This looks like another extremely obscure attack vector which is largely leveraged only to secure devices against their rightful owners.
SRAM Has No Chill: Exploiting Power Domain Separation to Steal On-Chip Secrets
(cacm.acm.org) 35 points by zdw 14 hours ago | 18 comments
Comments
Layman’s article: https://cacm.acm.org/research-highlights/technical-perspecti...
Also, it seems ACM republished the authors' paper from 2022? https://dl.acm.org/doi/pdf/10.1145/3503222.3507710
My summary:
DRAM is not a safe place to store your secrets due to cold boots, so it gets stored in SRAM (which includes registers and L1/L2 cache) instead.
Buuuuut, you might be able to dump SRAM across boots with this technique.
If I understand correctly: SRAM/cache/registers all require a lower voltage to maintain their state than the CPU requires to run.
So attach that intermediate voltage on the VCC pin closest to/running the SRAM and pull the plug on everything else. I guess they’re either not cross-connected internally or the choice of voltage stops that from being a problem. Just don’t let your voltage sag lower than required to maintain the SRAM.
Now your cache/registers/SRAM are maintained. Power up with JTAG or a custom/debugging bootrom/mode that hopefully doesn’t overwrite much/any and dump away.
> Our experiments across various devices reveal that hardware SRAM resets during boot are uncommon. Most boot with undefined SRAM states, persisting until overwritten by software.
Oops.
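The sequence the summary above describes, as an added host-side model that is not code from the paper or from the commenter: a firmware parks a key in an SRAM bank, the SRAM power domain is held at retention voltage while the rest of the chip is cut, the chip is booted by a ROM that does not clear SRAM, and the resulting image is scanned for key material. The `sram` buffer, the `SECRET_KEY` bytes, the 0x40-byte "early init" footprint and the bit-flip model of an imperfect voltage hold are all constructed for the example; the real retention behaviour is whatever the paper measured, not this model. The contrast between `boot_without_scrub` (what the quoted experiments call the common case) and `boot_with_scrub` (a software mitigation) is the point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one on-chip SRAM bank. On a real target this is the
 * linker-defined region (e.g. _sram_start.._sram_end); a host buffer keeps the
 * example runnable. */
#define SRAM_SIZE 4096u
static uint8_t sram[SRAM_SIZE];

/* Hypothetical key that firmware keeps in SRAM to stay out of DRAM. The 32 byte
 * values are distinct and non-zero so the diversity scan below has a known answer. */
#define KEY_OFFSET 0x100u
#define KEY_LEN 32u
static const uint8_t SECRET_KEY[KEY_LEN] = {
    0x3a,0x7f,0xc2,0x19,0xe4,0x51,0x8d,0xb6, 0x2e,0x93,0x67,0xd8,0x0c,0xf1,0x45,0xaa,
    0x5b,0xce,0x12,0x84,0xf7,0x39,0x6d,0xa0, 0xd3,0x28,0x9e,0x71,0xbc,0x06,0xe9,0x4f };

const uint8_t *sram_image(void) { return sram; }

/* Firmware at runtime: the key lives in SRAM while the device is powered. */
void firmware_store_key(void) { memcpy(sram + KEY_OFFSET, SECRET_KEY, KEY_LEN); }

/* The attack's power step: the SRAM domain is held at its retention voltage while
 * everything else is unpowered, so the array keeps its contents. flip_every_n_bits
 * > 0 models an imperfect hold (voltage sag) by flipping one bit in every n;
 * 0 models a clean hold. Constructed model, not measured data. */
void hold_sram_domain_only(unsigned flip_every_n_bits) {
    if (flip_every_n_bits == 0) return;
    for (size_t bit = 0; bit < SRAM_SIZE * 8u; bit += flip_every_n_bits)
        sram[bit / 8u] ^= (uint8_t)(1u << (bit % 8u));
}

/* Boot path A: the case the quoted experiments found typical. Hardware does not
 * reset SRAM and early software only touches what it needs (here the bottom 0x40
 * bytes, standing in for the initial stack and .bss). The rest stays "undefined",
 * i.e. whatever was there before the reset. */
void boot_without_scrub(void) { memset(sram, 0, 0x40); }

/* Boot path B: mitigation at the very start of the reset handler, before .data/.bss
 * are set up. volatile stores stop the compiler from deleting the loop as a dead
 * store to memory that is "about to be overwritten anyway". In real firmware this
 * loop sits in the reset handler's assembly prologue so it cannot clobber its own
 * stack frame. */
void boot_with_scrub(void) {
    volatile uint8_t *p = sram;
    for (size_t i = 0; i < SRAM_SIZE; i++) p[i] = 0;
    memset(sram, 0, 0x40); /* then the normal early init */
}

/* Attacker side: distinct byte values in a window of a dumped image. Key material
 * scores high, zeroed or code/data regions score low. A cheap stand-in for Shannon
 * entropy that needs no libm. */
unsigned byte_diversity(const uint8_t *buf, size_t len) {
    bool seen[256] = {0};
    unsigned n = 0;
    for (size_t i = 0; i < len; i++)
        if (!seen[buf[i]]) { seen[buf[i]] = true; n++; }
    return n;
}

/* Scan a dump in windows of `win` bytes (stride win/2) and return the offset of the
 * first window whose diversity reaches `threshold`, or -1 if none. */
long find_key_candidate(const uint8_t *dump, size_t len, size_t win, unsigned threshold) {
    if (win == 0 || len < win) return -1;
    size_t stride = win / 2 ? win / 2 : 1;
    for (size_t off = 0; off + win <= len; off += stride)
        if (byte_diversity(dump + off, win) >= threshold) return (long)off;
    return -1;
}

/* Fraction of the original key's bits still readable at its old location. */
double key_bit_retention(const uint8_t *dump) {
    unsigned same = 0;
    for (size_t i = 0; i < KEY_LEN; i++) {
        uint8_t diff = dump[KEY_OFFSET + i] ^ SECRET_KEY[i];
        for (unsigned b = 0; b < 8; b++) if (!((diff >> b) & 1u)) same++;
    }
    return (double)same / (KEY_LEN * 8.0);
}

/* One scenario end to end: run, hold the SRAM domain, reboot, dump, scan.
 * Returns the offset of the first key-looking window, or -1. */
long run_scenario(bool scrub, unsigned sag_flip_every_n_bits) {
    memset(sram, 0, SRAM_SIZE);
    firmware_store_key();
    hold_sram_domain_only(sag_flip_every_n_bits);
    if (scrub) boot_with_scrub(); else boot_without_scrub();
    return find_key_candidate(sram, SRAM_SIZE, KEY_LEN, 24);
}

int main(void) {
    long a = run_scenario(false, 0);
    printf("no scrub, clean hold : candidate at %ld, retention %.3f\n", a, key_bit_retention(sram));
    long b = run_scenario(false, 64);
    printf("no scrub, sagging    : candidate at %ld, retention %.3f\n", b, key_bit_retention(sram));
    long c = run_scenario(true, 0);
    printf("scrub in reset path  : candidate at %ld, retention %.3f\n", c, key_bit_retention(sram));
    return 0;
}
```

On a real target the `sram` buffer is replaced by a JTAG dump taken right after the power-domain hold, e.g. with OpenOCD's `reset halt` followed by `dump_image <file> <addr> <size>`, so that the firmware never runs before the read. That is also the caveat for `boot_with_scrub`: a scrub in the firmware's reset path only helps if the firmware is what runs next. If the attacker can boot into a debug mode or a ROM that does not execute it, the software scrub never happens, which is why the quoted finding about hardware SRAM resets being uncommon matters more than any firmware-side fix.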
Physical access to these devices leads to a wide range of security exploits
Physical ownership = real ownership. That's how it's always been and should've stayed that way, if it weren't for the greedy megacorps. Valid exceptions to this level of paranoia are state secrets and other military-adjacent applications.
[0] https://www.youtube.com/watch?v=Tsk3zAZyLaQ