is responsible for creating the visible window and managing it, i.e., creating and displaying various pages. The buttons for scrolling forwards and backwards are also managed in the Main-View class. These buttons call the  $lift()$  function of Tkinter for the corresponding page, which lifts this page into the foreground and thus makes it visible. All other pages lie behind it and can be displayed in order. After the last page, the first page is displayed and the other way around.

A loading bar is displayed at the beginning to inform the user that the GUI has been started. This feedback increases user-friendliness. This loading bar is necessary because the first reading, copying and pre-scaling of the graphics take about 5 seconds. This time is necessary because the graphics are high resolution and can be used on large and high-resolution display devices as specified in the requirements.

After the graphics have been processed, the pages are created. These inherit from the class SlideShow, described in the next section. As soon as all pages have been created, the loading bar is 100%. After that, the first page, Page1, is displayed, and the loading bar is closed. The window is brought to the foreground of the main screen

#### *6 Implementation*

and displayed in full screen. In summary, the following happens from the user's point of view. After starting the presentation, the user sees only a loading bar displayed in the center of the main screen in the foreground. This loading bar reaches 100% within a few seconds, and the next moment, the first page of the presentation is full screen on the main screen. The presentation can be operated using the buttons at the bottom or with the arrow keys on the keyboard. As required, starting the software is very simple and intuitive.

#### **SlideShow**

A base class is implemented from which all parts are inherit. This base class represents the master slide shown in the [concept](#page-37-0) [\(Figure 5.6\)](#page-46-0). The base class contains the title of the demonstrator, the name of the company and an area for slides. It is also possible to display graphics that can be automatically scaled to the size of the window. The scaling functionality has been adopted mainly from the existing presentation. The scaling functionality saves the high-resolution original graphic and creates a copy used for scaling. The original is saved to ensure the best possible quality. If the window is first reduced and then enlarged again, this could lead to a loss of quality. Because when the window is reduced, information is removed that is then missing when the window is enlarged. In this case, the original is used, and the copy is replaced by the original. The renewed copy can then be resized without loss of quality. The possibility of a slide show is also implemented in the base class. This slide show makes it possible to display several graphics one after the other, as is necessary, for example, when explaining the attack and is described in the next section, among the other Pages.

#### **Page-Classes**

This section describes the page classes. There are five Page classes, each representing a part of the presentation and inherits from the basis-class SlideShow. [Table 6.4](#page-67-0) lists all five classes.

| $1.10$ and |                        |                                 |  |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|---------------------------------|--|--|--|
|                                                                                                                                                                                                                             | Name of the Page-Class | <b>Part of the Presentation</b> |  |  |  |
|                                                                                                                                                                                                                             | Page1                  | Presentation of the hard disk   |  |  |  |
|                                                                                                                                                                                                                             | Page2                  | Demonstration of the hard disk  |  |  |  |
|                                                                                                                                                                                                                             | Page3                  | Setup of the attack             |  |  |  |
|                                                                                                                                                                                                                             | Page4                  | Explanation of the attack       |  |  |  |
|                                                                                                                                                                                                                             | Page5                  | Demonstration of the attack     |  |  |  |
|                                                                                                                                                                                                                             |                        |                                 |  |  |  |

<span id="page-67-0"></span>Table 6.4: Parts of Presentation with the corresponding Page-Class

## **Page1**

Page1 shows the password-protected hard disk and that the password must be sent to the hard disk. By inheritance, only a subtitle is assigned to the class, i.e. the title of the slide "Explanation Disk" and the associated graphic for the slide show.

## **Page2**

As with any page class, the subtitle must still be added to page2. This subtitle is called "Demo Disk", and this page only has a button for starting the unlocking GUI, with which the hard disk is presented and demonstrated live.

## **Page3**

Page3 is titled "Attack" and shows the setup of the attack. [Figure 6.12](#page-67-1) shows this setup visualisation.

<span id="page-67-1"></span>

Figure 6.12: Visualisation of the Attack's Setup

## **Page4**

Page4 describes the attack and is also named "Attack". For this, the graphics shown in the concept are displayed and shown with stick point explanations. In [Figure 6.13,](#page-68-0) the first graphic is shown, and the corresponding explanation is highlighted. This graphic gives an overview of all components.

<span id="page-68-0"></span>

Figure 6.13: Slide Explaining the Attack in the Presentation

## **Page5**

Page 5 is the slide of the live attack and is called "Attack". There is only a start button and a black field in the beginning. If the hard disk is still connected to the computer via [USB,](#page-9-0) it is pointed out that the [USB](#page-9-0) cable must be disconnected. This notification is necessary because the microcontroller is supplied with power via [USB,](#page-9-0) and a restart (power cycle) via the debugger is not possible. The attack, described in [Chapter 3,](#page-30-0) begins as soon as the Start button is pressed. After the start, another button is displayed - the Stop button - with which the attack can be stopped. The read firmware is output during the attack as described in the [concept,](#page-37-0) and the password is highlighted in the end. The class of the attack is described next.

## **DebugJLink**

The class DebugJLink controls the J-Link debugger and thus executes the attack. NXP's software library is used to control the J-link. This library, Lab Control, contains functions to communicate with the microcontroller via the minimal implementation of the [SWD](#page-9-4) protocol using the J-Link, which is necessary for the attack.

After the attack is started, it is checked whether the microcontroller is configured correctly. It is checked whether the read protection is set to [RDP](#page-9-3) level 1. If this is not the

#### *6 Implementation*

case, the user can decide whether the protection should be switched on. If this option is chosen, the current firmware is loaded into the flash memory and then [RDP](#page-9-3) level 1 is set. This procedure fulfils the requirement that the software can correct errors itself. The attack then begins with a restart (power cycle) of the microcontroller. Power cycle means that the J-Link briefly switches off the microcontroller's power supply. For reading out the firmware, the steps described in section 4 are performed, and if the access is successful, the address to be read is incremented. The password is searched and marked if the firmware is completely read out. In addition, the focus is set to the position of the password. The procedure is shown in a flowchart of the attack in [Figure 6.14.](#page-69-0)

<span id="page-69-0"></span>

Figure 6.14: Flowchart of the Attack

# **6.3 Limitations and Opportunities**

The demonstrator is in an operational state. Several test runs have shown that the complete firmware with a size of nearly 32 kByte can be read in approximately 10 minutes. That means one of the essential requirements, the live demonstration, has been successfully implemented. Furthermore, typical errors are detected by the software. For example, the presentation points out that the [USB](#page-9-0) cable must be disconnected before the attack begins. Otherwise, the attack is not possible. The presentation can also check the status of the microcontroller and, if necessary, renew the firmware and switch on the [RDP.](#page-9-3)

Nevertheless, there is still potential for improvement. For one thing, the hard drive's locking mechanism could be reworked. A desirable feature would be the ability to change the password. The password is currently hardcoded into the program and cannot be changed. For this, the communication protocol would have to be extended to include the possibility of changing the password, and a function would have to overwrite the old password in the flash memory with the new one. On the other hand, a different operating mode of the [AES](#page-8-2) would be desirable since the [ECB](#page-8-6) mode encrypts identical plaintext blocks into identical ciphertext blocks and thus does not hide data patterns. Because the hard disk consists primarily of "0x00" entries, and these blocks are uncomplicated to recognise. For this reason, the [ECB](#page-8-6) is unsuitable for full disk encryption, even if it is straightforward to implement.

Another essential point is the performance of the presentation. The presentation must be revised, whereby the revision will focus on the performance of the graphics scaling. In this area, optimising with a second thread with message queues could be helpful and reduce the loading time in the beginning.

Further work will replace the J-Link debugger with a smaller, less expensive alternative to better meet the requirement of duplicating quick and inexpensive this demonstrator. During development, it was detected that the J-Link debugger could easily be replaced by a debugger that supports [SWD](#page-9-4) at all levels, especially the low level. Support for all [SWD](#page-9-4) levels means that the debugger supports flashing of the MCU and operation with low-level functions, such as reading and writing registers, as required for the attack. The debugger should be able to supply the [MCU](#page-9-2) with power. This power supply should be switchable since the microcontroller must be restarted via a power cycle. However, this functionality could also be easily implemented with a transistor, which turns the power

supply on and off. It would be conceivable to develop a debugger with a development board and implement the [SWD](#page-9-4) protocol. For this purpose, the development board used for the hard disk could be used with the [USB](#page-9-0) communications functionality already developed. Also, the attack's performance could possibly be increased by implementing a self-made debugger. In the course of this, it could also be tested whether reducing the capacity of the capacitor that stabilises the voltage supply influences the restart duration. In other words, whether there is a significant correlation between the total capacity of the voltage supply and the restart time.

The creation of a manual is still obligatory. This manual is included with the demonstrator and describes the setup. This manual is provided on a [USB](#page-9-0) flash drive. The demonstrator will later be packed in a suitcase to make it handier and easier to transport. This case contains the microcontroller, i.e. the hard disk, the debugger and the [USB](#page-9-0) flash drive with the manual, the presentation and the unlocking GUI.
## **7 Conlusion**

In this bachelor thesis, a demonstrator is built that bypasses the readout protection and thus reads out a microcontroller's firmware. For this purpose, a suitable and authentic use case was developed and implemented with corresponding hardware. The use case consists of a portable password-protected [USB](#page-9-0) hard disk, which can only be decrypted and mounted with the correct password. The password is evaluated on the hard disk. For this purpose, the password is sent to the hard disk via [USB.](#page-9-0) Since the evaluation takes place on the hard disk, the password must also be stored there for comparison, making the hard disk the target of the attack. The attack shows how the readout protection is bypassed, and the password stored in the firmware is readout. The impact of password theft is significant as it compromises the entire encryption. A presentation was developed to demonstrate the attack that introduces the typical working hard disk to the user and gives a live demonstration. Afterwards, the attack is explained and also demonstrated live. The entire firmware, including the password, is read out in about 10 minutes. After reading out, the password is highlighted and presented, ending the presentation.

This demonstrator fulfills almost all the requirements that were set for it. Thus, the most important goals were achieved, which say that the hard drive and the attack have to be live demos, and especially the attack is shown in real-time without preparations. It also tries to explain the attack in an understandable way to a broad audience and show the consequences as impressively as possible. The demonstrator shows the importance of security measures and that it is not enough to rely on single security mechanisms, as they may be bypassed or hacked.

One possibility to extend the demonstrator even further would be to implement the much more secure [RDP](#page-9-1) level 2 in this demonstrator so that the microcontroller is first downgraded from level 2 to 1 and then read out. [RDP](#page-9-1) Level 2 is more secure because it permanently shuts down the entire debugging interface. However, possibilities for successfully attacking the RDP level 2 were also presented in the Frauenhofer AISEC

paper by Obermaier and Tatschner [\[13\]](#page-75-0). Alternatively, also found in this presentation [3]. In this presentation, one of the cryptocurrency hardware wallets will be cracked. The attacks carried out on the hardware wallets range from leveraging the proprietary bootloader protection to leveraging the web interfaces to physical attacks, including glitches, to bypass the security implemented in the microcontroller of the wallet. These attacks include glitching a microcontroller protected with RDP level 2 to 1. For this extension, the microcontroller secured with [RDP](#page-9-1) Level 2 could be downgraded from Level 2 to Level 1 by attacking the power supply, which is shown in the presentation, with a so-called voltage glitch, in which the power supply is briefly switched off, thereby inducing an error in the digital logic of the microcontroller. Then the firmware can be read out with the debugger.

## **Bibliography**

- [1] ARM LTD.: *AMBA® AHB Protocol Specification IHI 0033C*. [https://](https://developer.arm.com/documentation/ihi0033/latest/) [developer.arm.com/documentation/ihi0033/latest/](https://developer.arm.com/documentation/ihi0033/latest/), Last accessed: 04. Nov 2021. – Rev. C
- [2] ARM LTD.: *Arm Debug Interface Architecture Specification v5.1 IHI 0031F*. <https://developer.arm.com/documentation/ihi0031/latest/>, Last accessed: 25 Jun 2021. – Rev. F
- [3] ARM LTD.: *CoreSight Architecture: Serial Wire Debug*. [https://developer.](https://developer.arm.com/architectures/cpu-architecture/debug-visibility-and-trace/coresight-architecture/serial-wire-debug) [arm.com/architectures/cpu-architecture/debug-visibility](https://developer.arm.com/architectures/cpu-architecture/debug-visibility-and-trace/coresight-architecture/serial-wire-debug)[and-trace/coresight-architecture/serial-wire-debug](https://developer.arm.com/architectures/cpu-architecture/debug-visibility-and-trace/coresight-architecture/serial-wire-debug), Last accessed: 25 Jun 2021. 2021
- [4] ASCHE, Rüdiger R.: *Embedded Controller Grundlagen und praktische Umsetzung für industrielle Anwendungen*. Berlin Heidelberg New York : Springer-Verlag, 2016. – ISBN 978-3-658-14850-8
- [5] AXELSON, Jan: *USB Complete The Developer's Guide*. Madison WI 53704 : Lakeview Research, 2009. – ISBN 978-1-931-44808-6
- [6] DWORKIN, Morris: Recommendation for Block Cipher Modes of Operation / National Institute of Standards and Technology. Washington, D.C., 2001 (NIST Special Publication 800-38A 2001 Edition). – Forschungsbericht
- [7] DWORKIN, Morris ; BARKER, Elaine ; NECHVATAL, James ; FOTI, James ; BASSHAM, Lawrence ; ROBACK, E. ; DRAY, James: *Advanced Encryption Standard (AES)*. <https:///doi.org/10.6028/NIST.FIPS.197>, Last accessed: 04. Jan 2022. 2001-11-26 2001
- [8] FLEMING, Bill: Microcontroller Units in Automobiles [Automotive Electronics]. In: *IEEE Vehicular Technology Magazine* 6 (2011), Nr. 3, S. 4–8
- [9] HA THACH: *TinyUSB*. [https://docs.tinyusb.org/en/latest/index.](https://docs.tinyusb.org/en/latest/index.html) [html](https://docs.tinyusb.org/en/latest/index.html), Last accessed: 04. Jan 2022
- [10] INTEGRIERTE SICHERHEIT AISEC, Fraunhofer-Institut für Angewandte und: *Produktschutz-Infografik.pdf*. [https://www.aisec.fraunhofer.](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Sonstige/Produktschutz-Infografik.pdf) [de/content/dam/aisec/Dokumente/Publikationen/Sonstige/](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Sonstige/Produktschutz-Infografik.pdf) [Produktschutz-Infografik.pdf](https://www.aisec.fraunhofer.de/content/dam/aisec/Dokumente/Publikationen/Sonstige/Produktschutz-Infografik.pdf), Last accessed: 10. Jan 2022
- [11] KHAN, Sultan Q.: *Microcontroller Readback Protection: Bypasses and Defenses*. [https://research.nccgroup.com/wp-content/uploads/2020/02/](https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf) [NCC-Group-Whitepaper-Microcontroller-Readback-Protection-](https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf)[1.pdf](https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf), Last accessed: 10. Jan 2022
- [12] KOKKE: *tiny-AES-c*. <https://github.com/kokke/tiny-AES-c>, Last accessed: 04. Jan 2022
- <span id="page-75-0"></span>[13] OBERMAIER, Johannes ; TATSCHNER, Stefan: Shedding too much Light on a Microcontroller's Firmware Protection. In: *11th USENIX Workshop on Offensive Technologies (WOOT 17)*. Vancouver, BC : USENIX Association, 2017. – URL [https://www.usenix.org/conference/woot17/workshop](https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier)[program/presentation/obermaier](https://www.usenix.org/conference/woot17/workshop-program/presentation/obermaier). – Last accessed: 04. Oct 2021
- [14] PYTHON SOFTWARE FOUNDATION: *tkinter Python interface to Tcl/Tk*. [https:](https://docs.python.org/3/library/tkinter.html) [//docs.python.org/3/library/tkinter.html](https://docs.python.org/3/library/tkinter.html), Last accessed: 07. Dec 2021
- [15] SEGGER MICROCONTROLLER GMBH: *Product Page J-Link Base*. [https:](https://www.segger.com/products/debug-probes/j-link/models/j-link-base/) [//www.segger.com/products/debug-probes/j-link/models/j](https://www.segger.com/products/debug-probes/j-link/models/j-link-base/)[link-base/](https://www.segger.com/products/debug-probes/j-link/models/j-link-base/), Last accessed: 07. Dec 2021
- [16] STMICROELECTRONICS: *Product overview: 32F072BDISCOVERY*. [https://](https://www.st.com/en/evaluation-tools/32f072bdiscovery.html) [www.st.com/en/evaluation-tools/32f072bdiscovery.html](https://www.st.com/en/evaluation-tools/32f072bdiscovery.html), Last accessed: 07. Dec 2021
- [17] STMICROELECTRONICS: *STM32Cube MCU Package for STM32F0 series*. <https://www.st.com/en/embedded-software/stm32cubef0.html>, Last accessed: 07. Dec 2021
- [18] STMICROELECTRONICS: *UM1734 STM32Cube USB device library*. [http://www.st.com/st-web-ui/static/active/en/resource/](http://www.st.com/st-web-ui/static/active/en/resource/technical/document/user_manual/DM00105256.pdf)

[technical/document/user\\_manual/DM00105256.pdf](http://www.st.com/st-web-ui/static/active/en/resource/technical/document/user_manual/DM00105256.pdf), Last accessed: 01. Dec 2021

- [19] STMICROELECTRONICS: *UM1785 Description of STM32F0xx HAL drivers*. [http://www.st.com/st-web-ui/static/active/en/resource/](http://www.st.com/st-web-ui/static/active/en/resource/technical/document/user_manual/DM00122015.pdf) [technical/document/user\\_manual/DM00122015.pdf](http://www.st.com/st-web-ui/static/active/en/resource/technical/document/user_manual/DM00122015.pdf), Last accessed: 01. Dec 2021
- [20] STMICROELECTRONICS: *RM0091 Reference manual*. [https:](https://www.st.com/en/microcontrollers-microprocessors/stm32f0-series.html#documentation) [//www.st.com/en/microcontrollers-microprocessors/stm32f0](https://www.st.com/en/microcontrollers-microprocessors/stm32f0-series.html#documentation) [series.html#documentation](https://www.st.com/en/microcontrollers-microprocessors/stm32f0-series.html#documentation), Last accessed: 08. Oct 2021. 2021. – Rev 9
- [21] TANENBAUM, Andrew S.: *Structured Computer Organization -*. 5th Edition. London : Prentice Hall, 2006. – ISBN 978-0-131-48521-1
- [22] YIU, Joseph: *The Definitive Guide to ARM® Cortex®-M3 and Cortex®-M4 Processors*. Third Edition. London : Newnes, 2013. – ISBN 978-0-124-07918-2
- [23] YIU, Joseph: *The Definitive Guide to ARM® Cortex®-M0 and Cortex®-M0+ Processors*. Second Edition. London : Newnes, 2015. – ISBN 978-0-12-803277-0
- [24] ZÜRNER, Dominik B.: *A Demonstrator for Optical Fault Injection Attacks*. 2018. URL <https://reposit.haw-hamburg.de/handle/20.500.12738/8371>

## **A Appendix**

The appendix is located on a CD-ROM.

This CD-ROM can be inspected at the supervisors:

[Prof. Dr. Heike Neumann <heike.neumann@haw-hamburg.de>](mailto:heike.neumann@haw-hamburg.de) and

[Prof. Dr. Paweł Buczek <pawel.buczek@haw-hamburg.de>.](mailto:pawel.buczek@haw-hamburg.de)

## **Declaration**

I declare that this Bachelor Thesis has been completed by myself independently without outside help and only the defined sources and study aids were used.

Hamburg 13. January 2022

City Date Date Signature