Exploiting Undocumented Hardware Blocks in the LPC55S69

A write up of the LPC55S69 ROM Patch.

Laura Abbott
14 min read · Beginner

Overview

The article discusses the discovery of an undocumented hardware block in the NXP LPC55S69 ROM that poses a security vulnerability, allowing unprivileged user code to modify trusted APIs. It emphasizes the importance of transparency and auditing in hardware security, particularly in the context of secure boot processes.

What You'll Learn

1. How to identify and mitigate vulnerabilities in undocumented hardware blocks
2. Why transparency in firmware and hardware documentation is crucial for security
3. How to use the ROM patcher in the NXP LPC55S69 for modifying ROM content

Prerequisites & Requirements

  • Understanding of secure boot processes and hardware security concepts
  • Familiarity with reverse engineering tools like Ghidra (optional)

Key Questions Answered

What is the security vulnerability found in the NXP LPC55S69?
The vulnerability allows unprivileged user code to access an undocumented hardware block that can modify trusted APIs in the ROM, potentially enabling attackers to hijack execution and bypass security boundaries. This issue is documented as CVE-2021-31532.
How does the ROM patcher in the LPC55S69 work?
The ROM patcher is a hardware block that allows modification of up to sixteen 32-bit words in the ROM. It can replace values or redirect execution to attacker-controlled addresses, which poses a risk to the integrity of the secure boot process.
What steps can be taken to mitigate the vulnerabilities associated with the ROM patcher?
Mitigations include using the memory protection unit (MPU) to restrict access to the ROM patcher and ensuring that the ROM patcher is not included in the allowed memory regions. This prevents unauthorized modifications to the ROM.
Why is transparency important in hardware security?
Transparency allows for better auditing and understanding of security components. The lack of documentation for the NXP LPC55S69 ROM hindered early detection of vulnerabilities, highlighting the need for open access to hardware specifications.

Technologies & Tools

Hardware
NXP LPC55S69
Used as a candidate for hardware root of trust in Oxide's computer system.
Software
Ghidra
Used for reverse engineering the undocumented ROM code.

Key Actionable Insights

1. Conduct thorough audits of undocumented hardware components to identify potential vulnerabilities.
   This approach can prevent security issues similar to CVE-2021-31532 from going unnoticed, ensuring that all aspects of the hardware are scrutinized for security flaws.
2. Implement a robust memory protection strategy to safeguard against unauthorized access to critical hardware features.
   Using the memory protection unit (MPU) can significantly reduce the risk of privilege escalation attacks by limiting access to sensitive areas of memory.
3. Advocate for open documentation of firmware and hardware to enhance security through community scrutiny.
   Open access to documentation allows developers and security researchers to identify and address vulnerabilities more effectively, fostering a more secure ecosystem.

Common Pitfalls

1. Assuming that undocumented code is secure can lead to significant vulnerabilities.
   This assumption can result in overlooking critical security flaws, as demonstrated by the discovery of the ROM patcher vulnerability in the LPC55S69.

Related Concepts

Secure Boot Processes
Hardware Root Of Trust
Reverse Engineering Techniques