Reading the Unreadable SROM: Inside the PSOC4 by Elliot Williams.
From the post:
Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.
This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.
The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.
…
We should all commend Dmitry Grinberg on his choice of the leading Internet of Things (IoT) supplier as his target.
Cyber-insecurity grows with every software security solution, but consider the market figures:
The Internet of Things market size is estimated to grow from USD 157.05 Billion in 2016 to USD 661.74 Billion by 2021, at a Compound Annual Growth Rate (CAGR) of 33.3% from 2016 to 2021. (Internet of Things (IoT) Market)
Insecurity growing at a “Compound Annual Growth Rate (CAGR) of 33.3%” is impressive to say the least. Not to mention all the legacy insecurities that have never been patched or where patches have not been installed.
Few will duplicate Dmitry’s investigation but no doubt tools will soon bring the fruits of his labor to a broader market.
Responsible Disclosure
The comments on Dmitry’s work have the obligatory complaints about public disclosure of these flaws.
Every public disclosure is a step towards transparency of both corporations and governments.
I see no cause for complaint.
You?
Enjoy the Projects gallery as well.