Update on my firmware extraction: (tl;dr: not good)
I spent most of this weekend on the Fraunhofer 3.3 Debug Exploit attack.
- It should work on a locked F051 (but I stupidly only ordered 1)
- It works on an unlocked F103
- It does not work on a locked F103
Working on an unlocked F103 is actually not as trivial as you may think:
The attack works by reading one byte per reset cycle, in a race condition with the flash lockdown. You can extract the exact same one byte with the exact same method if the flash is not locking down (you simply always win the race). And this shows that the cabling is good and your commands work, etc.
Also, due to the UART debugging and porting attempt (see below), I feel I am now getting a quite good understanding of the code and the attack (definitely more than from just watching the PowerPoint and video).
For example, this is how I learned of yet another structural difference: unlike the F051, on the F103 the SWD (single wire debug) shares its pins with JTAG and you need to send a special bit-train to disable JTAG first. It is not impossible that this bit-train is pre-warning the debug lockdown, thus slowing us down enough that we always lose the SWD race. But as mentioned in the previous post, it could also be that the F1 family uses a different internal lockdown logic altogether, as witnessed by the fact that it does not have an RDP-2 level.
Interestingly, the Fraunhofer code already had code to switch the GPIO pin from JTAG to SWD, but it was commented out. This shows that they too had been testing somewhat seriously on the F1 family. Not sure though if they corrected the timing for a 72MHz bus rather than a 48MHz one.
The reason I ordered only one F051 is that I naively thought I could run the extraction code on a blue-pill F103 with my F051 as the target.
So I learned the F0 and F1 are *really* different. Even GPIO programming uses completely different methods, and porting the code is a drag.
I will order a 2nd F051 though. But to be honest, only for the learning of it, and maybe because I want to be able to say I did actually extract code, not just do armchair research. But given the huge differences between F0 and F1, I have no real belief in success anymore.
---
Additional rant: I spent half the weekend fighting the wrong enemy. Turns out I had a USB-RS232-TTL cable that "somewhat" worked, enough to make me think it worked (typing; test transfers), but which nonetheless worked erratically when driven by the F051. And no, it was not an Xon/Xoff thing. It's now cut into a thousand pieces in the bin so I never accidentally use it again.