ESP32 Flash Encryption and Sec. Boot Keys Extraction #ESP32 #Encryption #PWN @LimitedResults

Yikes! The LimtedResults blog discusses a persistent exploit, bypassing the Secure Boot and the Flash Encryption on an ESP32 board.

In this report, I disclose a full readout of protected E-Fuses storing two secret keys, one used for Flash Encryption (BLK1) and the other for the Secure Boot (BLK2).

This attack cannot be patched by the vendor on existing devices. It’s a FOREVER pwn.

Espressif and I decided to go to Responsible Disclosure for this vulnerability (CVE-2019-17391).

The conclusion:

The ESP32 platform, set in Full Secure mode (Flash Encryption + Secure Boot), is the target of this investigation. It is the maximum security level recommended by Espressif.

Using voltage glitching to modify the Read Protection Values of the E-Fuses Controller, a full Readout of Flash Encryption Key (FEK) and Secure Boot Key (SBK) has been achieved.

This FATAL exploit allows an attacker to decrypt an encrypted firmware because they now possess the AES Flash Encryption Key.

Worst case scenario, one is able to forge their own valid firmware (using the Secure Boot Key) then encrypt it (using the Flash Encryption Key) to replace the original firmware PERMANENTLY.

There is no way to patch this without a hardware revision.

Due to the low-complexity, this attack can be reproduced on the field easily. In their opinion, a proficient hacker can reproduce this attack in less than one day and with less than $1000 in equipment.

See the full post with a description and exploitation code here.


As 2022 starts, let’s take some time to share our goals for CircuitPython in 2022. Just like past years (full summary 2019, 2020, and 2021), we’d like everyone in the CircuitPython community to contribute by posting their thoughts to some public place on the Internet. Here are a few ways to post: a video on YouTub, a post on the CircuitPython forum, a blog post on your site, a series of Tweets, a Gist on GitHub. We want to hear from you. When you post, please add #CircuitPython2022 and email circuitpython2022@adafruit.com to let us know about your post so we can blog it up here.

Stop breadboarding and soldering – start making immediately! Adafruit’s Circuit Playground is jam-packed with LEDs, sensors, buttons, alligator clip pads and more. Build projects with Circuit Playground in a few minutes with the drag-and-drop MakeCode programming site, learn computer science using the CS Discoveries class on code.org, jump into CircuitPython to learn Python and hardware together, TinyGO, or even use the Arduino IDE. Circuit Playground Express is the newest and best Circuit Playground board, with support for CircuitPython, MakeCode, and Arduino. It has a powerful processor, 10 NeoPixels, mini speaker, InfraRed receive and transmit, two buttons, a switch, 14 alligator clip pads, and lots of sensors: capacitive touch, IR proximity, temperature, light, motion and sound. A whole wide world of electronics and coding is waiting for you, and it fits in the palm of your hand.

Join 32,000+ makers on Adafruit’s Discord channels and be part of the community! http://adafru.it/discord

Have an amazing project to share? The Electronics Show and Tell is every Wednesday at 7pm ET! To join, head over to YouTube and check out the show’s live chat – we’ll post the link there.

Join us every Wednesday night at 8pm ET for Ask an Engineer!

Follow Adafruit on Instagram for top secret new products, behinds the scenes and more https://www.instagram.com/adafruit/

CircuitPython – The easiest way to program microcontrollers – CircuitPython.org


Maker Business — Pololu’s account of the chip shortage

Wearables — Monster-inspired costuming!

Electronics — How to make your own magnetic field probe!

Python for Microcontrollers — Python on Microcontrollers Newsletter: New Releases of MicroPython and CircuitPython and more! #Python #CircuitPython @micropython @ThePSF

Adafruit IoT Monthly — 2021 in Recap!

Microsoft MakeCode — MakeCode Thank You!

EYE on NPI — Maxim’s Himalaya uSLIC Step-Down Power Module #EyeOnNPI @maximintegrated @digikey

New Products – Adafruit Industries – Makers, hackers, artists, designers and engineers! — New Products 1/19/22 Feat. Adafruit 7-Segment LED Matrix Backpack – STEMMA QT / qwiic!

Get the only spam-free daily newsletter about wearables, running a "maker business", electronic tips and more! Subscribe at AdafruitDaily.com !



No Comments

No comments yet.

Sorry, the comment form is closed at this time.