I recently read the Unlimited Results: Breaking Firmware Encryption of ESP32-V3 paper.
This was an interesting read, and soon, I wanted to try to reproduce these results with the following constraints:
- To understand everything about this attack, I wanted to start from scratch, even if it meant sometimes reinventing the wheel.
- I wanted to keep things low-cost. This means no five-figure digital oscilloscope could be used, as it’s sometimes the case for such attacks.
A few weeks later, not only have I been able to reproduce the paper’s results regarding the
ESP32, but I have also:
- Mounted a similar attack against the
- Mounted a secure boot bypass attack based on voltage glitches for both the
The first article will detail the side-channel attacks, starting from the basics. A second one will focus on Secure Boot bypass techniques.