
Tutorial A9 Bypassing LPC1114 Read Protect

564 bytes added, 08:05, 17 April 2018
Background on Code Read Protect
To help protect proprietary code from being dumped via a bootloader or a debugging interface, many microcontrollers include a mechanism that locks down the flash and prevents reads. On NXP's LPC1114, the boot sequence reads a value from flash, and different values correspond to different levels of protection. As the table below shows, there are 4 levels of read protection, and every other value represents an unlocked device. This makes the device a great target for glitching, as corrupting one bit from this read will unlock the device and give us full access. Since higher CRP levels are harder (or in the case of CRP level 3, "impossible") to remove, we'll be using the device in CRP level 1.
{| class="wikitable"
!Name
!Value in FLASH
!JTAG/SWD
!Serial Bootloader (ISP)
|-
|NO_ISP
|0x4E697370
|enabled
|disabled.
|-
|CRP1
|0x12345678
|disabled
|Subset of commands only available. Read memory disabled. Sector erase and mass erase possible (which also removes CRP).
|-
|CRP2
|0x87654321
|disabled
|Subset of commands only available. Read memory disabled. Mass erase only (which also removes CRP).
|-
|CRP3
|0x43218765
|disabled
|disabled. Claimed impossible to recover from since no reprogramming interface.
|-
|INVALID
|Any other Value
|enabled
|enabled.
|}
This was first published by Chris Gerlinsky at RECON Brussels. You can see his [ slides here] or [ watch his presentation here]. It was re-created by [ Dmitry Nedospasov on his blog], which has additional details and examples of how you can achieve this attack.
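The decode described by the table, as an added C example (not code from this tutorial or from NXP's boot ROM): it models the CRP word as four magic values with a fail-open default and counts how many single-bit corruptions of each protected value decode as fully unlocked. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* CRP words taken from the table above. */
#define CRP_NO_ISP 0x4E697370u
#define CRP_1      0x12345678u
#define CRP_2      0x87654321u
#define CRP_3      0x43218765u

typedef struct {
    const char *name;
    int swd_enabled; /* JTAG/SWD column of the table */
    int isp_read;    /* 1 only when ISP is fully enabled (memory reads allowed) */
} crp_state;         /* hypothetical type, for illustration only */

/* Decode a 32-bit CRP word as the table describes: four magic values,
   and every other value is treated as an unprotected device. */
crp_state crp_decode(uint32_t w)
{
    switch (w) {
    case CRP_NO_ISP: return (crp_state){"NO_ISP", 1, 0};
    case CRP_1:      return (crp_state){"CRP1", 0, 0};
    case CRP_2:      return (crp_state){"CRP2", 0, 0};
    case CRP_3:      return (crp_state){"CRP3", 0, 0};
    default:         return (crp_state){"INVALID", 1, 1};
    }
}

/* Count how many of the 32 single-bit corruptions of w decode to the
   fully unlocked INVALID state (debug enabled and ISP reads enabled). */
int single_bit_flips_that_unlock(uint32_t w)
{
    int n = 0;
    for (int bit = 0; bit < 32; bit++) {
        crp_state s = crp_decode(w ^ (1u << bit));
        if (s.swd_enabled && s.isp_read)
            n++;
    }
    return n;
}

int main(void)
{
    const uint32_t words[] = {CRP_NO_ISP, CRP_1, CRP_2, CRP_3};
    for (int i = 0; i < 4; i++)
        printf("%-7s 0x%08X: %d/32 single-bit flips unlock\n",
               crp_decode(words[i]).name, (unsigned)words[i],
               single_bit_flips_that_unlock(words[i]));
    return 0;
}
```

The four magic values all differ from each other by more than one bit, so every single-bit corruption of a protected word falls through to the default case.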