Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.
This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.
The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.
The nitty-gritty on the ROP (return oriented programming) tricks that [Dmitry] had to pull, and a good look into the design of the system itself, are all up on [Dmitry]’s blog. We can’t wait to see what other buried treasure he’s going to find as he continues to play around with these chips. And in case you’re wondering what type of mad genius it takes to pull this off, consider that [Dmitry] runs Linux on AVRs, fools nRF24 chips into transmitting Bluetooth LE beacons, and re-writes his own airplane’s GPS.
[Main image is a PSoC4200 dev kit, and [Dmitry] has only been working with the 4000 and 4100 series. Just so you know.]