===Introduction===
This write-up covers analysis of a vulnerability in the [https://www.microchip.com/en-us/product/atsam4c32 Microchip (ATMEL) SAM4C32] microcontroller that allows an attacker to gain unlocked JTAG access to a previously locked device. '''This attack appears to affect many devices''' (though not all) in the SAM family. It was discovered that essentially the same attack performed by [https://www.0x01team.com/hw_security/bypassing-microchip-atmel-sam-e70-s70-v70-v71-security/ 0x01 Team] on the [[SAM E70/S70/V70/V71]] works on many SAM processors. <u>'''What's novel about this write-up is the identification of the Reset pin as a side channel'''</u>.
While the attack method used was voltage fault injection, I believe EMFI (electromagnetic fault injection) could also be a viable method to bypass security. EMFI generally permits attacks without the need to remove all the capacitors on the power rail. This is helpful when attacking devices where you don't want to alter the target board.
====Reset Capture====
This is my baseline for activity when the SAM4C32 is restarted. The purple reset trace (nRST) is toggled by an external device and we see the yellow VDDCORE activity that results as the chip boots up.
[[File:ATSAM4C32 Reset.png|none|thumb|612x612px|VDDCORE (Yellow) fluctuates due to processor activity upon reboot]]
<br />
====Power Cycle Capture====
The following images are progressively zoomed in so you can see the activity of the reset line. In the first image you can see all three lines going from low to high since we are applying power to the processor. The device controlling the reset line is set to a High-Z state so we can see what the processor is doing.
[[File:ATSAM4C32 Power Cycle Z0.png|none|thumb|612x612px|Zoomed out capture of power cycle]]
The first thing I noticed is the reset line being toggled by the processor itself shortly after power-up. This was not observed when only resetting the processor. I also noticed a significant power fluctuation on VDDCORE at the same time.
[[File:ATSAM4C32 Power Cycle Z1.png|none|thumb|612x612px|Medium zoom capture of power cycle]]
Zooming in closer we can see this clearly falls within the window of time the processor has asserted its reset line. This same fluctuation on power-up is identified by 0x01 Team in their vulnerability write-up.
[[File:ATSAM4C32 Power Cycle Z2.png|none|thumb|612x612px|Zoomed in capture of voltage fluctuation seen when processor asserts reset]]
TBD<br />
----