
Breaking Bootloaders on the Cheap

Conference:  BlackHat EU 2019

2019-12-05

Summary

The presentation discusses the vulnerability of the LPC1343 microcontroller and how it can be exploited using return-oriented programming.
  • The LPC1343 microcontroller has a vulnerability in its read command function due to the lack of code protection checks.
  • The vulnerability can be exploited by overwriting the return address of the write command and making it jump to the read command area.
  • Return-oriented programming can be used to branch the code and prevent the device from crashing.
  • The vulnerability was responsibly disclosed to NXP and they updated their documentation to encourage the use of CRP level 1.
  • Empty bootloaders are easy to dump and reverse-engineer, resulting in the discovery of logical attacks and vulnerabilities in widely available devices.
The presenter demonstrated how they were able to exploit the vulnerability by overwriting addresses in the stack area until they found the return address of a function. They then enabled CRP level 1 and used return-oriented programming to branch the code and prevent the device from crashing.

Abstract

One of the challenges in securing embedded devices is to protect the flash memory storing code, data, and cryptographic secrets against malicious read/write access. Therefore, most microcontroller vendors decided to implement code read protection mechanisms (usually controlled by some security bits or fuses) in order to prevent such attacks.

Most modern microcontrollers include a bootloader (stored in ROM) that allows for in-circuit programming via USB, UART, or another link. The bootloader is also responsible for enforcing potentially configured readout protections. So far, attacks against embedded bootloaders were based on hardware attacks, e.g. using voltage glitching or UV light. Logical vulnerabilities (e.g. buffer overflows) in the bootloader code have received less attention.

For this presentation, we reverse-engineered and analysed the bootloaders of three widely used microcontrollers (NXP LPC1343, ST STM32F4, and ST STM8) in order to assess if the readout protection can be overcome with software-based attacks.

Our analysis shows that the bootloader of the LPC1343 (and other chips from the same family) contains a critical vulnerability in the "Write to RAM" command. While the command prevents writing to bootloader RAM, without the Memory Management Unit, it does not protect the stack (located at the other end of memory). This allows an attacker to break code readout protection level 1 by overwriting return addresses on the stack and chaining gadgets of code as in Return-Oriented Programming. The attack can be carried out with any cheap serial-to-USB converter.

We responsibly disclosed this to NXP, and they acknowledged the issue. Although NXP had cautioned users about limitations of using CRP level 1, they updated their developer guidance and now recommend to set CRP level 2 or 3, where this exploit is not possible.

While we did not find similar issues in the code of the STM32 and STM8 bootloaders, we point out that analysis on the assembly level can be useful in developing other attacks, e.g. for pinpointing the correct locations for voltage glitching.
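
The gap the abstract describes in the "Write to RAM" range check, shown next to a hardened form, as an added example that is not code from the presentation or from NXP's bootloader. The memory layout constants and function names are constructed for illustration and are not the LPC1343's real memory map; the weak check's upper bound is also an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for illustration; NOT the LPC1343's real memory map. */
#define RAM_BASE      0x10000000u
#define RAM_SIZE      0x2000u             /* assumed SRAM size */
#define RAM_END       (RAM_BASE + RAM_SIZE)
#define BOOT_RAM_END  (RAM_BASE + 0x300u) /* bootloader working RAM, low end */
#define STACK_RESERVE 0x120u              /* assumed stack region at top of RAM */
#define STACK_BASE    (RAM_END - STACK_RESERVE)

/* Check as the abstract describes it: bootloader RAM is excluded, but the
 * stack at the other end of memory is not. Staying inside RAM is assumed. */
bool write_allowed_weak(uint32_t addr, uint32_t len)
{
    if (len == 0 || len > RAM_SIZE) return false;
    if (addr < BOOT_RAM_END) return false;
    return addr <= RAM_END - len;
}

/* Hardened check: the whole range [addr, addr+len) must lie between the
 * bootloader RAM and the stack. Comparing against (hi - len) instead of
 * computing addr + len avoids 32-bit wrap-around. */
bool write_allowed_hardened(uint32_t addr, uint32_t len)
{
    const uint32_t lo = BOOT_RAM_END, hi = STACK_BASE;
    if (len == 0 || len > hi - lo) return false;
    return addr >= lo && addr <= hi - len;
}

int main(void)
{
    /* Constructed requests: {address, length}. */
    const uint32_t req[][2] = {
        {0x10000400u, 0x100u}, /* plain user RAM */
        {0x10000100u, 0x10u},  /* bootloader RAM */
        {0x10001F00u, 0x40u},  /* inside the stack region */
        {0x10001EC0u, 0x40u},  /* starts below the stack, ends inside it */
        {0xFFFFFFF0u, 0x20u},  /* addr + len would wrap around */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("0x%08X+0x%03X weak=%d hardened=%d\n", (unsigned)req[i][0],
               (unsigned)req[i][1], write_allowed_weak(req[i][0], req[i][1]),
               write_allowed_hardened(req[i][0], req[i][1]));
    return 0;
}
```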
