Window cleaning robot becomes window racing robot

A long time ago I was given an old window cleaner that had stopped working. It was a simple motor problem, but given the price of the device, buying a replacement motor and repairing it would have cost more than buying a new one. The owner bought a new one and gave me the old one in case I ever wanted to do something with it.

So, naturally, when I pulled this window cleaner back out of my drawers, I decided to see what it had inside.

Incidentally, it was while writing this post and seeing what they sell this robot for now that I told myself replacing the motor would really be worth it. Maybe that will be the subject of another post.

Without hesitation, I went straight for the debug ports that jumped out at me. On this PCB we can see an MCU that appears to be the main chip, and next to it a curious JST connector, as if waiting to be analyzed.

Mapping the MCU pinout from its datasheet (https://datasheetspdf.com/pdf-file/1480386/STMicroelectronics/STM32F030/1), we see that the JST connector is wired to VDD, SWDIO, SWCLK and GND: the pins of the SWD debug port.

For such a low-end device, simply connecting to it and dumping the firmware should be enough…

To my surprise, when I took out my J-Link and typed the command:

openocd -f interface/jlink.cfg -f target/stm32f0x.cfg

It does recognize the chip, but it appears to be protected.

STM32 chips have a feature called RDP (Read-out Protection) that protects the Flash memory against unauthorized read access. It is a security mechanism designed to prevent an attacker from reading the firmware of the microcontroller, which could otherwise be used to reverse engineer the device or extract sensitive information.

The RDP feature on STM32 MCUs provides three levels of protection:

Level 0: No protection, which means that the Flash memory can be read by anyone.
Level 1: Read-out protection enabled, which means that the Flash memory can be read only with the help of special tools provided by STMicroelectronics.
Level 2: Read-out protection enabled, and the device is permanently locked, which means that the Flash memory cannot be read even with special tools.

In summary, RDP protection is a security feature of STM32 microcontrollers that provides protection against unauthorized read access to the Flash memory, and it can be configured to provide different levels of protection.
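As an added example (not code from the original post or from the stm32f_exploit_dumper project), here is a small Python helper that classifies the RDP level of an STM32F0/F3-style part from the first two option bytes, the RDP byte and its complement nRDP, and states the corresponding risk. It assumes the encoding from the STM32F0 reference manual (0xAA = level 0, 0xCC = level 2, anything else = level 1; option-byte block at 0x1FFFF800) and uses constructed sample values.

```python
RDP_OPTION_BYTE_ADDR = 0x1FFFF800  # start of the option-byte block: RDP, nRDP
RDP_LEVEL0 = 0xAA                   # no read protection
RDP_LEVEL2 = 0xCC                   # permanent lock, cannot be reverted


def rdp_level(option_bytes: bytes) -> int:
    """Classify the RDP level from the RDP byte and its complement nRDP.

    The hardware treats a complement mismatch as an option-byte error and
    falls back to level 1, which is what this function does as well.
    """
    if len(option_bytes) < 2:
        raise ValueError("need at least the RDP and nRDP bytes")
    rdp, nrdp = option_bytes[0], option_bytes[1]
    consistent = nrdp == (~rdp & 0xFF)
    if consistent and rdp == RDP_LEVEL2:
        return 2
    if consistent and rdp == RDP_LEVEL0:
        return 0
    return 1


def assess(option_bytes: bytes) -> str:
    """Risk statement for a firmware owner checking their own device."""
    level = rdp_level(option_bytes)
    if level == 0:
        return "RDP level 0: Flash is readable over SWD by anyone"
    if level == 1:
        return ("RDP level 1: debugger reads are blocked, but this is the "
                "level the attack discussed above bypasses; consider level 2")
    return "RDP level 2: debug access to Flash is permanently disabled"


def level2_option_pair() -> bytes:
    """RDP/nRDP pair that would be programmed to move a device to level 2.

    Level 2 is irreversible: once set, the chip can no longer be debugged
    or re-flashed over SWD, so only apply it to production units.
    """
    return bytes([RDP_LEVEL2, ~RDP_LEVEL2 & 0xFF])


if __name__ == "__main__":
    # Constructed sample pairs (not read from the robot's MCU).
    for sample in (b"\xAA\x55", b"\xFF\x00", b"\xAA\xAA", b"\xCC\x33"):
        print(sample.hex(), "->", assess(sample))
```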

Unfortunately I want to read it, and since I can still connect to the chip, it appears to be protected at RDP level 1.

Fortunately, I know of a paper describing a vulnerability in STM32F0 and STM32F1 chips (Shedding too much Light on a Microcontroller’s Firmware Protection). The vulnerability only works against RDP level 1, but that is enough for our needs.

Not having the board used to exploit the vulnerability in the paper, I ported the exploit to a new board, the Nucleo F303RE. And since I was going to spend time porting it to this board anyway, I might as well make it portable to any kind of board, not only STM32 chips.

That is why I used the Arduino framework and PlatformIO to create this new PoC. You can find the project here: https://gitlab.com/MadSquirrels/hardware/stm32f_exploit_dumper. All the steps needed to make the dumper work are explained in the project’s README, but I will detail here the setup for the board I used, the Nucleo F303RE.

As shown in the picture above, we connect the target’s pins to our exploit board as follows:

- TARGET_RESET on PA9 or D8
- TARGET_PWR (VDD) on PA10 or D2
- TARGET_SWDIO on PA11
- TARGET_SWCLK on PA12
- TARGET_GND on GND

These pins are the ones configured in the include/conf.hh file, but they can of course be changed if needed.

All that remains is to flash our board with pio run --target=upload and launch the Python script dump.py, and the firmware starts being dumped.