Difference between revisions of "ATSAM4C32"

Bypassing Microchip Atmel SAM4C32

Introduction

This write-up will cover analysis of the Microchip (ATMEL) SAM4C32 microcontroller vulnerability that allows an attacker to gain unlocked JTAG access to a previously locked device. This attack appears to affect many devices (though not all) in the SAM family. It was discovered that essentially the same attack performed by 0x01 Team on the SAM E70/S70/V70/V71 works on many SAM processors. What's novel about this write-up is identification of the Reset pin as a side channel.

While the attack method used was voltage fault injection, I believe EMFI (electromagnetic fault injection) could also be a viable method to bypass security. EMFI generally permits attacks without the need to remove all the capacitors on the power rail. This is helpful when attacking devices where you don't want to alter the target board.

Why attack the SAM4C32?

The SAM4C32 is used in this Landis+Gyr Generation 5 smart meter. I have a long history analyzing various aspects of these smart meters, previously extracting the firmware from a Generation 4 smart meter which uses a Renesas (Mitsubishi) M30626FHPGP processor. It is a M16C architecture and the extracted firmware proved challenging to reverse engineer with tools like Binary Ninja and Ghidra.

ARM architecture is supported by more RE (reverse engineering) tools and has been analyzed by more people in the RE community. Therefore, I decided to extract the firmware from the SAM4C32 to further my analysis of smart meter technology.

Locking Mechanism

The SAM4C32 makes use of general-purpose non-volatile memory (GPNVM) bits to control locking (security GPNVM bit 0), boot mode and memory plane selection as seen below.

Reset vs Power Cycle

TBD

Reset Pin as a Side Channel

TBD

Voltage Fault Injection

TBD

JTAG Access

TBD

Other Vulnerable Devices

TBD

Conclusion

TBD