FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STM32F4xx firmware protection

PZhan.11
Associate II

‎2021-11-26 02:37 AM

I am developing some products based on STM32F407/STM32F429. What I am trying to do is to protect my firmware that:

  1. simply dump the code from one chip's flash (to hex file) will not work in another chip
  2. moderate reverse engineering should not be that easy to hack the code

And what I am trying to do is use mbedtls as a crypto library and encrypt part of my code then store it in some flash sector. Then each time when I boot, decrypt the code into SRAM2 and point the function to that region.

It is a good idea to do that? and I have tried to copy the function from flash 0x0800xxxx to SRAM2 (0x2001C000) and made a function pointer to that region. but call the function caused HardFault exception.

Labels:
0 Kudos
6 REPLIES 6
TDK
Guru

‎2021-11-26 07:13 AM

Why not just use RDP level 1 to prevent readout? Seems a lot easier with about the same level of protection, maybe even more.

If you feel a post has answered your question, please click "Accept as Solution".
0 Kudos
PZhan.11
Associate II
In response to TDK

‎2021-11-26 05:52 PM

Since I found [this](https://www.usenix.org/system/files/conference/woot17/woot17-paper-obermaier.pdf). I don't carefully read it. but some blog referenced this paper that said one can bypass the protection of read-out.

0 Kudos
Tesla DeLorean
Guru

‎2021-11-26 06:08 PM

Well there are people with better reverse engineering skills than your forward engineering ones, so there's that hurdle..

You could do some elliptical curve signing using a private key and the unique id of a specific chip, and the firmware could have the public key to check/validate it.

The RDP methods protect FLASH, but code in RAM could be pulled unless you lock out JTAG/SWD.

Function pointers need odd addresses, it is certainly possible to unpack code to RAM and run it. Compression and Encryption are viable methods, I've worked on firmwares using a variety of methods.

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..
0 Kudos
PZhan.11
Associate II
In response to Tesla DeLorean

‎2021-11-26 06:43 PM

Actually, in a previous version, I use some kind of fingerprint (not EC-like) to verify the firmware. But I think the single point which mark it valid or not would be easy to bypass. So I thought to encrypt some part of my code by the UID to prevent the simple clone and junior skill reverse engineer.

For the senior engineer, I don't think I have enough knowledge to prevent them.

0 Kudos
Tesla DeLorean
Guru
In response to PZhan.11

‎2021-11-26 11:37 PM

Well it's not always a matter of comparative skillz, someone wanting you break your code has mechanical advantage. ie low skillz but persistent, having the advantage of time and collaboration, and the ability to leverage techniques or holes others have found.​

T​he earlier STM32 have their own vunerabilities.

S​T once claimed it would take $M in equipment, but this misunderstand the threat, you simply need access to the equipment.

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..
0 Kudos
PZhan.11
Associate II
In response to PZhan.11

‎2021-11-27 01:44 AM

Yes, that kind of crack is ignored. We will try another method like minimizing the cost.

0 Kudos
Top