I don't know why you are being downvoted. I also clicked on the link expecting another article on exploits being found on cycling gear. Last week I posted one about Shimano. The top comment was a joke about SRAM.
DRAM is not a safe place to store your secrets due to cold boots, so it gets stored in SRAM (which includes registers and L1/L2 cache) instead.
Buuuuut, you might be able to dump SRAM across boots with this technique.
If I understand correctly: SRAM/cache/registers all require a lower voltage to maintain their state than the cpu requires to run.
So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else. I guess they’re either not cross-connected internally or the choice of voltage stops that from being a problem. Just don’t let your voltage sag lower than required to maintain the SRAM.
Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
> Our experiments across various devices reveal that hardware SRAM resets during boot are uncommon. Most boot with undefined SRAM states, persisting until overwritten by software.
> Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
If you care about security, you'd be disabling these. Every product I've worked on disables JTAG and other debug features on production boards and enables secure boot.
This looks like another extremely obscure attack vector which is largely leveraged only to secure devices against their rightful owners.
Physical access to these devices leads to a wide range of security exploits
Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps. Valid exceptions to this level of paranoia are state secrets and other military-adjacent applications.
8 comments
[ 4.8 ms ] story [ 38.0 ms ] thread[0] https://www.youtube.com/watch?v=Tsk3zAZyLaQ
and I'm in the same boat. Or bike, as it were, what with hours of watching the Tour this month.
https://news.ycombinator.com/item?id=44614837
Layman’s article: https://cacm.acm.org/research-highlights/technical-perspecti...
Also seems like ACM republished the author’s paper from 2022? https://dl.acm.org/doi/pdf/10.1145/3503222.3507710
My summary:
DRAM is not a safe place to store your secrets due to cold boots, so it gets stored in SRAM (which includes registers and L1/L2 cache) instead.
Buuuuut, you might be able to dump SRAM across boots with this technique.
If I understand correctly: SRAM/cache/registers all require a lower voltage to maintain their state than the cpu requires to run.
So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else. I guess they’re either not cross-connected internally or the choice of voltage stops that from being a problem. Just don’t let your voltage sag lower than required to maintain the SRAM.
Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
> Our experiments across various devices reveal that hardware SRAM resets during boot are uncommon. Most boot with undefined SRAM states, persisting until overwritten by software.
Oops.
If you care about security, you'd be disabling these. Every product I've worked on disables JTAG and other debug features on production boards and enables secure boot.
Physical access to these devices leads to a wide range of security exploits
Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps. Valid exceptions to this level of paranoia are state secrets and other military-adjacent applications.