A curated list of research papers on embedded security, keyed by the device p/n

imperfect-design.md

The list below is compiled to inform, guide, and inspire budding security researchers. Oh and to pick something for bedtime reading too.

Amlogic

S905

• https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html

Cypress

CY8C21434

• https://syscall.eu/blog/2018/03/12/aigo_part2/

Espressif

ESP32

• https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/
• https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/
• https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/
• https://limitedresults.com/2019/08/pwn-the-esp32-crypto-core/

Infineon

SLE95250

• Compromising device security via NVM controller vulnerability
• https://www.cl.cam.ac.uk/~sps32/HWIO_OTB.pdf

Microchip/Atmel

AT91SAM7XC256

• https://adamsblog.rfidiot.org/2013/02/atmel-sam7xc-crypto-co-processor-key.html

ATECC508A

• https://i.blackhat.com/USA-20/Thursday/us-20-Heriveaux-Black-Box-Laser-Fault-Injection-On-A-Secure-Memory.pdf

PIC18F452

• Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security

PIC18F1320

• https://www.bunniestudios.com/blog/?page_id=40

Nordic Semi

nRF51822

• https://blog.includesecurity.com/2015/11/firmware-dumping-technique-for-an-arm-cortex-m0-soc/

nRF52

• https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/
• https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass-part-2/

Nuvoton

M2351

• https://limitedresults.com/2020/01/nuvoton-m2351-mkrom-armv8-m-trustzone/
• https://media.ccc.de/v/36c3-10859-trustzone-m_eh_breaking_armv8-m_s_security

NVidia

Tegra

• https://github.com/Qyriad/fusee-launcher/blob/master/report/fusee_gelee.md

NXP

i.MX50

• https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html

i.MX53

• https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html

i.MX6

• https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html

LPC

• https://recon.cx/2017/brussels/resources/slides/RECON-BRX-2017-Breaking_CRP_on_NXP_LPC_Microcontrollers_slides.pdf

LPC1343

• Fill your Boots: Enhanced Embedded BootloaderExploits via Fault Injection and Binary Analysis
• https://i.blackhat.com/eu-19/Thursday/eu-19-Temeiza-Breaking-Bootloaders-On-The-Cheap-2.pdf
• https://toothless.co/blog/bootloader-bypass-part1/

Qualcomm

MSM8994

• https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html

Renesas

78K0

• Fill your Boots: Enhanced Embedded BootloaderExploits via Fault Injection and Binary Analysis
• Shaping the Glitch: Optimizing Voltage Fault Injection Attacks

STMicro

STM8

• Fill your Boots: Enhanced Embedded BootloaderExploits via Fault Injection and Binary Analysis

STM32F0

• Shedding too much Light on a Microcontroller’s Firmware Protection

STM32F1

• https://blog.zapb.de/stm32f1-exceptional-failure/

STM32F103

• https://medium.com/@LargeCardinal/how-to-bypass-debug-disabling-and-crp-on-stm32f103-7116e7abb546

STM32F205

• https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/
• https://www.riscure.com/uploads/2019/04/Riscure_OffensiveCon19_glitchingKeepkey.pdf

STM32F373

• Shaping the Glitch: Optimizing Voltage Fault Injection Attacks

TI

MSP430

• Practical Attacks against the MSP430 BSL

MSP430F5172

• Shaping the Glitch: Optimizing Voltage Fault Injection Attacks

General interest

• https://chip.fail/chipfail.pdf
• https://research.nccgroup.com/wp-content/uploads/2020/02/NCC-Group-Whitepaper-Microcontroller-Readback-Protection-1.pdf
• Taking a Look into Execute-Only Memory
• https://www.cl.cam.ac.uk/~sps32/mcu_lock.html