Bypassing the Renesas RH850/P1M-E read protection using fault injection

We discussed this vulnerability during Episode 170 on 22 November 2022.

The RH850 is an automotive MCU which features Secure Onboard Communication (SecOC), which includes read protections that prevent dumping the ROM over serial. After reversing the protocol with a logic analyzer, the researchers discovered the authentication was only gated on the sync command (which is required before any other commands are acknowledged). They decided to set up a voltage glitch attack on the “programming enabled” check.

It was a little tricky, as the MCU had two cores, with one acting as a validator. Both cores needed to be glitched successfully to allow serial access. After brute-forcing the timing for a day or so, they were able to get the timing right and dump the firmware.
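The design point behind the sync-only gate and the two-core validator, as an added example that is not Renesas firmware or code from the original write-up: a small fault model comparing a handler that checks protection once at sync with one that repeats the check on every command. The command codes, constants, `Device` struct and the "a fault makes one check pass" model are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical command codes and state: a model, not the RH850 protocol. */
enum { CMD_SYNC = 1, CMD_READ = 2 };
#define PROT_ON  0x3CA5u /* complementary encodings: one flipped bit */
#define PROT_OFF 0xC35Au /* never turns "on" into "off"              */

typedef struct {
    uint16_t prot;    /* configured protection setting */
    bool synced;      /* result of the sync-time decision */
    int faults_left;  /* fault model: checks a glitch may still corrupt */
} Device;

/* One "programming enabled" check; a simulated fault makes it pass. */
static bool check_open(Device *d) {
    if (d->faults_left > 0) { d->faults_left--; return true; }
    return d->prot == PROT_OFF;
}

/* Weak design: the check runs on sync only, later commands trust it. */
static bool weak_handle(Device *d, int cmd) {
    if (cmd == CMD_SYNC) d->synced = check_open(d);
    return d->synced;
}

/* Hardened design: every command repeats the check, twice. */
static bool hard_handle(Device *d, int cmd) {
    if (cmd == CMD_SYNC) { d->synced = check_open(d); return d->synced; }
    if (!d->synced) return false;
    bool first = check_open(d);
    bool second = check_open(d);
    return first && second;
}

/* Sync, then read, with `faults` injected; true if the read is served. */
static bool session(bool (*handle)(Device *, int), int faults) {
    Device d = { PROT_ON, false, faults };
    handle(&d, CMD_SYNC);
    return handle(&d, CMD_READ);
}

int main(void) {
    for (int n = 0; n <= 3; n++)
        printf("faults=%d weak=%d hardened=%d\n", n,
               session(weak_handle, n), session(hard_handle, n));
    return 0;
}
```

Repeating the check raises the number of faults that must all land in one session, which is the same effect the validator core had; it raises the cost of the attack rather than removing it.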