Breaking the Flash Encryption Feature of Espressif’s Parts

Posted on Mon 08 January 2024 in Projects • Tagged with Reverse Engineering, Electronics, FPGA, Cryptography

I recently read the paper "Unlimited Results: Breaking Firmware Encryption of ESP32-V3".

This paper is about breaking the firmware encryption feature of the ESP32 SoC using a side-channel attack.

This was an interesting read, and soon, I wanted to try to reproduce these results with the following constraints:

  • To understand everything about this attack, I wanted to start from scratch, even if it meant sometimes reinventing the wheel.
  • I wanted to keep things low-cost. This means no five-figure digital oscilloscope could be used, as is sometimes the case for such attacks.

A few weeks later, not only have I been able to reproduce the paper’s results regarding the ESP32, but I have also:

  • Mounted a similar attack against the ESP32-C3 and ESP32-C6.
  • Mounted a secure boot bypass attack based on voltage glitches for both the ESP32-C3 and ESP32-C6.

The first article will detail the side-channel attacks, starting from the basics. A second one will focus on Secure Boot bypass techniques.
