Closed luistmw closed 1 year ago
CTXz
commented
1 year ago Hmm, interesting
It'd be a shame if the attack doesn't work on F105's. Truth be told, I've only tested the attack on F102's (RxT6) and F103's (RxT6 & C8T6). Is the target device a simple breakout board or is it a more complex board? Sometimes caps on the reset and power lines can have an effect on the power glitching.
luistmw
commented
1 year ago I did remove every cap and after i put on breakout board.When i tried the original exploit i was having same issue. And tried this but didnt work either. Apparently the startup address might be different on rbt6. https://github.com/JohannesObermaier/f103-analysis/issues/1
CTXz
commented
1 year ago I wasn't quite aware of these differences. I'll try to get my hands on a RBT6 and see how far I can get with it. I suppose you've attempted to change the start-up address to 0x1CC as guessed by the user, right?
CTXz
commented
1 year ago Alright, I've done a bit of research regarding the whole start address thing. This stack overflow post turned out to be rather helpful. By the looks of it, the difference in entry points is a result of STM's quirky implementation of booting from SRAM. Because the size of the vector table apparently differs between some models, so must the value of the entry point, which is located after the vector table. STM F1's seem to deal with this by aliasing the memory block at 0x00000000 to a 16 Byte ROM which holds a minimal Interrupt Vector Table (which from my understanding is harcoded into the chip?). The second entry of this IVT is the reset vector which is set to jump to the entry point. In the case of the F1C8T6 found on the blue pill, the reset vector will jump to 0x20000108, that's the Start of the RAM + an offset of 0x108. I guess once the entry address has been jumped to, the IVT loaded in RAM is used.
Knowing this means the entry point can be easily figured out by simply booting the STM32F1 into SRAM (no flashing required) and the executing a reset halt. The value of the PC should be then set to the entry point provided to the reset vector in the ROM.
So, to figure out the entry vector for your model, simply:
BOOT0 and BOOT1 to high.reset haltPC contains (Will be shown after executing reset halt)The last digits will provide the entry point offset that you'll need to fix in the linker file. Let me know what the offset is and whether it worked!
luistmw
commented
1 year ago Alright, I've done a bit of research regarding the whole start address thing. This stack overflow post turned out to be rather helpful. By the looks of it, the difference in entry points is a result of STM's quirky implementation of booting from SRAM. Because the size of the vector table apparently differs between some models, so must the value of the entry point, which is located after the vector table. STM F1's seem to deal with this by aliasing the memory block at
0x00000000to a 16 Byte ROM which holds a minimal Interrupt Vector Table (which from my understanding is harcoded into the chip?). The second entry of this IVT is the reset vector which is set to jump to the entry point. In the case of the F1C8T6 found on the blue pill, the reset vector will jump to 0x20000108, that's the Start of the RAM + an offset of0x108. I guess once the entry address has been jumped to, the IVT loaded in RAM is used.Knowing this means the entry point can be easily figured out by simply booting the STM32F1 into SRAM (no flashing required) and the executing a
reset halt. The value of thePCshould be then set to the entry point provided to the reset vector in the ROM.So, to figure out the entry vector for your model, simply:
- Set
BOOT0andBOOT1to high.- Connect your debugger
- Open openocd and run
reset halt- Check what value the
PCcontains (Will be shown after executingreset halt)The last digits will provide the entry point offset that you'll need to fix in the linker file. Let me know what the offset is and whether it worked!
That worked 100% !!!!!
luistmw
commented
1 year ago You can probably integrate this into the script easily
luistmw
commented
1 year ago 0x1e0 was the address
CTXz
commented
1 year ago Neat! Glad that worked!
Yes i was thinking about how to potentially integrate this into the scrip, ideally without requiring the target firmware to be built from scratch. Until that's done, I'll keep the issue open.
luistmw
commented
1 year ago Now that i think about it this can probably work way beyond the f1 chipset
CTXz
commented
1 year ago Hi, I've worked on a new release which should be able to automatically detect the entry point offset. I've attached it below. The target binaries have already been built, so all you need to do is to run the dump script. If you could try it out and confirm whether it works on your STM32F105, that'd be amazing!
~[stm32f1-picopwner.zip]()~
EDIT: Fixed filename case related issue. Please use this release:
luistmw
commented
1 year ago Ill test out in about an hour ill let you know on results
luistmw
commented
1 year ago Hi, I've worked on a new release which should be able to automatically detect the entry point offset. I've attached it below. The target binaries have already been built, so all you need to do is to run the dump script. If you could try it out and confirm whether it works on your STM32F105, that'd be amazing!
~[stm32f1-picopwner.zip]()~
EDIT: Fixed filename case related issue. Please use this release:
Can confirm that it is working correctly on f105rbt6
CTXz
commented
1 year ago Amazing, thanks for the help. The changes have been merged into main and the issue can be closed now. :tada:
I succesfully tested out a bluepill (works great) but ive been trying the Stm32f105rbt6 to no success. Tried thru usart1 and usart2 but get no response.