Breaking crp level 1 stm32f103

Hi, I’m trying to voltage glitch an STM32F103 to gain access to the flash memory and dump the firmware. I’m basing my thinking on this glitch paper https://www.google.com/url?sa=t&source=web&rct=j&url=https://tches.iacr.org/index.php/TCHES/article/download/7390/6562/&ved=2ahUKEwi087W0p8DnAhV30TgGHVQ8BPkQFjABegQIBRAM&usg=AOvVaw3Yf850otJLHvHHJiRQLcVi
Anyway, I somehow have to coordinate the read flash command via OpenOCD and an ST-Link V2 adapter and use it as a trigger for the ChipWhisperer-Lite. Does anybody have any ideas on how I might go about this, or if there is an easier way to gain flash access?

Hi,

Ideally you would have an FPGA to passively observe the JTAG traffic and issue a trigger to your ChipWhisperer at or around the “right time”.
But all you really need is a constant time reference that you can use to time your glitch, since you can offset and sweep from there with the ChipWhisperer. I’m not sure what’s the simplest way to do that, I’m just pointing you in (hopefully) the right direction.
One option is to adapt our PhyWhisperer-USB for your purposes, as explained here.
You might also get some ideas from Dmitry’s bootloader bypass tutorial.

Jean-Pierre

OK, so you're suggesting to use a PhyWhisperer-USB hooked up to my ST-Link V2, sniff the USB line of the ST-Link, wait for the read flash message and use it as a trigger for the ChipWhisperer?

That might work, but I don’t know whether the USB traffic can serve as a constant time reference.
Ideally you’d customize the PhyWhisperer FPGA to sniff the JTAG itself. It’s got a bank of 8 I/Os that were put there for these kinds of situations. But it does require you to customize the FPGA bitfile yourself.

Jean-Pierre

Hello, fridgyylife

I have successfully broken CRP level 1 on the STM32F103 and scripted this here.

Best regards,
Nik.
