# Breaking Espressif's ESP32 V3: Program Counter Control with Computed Values using Fault Injection

Jeroen Delvaux, Cristofaro Mune, Mario Romero, Niek Timmers

all contributed equally



Usenix WOOT 2024, Philadelphia, USA

# Our Target: ESP32 V3

## ESP32 V1 [2016]



- The ESP32 is a widely popular system-on-chip (SoC) with WiFi and Bluetooth.
- The CPU of the V1 chip implements the Xtensa instruction set (not RISC-V).
- Security features: *Secure Boot* and *Flash Encryption*.
- Left, a development board from Espressif is shown.

Broken by multiple *fault injection* (FI) attacks from multiple research teams.

## ESP32 V3 [2020]



## Hardened:

- The ROM code is protected against FI by introducing redundancies
- Cryptographic overhaul of secure boot: from symmetric-key crypto to public-key crypto

We defeat all security features with a single electromagnetic (EM) glitch. Findings were responsibly disclosed:

- Security Advisory AR2023-005
- CVE-2023-35818.

## Secure Boot and Flash Encryption



# **Program Counter Control using EM-FI**



# Serial (UART)

### Valid bootloader, printing "Hello, World!"

#### ets Jul 29 2019 12:21:46

rst:0x1 (POWERON\_RESET), boot:0x13 (SPI\_FAST\_FLASH\_BOOT) configsip: 0, SPIWP:0xee clk drv:0x00,g drv:0x00,d drv:0x00,cs0 drv:0x00, hd\_drv:0x00,wp\_drv:0x00 mode:2, clock div:2 secure boot v2 enabled secure boot verification succeeded load:0x3fff0020 len:0xc8c load:0x40078000 len:0x2020 load:0x40080400 len:0xeac entry 0x40080640 I (41) boot: ESP-IDF v5.0.1-397-g3050ea656f 2nd stage bootloader I (41) boot: compile time 16:51:07 I (41) boot: chip revision: v3.0 I (45) boot.esp32: SPI Speed : 40MHz I (50) boot.esp32: SPI Mode : DIO I (54) boot.esp32: SPI Flash Size : 2MB I (59) boot: Enabling RNG early entropy source... Hello, World!

We manipulate ciphertext such that a CRC32 checksum over the signature block fails and prints our pointer

ets Jul 29 2019 12:21:46 rst:0x1 (POWERON\_RESET),boot:0x13 (SPI\_FAST\_FLASH\_BOOT) configsip: 0, SPIWP:0xee clk\_drv:0x00,q\_drv:0x00,d\_drv:0x00,cs0\_drv:0x00, hd\_drv:0x00,wp\_drv:0x00 mode:2, clock div:2 secure boot v2 enabled Sig block 0 invalid: Stored CRC 0xbaaeaf78 calculated 0xdeadbeef secure boot verification failed

| Pointer    | Practical use                                                                                      |
|------------|----------------------------------------------------------------------------------------------------|
| 0xdeadbeef | None; hexpeak                                                                                      |
| 0x80006864 | A print statement in ROM, kindly letting us know that PC control is successful                     |
| 0x80008ceb | ROM entry point for <i>Download Mode</i> .<br>Here, the entire Flash contents can be<br>decrypted. |

# Pointer Insertion via CRC32 Checksum

## **Enabling factors:**

- CRC32 is an affine/linear function
- Checksums are printed via UART
- AES operates on 128-bit blocks independently

By solving a system of 32 linear equations, the calculated checksum can be set to any 32-bit value



# Pointer Transfer to Program Counter

Espressif published the ROM code as an \*.elf file, which allows for reverse engineering in Ghidra.

#### ets\_secure\_boot\_verify\_signature



#### crc32\_le

| 0x4005cfec | entry  | <b>a1</b> , 0 <b>x</b> 20                            |
|------------|--------|------------------------------------------------------|
| 0x4005cfef | movi.n | <mark>a8</mark> ,0xff                                |
| 0x4005cff1 | xor    | a2, a8, a2                                           |
| 0x4005cff4 | 132r   | a9,0x4005cfe8                                        |
| 0x4005cff7 | movi.n | <mark>a8</mark> , 0 <b>x</b> 0                       |
| 0x4005cff9 | j      | 0x4005d014                                           |
| 0x4005cffc | add.n  | a10, a3, a8                                          |
| 0x4005cffe | 18ui   | <b>a10</b> , <b>a10</b> , 0 <b>x</b> 0               |
| 0x4005d001 | addi.n | <mark>a8, a8</mark> , 0 <b>x1</b>                    |
| 0x4005d003 | xor    | a10, a10, a2                                         |
| 0x4005d006 | extui  | <b>a10</b> , <b>a10</b> , 0 <b>x</b> 0, 0 <b>x</b> 8 |
| 0x4005d009 | addx4  | a10, a10, a9                                         |
| 0x4005d00c | 132i.n | <b>a10</b> , <b>a10</b> , 0 <b>x</b> 0               |
| 0x4005d00e | srli   | <mark>a2, a2</mark> , 0 <b>x</b> 8                   |
| 0x4005d011 | xor    | a2, a10, a2                                          |
| 0x4005d014 | bne    | <b>a8</b> , <b>a4</b> , <b>0x4005cffc</b>            |
| 0x4005d017 | movi.n | <u>a3,</u> 0xff                                      |
| 0x4005d019 | xor    | a2, a3, a2                                           |
| 0x4005d01c | retw.n |                                                      |

#### ets\_printf

Sig block 0 invalid: Stored CRC 0xbaaeaf78 calculated 0xdeadbeef

The pointer passes

through several GP

EM-FI corrupts CPU

instructions, thereby

the pointer to the PC

potentially transferring

Overwriting register a0,

which stores a function's

return address, is a likely

registers.

register.

pathway.

## **Riscure EM-FI Setup**



XYZ stage, Spider, breadboard



ESP32V3, probe

- The surface of the ESP32 V3 chip is partially blocked by the Flash chip.
- Displacing the Flash chip is not needed to succeed.

# Rough Timing of the Glitch

Timing reference: *chip-enable* (CE) signal of the Flash chip:

- Five large blocks where data is copied.
- The glitch is injected shortly after block 5.



## GNU Debugger (GDB) execution trace



# Fine Timing of the Glitch

Using FI as a virtual oscilloscope.

320

310

300

290

280

270

260

250

Power

Sig block 0 invalid: Stored CRC 0xbaaeaf78 calculated Oxdeadbeef

## Nominal

- Crash
- Calculated sum is altered
- Stored sum is altered
- Calculated and stored sums are both altered
- Deformed checksum string
- PC control



## Scan Results



Speed: 3.4 glitches per second. A few days sufficed to find the first 'red' dot.

Breaking Espressif's ESP32 V3: Program Counter Control with Computed Values using Fault Injection

At least two places in the ROM

## Download Mode

- Download Mode is used by developers and is disabled in the field by burning a fuse.
- Nevertheless, we enter Download Mode by taking PC Control.
- Upon entering, we send and receive packets via UART to decrypt the Flash contents.

Request: c0000a0400000000000000010403fc0

Reply: c0010a0400**e9030210**000000000

Read 32 bits at virtual address 0x3f401000.

The requested 32-bit word is 0x100203e9.

## Ciphertext (Flash)

## Plaintext (CPU)

| 00000000 | E9030210    | 3C 06 08 40 | EE 00 00 00 | 00 00 03 00 | · · · · < · · @ · · · · · · · |
|----------|-------------|-------------|-------------|-------------|-------------------------------|
| 0000010  | 00 FF FF 00 | 00 00 00 01 | 20 00 FF 3F | C4 OC 00 00 | ??                            |
|          |             |             |             |             | (P                            |
| 00000030 | 00 F0 F5 3F | 00 00 00 00 | 04 00 00 00 | 05 00 00 00 | ?                             |
|          |             |             |             |             | Assert f                      |
| 00000005 | 61 69 6C 65 | 64 20 69 6E | 20 25 73 2C | 20 25 73 3A | ailed in %s, %s:              |

# **Concluding Remarks**

- Main lesson: avoid printing plaintext data, or results from a plaintext computation.
- We thank Espressif for establishing a smooth vulnerability disclosure process.
- Espressif indicated that the attack does not apply to ESP32-S2, ESP32-C3, ESP32-S3, and future chips.
- Taking PC control by inserting pointers in a computation is a generic methodology for attacks, possibly affecting manufacturers other than Espressif.
- Thank you for attending!

ets Jul 29 2019 12:21:46 rst:0x1 (POWERON\_RESET),boot:0x13 (SPI\_FAST\_FLASH\_BOOT) configsip: 0, SPIWP:0xee clk\_drv:0x00,q\_drv:0x00,d\_drv:0x00,cs0\_drv:0x00, hd\_drv:0x00,wp\_drv:0x00 mode:2, clock div:2 secure boot v2 enabled Sig block 0 invalid: Stored CRC 0xbaaeaf78 calculated 0xdeadbeef secure boot verification failed