applehat / reversing-contour-next-link-24

Tear Down of the Contour Next Link 2.4 Blood Glucose Meter and Attempts to Unlock Its Secrets

All Keys can be extracted from firmware despite DBGLOCK bit #2

Open jrussell88 opened 6 years ago

jrussell88 commented 6 years ago

Travis Goodspeed, presentation at Black Hat USA 2009, July 2009, Las Vegas, Nevada:

Like many schemes, including the bootloader (BSL) of some MSP430 microcontrollers [6][5], the CC2430 protects flash memory but not RAM. Further, as a Harvard-architecture chip, all constants are copied into RAM by default as a performance feature of the compiler. Thus, while the protection scheme of the chip is sufficient to protect its programming, it does nothing to prevent the extraction of keys! Extraction is as simple as erasing the chip by the debugger, then reconnecting and dumping RAM.

His blog http://travisgoodspeed.blogspot.com/2009/10/cc2430-debug-protocol-first-notes.html also describes this method of extracting keys held in the firmware of the CC2430.

_Concerning the protection of Code memory, there is a lock bit in a hidden page of Flash memory. By setting the lowest configuration bit (by WR_CONFIG), the lowest 2kB of flash memory will be mapped to a special information region. Clearing the least significant bit of the first byte will lock the chip, causing it to refuse debugging after a full-power reset. Access to debugging instructions can only be regained after executing a CHIPERASE, which erases all of Flash memory._

_At Black Hat USA in August of 2009, I presented a paper entitled Extracting Keys from Second Generation Zigbee Chips. The vulnerability, demonstrated in the image below, is that Data memory is not cleared along with Flash memory during a CHIPERASE. By booting a wireless sensor, then erasing it, then dumping RAM, the attacker can find any keys which are stored within the unit. This works even for constant keys, as 8051 compilers will copy them into RAM in order to make C pointers consistent._

Would you like to give it a try?
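The following is an added illustration, not code from this issue thread, from the repository, or from Goodspeed's paper. It is a toy model of the memory behaviour the quoted text describes: flash is protected by a lock bit and wiped by CHIPERASE, RAM is not wiped, and an 8051 compiler's default handling of a `const` key copies it into RAM at boot. The chip structure, memory sizes, offsets and the 16-byte sample key are all constructed for the example; the "code-space only" variant stands for what SDCC's `__code` storage class (or the equivalent in other 8051 toolchains) gives you when the key is never copied out of flash. The `ram_contains_key` routine is the check a firmware author would want to run on a real RAM image after an erase: it should come back false. Note the caveat the model makes visible: keeping the constant in code space only removes the compiler-made copy; any copy the firmware itself makes at runtime (a working buffer, an expanded key schedule) would survive an erase the same way.

```c
/* Added illustration (not from this repository or from Goodspeed's paper):
 * a toy model of lockable flash plus RAM that CHIPERASE does not clear.
 * All sizes, offsets and the key bytes are constructed for the example. */
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define FLASH_SIZE 256
#define RAM_SIZE   128
#define KEY_LEN    16
#define KEY_FLASH_OFF 0x40   /* constructed: where the key sits in "flash" */
#define KEY_RAM_OFF   0x10   /* constructed: where the startup code copies it */

struct chip {
    uint8_t flash[FLASH_SIZE];   /* code memory, covered by the lock bit       */
    uint8_t ram[RAM_SIZE];       /* data memory, NOT cleared by CHIPERASE      */
    bool    debug_locked;        /* the lock bit in the hidden flash page      */
};

/* Constructed sample key; a real device would hold its link/encryption key. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
    0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90
};

/* Program the key into flash and set the lock bit: the vendor's protection. */
static void program_and_lock(struct chip *c) {
    memset(c, 0, sizeof *c);
    memcpy(c->flash + KEY_FLASH_OFF, SAMPLE_KEY, KEY_LEN);
    c->debug_locked = true;
}

/* Boot model 1: the 8051 compiler default described in the quoted text.
 * A constant is copied into RAM at startup so generic pointers can reach it. */
static void boot_copy_constants_to_ram(struct chip *c) {
    memcpy(c->ram + KEY_RAM_OFF, c->flash + KEY_FLASH_OFF, KEY_LEN);
}

/* Boot model 2: key declared in code space (SDCC __code); the firmware reads
 * it from flash when it needs it and makes no RAM copy at startup. */
static void boot_key_in_code_space_only(struct chip *c) {
    (void)c;   /* nothing is copied; flash is read in place at use time */
}

/* CHIPERASE as the quoted text describes it: flash and the lock bit are
 * cleared, RAM contents are left exactly as they were. */
static void chip_erase(struct chip *c) {
    memset(c->flash, 0xFF, FLASH_SIZE);
    c->debug_locked = false;
}

/* Defender's check: does any window of RAM still equal the key? Run this
 * against a RAM image taken after an erase; the answer should be false. */
static bool ram_contains_key(const struct chip *c) {
    for (size_t i = 0; i + KEY_LEN <= RAM_SIZE; i++)
        if (memcmp(c->ram + i, SAMPLE_KEY, KEY_LEN) == 0)
            return true;
    return false;
}

/* Same check for flash, to confirm the erase itself behaved as modelled. */
static bool flash_contains_key(const struct chip *c) {
    for (size_t i = 0; i + KEY_LEN <= FLASH_SIZE; i++)
        if (memcmp(c->flash + i, SAMPLE_KEY, KEY_LEN) == 0)
            return true;
    return false;
}

/* Run one boot layout through program -> boot -> erase and report whether
 * the key is still recoverable from RAM once the lock bit is gone. */
static bool key_survives_erase(void (*boot)(struct chip *)) {
    struct chip c;
    program_and_lock(&c);
    boot(&c);
    chip_erase(&c);
    return !c.debug_locked && !flash_contains_key(&c) && ram_contains_key(&c);
}

int main(void) {
    printf("copy-to-RAM layout:  key in RAM after erase = %d\n",
           key_survives_erase(boot_copy_constants_to_ram));
    printf("code-space layout:   key in RAM after erase = %d\n",
           key_survives_erase(boot_key_in_code_space_only));
    return 0;
}
```

Compiled with any C compiler, the first line reports 1 and the second 0: the lock bit protected the flash image in both layouts, and only the layout that never copied the constant into data memory leaves nothing behind for a post-erase RAM dump.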

applehat commented 6 years ago

I believe the keys have been extracted by someone else already. Join the gitter chat mentioned in the readme and converse with us :)

jrussell88 commented 6 years ago

I hope so. :) If not, would you like to be the first to get them?