CTXz / stm32f1-picopwner

Dump read-out protected STM32F1's with a Pi Pico - A Pi Pico implementation of @JohannesObermaier's, Marc Schink's and Kosma Moczek's Glitch and FPB attack to bypass RDP (read-out protection) level 1 on STM32F1 chips

Implement IWDG. Ignore flash size, dump until hard fault. Show hex address. #25

Closed deividAlfa closed 6 months ago

deividAlfa commented 6 months ago

Check WDG_SW in Option Bytes, IWDG might be enabled by hardware, triggering a reset while dumping the firmware and causing an endless loop.

Ignore the flash size register, as not all STM32 clones implement it. Instead, dump up to 1 MB; when the flash is over, it'll trigger a hard fault and stop.

deividAlfa commented 6 months ago

Tried this, enabling SW_WDG in Option Bytes. With the current target FW, it bootlooped endlessly, sending the same first bytes again and again.

With this modification it worked as expected, ending in:

```
Target has stopped sending data, assuming dump is complete
Dumped 131072 bytes
```

deividAlfa commented 6 months ago

The MCU might have large empty areas, so it would look static, showing the same "FF FF..." to the user.

Last commit will show this:

```
Attack ready
Press enter to start dumping firmware

0x8000000:  00 50 00 20 e1 02 00 08 c9 02 00 08 cb 02 00 08
...
...
0x801ffd0:  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x801ffe0:  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x801fff0:  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Target has stopped sending data, assuming dump is complete
Dumped 131072 bytes
```

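The three points discussed in this PR (check the WDG_SW option bit, stop on end-of-data rather than trusting the flash size register, and print each 16-byte line with its flash address so long 0xFF regions are visibly progressing) are illustrated below in a host-side Python sketch. This is an added example written for this thread, not the project's own dumper code: the byte source is an injected callable standing in for a serial port, the sample data is constructed, and the WDG_SW bit position follows the USER option byte layout in RM0008 (bit 0, 0 = hardware watchdog).

```python
from typing import Callable, Optional

FLASH_BASE = 0x08000000   # STM32F1 main flash base address
MAX_DUMP = 1024 * 1024    # upper bound used instead of the flash size register
LINE_BYTES = 16           # bytes per printed line, as in the thread's output


def iwdg_forced_by_hardware(user_option_byte: int) -> bool:
    """WDG_SW is bit 0 of the USER option byte (RM0008 layout, assumed here).
    A cleared bit means the IWDG starts in hardware after every reset, which is
    what makes an unattended dump reset and loop on the first bytes."""
    return (user_option_byte & 0x01) == 0


def format_dump_line(address: int, chunk: bytes) -> str:
    """Render one line in the '0x8000000:  00 50 00 20 ...' style from the thread."""
    return f"0x{address:x}:  " + " ".join(f"{b:02x}" for b in chunk)


def collect_dump(read_chunk: Callable[[], Optional[bytes]],
                 base: int = FLASH_BASE,
                 limit: int = MAX_DUMP) -> tuple[bytes, list[str]]:
    """Pull bytes until the source reports no more data (None or b'', i.e. a
    receive timeout after the target hard-faulted past the end of flash) or
    until `limit` bytes have been collected. Returns the data and the
    address-prefixed lines that would be shown to the user."""
    data = bytearray()
    while len(data) < limit:
        chunk = read_chunk()
        if not chunk:
            break
        data.extend(chunk[: limit - len(data)])
    lines = [format_dump_line(base + off, bytes(data[off:off + LINE_BYTES]))
             for off in range(0, len(data), LINE_BYTES)]
    return bytes(data), lines


def erased_line_count(data: bytes) -> int:
    """Count 16-byte lines that are entirely 0xFF (erased flash), the regions
    that look static on screen without an address prefix."""
    return sum(1 for off in range(0, len(data), LINE_BYTES)
               if all(b == 0xFF for b in data[off:off + LINE_BYTES]))


def make_reader(chunks: list[bytes]) -> Callable[[], Optional[bytes]]:
    """Constructed stand-in for a serial port: yields chunks, then None."""
    queue = list(chunks)
    return lambda: queue.pop(0) if queue else None


# Constructed sample: a vector-table-like first line followed by erased flash.
SAMPLE = bytes.fromhex("00500020e1020008c9020008cb020008") + b"\xff" * 48


def demo() -> tuple[int, int, str]:
    data, lines = collect_dump(make_reader([SAMPLE[:20], SAMPLE[20:40], SAMPLE[40:]]))
    for line in lines:
        print(line)
    print("Target has stopped sending data, assuming dump is complete")
    print(f"Dumped {len(data)} bytes")
    return len(data), erased_line_count(data), lines[0]


if __name__ == "__main__":
    print("IWDG forced by hardware (USER=0xFE):", iwdg_forced_by_hardware(0xFE))
    demo()
```

Passing `limit` as the hard ceiling and treating an empty read as completion is what lets the same loop work on clones whose flash size register lies: the loop ends either at the 1 MB cap or when the target stops talking, whichever comes first.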
CTXz commented 6 months ago

Great contributions again! Will merge soon!

~~Good catch on the IWDG option byte. That was likely the culprit of this issue: https://github.com/CTXz/stm32f1-picopwner/issues/20~~

Edit: Looks like you already checked it out :)