Zero Day in Microchip SAM Microcontrollers
Published on: 2025-05-17 12:48:35
Bypassing Lock - Microchip/Atmel SAM4C32
Hash Salehi
Introduction
This write-up covers analysis of a vulnerability in the Microchip (ATMEL) SAM4C32 microcontroller that allows an attacker to gain unlocked JTAG access to a previously locked device. The attack appears to affect many devices (though not all) in the SAM family. It was discovered that essentially the same attack performed by 0x01 Team on the SAM E70/S70/V70/V71 works on many SAM processors. What's novel about this write-up is the identification of the Reset pin as a side channel.
While the attack method used was voltage fault injection, I believe EMFI (electromagnetic fault injection) could also be a viable method to bypass security. EMFI generally permits attacks without the need to remove all the capacitors on the power rail. This is helpful when attacking devices where you don't want to alter the target board.
Why attack the SAM4C32?
The SAM4C32 is used in this Landis+Gyr Generation 5 smart meter. I have a long histor