Breaking The Flash Encryption Feature Of Espressif’s Microcontrollers

Espressif’s ESP32 microcontrollers come with a Flash encryption feature that, when enabled, ensures that the data and code stored on the (usually external) Flash chip are encrypted with AES-256 (ESP32) or better (ESP32-C3, -C6). For the ESP32 this encryption feature has been shown to be vulnerable to side channel attacks (SCA), leading [courk] not only to replicate this result with a custom ESP Correlation Power Analysis (CPA) board (pictured) that captures the power usage of the MCU, but also to try his luck with the ESP32-C3 and ESP32-C6 parts, which should be tougher nuts to crack.

Whereas the ESP32 uses a fairly straightforward AES-256 encryption routine that, together with the exposed Flash communication lines on the QSPI bus, makes for a textbook SCA example, the ESP32-C3 ups the encryption to XTS-AES, which uses two 128-bit keys on the -C3 part (XTS-256). This particular MCU is still susceptible to the same CPA-based SCA; XTS makes it somewhat harder to attack than the ESP32, but by no means impossible.


Reverse-Engineering The ESP32’s WiFi Binary Blob With A Faraday Cage

The Faraday cage constructed by Jasper Devreker.

As part of a team reverse-engineering the binary blob driver for the ESP32’s WiFi feature at Ghent University, [Jasper Devreker] found himself faced with the need to better isolate the network packets coming from the ESP32-under-test. This is a tough call in today’s WiFi- and 2.4 GHz-flooded airwaves. To eliminate all this noise, [Jasper] had to build a Faraday cage, but ideally without racking up a massive invoice and/or relying on second-hand parts scavenged from eBay.

We previously reported on this reverse-engineering project, which has since seen an update. Although progress has been made, filtering out just the packets they were interested in was a big challenge. The solution was a Faraday cage, but on a tight budget.

Rather than relying on exotic power filters, [Jasper] put a battery inside a Faraday cage he constructed out of wood and conductive fabric. To get Ethernet data in and out, a fiber link was run inside a copper tube. Initial testing was done using a Raspberry Pi running usbip and a WiFi dongle. The Faraday cage provided enough attenuation that the dongle couldn’t pick up any external WiFi signals in listening mode.

The total cost of this build came down to a hair over €291, which makes it feasible for a lot of RF experiments by hobbyists and others. We wish [Jasper] and the rest of the team a lot of luck in figuring out the remaining secrets of Espressif’s binary WiFi blob using this new tool.

No DAC? Try PDM

Ever notice that the ESP32-S3 doesn’t have a digital-to-analog converter? [Chris] did and asserts that he doesn’t care because he can just use the PDM system to get the same result. PDM — pulse density modulation — is similar to PWM and, like PWM, requires a filter that could range from a simple RC network to an active filter. You can see the result in the video below.

There are several ways [Chris] could produce the output he wanted. PWM was one choice, and some example code uses a timer to do PDM. However, that is not very efficient. The other alternative is to use the I2S output. However, this does require a few workarounds.

In particular, the I2S output is always stereo and incorporates a clock output that isn’t needed for this application. [Chris] simply output the same value on both channels and routed the clock to some pins that are normally used for startup options. That means they can’t easily be used for your own inputs, but it’s OK to use them for unimportant outputs.
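To make the PDM idea concrete, here is an added example (not code from [Chris]’s project or from Espressif) of the simplest PDM modulator: a first-order sigma-delta accumulator that emits a 1 every time the running sum overflows, so the density of 1 bits equals the input level divided by 65536. It also shows the stereo trick from the article, packing the same 16 PDM bits into both the left and right slots of an I2S frame buffer, and simulates a single-pole RC low-pass to show the bit stream averaging back to the original level. The 16-bit word size, the buffer layout and the `alpha` filter coefficient are assumptions for the illustration, not hardware details from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <math.h>

/* First-order sigma-delta PDM modulator. The accumulator carries the
 * quantisation error forward so that the long-run density of 1 bits
 * equals level / 65536. Input levels are unsigned 16-bit samples. */
typedef struct {
    uint32_t acc;   /* error accumulator, intentionally kept modulo 2^16 */
} pdm_mod_t;

/* Produce one PDM bit for input `level` (0..65535). */
static inline int pdm_next_bit(pdm_mod_t *m, uint16_t level)
{
    uint32_t sum = m->acc + level;   /* add the input to the carried error */
    int bit = sum >= 65536u;         /* overflow -> emit a 1 */
    m->acc = sum & 0xFFFFu;          /* keep the remainder as new error */
    return bit;
}

/* Count the 1 bits produced over `nbits` samples at a constant level.
 * For a constant input this is simply floor-ish(level * nbits / 65536). */
size_t pdm_count_ones(uint16_t level, size_t nbits)
{
    pdm_mod_t m = {0};
    size_t ones = 0;
    for (size_t i = 0; i < nbits; i++)
        ones += (size_t)pdm_next_bit(&m, level);
    return ones;
}

/* Fill an interleaved stereo buffer (assumed layout: L, R, L, R, ...)
 * with 16-bit words of PDM bits, MSB first. The same word is written to
 * both channels, mirroring the article's trick of driving a mono PDM
 * signal out of an always-stereo I2S peripheral. Returns words written. */
size_t pdm_fill_stereo(pdm_mod_t *m, uint16_t level, uint16_t *buf, size_t nframes)
{
    for (size_t f = 0; f < nframes; f++) {
        uint16_t word = 0;
        for (int b = 0; b < 16; b++)
            word = (uint16_t)((word << 1) | (uint16_t)pdm_next_bit(m, level));
        buf[2 * f]     = word;   /* left slot  */
        buf[2 * f + 1] = word;   /* right slot */
    }
    return nframes * 2;
}

/* Simulate the RC low-pass the article says PDM needs: each bit is a
 * 0 V or 1 V step, v += alpha * (bit - v) with alpha = dt / (RC + dt).
 * Returns the filter output after `nbits` samples (in "volts", 0..1). */
double pdm_filtered_level(uint16_t level, size_t nbits, double alpha)
{
    pdm_mod_t m = {0};
    double v = 0.0;
    for (size_t i = 0; i < nbits; i++)
        v += alpha * ((double)pdm_next_bit(&m, level) - v);
    return v;
}

int main(void)
{
    uint16_t frames[4];          /* two stereo frames, constructed demo buffer */
    pdm_mod_t m = {0};
    pdm_fill_stereo(&m, 32768, frames, 2);
    printf("level 0x8000 -> I2S words: %04X %04X %04X %04X\n",
           frames[0], frames[1], frames[2], frames[3]);
    printf("ones in 64 bits at 25%%: %zu\n", pdm_count_ones(16384, 64));
    printf("RC-filtered output at 25%%: %.3f\n",
           pdm_filtered_level(16384, 4096, 0.01));
    return 0;
}
```

The accumulator trick is the same thing the timer-based example code does one bit per interrupt; handing the precomputed words to I2S DMA is what makes [Chris]’s approach cheap for the CPU, since the peripheral clocks the bits out on its own. The RC simulation also makes the trade-off visible: a smaller `alpha` (larger RC) gives less ripple but slower response.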

We always enjoy seeing solutions like this because they can give you ideas for your own projects. Of course, this won’t apply to every project where you need a DAC, but it still might give you some ideas.

We have looked at PDM before. You could also build your own DAC hardware.


Telescope Rides On 3D Printed Equatorial Table

In the realm of amateur astronomy, enthusiasts find themselves navigating a cosmos in perpetual motion. Planets revolve around stars, which, in turn, orbit within galaxies. But the Earth’s axial rotation, and the fact that its axis is tilted, is what tends to get in the way of viewing celestial bodies for any appreciable amount of time.

Amateur astronomy is filled with solutions to problems like these that don’t cost an arm and a leg, though, like this 3D printed equatorial table built by [aeropic]. An equatorial table is a device used to compensate for the Earth’s rotation, enabling telescopes to track celestial objects accurately. It aligns with the Earth’s axis, allowing the telescope to follow the apparent motion of stars and planets across the night sky.

Equatorial tables are specific to a location on the Earth, though, so [aeropic] designed this one to be usable for anyone between around 30° and 50° latitude. An OpenSCAD script generates the parts that are latitude-specific, which can then be 3D printed.

From there, the table is assembled, mounted on ball bearings, and powered by a small stepper motor controlled by an ESP32. The microcontroller allows a telescope, in this case a Newtonian SkyWatcher telescope, to track objects in the sky over long periods of time without any expensive commercially-available mounting systems.

Equatorial tables like these are indispensable for a number of reasons, such as long-exposure astrophotography, time-lapse imaging, gathering a large amount of observational detail for scientific purposes, or simply as an educational tool that allows more viewing of objects in the sky and less fussing with the telescope. They’re also comparatively low-cost, which is a major consideration in a hobby whose costs can get high quickly, but not even the telescope needs to be that expensive: a Dobsonian telescope can be put together fairly quickly, sometimes using off-the-shelf parts from IKEA.

Current-Based Side-Channel Attacks, Two Ways

Funny things can happen when a security researcher and an electronics engineer specializing in high-speed circuits get together. At least they did when [Limpkin] met [Roman], which resulted in two interesting hardware solutions for side-channel attacks.

As [Limpkin] relates it, the tale began when he shared an office with [Roman Korkikian], a security researcher looking into current-based attacks on the crypto engine inside ESP32s. The idea goes that by monitoring the current consumption of the processor during cryptographic operations, you can derive enough data to figure out how it works. It’s difficult to tease a useful signal from the noise, though, and [Roman]’s setup with long wire runs and a noisy current probe wasn’t helping at all. So [Limpkin] decided to pitch in.

The first board he designed was based on a balun, which he used to isolate the device under test from the amplification stage. He found a 1:8 balun, normally used to match impedances in RF circuits, and used its primary as a shunt resistance between the power supply — a CR1220 coin cell — and the DUT. The amplifier stage is a pair of low-noise RF amps; a variable attenuator was added between the amp stages on a second version of the board.

Board number two took a different tack; rather than use a balun, [Limpkin] chose a simple shunt resistor with a few twists. To measure the low-current signal on top of the ESP32’s baseline draw would require such a large shunt resistor that the microcontroller wouldn’t even boot, so he instead used an OPA855 wideband low-noise op-amp as an amplified shunt. The output of that stage goes through the same variable attenuator as the first board, and then to another OPA855 gain stage. The board is entirely battery-powered, relying on nice, quiet 18650s to power both the DUT and the shunt.

How well does it work? We’ll let you watch the talk below and make up your own mind, but since they’ve used these simple circuits to break a range of different chips, we’d say this approach is a winner.


Open Source DC UPS Keeps The Low-Voltage Gear Going

We all like to keep our network gear running during a power outage — trouble is, your standard consumer-grade uninterruptible power supply (UPS) tends to be overkill for routers and such. Their built-in outlet strips quickly get crowded with wall-warts, and why bother converting from DC to AC only to convert back again?

This common conundrum is the inspiration for [Walker]’s DC UPS design, which has some interesting features. First off, the design is open source, which of course invites tinkering and repurposing. The UPS is built for a 12 volt supply and load, but that obviously can be changed to suit your needs. The battery bank is a 4S3P design using 18650 cells, and that could be customized as well. There’s an ideal diode controller that prevents DC from back-feeding into the supply when the lights go out, and a really interesting synchronous buck-boost converter in place of the power management chip you’d normally see in a UPS. The converter chip takes a PWM signal from an RP2040; there’s also an ESP32 onboard for web server and UI duties as well as an STM32 to run the BMS. The video below discusses the design and shows a little of the build.

We’ve seen a spate of DC UPS designs lately, some more elaborate than others. This one has quite a few interesting chips that most of us don’t normally deal with, and it’s nice to see how they’re used in a practical design.


Bed Sensors Do More Than You’d Think

Bed sensors do sort of sound like a gimmick — after all, who cares whether someone is occupying the bed? But if you think about it, that information is quite useful from a home automation standpoint. A house could do all sorts of things in this state, from ensuring the overhead lights in the room can’t come on, to turning off other smart devices that are likely not being used while both occupants are sleeping.

[The Home Automation Guy] presents a couple of ways of doing this, but both center around a fairly inexpensive pressure-sensing mat.

In the first method, he connects the pressure mat up to a Zigbee Aqara Leak Sensor, which conveniently has two terminals on the back to accept the wires from the pressure sensor. Then he simply connects it up to a Zigbee-compatible home assistant like the Aqara Hub.

In slightly harder mode, he forgoes the Aqara Leak Sensor and connects the pressure mat up to an ESP32 using a nifty screw terminal dev board. Then he sets up the sensor and all the desired actions in ESPHome. Of course, with an ESP32, it’s easy to add a second pressure mat for [Mrs. The Home Automation Guy]’s side of the bed.

Now, once they’ve both gone off to bed, the house goes into night mode — all the smart plugs, Sonos devices, and other things are powered down, and the alarm system is put into night mode. Be sure to check out the build video after the break.
