170 - Hacking Pixel Bootloaders and Injecting Bugs
A timing-based side-channel in the CHECK_DATA Device Configuration Data command could allow the value of memory to be disclosed and read even when reading was disabled.
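To illustrate the class of leak described above, here is a constructed model (added here, not code from the talk or from any real bootloader) of a "check data" command that compares caller-supplied bytes against protected memory. The loop iteration count stands in for elapsed time; the names `check_data_leaky`, `check_data_ct`, `secret` and the cost helpers are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Leaky check: returns at the first differing byte, so the number of
 * iterations (i.e. the time taken) reveals how many leading bytes of the
 * guess matched protected memory. That is enough to recover it byte by byte. */
static int check_data_leaky(const uint8_t *mem, const uint8_t *guess,
                            size_t n, size_t *iters) {
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        if (mem[i] != guess[i]) return 0;
    }
    return 1;
}

/* Hardened check: always walks every byte and folds differences into an
 * accumulator, so the work done is independent of where the mismatch is. */
static int check_data_ct(const uint8_t *mem, const uint8_t *guess,
                         size_t n, size_t *iters) {
    uint8_t diff = 0;
    *iters = 0;
    for (size_t i = 0; i < n; i++) {
        (*iters)++;
        diff |= (uint8_t)(mem[i] ^ guess[i]);
    }
    return diff == 0;
}

/* Constructed stand-in for read-protected memory contents. */
static const uint8_t secret[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04};

/* Build a guess whose first `prefix_len` bytes are correct and the rest wrong. */
static void make_guess(uint8_t out[8], size_t prefix_len) {
    for (size_t i = 0; i < 8; i++)
        out[i] = (i < prefix_len) ? secret[i] : (uint8_t)(secret[i] ^ 0xFF);
}

/* Iterations the leaky check spends on a guess with `prefix_len` correct bytes. */
size_t leaky_cost(size_t prefix_len) {
    uint8_t g[8]; size_t it;
    make_guess(g, prefix_len);
    check_data_leaky(secret, g, 8, &it);
    return it;
}

/* Iterations the hardened check spends: always the full length. */
size_t ct_cost(size_t prefix_len) {
    uint8_t g[8]; size_t it;
    make_guess(g, prefix_len);
    check_data_ct(secret, g, 8, &it);
    return it;
}
```

A test that the timing signal has been removed is that `ct_cost` is the same for every prefix length, while `leaky_cost` grows with it.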
The RH850 is an automotive MCU which features Secure Onboard Communication (SecOC), which includes read protections to prevent dumping the ROM over serial. After reversing the protocol with a logic analyzer, they discovered that authentication was only gated on the sync command (which is required before any other commands are acknowledged). They decided to set up a voltage glitch attack on the "programming enabled" check.
It was a little tricky as the MCU had two cores, with one acting as a validator. Both cores needed to be glitched successfully to allow serial access. After brute-forcing the glitch timing for a day or so, they got it right and dumped the firmware.