In a technical paper released today, Duo Labs details research into two personal protection devices based on ARM Cortex M microcontrollers. Tools and techniques are shared, and a novel bypass affecting readback protection in one microcontroller is shown.
The explosion of the Internet of Things in recent years has resulted in the proliferation of microcontrollers into devices that impact many aspects of our daily lives. One such area Duo Labs investigated recently is the personal protection device category of consumer devices. These devices present wearers with a simpler way to more easily notify personal contacts during their daily lives. These notifications can represent a check-in to let people know, “I’m doing ok,” or to notify those contacts, “I’m in trouble and need help.” The personal protection device endeavors to let a wearer do this in a way that doesn’t require retrieving, unlocking, and operating a phone. Now, discrete devices can enable this process faster and simpler.
Duo Labs researchers recently examined two personal protection devices based on ARM Cortex M microcontrollers. The two devices presented in the accompanying paper are the Revolar Instinct and the Athena by ROAR for Good. This paper describes a methodology for retrieving device firmware, and for loading firmware into IDA Pro, a common disassembler. This paper focuses on the disassembly of this firmware, and the discussion of a novel approach to defeating readback protection discovered in one ARM Cortex M implementation.
During the course of this research, I developed code for IDA Pro to assist in loading and grooming Cortex M firmware images. The IDAPython code is comprised of two modules. The first module annotates Cortex M vector tables, which gives IDA Pro hints about where code exists in the firmware image. The Cortex M module can automatically annotate firmware with a vector table located at the start of a firmware image, or can be tailored by the end user to work with relocated tables.
The second module, called Amnesia, uses byte-level heuristics to detect ARM instructions in the firmware. Amnesia also contains heuristics that operate at the ARM instruction level to determine function boundaries based on common ARM function prologues and epilogues.
This code has been released on the Duo Labs Github, and its use is detailed in the accompanying paper.