I recently read the Unlimited Results: Breaking Firmware Encryption of ESP32-V3 paper. This paper is about breaking the firmware encryption feature of the ESP32 SoC using a Side-Channel attack. This was an interesting read, and soon, I wanted to try to reproduce these results with the following constraints: To understand everything about this attack, I wanted to start from scratch, even if it meant sometimes reinventing the wheel. I wanted to keep things low-cost. This means no five-figure digital oscilloscope could be used, as it’s sometimes the case for such attacks. A few weeks later, not only have I been able to reproduce the paper’s results regarding the ESP32, but I have also: Mounted a similar attack against the ESP32-C3 and ESP32-C6. Mounted a secure boot bypass attack based on voltage glitches for both the ESP32-C3 and ESP32-C6. The first article will detail the side-channel attacks, starting from the basics. A second one will focus on Secure Boot bypass techniques.
Love the cartridge board design he uses. Cool article.