CTXz / stm32f1-picopwner

Dump read-out protected STM32F1's with a Pi Pico - A Pi Pico implementation of @JohannesObermaier's, Marc Schink's and Kosma Moczek's Glitch and FPB attack to bypass RDP (read-out protection) level 1 on STM32F1 chips

Detect flash size #8

Closed deividAlfa closed 9 months ago

deividAlfa commented 10 months ago

DBGMCU_IDCODE @ 0xE0042000 (RM0008 page 1088) reads 0 in the attack firmware, so we can't detect the flash using DEV_ID. Flash size register @ 0x1FFFF7E0 (RM0008 page 1076) works, so use it instead.

64KB devices actually have 128KB; it's the same die. Some firmwares use it, especially Chinese devices, as they're cheaper and work anyway. So, override to 128KB when reporting 64KB.
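The detection rule described in this comment (read the 16-bit flash size register at 0x1FFFF7E0, treat a reported 64KB part as 128KB, and derive the dump range from it), written out as a small added example. This is not code from stm32f1-picopwner or from the commenter; the `STM32F1_TARGET` macro, the host-side stub value of 64, the list of plausible F1 sizes and the function names are all assumptions made for the example so the logic can be built and exercised off-target.

```c
#include <stdint.h>
#include <stddef.h>

/* RM0008: flash size register, 16 bits, value is the flash size in Kbytes. */
#define FLASH_SIZE_REG_ADDR 0x1FFFF7E0u
/* Start of main flash on STM32F1 (the region the attack firmware streams out). */
#define FLASH_BASE_ADDR     0x08000000u

/* Sizes that exist in the F1 family (assumption: used only as a plausibility filter). */
static const uint16_t plausible_sizes_kb[] = { 16, 32, 64, 128, 256, 384, 512, 768, 1024 };

/* Convert a raw F_SIZE value (KB) into a byte count.
 * - A reported 64KB is overridden to 128KB, as the issue describes (same die).
 * - An unknown value (erased 0xFFFF, 0, or anything not in the table) returns 0
 *   so the caller can fall back to a default instead of trusting garbage. */
uint32_t flash_size_bytes_from_reg(uint16_t f_size_kb)
{
    size_t i;
    int known = 0;

    for (i = 0; i < sizeof plausible_sizes_kb / sizeof plausible_sizes_kb[0]; i++) {
        if (plausible_sizes_kb[i] == f_size_kb) {
            known = 1;
            break;
        }
    }
    if (!known)
        return 0;

    if (f_size_kb == 64)
        f_size_kb = 128;            /* override: "64KB" parts carry the 128KB die */

    return (uint32_t)f_size_kb * 1024u;
}

/* One-past-the-end address of the region to dump, or 0 if the size is unknown. */
uint32_t flash_dump_end_addr(uint16_t f_size_kb)
{
    uint32_t bytes = flash_size_bytes_from_reg(f_size_kb);
    return bytes ? FLASH_BASE_ADDR + bytes : 0;
}

#ifdef STM32F1_TARGET
/* On the real chip: a volatile 16-bit read of the memory-mapped register. */
uint16_t read_flash_size_reg(void)
{
    return *(volatile const uint16_t *)FLASH_SIZE_REG_ADDR;
}
#else
/* Host build stub (assumption): pretend the register reports 64KB, the case
 * the override exists for, so the code path can be checked without hardware. */
uint16_t read_flash_size_reg(void)
{
    return 64;
}
#endif

/* Size the attack firmware should stream out, in bytes (0 = unknown, use a default). */
uint32_t detect_dump_size(void)
{
    return flash_size_bytes_from_reg(read_flash_size_reg());
}
```

On target the firmware would call `detect_dump_size()` before streaming flash out over the serial link; a result of 0 means the register looked implausible and a fixed default (or the 128KB upper bound for the medium-density parts) should be used instead of stopping the dump short.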

deividAlfa commented 10 months ago

Tested working in my STM32F103CB:

Attack ready
Press enter to start dumping firmware

xxxxxxx ......
xxxxxxx ......

Target has stopped sending data, assuming dump is complete
Dumped 131072 bytes
Output saved to dump.bin

Attached compiled firmwares just in case anyone wants to try: targets.zip

No modification to dump.py required.