Microcontroller Exploits

Microcontroller Exploits is a deep dive into advanced hardware hacking with detailed examples of real-world techniques and a comprehensive survey of vulnerabilities.

In this advanced guide to hardware hacking, you'll learn how to read the software out of single chip computers, especially when they are configured not to allow the firmware to be extracted. 

This book documents a very wide variety of microchip hacking techniques; it's not a beginner's first introduction.

You'll start off by exploring detailed techniques for hacking real-world chips, such as how the STM32F0 allows for one word to be dumped after every reset. You'll see how the STM32F1’s exception handling can slowly leak the firmware out over an hour, and how the Texas Instruments MSP430 firmware can be extracted by a camera flash.

For each exploit, you'll learn how to reproduce the results, dumping a chip in your own lab.

In the second half of the book you'll find an encyclopedic survey of vulnerabilities, indexed and cross referenced for use in practicing hardware security.

Travis Goodspeed is an embedded systems reverse engineer from Tennessee, where he drives a Studebaker and collects memory extraction exploits for microcontrollers. His recent projects include a function recognizer for Thumb2 firmware, a fresh memory corruption exploit for a 90's smart card, and a CAD tool for extracting bits from mask ROM photographs.

Introduction
Chapter 1: Basics of Memory Extraction
Chapter 2: STM32F217 DFU Exit
Chapter 3: MD380 Null Pointer, DFU
Chapter 4: LPC1343 Call Stack
Chapter 5: Ledger Nano S, 0xF00DBABE
Chapter 6: NipPEr Is a buTt liCkeR
Chapter 7: RF 430 Backdoors
Chapter 8: Basics of JTAG and ICSP
Chapter 9: nRF51 Gadgets in ROM
Chapter 10: STM32F0 SWD Word Leak
Chapter 11: STM32F1 Interrupt Jigsaw
Chapter 12: PIC18F452 ICSP and HID
Chapter 13: Basics of Glitching
Chapter 14: MC13224, the Simplest Fault Injection
Chapter 15: LPC1114 Bootloader Glitch
Chapter 16: nRF52 APPROTECT Glitch
Chapter 17: STM32 FPB Glitch
Chapter 18: Chip Decapsulation
Chapter 19: PIC Ultraviolet Unlock
Chapter 20: MSP430 Paparazzi Attack
Chapter 21: CMOS VLSI Interlude
Chapter 22: Mask ROM Photography
Chapter 23: Game Boy Via ROM
Chapter 24: Clipper Chip Diffusion ROM
Chapter 25: Nintendo CIC and Clones
Chapter A: More Bootloader Vulns
Chapter B: More Debugger Attacks
Chapter C: More Privilege Escalation
Chapter D: More Invasive Attacks
Chapter E: More Fault Injections
Chapter F: More Test Modes
Chapter G: More ROM Photography
Chapter H: Unsorted Attacks
Chapter I: Other Chips Thank you, kindly.
Bibliography
Index