
Reverse from RDP L2 to RDP L1 is not possible due to a JTAG fuse!

coffeeMaker
Associate II

Hi,

According to the application note for STM32F4xx protection features, the reverse from RDP L2 to RDP L1 is not possible due to a JTAG fuse. Does this mean also that the MCU can check the fuses before checking the RDP?

Is it possible to change the Level using UV attack or similar even though the JTAG fuse is blown?

Is there any detailed documentation describing how it works to secure FW inside MCU using this feature?

4 REPLIES
Uwe Bonnes
Principal II

There are power-on/power-off attacks. Some talks were given on that subject at CCC (Computer Chaos Club) conferences. With some luck a change from L2 to L1 happens.

There are some known vulns/attacks on L1 and PCROP (see below), but no public information about defeating L2.

CVE-2017-18347 (details)

CVE-2019-14236 (details)

CVE-2019-14238 (details, same as previous)

Bob S
Principal

> but no public information about defeating L2.

Ahhh... but the paper associated with the first link (CVE-2017-18347) does identify an attack to change L2 to L1 protection. This was done on an F0 part, and going from L2 to L1 required de-capping the part and selectively exposing a small section of Flash to UV light to alter the protection bits. No word (that I've found) on whether the same attack is possible on other families.

Uwe Bonnes
Principal II