Flash Keys - How to change?

Posted on May 17, 2011 at 13:42

I have read most of the internal bootloader code. This bootloader alone cannot read out readout protected code. The code checks the readout flag and NACKs the operation if set.

The bigger problem is, that you can reset the complete flash to delivery/default state and then you can flash and run everything.

If you connect the SWD, you can do the same without bootloader. If you activate the User Options (Hardware Watchdog), it isn't possible by hand, but you can write a programm, which is executed in debugger, that executes the trigger. And then you can run, what you want in RAM => Access to complete Hardware even without destroying the flash!

...

Posted on May 17, 2011 at 13:42

Code in RAM has no access to FLASH if ROP is activated, and update of FLASH from code running in RAM shall be safe, too. Dtto for DMA accessing FLASH if ROP is active.

Posted on May 17, 2011 at 13:42

>>Code in RAM has no access to FLASH if ROP is activated, ...

Other commentators on the forum, and my own experience with this on an STM32F103RET suggests/demonstrates this is simply NOT true.

Code can be copied from FLASH into RAM, this code when executed in RAM can access FLASH while Read Out Protection is enabled (1FFFF800 : 00 FF)

-Clive

Posted on May 17, 2011 at 13:42

I guess, ...

there is a unlock sequence to unlock the readout protection of the flash.

This is done ''automatically'', if booted without debug from internal bootloader or flash. If they boot from RAM or with debug, this unlock sequence is not executed.

If you copy with flash code code from flash to RAM, this unlock sequence is executed before! So it is normal, that you can read it completely.

The problem is, can I execute this (unknown) unlock sequence with RAM code or debug access?

Is there ROM code, that is executed before Reset_Handler()?

Is there an other unlock sequence to unlock the flash of the internal bootloader and option bytes without the parsing effect of flash interface?

I think, all 3 questions have the answer YES.

Posted on May 17, 2011 at 13:42

There is no unlock sequence required, and the STM32 runs code from the flash memory directly, it does not start something in ROM and jump into FLASH. The Cortex-M3 permits the hardware to provide an initial vector address, in the case of the STM32 this is controlled by the BOOT pins.

The ROP check is supposedly done in hardware with the value in the option byte being checked along with the value in the program counter (PC/R15) to permit access.

I am sure there are multiple ways to exploit this method, if it worked, as code within the flash can always be called and executed directly, and there are PC relative load instructions loading literals. Even without PC relative, text strings embedded in flash can be pulled with regular register references and C pointers.

Even if any of that provided a level of protection, someone with $10K of surplus equipment could probably get to the flash content in an afternoon, let alone an army of smart and well equipped Chinese nationals, or other naferious individuals looking to steal your code.

I'm pretty sure I could demonstrate code being injected and executed via Motorola S-Records (or Intel Hex). And also executed in RAM by setting the BOOT pins and resetting into it. This however strikes me as a pointless exercise at this point having already demonstrated code in RAM can access the FLASH/ROM while ROP is enabled.

The ROP setting does break the JTAG's ability to rewrite flash memory, it appears to erase, but you need to run the J-Link tool JLinkSTM32 to unprotect it. Pretty much complete broke Keil U-Link access until I located the aforementioned tool. The ''ROM'' based boot loader also does not function normally.

-Clive

Posted on May 17, 2011 at 13:42

@clive1:

(with debug on, ROP on) A call to flash calls directly the hardfault handler. No code is executed. How did you test it? Without debug?

I know, that there is nothing mentioned about my guess in the datasheets.

Posted on May 17, 2011 at 13:42

Ok, calling is not the reason for the hardfault. But if I call into the internal bootloader, I get a hardfault, when the code tries to read from the same addresses like the executed code.

The first bootloader command

1FFFF020: ldr         r0,[pc,#0000]

leads into a bus error at 1FFFF024 (the read address).

If I call functions without such accesses, the stm runs fine.

Posted on May 17, 2011 at 13:42

>> (with debug on, ROP on) A call to flash calls directly the hardfault handler. No code is executed. How did you test it? Without debug?

No JTAG, serial console to a simple monitor application. The monitor can dump memory regions, and checksum (CRC) tracts of memory. Code performing some of the checksumming is downloaded into RAM, and reads data from FLASH. The code running in RAM is faster, being single cycle. I can also check and enable the ROP state from the monitor.

As I think you've noted already, the ROP is enforced in the boot loader via a software check.

-Clive