Paper “Shedding too much Light on a Microcontroller’s Firmware Protection”

https://www.aisec.fraunhofer.de/content/dam/aisec/ResearchExcellence/woot17-paper-obermaier.pdf

• Every microcontroller has firmware readout protection
• Checked only STM32F0 family (entry-level microcontroller)
• Paper:
  • analysis of 3 security core components
  • detection of 3 weknesses + 3 ideas for their exploitation
    • Cold-Boot Stepping: enforcing single-stepping under limited debugging capabilities in Readout Protection (RDP) Level 1
    • Security Downgrade: Leveraging the lock-level design to downgrade the firmware protection setting
    • Debug Interface Exploit: Discovery of a race condition in the debug interface in RDP Level1
  • Proof of Concept for each weakness => vulnerabilities
  • discussion of impact
• STM32 Security Concept