Microcontroller Exploits

by Travis Goodspeed

August 2024, 408 pp.

ISBN-13:

9781718503885

Download Chapter 18: Chip Decapsulation

Look Inside!

Microcontroller Exploits open book on white background

In this advanced guide to hardware hacking, you'll learn how to read the software out of single chip computers, especially when they are configured not to allow the firmware to be extracted.

This book documents a very wide variety of microchip hacking techniques; it's not a beginner's first introduction.

You'll start off by exploring detailed techniques for hacking real-world chips, such as how the STM32F0 allows for one word to be dumped after every reset. You'll see how the STM32F1’s exception handling can slowly leak the firmware out over an hour, and how the Texas Instruments MSP430 firmware can be extracted by a camera flash.

For each exploit, you'll learn how to reproduce the results, dumping a chip in your own lab.

In the second half of the book, you'll find an encyclopedic survey of vulnerabilities, indexed and cross referenced for use in practicing hardware security.

Author Bio

Travis Goodspeed is an embedded systems reverse engineer from Tennessee, where he drives a Studebaker and collects memory extraction exploits for microcontrollers. His recent projects include a function recognizer for Thumb2 firmware, a fresh memory corruption exploit for a 90's smart card, and a CAD tool for extracting bits from mask ROM photographs.

Table of contents

Introduction
Chapter 1: Basics of Memory Extraction
Chapter 2: STM32F217 DFU Exit
Chapter 3: MD380 Null Pointer, DFU
Chapter 4: LPC1343 Call Stack
Chapter 5: Ledger Nano S, 0xF00DBABE
Chapter 6: NipPEr Is a buTt liCkeR
Chapter 7: RF 430 Backdoors
Chapter 8: Basics of JTAG and ICSP
Chapter 9: nRF51 Gadgets in ROM
Chapter 10: STM32F0 SWD Word Leak
Chapter 11: STM32F1 Interrupt Jigsaw
Chapter 12: PIC18F452 ICSP and HID
Chapter 13: Basics of Glitching
Chapter 14: MC13224, the Simplest Fault Injection
Chapter 15: LPC1114 Bootloader Glitch
Chapter 16: nRF52 APPROTECT Glitch
Chapter 17: STM32 FPB Glitch
Chapter 18: Chip Decapsulation
Chapter 19: PIC Ultraviolet Unlock
Chapter 20: MSP430 Paparazzi Attack
Chapter 21: CMOS VLSI Interlude
Chapter 22: Mask ROM Photography
Chapter 23: Game Boy Via ROM
Chapter 24: Clipper Chip Diffusion ROM
Chapter 25: Nintendo CIC and Clones
Chapter A: More Bootloader Vulns
Chapter B: More Debugger Attacks
Chapter C: More Privilege Escalation
Chapter D: More Invasive Attacks
Chapter E: More Fault Injections
Chapter F: More Test Modes
Chapter G: More ROM Photography
Chapter H: Unsorted Attacks
Chapter I: Other Chips Thank you, kindly.
Bibliography
Index

View the Copyright page
View the detailed Table of Contents
View the Index

Reviews

"This is both a fascinating and profoundly disturbing book. On the fascinating side, it is a cornucopia of great information . . . On the disturbing side, all that great and profoundly useful information is now gathered in one place and presented by a master."
—Richard Austin, IEEE-Cipher (Read More)

"Understanding the pitfalls of microcontroller security is hard, because there are many exquisite and obscure bits of knowledge that must all work together. Before this book, there was only one effective way to learn: talk to a master practitioner like Travis. This book gives a broad and deep survey of the craft, but most importantly it gets the many critical bits in one place, under one cover. I am sure it will become a foundation of many career-changing classes. One day I hope to get good enough to teach one!"
—Sergey Bratus, Distinguished Professor in Cyber Security, Technology, and Society, Dartmouth College

"We don't have many books focused on such a topic, but face security problems tied to hardware and specifically to microcontrollers every day. Travis's book is foundational to understanding the security problems and how the attackers are going to exploit them. This book is a must-read for every product security team involved in device security."
— Alex Matrosov, CEO and Founder of Binarly