The list below is compiled to inform, guide, and inspire budding security researchers. Oh and to pick something for bedtime reading too.
Included in the list are works on the following topics related to MCU/SoC security:
- Secure boot
- Fault injection
- Side channel attacks
At the end of the list, there is also a section with links to articles of potential general interest, not addressing vulnerabilities in any specific device.
- 6500/1 ROM may be applicable to other mask ROM 6502
- Raelize:Espressif ESP32: Breaking HW AES with Power Analysis
- Raelize:Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)
- Raelize:Espressif ESP32: Bypassing Flash Encryption (CVE-2020-15048)
- Raelize:Espressif ESP32: Controlling PC during Secure Boot
- Raelize:Espressif ESP32: Bypassing Secure Boot using EMFI
- LimitedResults:Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
- LimitedResults:Pwn the ESP32 Secure Boot
- LimitedResults:Pwn the ESP32 crypto-core
- Courk:Breaking the Flash Encryption Feature of Espressif’s Parts
- Skorobogatov:Compromising device security via NVM controller vulnerability
- Skorobogatov:Practical reverse engineering of ECC-based authentication device with zero knowledge
- LimitedResults:nRF52 Debug Resurrection (APPROTECT Bypass) Part 1
- LimitedResults:nRF52 Debug Resurrection (APPROTECT Bypass) Part 2
- LimitedResults:Nuvoton M2351 MKROM
- https://media.ccc.de/v/36c3-10859-trustzone-m_eh_breaking_armv8-m_s_security
- Fill your Boots: Enhanced Embedded Bootloader Exploits via Fault Injection and Binary Analysis
- https://i.blackhat.com/eu-19/Thursday/eu-19-Temeiza-Breaking-Bootloaders-On-The-Cheap-2.pdf
- NXP LPC1343 Bootloader Bypass (Part 1) - Communicating with the bootloader
- NXP LPC1343 Bootloader Bypass (Part 2) - Dumping firmware with Python and building the logic for the glitcher
- NXP LPC1343 Bootloader Bypass (Part 3) - Putting it all together
- Oxide:Exploiting Undocumented Hardware Blocks in the LPC55S69
- Oxide:Another vulnerability in the LPC55S69 ROM
- Oxide:A Gap in the TrustZone preset settings for the LPC55S69
- Fill your Boots: Enhanced Embedded BootloaderExploits via Fault Injection and Binary Analysis
- Shaping the Glitch: Optimizing Voltage Fault Injection Attacks
- D78F0831Y
- Bypassing the Renesas RH850/P1M-E read protection using fault injection
- RH850/F1L ID code check bypass via glitching
- LimitedResults:Enter the EFM32 Gecko
- Quarkslab:Breaking Secure Boot on the Silicon Labs Gecko platform
- Fill your Boots: Enhanced Embedded BootloaderExploits via Fault Injection and Binary Analysis
- Dumping Firmware With a 555
- Kraken Identifies Critical Flaw in Trezor Hardware Wallets
- Riscure:Glitching the KeepKey hardware wallet
- https://www.xilinx.com/support/answers/76201.html
- Zynq Part 2: UART Secrets
- Zynq Part 3: CVE-2021-27208
- Zynq Part 4: CVE-2021-44850
- The Sorcerer’s Apprentice Guide to Fault Attacks
- Skorobogatov:Copy Protection in Modern Microcontrollers
- chip.fail
- https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf
- Taking a Look into Execute-Only Memory
- Skorobogatov:Copy Protection in Modern Microcontrollers
- https://ryancor.medium.com/pulling-bits-from-rom-silicon-die-images-unknown-architecture-b73b6b0d4e5d
- Hacker's guide to deep-learning side-channel attacks: the theory
- Hacker's guide to deep-learning side-channel attacks: code walkthrough
- Design Considerations for EM Pulse Fault Injection
- Shaping the Glitch: Optimizing Voltage Fault Injection Attacks
- Quarkslab:Vulnerabilities in the TPM 2.0 reference implementation code
- Quarkslab:RFID: Monotonic Counter Anti-Tearing Defeated
- High Precision Laser Fault Injection using Low-cost Components
- SiliconToaster: A Cheap and Programmable EM Injector for Extracting Secrets
Added, thanks!