WojtekP1
Associate II
March 6, 2023
Question

readout protection bug https://www.aisec.fraunhofer.de/en/FirmwareProtection.html even level 2 can be circumvented by cheap tools on STM32F series


The question - is it fixed on STM32G and C series?


    2 replies

    Bubbles
    ST Employee
    April 28, 2023

    Hi @Community member​,

    It's modified - improved. However, some weaknesses remain in the design. It's still true that the RDP defaults to level 1 in case of mismatch. But that's actually a requirement.

    Completely different protection was introduced with STM32H5, which is now certified with security labs, being probably the best secure GP MCU offer on the market.

    BR,

    J

    Pavel A.
    Super User
    April 28, 2023

    @JHOUD​ Is your reply about the F series only or also about L, G or H7?

    Documentation on RDP level 2 says that it is like a fuse, this means that undoing level 2 should be physically impossible? Isn't this the requirement for level 2?

    Apologies for jumping in.

    Bob S
    Super User
    April 28, 2023

    Also apologies for jumping in :)

    My understanding is that RDP 2 is "like" a fuse as treated by the internal microcode/boot code. But it is not a physical fuse, just FLASH bits. The attack in the referenced document requires de-encapsulating the chip and exposing the die to strong UV-C light in an attempt to sufficiently change the gate charge on a FLASH cell in the OPTIONS RDP bits to flip at least 1 bit. That changes the RDP from level 2 to level 1. They then use other methods to extract code from RDP 1.
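
Added example, not part of the thread and not ST code: a small C model of the behaviour discussed in the replies above (any mismatch decodes as level 1), useful when threat-modelling what a single corrupted option bit does to a level 2 part. The byte values are an assumption (STM32F0-style RDP/nRDP pair); the thread does not state them, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTION: STM32F0-style encoding of the RDP option byte and its
 * complement nRDP; these values are not given in the thread. */
#define RDP_L0  0xAAu
#define NRDP_L0 0x55u
#define RDP_L2  0xCCu
#define NRDP_L2 0x33u

/* Decode the protection level as the thread describes it: only two exact
 * pairs are special, every other pattern (a mismatch) means level 1. */
int rdp_level(uint8_t rdp, uint8_t nrdp)
{
    if (rdp == RDP_L0 && nrdp == NRDP_L0) return 0;
    if (rdp == RDP_L2 && nrdp == NRDP_L2) return 2;
    return 1;
}

/* Start from the level 2 pair, flip each of the 16 stored bits in turn,
 * and count how many of those single-bit faults decode to `level`. */
int single_flips_from_l2_to(int level)
{
    uint16_t l2 = (uint16_t)((RDP_L2 << 8) | NRDP_L2);
    int hits = 0;
    for (int bit = 0; bit < 16; bit++) {
        uint16_t v = (uint16_t)(l2 ^ (1u << bit));
        if (rdp_level((uint8_t)(v >> 8), (uint8_t)(v & 0xFFu)) == level)
            hits++;
    }
    return hits;
}

/* Number of stored bits that differ between the level 2 and level 0 pairs. */
int bits_between_l2_and_l0(void)
{
    unsigned diff = ((RDP_L2 ^ RDP_L0) << 8) | (NRDP_L2 ^ NRDP_L0);
    int n = 0;
    for (; diff; diff >>= 1) n += (int)(diff & 1u);
    return n;
}

int main(void)
{
    printf("single-bit faults, level 2 -> 1: %d of 16\n", single_flips_from_l2_to(1));
    printf("single-bit faults, level 2 -> 0: %d of 16\n", single_flips_from_l2_to(0));
    printf("bits differing, level 2 vs 0: %d\n", bits_between_l2_and_l0());
    return 0;
}
```

Under the assumed encoding, every single-bit corruption of the level 2 pattern lands on level 1 and none on level 0, so the strength of level 1 itself is what bounds the protection once a bit can be disturbed.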

    S.Ma
    Principal
    April 29, 2023

    The usual fight and defense evolution level of any product. The level of defense grows with cost, and I guess most want security for free?