Open main menu
RECESSIM

Changes

ATSAM4C32 (view source)

Revision as of 16:03, 2 April 2025

2,122 bytes added ,  2 April
→‎Bypassing Lock - Microchip/Atmel SAM4C32
==Bypassing Lock - Microchip/Atmel SAM4C32==
Hash Salehi
===Introduction===
When the security bit is bypassed the following commands can be run, shown with their associated output
==== at91sam4 info ====
> at91sam4 info
CKGR_MOR: [0x400e0420] -> 0x00000008
cpu-freq: 3.998 MHz
mclk-freq: 3.998 MHz
UniqueId: 0x20000c00 0x01006df3 0x010046af 0x010046b3<br  ====reg==== > reg ===== arm v7m registers (0) r0 (/32): 0x00000000 (1) r1 (/32): 0x00000000 (2) r2 (/32): 0x00000000 (3) r3 (/32): 0x00000000 (4) r4 (/32): 0x00000000 (5) r5 (/32): 0x00000000 (6) r6 (/32): 0x00000000 (7) r7 (/32): 0x00000000 (8) r8 (/32): 0x00000000 (9) r9 (/32): 0x00000000 (10) r10 (/32): 0x00000000 (11) r11 (/32): 0x00000000 (12) r12 (/32): 0x00000000 (13) sp (/32): 0xffffffd8 (14) lr (/32): 0xfffffff9 (15) pc (/32): 0xfffffffe (16) xPSR (/32): 0x01000003 (17) msp (/32): 0xffffffd8 (18) psp (/32): 0x00000000 (20) primask (/1): 0x00 (21) basepri (/8): 0x00 (22) faultmask (/1): 0x00 (23) control (/3): 0x00 ===== Cortex-M DWT registers ====at91sam4 gpnvm====Note below GPNVM bit 0 says its current value is 0 due to the glitch, if the processor is reset we lose access and it goes back to 1. >at91sam4 gpnvm sam4-gpnvm0: 0 sam4-gpnvm1: 1 sam4-gpnvm2: 1
----
===Other Vulnerable Devices===
TBDMicrochip (ATMEL) families [[File:ATMEL SAM Family Overview.jpg|650x650px]] This list is not exhaustive, there may be more that are vulnerable and do not show up in this main overview of devices provided by Microchip. Only the '''bold''' ones are confirmed, the others are assumed vulnerable because the datasheet specifies the use of GPNVM bits for security. *'''SAM E70/S70/V70/V71'''*'''SAM 4C'''*SAM 4E*SAM 4N*'''SAM 4S'''*SAM G51/G54/G55*SAM 3X/3A The following datasheets were reviewed and '''''did not''''' show the use of GPNVM bits for security protection. This does not mean they are secure, but this specific vulnerability may not be present. *SAM 4L*SAM L10/L11*SAM L21/L22*SAM C20/C21*SAM D10/D11/D21/DA1/D5x/E5x/D20 
----
===Conclusion===
TBDMany devices in the Microchip (ATMEL) SAM Family make use of GPNVM bits to secure access to the JTAG debug interface. This protection can be bypassed using voltage glitching allowing full access to the device. It appears this is a low-level hardware bug, likely not patchable in the field. ===Disclosure===Full disclosure at time of discovery via YouTube. Enjoy!<br><youtube width="640" height="360">IOD5voFTAz8</youtube><br />
Retrieved from "https://wiki.recessim.com/view/Special:MobileDiff/2927...2943"