2 STM32F217 DFU Exit

Reported privately in Goodspeed (2012) to ST Microelectronics, this chapter is the first public description of a remote code execution exploit for the STM32F217, STM32F407, and other chips in the family with mask ROM implementations of the USB device firmware update (DFU) protocol. This bug is nice because it’s so straightforward: the DFU implementation restricts access to reading and writing memory of a locked chip, but changing the target address and executing the application are both freely allowed.

To dump a locked chip’s memory, we’ll first use JTAG to place some shellcode into unused SRAM, then reset the chip and use DFU over USB to execute that shellcode, dumping all of memory out of the GPIO pins. The bootloader’s ...

Get Microcontroller Exploits now with the O’Reilly learning platform.