Mar 04, 2026 • Philippe Azalbert
Bypassing debug password protection on the RH850 family using fault injection
This blogpost explains how we bypassed the 16-byte password protection of the debug on several variants of the RH850 family using voltage fault injection.
Introduction

The RH850 family is a range of high-performance, high-reliability 32-bit microcontrollers from Renesas, dedicated to the automotive industry. These microcontrollers are the most common ones we have to work with in the various Electronic Control Units (ECUs) we audit at Quarkslab. Like other microcontrollers, they embed a debug access for development purposes, to flash new firmware or monitor its behavior. To ensure the firmware cannot be extracted or tampered with in production, the debug access can be disabled or locked using a 16-byte password.

Being able to bypass such a protection could be useful in any black-box assessment, in order to retrieve the firmware, reverse-engineer it and look for vulnerabilities. With the UNECE R155 regulation, it is also a common security goal we have to verify, to ensure an attacker will not be able to alter the firmware. To enhance our audit capabilities for the automotive industry, we studied whether, using fault injection, we could reliably bypass the 16-byte password protection known as IDCODE, so as to perform such an attack during any assessment when needed.

State-of-the-art

Two previous research studies demonstrated that fault injection attacks are effective in bypassing debug protection on two families of Renesas microcontrollers. The first one, by Franck Jullien, focused on the RX65 series: he was able to use voltage fault injection to bypass the debug password on an RX architecture. In 2022, Willem Melching documented in his blog how he managed to exploit a disabled debug access of an RH850/P1M-E, also using voltage fault injection. Both articles describe Renesas' proprietary debug protocol, which supports 1-wire and 2-wire UART interfaces.
When the debug access is locked using a password, the unlock sequence is the following, as described in the RX65N Group, RX651 Group User's Manual: Hardware. The debug probe starts an initialization sequence, sending about ten 0x00 bytes on the UART interface. If the RH850 was properly started in programming mode, with pin FLMD0 set to 1, it replies with a 0x00. The debugger then sends a connect command, 0x55, and expects the response 0xC1. Several messages are then exchanged to set the expected CPU and UART speed. Once done, the debugger sends a SYNC command. Depending on the configuration, the RH850 replies that debug access is granted, password protected, or prohibited.

This implementation is interesting from a security point of view: even with a deactivated debug access, the initialization of the debug sequence is still allowed, which provides observable information that can be used to carry out an attack. Having several ECUs lying on our lab's shelves, we wondered if we could also bypass the RH850's other debug protection, the password, using fault injection.

What is fault injection?

Fault injection is the art of generating glitches that put a microcontroller outside its expected operating conditions in order to alter its intended behavior. Some glitches generate faults that can be exploited, depending on their effect. Several methods exist to inject a glitch, the most common being clock glitching, voltage glitching, electromagnetic pulse injection and laser injection. A common belief is that fault injection's main effect is to skip instructions. While that is what can be observed, at the hardware level the fault flips one or several bits in memory or on an internal bus, during OTP reading, instruction fetching, and so on. For example, let's look at a basic ARM instruction, mov r1, #0x03, which is encoded as 0x03 0x10 0xa0 0xe3 in little-endian. If a fault flips the 15th bit during the fetch or execution of the instruction, it becomes mov r3, #0x03 (0x03 0x30 0xa0 0xe3).
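To make this bit-flip fault model concrete, here is an added example (not code from the original post) that decodes the mov r1, #0x03 word above, flips each of its 32 bits in turn and reports what the faulted word would decode to: the flip that turns the byte 0x10 into 0x30 gives the mov r3, #0x03 from the text, while other flips change the immediate, the S bit, the opcode or the condition instead. The decoder handles the whole ARM data-processing immediate encoding, not only MOV, so it goes slightly beyond the single case in the text.

```python
"""Single-bit fault simulation on an ARM (A32) data-processing immediate
instruction. Added example, not code from the original post: it flips each
bit of the post's mov r1, #0x03 and reports what the faulted word decodes to."""
from typing import Optional

# The instruction from the post, as fetched from little-endian memory.
MOV_R1_3 = bytes.fromhex("0310a0e3")
# Data-processing opcodes, indexed by bits 24..21 of the instruction word.
OPCODES = ["and", "eor", "sub", "rsb", "add", "adc", "sbc", "rsc",
           "tst", "teq", "cmp", "cmn", "orr", "mov", "bic", "mvn"]

def decode_dp_imm(word: int) -> Optional[str]:
    """Decode a 32-bit ARM word if it is an unconditional (AL) data-processing
    instruction with an immediate operand; return assembly text, else None."""
    if word >> 28 != 0xE or (word >> 25) & 0b111 != 0b001:
        return None                       # not AL, or not the immediate form
    opcode = OPCODES[(word >> 21) & 0xF]
    s = "s" if (word >> 20) & 1 else ""   # S bit: also update condition flags
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    rot, imm8 = 2 * ((word >> 8) & 0xF), word & 0xFF
    imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF  # rotate right
    if opcode in ("mov", "mvn"):          # Rn is unused for MOV/MVN
        return f"{opcode}{s} r{rd}, #{imm:#x}"
    if opcode in ("tst", "teq", "cmp", "cmn"):  # flag-setting compares: no Rd
        return f"{opcode} r{rn}, #{imm:#x}"
    return f"{opcode}{s} r{rd}, r{rn}, #{imm:#x}"

def flip_bit(insn: bytes, bit: int) -> bytes:
    """Return the little-endian instruction with bit `bit` (0 = LSB) flipped."""
    word = int.from_bytes(insn, "little") ^ (1 << bit)
    return word.to_bytes(4, "little")

def fault_table(insn: bytes) -> dict:
    """Map each bit position 0..31 to the decoding of the instruction with that
    single bit flipped (None when the result no longer fits this encoding)."""
    return {b: decode_dp_imm(int.from_bytes(flip_bit(insn, b), "little"))
            for b in range(32)}

if __name__ == "__main__":
    print("original:", decode_dp_imm(int.from_bytes(MOV_R1_3, "little")))
    for bit, asm in fault_table(MOV_R1_3).items():
        print(f"bit {bit:2d}: {flip_bit(MOV_R1_3, bit).hex()} -> {asm or '(other encoding)'}")
```

Running it shows that only a handful of the 32 possible flips leave a MOV to r1 with the same immediate; most of them silently change which register is written, which value is written, or whether the word is still a valid instruction at all.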
Depending on the instruction's logic, an unexpected value in register r1 may change the execution path, which looks like an instruction being skipped.

Fault injection technique used

For this study, we worked with a crowbar voltage glitch attack. Voltage glitching is performed by underpowering or overpowering the chip for a controlled amount of time to alter its behavior. The crowbar attack is a specific type of voltage glitch where the power supply is shorted to ground, using a MOSFET for example, instead of injecting a specific voltage. On a very basic microcontroller, the voltage glitch can be applied to any power input pin, commonly named VCC. However, many chips have one or several pins tied to the internal regulator for connecting external capacitors, commonly labeled VCAP or VREG. Targeting these pins is often more effective, as the attack then affects the internal regulator, giving better results. Removing the capacitors connected to VCAP and VCC improves results and requires shorter glitches, but is not always mandatory, depending on the setup. Setting the input power to the lowest voltage at which the chip still runs, such as 2.3V, made it possible to generate...