To make each product unique, many software products encrypt the program using the unique device identifier (UID) of the microcontroller. In this paper, we use some functional units of the microcontroller to forge the UID without directly modifying the original code. We add code that runs before the target software, capture accesses to the UID using the MPU or DWT unit, and use the FPB unit or vector table relocation to relocate some interrupt vectors so that the target software is not modified directly. Taking the STM32F429 with a Cortex-M4 core as an example, a 96-bit UID is successfully forged using the Flash patch. A similar method can be used to forge UIDs on other microcontrollers with MPU, DWT or FPB units, but prevention is relatively easy: it is enough to destroy the relevant settings.
Key words: MCU / unique device ID / STM32F429 / Flash patch and breakpoint / data watchpoint and trace
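The abstract's closing point, that forgery is prevented once the relevant settings are destroyed, can be sketched as a startup routine in the protected firmware. This is an added example, not code from the paper: the function, struct and flag names are hypothetical, the addresses in the comments are the ARMv7-M architectural ones, and it assumes the firmware does not itself rely on the MPU, DWT or FPB at this point.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register view. On target the pointers hold the ARMv7-M
 * addresses in the comments; on a host they can point at plain variables. */
typedef struct {
    volatile uint32_t *fp_ctrl;   /* FP_CTRL        0xE0002000 */
    volatile uint32_t *dwt_ctrl;  /* DWT_CTRL       0xE0001000 */
    volatile uint32_t *dwt_func0; /* DWT_FUNCTION0  0xE0001028, 16-byte stride */
    volatile uint32_t *mpu_ctrl;  /* MPU_CTRL       0xE000ED94 */
    volatile uint32_t *vtor;      /* VTOR           0xE000ED08 */
} trap_regs_t;

enum { SEEN_FPB = 1, SEEN_DWT = 2, SEEN_MPU = 4, SEEN_VTOR = 8 };

/* Clear every setting the abstract names and report which were found active. */
uint32_t scrub_trap_units(const trap_regs_t *r, uint32_t own_vtor)
{
    uint32_t seen = 0;

    if (*r->fp_ctrl & 1u) seen |= SEEN_FPB;      /* ENABLE bit set */
    *r->fp_ctrl = 2u;                            /* KEY=1, ENABLE=0 */

    uint32_t ncomp = *r->dwt_ctrl >> 28;         /* NUMCOMP field */
    for (uint32_t i = 0; i < ncomp; i++) {
        volatile uint32_t *func = r->dwt_func0 + 4u * i;
        if (*func & 0xFu) seen |= SEEN_DWT;      /* comparator armed */
        *func = 0;                               /* FUNCTION=0 disables it */
    }

    if (*r->mpu_ctrl & 1u) seen |= SEEN_MPU;     /* MPU enabled */
    *r->mpu_ctrl = 0;

    if (*r->vtor != own_vtor) seen |= SEEN_VTOR; /* vector table relocated */
    *r->vtor = own_vtor;

    return seen;
}

int main(void)
{
    /* Constructed host-side values standing in for a tampered device. */
    uint32_t fp = 1, dctrl = 4u << 28, func[16] = {0}, mpu = 1, vtor = 0x20000000u;
    func[0] = 5;
    trap_regs_t r = { &fp, &dctrl, func, &mpu, &vtor };
    printf("flags=0x%x\n", (unsigned)scrub_trap_units(&r, 0x08000000u));
    return 0;
}
```

A nonzero return value means at least one unit was configured before the firmware started, which the firmware can treat as evidence of tampering before it reads the UID.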