Wait, does this mean you can use the reset signal directly as a glitch signal, or that the glitch has to happen for a short while within the window? If the former, that's the first time I hear of a device that provides its own bypass signal.
Excellent work!
Edit: seems I could fix it, thanks!
Only in the SAM(single letter)(rest of part number) and SAME/V/S70 family.
They went out of their way to maintain legacy parity with the M7 cores against the older M4 cores (which have GPNVM) for some reason I forget when I was discussing those chips with them in pre-production sampling long ago.
I wouldn't call this a zero-day per se. If I have your chip, programmed, physically in my hands, I will nitric acid the sucker and throw it under an electron scanning microscope to laser the security bits off if I want your firmware. I've done it before.
It used a very simple custom encryption for the time stuff and AES in ECB mode.
Protip: Ghidra does not emulate inherent CPU behavior of INDEX instructions, behavior not specified in ISA. I had to backport M32C instructions and patch M16C slaspec to emulate this behavior, caused by compiler bugs.
Overall it just seemed like the processor definition for Ghidra needed more work.
If you can identify the cycle where the security bits are being read, you can insert a runt pulse that is much faster than the NOR flash read time.
In the process I learned not only of M32C (backwards compatible with M16C processor module in Ghidra), but as I mentioned, certain compiler bugs (not following the ISA spec strictly) that it is more flexible despite what the M16/M32C software manual says. However this meant that emulation produced wrong results, and thus my patches to fix it and ultimate success.
I have opened a Ghidra support ticket, but I needed to provide proof that there is ISA behavior not described in the software manuals.