# BYPASS NXP LPC-FAMILY DEBUG CHECK WITH VOLTAGE FAULT INJECTION

Waleed AlZamil
Embedded devices security researcher
@WaleedAlzamil

Bandar Alharbi Cybersecurity researcher @0xB4x

### **AGENDA**

- Introduction
  - o LPC
  - Goal
  - Security mechanism
- BootROM analysing & reverse engineering
  - Memory map & Boot process
  - Reverse engineering BootROM
  - Finding the vulnerability
- What is Fault injection (Glitching)?
- Glitching the LPC1343
  - Attack Setup
  - Power analysis
  - Recorded demo
- Conclusion

### INTRODUCTION



- LPC1343 is a Cortex-M3 MCU (pic of dev board from Olimex)
- Harvard architecture
- Microcontroller for embedded applications featuring a high level of integration and low power consumption
- Previous work on the LPC1343/... @Chris Gerlinsky

### GOAL

1. Study LPC debug locking mechanism

2. Targeting to unlock debug interface

## LPC CODE READ PROTECTION

Table 314. Code Read Protection (CRP) options

| Name   | Pattern<br>programmed in<br>0x0000 02FC | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|--------|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| NO_ISP | 0x4E69 7370                             | Prevents sampling of pin PIO0_1 for entering ISP mode. PIO0_1 is available for other uses.                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| CRP1   | 0x12345678                              | Access to chip via the SWD pins is disabled. This mode allows partial flash update using the following ISP commands and restrictions:  • Write to RAM command cannot access RAM below 0x1000 0300.  • Copy RAM to flash command can not write to Sector 0.  • Erase command can erase Sector 0 only when all sectors are selected for erase.  • Compare command is disabled.  • Read Memory command is disabled.  This mode is useful when CRP is required and flash field updates are needed but all sectors can not be erased. Since compare |
| CRP2   | 0x87654321                              | command is disabled in case of partial updates the secondary loader should implement checksum mechanism to verify the integrity of the flash.  Access to chip via the SWD pins is disabled. The following ISP                                                                                                                                                                                                                                                                                                                                  |
|        |                                         | commands are disabled:  Read Memory  Write to RAM  Go  Copy RAM to flash  Compare  When CRP2 is enabled the ISP erase command only allows erasure                                                                                                                                                                                                                                                                                                                                                                                              |
| CRP3   | 0x43218765                              | of all user sectors.  Access to chip via the SWD pins is disabled. ISP entry by pulling PIOO_1 LOW is disabled if a valid user code is present in flash sector 0.  This mode effectively disables ISP override using PIOO_1 pin. It is up to the user's application to provide a flash update mechanism using IAP calls or call reinvoke ISP command to enable flash update via UARTO.                                                                                                                                                         |
|        |                                         | Caution: If CRP3 is selected, no future factory testing can be performed on the device.                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

## LPC CODE READ PROTECTION

Table 254. Code Read Protection hardware/software interaction

| CRP option | User Code<br>Valid | PIO0_1 pin at reset | JTAG enabled | LPC13xx<br>enters ISP<br>mode | partial flash<br>Update in ISP<br>mode |
|------------|--------------------|---------------------|--------------|-------------------------------|----------------------------------------|
| No         | No                 | X                   | Yes          | Yes                           | Yes                                    |
| No         | Yes                | High                | Yes          | No                            | NA                                     |
| No         | Yes                | Low                 | Yes          | Yes                           | Yes                                    |
| CRP1       | Yes                | High                | No           | No                            | NA                                     |
| CRP1       | Yes                | Low                 | No           | Yes                           | Yes                                    |
| CRP2       | Yes                | High                | No           | No                            | NA                                     |
| CRP2       | Yes                | Low                 | No           | Yes                           | No                                     |
| CRP3       | Yes                | Х                   | No           | No                            | NA                                     |
| CRP1       | No                 | Х                   | No           | Yes                           | Yes                                    |
| CRP2       | No                 | X                   | No           | Yes                           | No                                     |
| CRP3       | No                 | Х                   | No           | Yes                           | No                                     |

### LPC13xx MEMORY MAP



### LPC13xx BOOT PROCESS





```
CRP1 2 3 Enabled?
1fff0104 00 4a
                        ldr
                                    r2, [PTR Check CRP Value+1 1fff0108]
                                    r2=>Check CRP Value
1fff0106 10 47
                        bx
                    PTR Check CRP Value+1 1fff0108
                                                                     XREF[1]:
                                                                                  1fff0104(R)
1fff0108 0d 01 ff 1f
                        addr
                                    Check CRP Value+1
                    Check CRP Value+1
                                                                     XREF[1,1]: 1fff0106(j), 1fff0108(*)
                    Check CRP Value
                         ldr
1fff010c la 4a
                                    r2, [->SYSCON Reserved (23c-3f0)]
1fff010e 1b 4b
                        ldr
                                    r3,[->ROM CRP 2fc]
1fff0110 1b 68
                        ldr
                                    r3,[r3,#0x0]=>ROM CRP 2fc
                        ldr
1fff0112 1c 4d
                                    r5, [->CRP3]
                        ldr
1fff0114 2d 68
                                    r5, [r5, #0x0] => CRP3
                                                                    R5=CRP3
1fff0116 1c 4e
                                    r6, [->CRP1]
                                                                    R6=CRP1
1fff0118 36 68
                                    r6.[r6.#0x0]=>CRP1
                                                                                     B4:Load the configured CRP value
1fff011a 1c 68
                        ldr
                                    r4, [r3,#0x0]=>DAT 000002fc
1fff011c ac 42
                                    r4, r5
                                                                                     B4:Compare it with CRP3
                        cmp
1fff011e 01 d0
                        beq
                                    LOAD CRP2
1fff0120 b4 42
                                    r4, r6
                                                                                     B4:Compare it with CRP1
                        CMD
1fff0122 01 d1
                        bne
                                    FLASH DEBUG CTRL
                    LOAD CRP2
                                                                     XREF[1]:
                                                                                  1fff011e(j)
1fff0124 16 4c
                        ldr
                                    r4, [->CRP2]
1fff0126 24 68
                        ldr
                                    r4, [r4, #0x0] => CRP2
                                                                     XREF[1]:
                                                                                  1fff0122(i)
                    FLASH DEBUG CTRL
                                    r4, [r2,#0x0]=>SYSCON Reserved(23c-3f0)
                                                                                     B4:Store CRP2 value or [0x2fc] c...
1fff0128 14 60
                        str
                                                                                        into a reserved location!
1fff012a Od 4a
                                    r2, [->Peripherals::FMC]
                        ldr
                        ldr
                                    r3, [r2,#0x0]=>Peripherals::FMC
1fff012c 13 68
```

9

[0x2fc]:

#### CRP3



CRP1 2 3 Enabled? 1fff0104 00 4a ldr r2, [PTR Check CRP Value+1 1fff0108] r2=>Check CRP Value 1fff0106 10 47 bx PTR Check CRP Value+1 1fff0108 XREF[1]: 1fff0104(R) 1fff0108 0d 01 ff 1f addr Check CRP Value+1 Check CRP Value+1 XREF[1,1]: 1fff0106(j), 1fff0108(\*) Check CRP Value ldr 1fff010c la 4a r2, [->SYSCON Reserved (23c-3f0)] 1fff010e 1b 4b ldr r3,[->ROM CRP 2fc] 1fff0110 1b 68 ldr r3,[r3,#0x0]=>ROM CRP 2fc ldr 1fff0112 1c 4d r5, [->CRP3] ldr 1fff0114 2d 68 r5, [r5, #0x0] => CRP3R5=CRP3 1fff0116 1c 4e ldr r6, [->CRP1] R6=CRP1 1fff0118 36 68 r6.[r6.#0x0]=>CRP1 B4:Load the configured CRP value ldr 1fff011a 1c 68 r4, [r3,#0x0]=>DAT 000002fc 1fff011c ac 42 r4, r5 B4:Compare it with CRP3 CMD R4=CRP3 1fff011e 01 d0 beq LOAD CRP2 1fff0120 b4 42 B4: Compare it with CRP1 r4, r6 CMD 1fff0122 01 d1 bne FLASH DEBUG CTRL LOAD CRP2 XREF[1]: 1fff011e(j) 1fff0124 16 4c ldr r4, [->CRP2] 1fff0126 24 68 ldr r4, [r4, #0x0] => CRP2XREF[1]: 1fff0122(i) FLASH DEBUG CTRL 1fff0128 14 60 r4, [r2,#0x0]=>SYSCON Reserved (23c-3f0) B4:Store CRP2 value or [0x2fc] c... str into a reserved location! 1fff012a Od 4a r2, [->Peripherals::FMC] ldr ldr r3, [r2,#0x0]=>Peripherals::FMC 1fff012c 13 68

10

[0x2fc]:

#### CRP3



CRP1 2 3 Enabled? 1fff0104 00 4a ldr r2, [PTR Check CRP Value+1 1fff0108] r2=>Check CRP Value 1fff0106 10 47 bx PTR Check CRP Value+1 1fff0108 XREF[1]: 1fff0104(R) 1fff0108 Od 01 ff 1f addr Check CRP Value+1 Check CRP Value+1 lfff0106(j), lfff0108(\*) XREF[1,1]: Check CRP Value ldr 1fff010c la 4a r2, [->SYSCON Reserved (23c-3f0)] 1fff010e 1b 4b ldr r3,[->ROM CRP 2fc] 1fff0110 1b 68 ldr r3,[r3,#0x0]=>ROM CRP 2fc ldr 1fff0112 1c 4d r5, [->CRP3] ldr 1fff0114 2d 68 r5, [r5, #0x0] => CRP3R5=CRP3 1fff0116 1c 4e ldr r6, [->CRP1] R6=CRP1 1fff0118 36 68 r6.[r6.#0x0]=>CRP1 B4:Load the configured CRP value ldr 1fff011a 1c 68 r4, [r3,#0x0]=>DAT 000002fc 1fff011c ac 42 r4, r5 B4:Compare it with CRP3 CMD R4=CRP3 1fff011e 01 d0 beq LOAD CRP2 1fff0120 b4 42 B4: Compare it with CRP1 r4, r6 CMD 1fff0122 01 d1 bne FLASH DEBUG CTRL LOAD CRP2 XREF[1]: 1fff011e(j) 1fff0124 16 4c ldr r4, [->CRP2] R4=CRP2 1fff0126 24 68 ldr r4, [r4, #0x0] => CRP2XREF[1]: 1fff0122(j) FLASH DEBUG CTRL 1fff0128 14 60 r4, [r2,#0x0]=>SYSCON Reserved(23c-3f0) B4:Store CRP2 value or [0x2fc] c... str into a reserved location! 1fff012a 0d 4a r2, [->Peripherals::FMC] ldr ldr r3, [r2,#0x0]=>Peripherals::FMC 1fff012c 13 68 11

[0x2fc]: CRP1

#### CRP3



CRP1 2 3 Enabled? 1fff0104 00 4a ldr r2, [PTR Check CRP Value+1 1fff0108] r2=>Check CRP Value 1fff0106 10 47 bx PTR Check CRP Value+1 1fff0108 XREF[1]: 1fff0104(R) 1fff0108 0d 01 ff 1f addr Check CRP Value+1 Check CRP Value+1 XREF[1,1]: 1fff0106(j), 1fff0108(\*) Check CRP Value ldr 1fff010c la 4a r2, [->SYSCON Reserved (23c-3f0)] 1fff010e 1b 4b ldr r3,[->ROM CRP 2fc] 1fff0110 1b 68 ldr r3,[r3,#0x0]=>ROM CRP 2fc ldr 1fff0112 1c 4d r5, [->CRP3] ldr 1fff0114 2d 68 r5, [r5, #0x0] => CRP3R5=CRP3 1fff0116 1c 4e ldr r6, [->CRP1] R6=CRP1 1fff0118 36 68 r6.[r6.#0x0]=>CRP1 B4:Load the configured CRP value 1fff011a 1c 68 ldr r4, [r3,#0x0]=>DAT 000002fc 1fff011c ac 42 r4, r5 B4:Compare it with CRP3 CMD R4=CRP1 1fff011e 01 d0 beq LOAD CRP2 1fff0120 b4 42 B4:Compare it with CRP1 r4, r6 CMD 1fff0122 01 d1 bne FLASH DEBUG CTRL LOAD CRP2 XREF[1]: 1fff011e(j) 1fff0124 16 4c ldr r4, [->CRP2] 1fff0126 24 68 ldr r4, [r4, #0x0] => CRP2XREF[1]: 1fff0122(i) FLASH DEBUG CTRL 1fff0128 14 60 r4, [r2,#0x0] => SYSCON Reserved (23c-3f0) B4:Store CRP2 value or [0x2fc] c... str into a reserved location! 1fff012a Od 4a r2, [->Peripherals::FMC] ldr ldr r3, [r2,#0x0]=>Peripherals::FMC 1fff012c 13 68 12

[0x2fc]: CRP1

#### CRP3





[0x2fc]: CRP1 CRP2/NO\_ISP/NO\_CRP... CRP3





### **BOOTLOADER VULNERABILITY**



## WHAT IS FAULT INJECTION (GLITCHING)?

- Hardware corruption on a normal device
- Causes undefined behavior
- Examples [bit flip, instruction skip, change an instruction, ...etc]

- Clock
- Voltage
- Electromagnetic
- Laser
- And more...



- Clock
- Voltage
- Electromagnetic
- Laser
- And more...



- Clock
- Voltage
- Electromagnetic
- Laser
- And more...



- Clock
- Voltage
- Electromagnetic
- Laser
- And more...



## IS IT DIFFICULT?



## IS IT DIFFICULT?



## **EXAMPLES**



### **EXAMPLES**





### **EXAMPLES**



How I hacked a hardware crypto wallet and recovered \$2 million (Joe Grand)

Wallet.fail (Thomas, Dmitry, Josh)

### BEFORE THE ATTACK

• Inspired by Recon Brussels 2017 talk, by Chris Gerlinsky.

### BEFORE THE ATTACK

Inspired by Recon Brussels 2017 talk, by Chris Gerlinsky.



## ATTACK SETUP





## ATTACK SETUP



## **POWER ANALYSIS**



### **POWER ANALYSIS**



#### THE ATTACK

- We did the attack first with a RESET setup, but we didn't succeed !!
- After we changed the setup. **POWER ON** is the trigger now.
- And did the attack we succeeded !!

## THE ATTACK



## Recorded demo



## RESULT (CRP1 GLITCH)



## RESULT (CRP1 & NO CRP)



## RESULT (CRP2 GLITCH)



## RESLUT (CRP2 & NO\_CRP)



## RESLUT (CRP1,2 & NO\_CRP)



### PHILIPS → NXP



#### UM10139

Volume 1: LPC214x User Manual

Rev. 01 — 15 August 2005

User manual

UM10139 Philips Semiconductors Volume 1 Chapter 21: Flash Memory







#### **UM10139**

LPC214x User manual

Rev. 4 — 23 April 2012

User manual



Fig 66. Boot process flowchart

#### PHILIPS → NXP



#### UM10139

Volume 1: LPC214x User Manual

Rev. 01 — 15 August 2005

User manual



#### 21.7 Code Read Protection (CRP)

Code read protection is enabled by programming the flash address location 0x1FC (User flash sector 0) with value 0x8765 4321 (2271560481 Decimal). Address 0x1FC is used to allow some room for the FIQ exception handler. When the code read protection is enabled the JTAG debug port, external memory boot and the following ISP commands are disabled:

- Read Memory
- · Write to RAM
- Go
- Copy RAM to Flash

The ISP commands mentioned above terminate with return code CODE\_READ\_PROTECTION\_ENABLED. The ISP erase command only allows erasure of all user sectors when the code read protection is enabled. This limitation does not exist if the code read protection is not enabled. IAP commands are not affected by the code read protection.

Important: CRP is active/inactive once the device has gone through a power cycle.

#### \*The value that disables JTAG:0x87654321=CRP2

#### **UM10139**

LPC214x User manual

Rev. 4 — 23 April 2012

User manual

#### Table 289. Code Read Protection levels

## Name Pattern Description programmed in 0x000001FC NO I 0x4E69 7370 Prevents sampling of pin P0.14 for entering ISP mode. P0.14 is available

NO\_I 0x4E69 7370 SP CRP1 0x12345678

for other uses.

Access to chip via the JTAG pins is disabled. This mode allows partial

- Flash update using the following ISP commands and restrictions:
- Write to RAM command can not access RAM below 0x40000200
- . Copy RAM to Flash command can not write to Sector 0
- Erase command can erase Sector 0 only when all sectors are selected for erase
- Compare command is disabled

This mode is useful when CRP is required and Flash field updates are needed but all sectors can not be erased. Since compare command is disabled in case of partial updates the secondary loader should implement checksum mechanism to verify the integrity of the Flash.

#### CRP2 0x87654321

Access to chip via the JTAG pins is disabled. The following ISP commands are disabled:

- · Read Memory
- Write to RAM
- Go
- . Copy RAM to Flash
- Compare

When CRP2 is enabled the ISP erase command only allows erasure of all user sectors.

#### CRP3 0x43218765

Access to chip via the JTAG pins is disabled. ISP entry by pulling P0.14 LOW is disabled if a valid user code is present in Flash sector 0.

This mode effectively disables ISP override using P0.14 pin. It is up to the user's application to provide Flash update mechanism using IAP calls if necessary.

Caution: If CRP3 is selected, no future factory testing can be performed on the device.

#### LPC FAMILY

Sharing same CRP mechanism and boot process (based on user manuals)



- We've successfully apply our attack on
  - LPC812 & LPC1114 & LPC1343
- ECRP is introduced in LPC546xx
- OTP banks is used in LPC540xx...
- LPC55xx (Cortex-M33 ARM trustzone)

#### CONCLUSION

- We reversed the bootROM and took power consumption traces
- Applied the attack based on RESET trigger. (Did Not succeed)
- Changed the setup, our glitch trigger now based on POWER ON (Succeeded!)
- CRP locking mechanisms exist since Philips time
- Contacted NXP to disclose (professional and fast)

## Q&A

# Thank you...

#### Resources

- LPC1311/13/42/43 User manual
- https://github.com/leveldown-security/SVD-Loader-Ghidra
- https://github.com/CPELyon/lpctools
- Gerlinsky, C. (2017, January 28). Breaking Code Read Protection on the NXP LPC-family Microcontrollers. Recon.
  - https://recon.cx/2017/brussels/talks/breaking\_crp\_on\_nxp.html
- ChipWhisperer-Lite <a href="https://www.newae.com/chipwhisperer">https://www.newae.com/chipwhisperer</a>