Renesas (formerly NEC) claims their XXXXX Series processors have no ability to read out their flash contents through the programming interface. Yet, we identified two methods to do exactly that - regardless of the protection settings used. Even after 40 years on the market, these chips are still used in actively marketed products, including consumer security products. In this talk, we will take you through our journey of identifying both these readout methods, and our approach of “reading between the lines” - as believe it or not, both our methods are more or less described in the datasheet, albeit in different terms. We will also be sharing tools and documentation to exploit these two vulnerabilities, and a disassembler for this processor family.
Mark Omo leads the engineering team at Marcus Engineering (but is not the Marcus in Marcus Eng. ); he is a former Googler and has a background in highly regulated systems design, Medical, Military, and consumer.
James Rowley is an engineer at Marcus Engineering, with over 5 years of experience in embedded systems development, both hardware and software, as well as reverse engineering such systems.