# Durablow SH3002-RH John Fitzgerald

### Introduction

- John Fitzgerald, Massachusetts
- Hardware hacker
- Software hacker
- Reverse engineer
- Circuit designer
- Sails boats, builds mini boats, and fixes old motors, among many other hobbies

https://johnfitz.me/







### SH3002-RH basic design

- Simple device designed to toggle a fireplace blower fan
- It uses a relay to accomplish this task
- Communicates over WiFi/BLE and a remote
- Use your phone with the application to heat your home
  - WAN or LAN

### Device setup

- Download Smart Life App
  - Register account and sign up
  - App is pretty basic, reverse engineering the android app yielded some interesting information
- Three ways to add the device
  - $\circ$  The device wants to connect to WiFi/cloud, so you need to give it credentials to your AP
  - Auto scan mode uses Bluetooth? to detect device from app then gives it credentials
  - Manual AP connect to the AP setup by the tuya module and send it credentials that way
  - Add manually Bluetooth find the bluetooth device and then give it credentials to your AP

### Board overview and layout



### Research on WiFi/Bluetooth

I first sniffed packets by ARP poisoning the device. A few things were discovered...

- LAN packets for on/off have same encrypted data body, but different header and some form of a hash
- TLS communicate with the tuya backend is made with a pre-shared key (weak)

As for Bluetooth, I did not look much into this. I quickly replayed some things over Ubertooth but no luck. Did not look further as I wanted to do other things.

I looked at the Android App for a bit and discovered some secret values used for generating an HMAC key used in signatures of some data packets? (the LAN packets? cloud backend?)

### What about the remote?

I theorize the security for the remote control is sub-optimal. I did not end up taking my LimeSDR to it, but it would be an interesting demonstration. If it does implement some rolling code or other basic checksum/crypto, it may be fun to try to crack.



### The plan

I can probably do something over WiFi/Bluetooth/RF, but I wanted to demonstrate some some hardware vectors. It seemed the App over LAN sent packets to the device with a poor HMAC based replay protection/auth mechanism. The key for data encryption was not rolling either and so the packet body at least could be replayed. But I did not look into this much more...

After I undermine the hardware "security" and dump the firmware, I can find bugs or look into software side of things more later (i.e. .... App for iOS/Android or the firmware for the Tuya app, or other MCU firmwares).

### Tuya module

WBR1 is a low-power embedded Wi-Fi and Bluetooth module that Tuva has developed. It consists of a highly integrated RF chip (RTL8720CF) with an embedded Wi-Fi network protocol stack and robust library functions. WBR1 also contains a low-power KM4 multipoint control unit (MCU), WLAN MAC, 1T1R WLAN, 256 KB static random-access memory (SRAM), and 2 MB flash memory, and has extensive peripherals.

WBR1 is an RTOS platform that integrates all function libraries of the Wi-Fi MAC and TCP/IP protocols. You can develop embedded Wi-Fi products as required.



Figure 1-1 shows the WBR1 architecture.

### 14. 14.1. Application scenario

The Ameba-Z II series security engine provides low SW computing and high performance cryptographic operation (such as authentication, encryption and decryption). In other words, it's more secure, faster and saves more CPU and Memory resources than software cryptographic operation.

Ameba-Z II Data Sheet

### 14.2. Feature list

REALTEK

Supported authentication algorithms:

**Security Engine** 

- MD5
- SHA-1
- SHA-2 (SHA-224 / SHA-256)
- HMAC-MD5
- HMAC-SHA1
- HMAC-SHA2 ( SHA-224 / SHA-256 )
- Supported Encryption / Decryption mechanisms
  - AES-128 ( CBC / ECB / CTR / CFB / OFB / GCTR / GCM )
  - AES-192 (CBC/ECB/CTR/CFB/OFB/GCTR/GCM)
  - AES-256 ( CBC / ECB / CTR / CFB / OFB / GCTR / GCM )
- Supported programmable CRC

Figure 1-1 WBR1 architecture

# Tuya module



Figure 1 RTL8720CF-VA1 QFN40 Pin Assignments





Overview of the chip, notice the external inductor for the switching supply. This will generate the ~1.15V core voltage. There is a low amount of DC coupling required for this chip. Notice also the RF matching region, clock region, some external transistor, and various passives.

### Sniffing interesting pins

Lets go right to sniffing this Tuya module. The ISP header was interesting but let's compromise this first.



### UART log and debug mode...

== Rtl8710c IoT Platform == Chip VID: 5, Ver: 1 ROM Version: v2.1

== Boot Loader == Dec 5 2019:14:02:18

fwx SELE[fffffff]
fw SELE Bitidx 0, fw1 valid 1, sn 100, fw2 valid 1, sn 101
fw1 USE, return sn 100

Boot Loader <== == RAM Start ==

Build @ 12:51:08, Jul 29 2020 Create Task init, stack 0x1000fb28, len 5120 Create Task app\_init, stack 0x10010f88, len 8192 Create Task IDLE, stack 0x10013f80, len 2048 Create Task TCP\_IP, stack 0x10013fb8, len 4000 [......] [01-01 18:12:15 TUYA Debug][tuya\_device.c:19] < TUYA IOT SDK V:1.0.12 BS:40.00\_PT:2.2\_LAN:3.3\_CAD:1.0.2\_CD:1.0.0 > < BUILD AT:2020\_07\_28\_19\_56\_28 BY embed FOR ty\_iot\_wf\_bt\_sdk\_rtos AT rtl8720cf\_ameba > IOT DEFS < WIFI\_GW:1 DEBUG:1 KV\_FILE:0 SHUTDOWN\_MODE:0 LITTLE\_END:1 TLS\_MODE:2 ENABLE\_LOCAL\_LINKAGE:0 ENABLE\_CLOUD\_OPERATION:0 ENABLE\_SUBDEVICE:0 ENABLE\_ENGINEER\_TO\_NORMAL:0 OPERATING\_SYSTEM:2 ENABLE\_SYS\_RPC:0 TY\_SECURITY\_CHIP:0 RELIABLE\_TRANSFER:RELIABLE\_TRANSFER ENABLE\_LAN\_ENCRYPTION:1 ENABLE\_LAN\_LINKAGE:0 ENABLE\_LAN\_LINKAGE\_MASTER:0 > [......] [01-01 18:12:15 TUYA Debug][tuya\_device.c:20] rt18720cf\_common\_user\_config\_ty:2.1.6 [......] [01-01 18:12:15 TUYA Notice][simple\_flash.c:498] get key: [01-01 18:12:15 TUYA Notice][simple\_flash.c:498] get key:

### The other UART

This communicates with 5V MCU using transistors as level shifters and a few resistors. If the WBR1 module was in circuit, the other MCU would talk to it over UART. If it is out of circuit, it would wait for UART communication trying different bit rates.

The format is all on Tuya's website for developers. We could add a hardware implant here.

[01-01 18:12:15 TUYA Notice][tuya\_uart\_common\_api.c:118] ty\_uart\_common\_main\_com ponents\_version:1.0.5,memrory left:67400...

[01-01 18:12:15 TUYA Notice][tuya\_uart\_adapt.c:421] ty\_uart\_public\_auto\_adapt\_co mponent\_version:1.0.1

```
Create Task uart_adapt_task, stack 0x1002e850, len 2048

[01-01 18:12:15 TUYA Notice][tuya_uart_adapt.c:358] try:9600/3/1/0

[01-01 18:12:15 TUYA Notice][tuya_uart.c:134] 1 9600

[01-01 18:12:18 TUYA Notice][tuya_uart_adapt.c:358] try:9600/3/1/0

[01-01 18:12:22 TUYA Notice][tuya_uart_adapt.c:358] try:9600/3/1/0

[01-01 18:12:22 TUYA Notice][tuya_uart_adapt.c:358] try:9600/3/1/0

[01-01 18:12:22 TUYA Notice][tuya_uart.c:134] 1 9600

[01-01 18:12:25 TUYA Notice][tuya_uart_adapt.c:358] try:15200/3/1/0
```

....]

Durablow State On - Tuya: 55 AA 00 00 00 00 FF - MCU: 55 AA 03 00 00 01 04 07 [...] [MCU sends more packets]

Durablow State Off - Tuya: 55 AA 00 00 00 00 FF - MCU: 55 AA 03 00 00 01 06 09 [stops sending packets]

#### Frame format description

| Field          | Length (byte) | Description                                                                                            |
|----------------|---------------|--------------------------------------------------------------------------------------------------------|
| Header         | 2             | It is fixed as 0x55aa                                                                                  |
| Version        | 1             | It is used for upgrade and extension                                                                   |
| Command        | 1             | Specific frame type                                                                                    |
| Data<br>length | 2             | Big-endian                                                                                             |
| Data           | Ν             | Entity data                                                                                            |
| Checksum       | 1             | Start from the header, add up all the bytes,<br>and then divide the sum by 256 to get the<br>remainder |

### Datasheet finding... debug mode? SWD/JTAG?

| Symbol        | Туре | RTL8720CF-VA1 | RTL8720CM-VA1 | RTL8720CN-VA1           | Description                      |
|---------------|------|---------------|---------------|-------------------------|----------------------------------|
| TEST_MODE_SEL | 1    | 15            | 15            | 15                      | Shared with GPIOA_0              |
|               |      | XV            | >             | $\langle \cdot \rangle$ | 1: Enter into test/debug mode    |
|               |      | $\sim$        |               |                         | 0: Normal operation mode         |
| Autoload_Fail | 7-1  | 16            | 16            | 16                      | Shared with GPIOA_1              |
|               | C    |               | X             | X                       | 1: eFUSE settings are not loaded |
| X             |      | <             |               | .0                      | 0: eFUSE settings are loaded     |
| SPS_LDO_SEL   | 1    | 3             | 3             | 3                       | Shared with GPIOA_23             |
| N             |      | 10            | 1             | $0^{\prime}$            | 1: LDO                           |
|               |      | ~~~           | -             |                         | 0: SWR                           |

### Trying to get into SWD/JTAG

I own a real JLink :P and an XDS110, but also FT2232H, bus pirate, etc

There shouldn't be an issue if there is SWD/JTAG/cJTAG, but I was unable to get this working. I think there is an eFuse that controls access overriding the strap pin? Maybe I can glitch into it? I would have came back to this if not for other attacks.



### Side channel profile on reset



You can see the chip has variation in the electromagnetic signature over time. It could be that during the period where the main processor core is off, it is computing some cryptographic hash or decrypting something with the hardware engine and the main processor is waiting to be interrupted. There is some variation in currents flowing during the flat region still though.

Then the second block of code running continuously is after that (flash?). If we were targeting to glitch some code in the ROM it would be in the beginning of either of these blocks. These gives us some idea of timing operations.

NRST/enable net had a lot of capacitance (rise time long, it has internal pull up), telling me they might have had problems with noise on reset line causing misbehavior. This could be solved by adding capacitance externally or some sort of schmitt trigger input inside the chip (or clean relay delay generator circuit). The circuit may be susceptible to reset glitches.

### Side channel profile largest component

Related to clock?

Variation in features is pronounced. Good for SPA.





### A hypothesis has a chance of being true...

Are there 8 possible test modes? What do they have in this ROM... I wonder? Notice the devs didn't even change the part number from RTL8710 to RTL8720. There are typos in strings all over the ROM/firmware. Both from Realtek and Tuya.

== Rtl8710c IoT Platform == Chip VID: 5, Ver: 1 ROM Version: v2.1 Test Mode: boot\_cfg1=0x20 Test Mode GPIOA[14, 3, 2] = 0x4

### Playing with on strapping pins

I started searching... and messing with the power pin, GND and 3.3V wire, pulling some pins high and messing with ones I had attached to the JTAG pins after I tried SWD. I eventually figured out what was the internal pin numbers referred to by the ROM UART messages.

# ROM debug menu!

== Rtl8710c IoT Platform == Chip VID: 5, Ver: 1 ROM Version: v2.1 Test Mode: boot\_cfgl=0x20 Test Mode GPIOA[14, 3, 2] = 0x6

\$8710c> \$8710c>

\$8710c; DB

DB <Address, Hex> <Len, Dec>: Dump memory byte or Read Hw byte register

#### DHW

DHW <Address, Hex> <Len, Dec>: Dump memory helf-word or Read Hw helf-word register;

#### DW

DW <Address, Hex> <Len, Dec>: Dump memory word or Read Hw word register;

#### ΕB

EB <Address, Hex> <Value, Hex>: Write memory byte or Write Hw byte register Supports multiple byte writting by a single command Ex: EB Address Value0 Value1

#### ΕW

EW <Address, Hex> <Value, Hex>: Write memory word or Write Hw word register Supports multiple word writting by a single command Ex: EW Address Value0 Value1

#### WDTRST

WDTRST: To trigger a reset by WDT timeout



### Thanks for the feature!

Now I have the ROM and can do some more reverse engineering.

The flash is not mapped though so lets get code execution and map/dump it.

| <pre>piVar6 = (int *)flash_init(0x1002a0e0,uVar19,uVar17);</pre>                             |
|----------------------------------------------------------------------------------------------|
| if (piVar6 != (int *)0x0) {                                                                  |
| uVar4 = 0;                                                                                   |
| _DAT_100000ac = (int *)0x0;                                                                  |
| if ((int) (_DAT_100000c4 << 0x1f) < 0) {                                                     |
| <pre>printf("\r[BOOT Err]Flash init error (io_mod=%u, pin_sel=%u)\r\n",uVar19,uVar17);</pre> |
| goto LAB_00001b2e;                                                                           |

| COM3 - PuTTY                                                                                                                                                                     |                                                |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|
| 0001CAC0: 33 f8 0b 46 02 46 31 46 0e 48<br>0001CAD0: 04 4f 63 1c al d1 0b f1 01 0b<br>0001CAE0: 11 46 63 1c al d1 0b f1 01 0b                                                    | 13 f0 22 ft ff                                 |
| 0001CAD0: 04 4f 63 1c al 46 02 46 31 46 0e 48<br>0001CAD0: 14 4f 63 1c al 41 0b fl 0l 0b<br>0001CAE0: 11 b0 bd e8 f0 8f 59 46 07 48<br>0001CAE0: 06 4b 09 93 83 e7 00 bf 60 cc   | bb f1 0b 0f 80 d1 00                           |
| 0001CB00: 00 00 93 83 e7 00 bf 60 cc                                                                                                                                             | 13 10 23 fb 8a e7                              |
| 0001CB00: 00 00 68 42 09 93 63 67 00 bf 60 cc<br>0001CB10: 14 fd 03 10 0b 78 ff 2b 08 d0<br>0001CB20: 83 42 05 d0 11 f8 02 3f ff 2b                                              | 02         00         32         00         .K |
| 0001CB30: 45 70 d0 11 f8 02 3f ff 2b                                                                                                                                             | 50 42 U2 d1 07 e0                              |
| 0001CB50: 02 03 e0 98 42 07 d0 11 46                                                                                                                                             | 00 DI 88 DI 02 23 Kx : FDC                     |
| 0001CB50: 02 02 f7 d1 18 46 70 47 cb 78 2001CB60: 70 47 01 23 f6 70 47 cb 78 2001CB60: 70 47 01 23 f6 70 00 bf 2c cc 0001CB70: 03 23 09 49 03 e0 96 42 07 d0                     | 20 3b db b2 18 46                              |
| 0001CB80, 01 53 09 49 03 e0 98 42 07 d0                                                                                                                                          | DI 00 01 28 11 d0 pG.#                         |
| 0001CB80: 01 f1 02 02 f7 d1 18 46 70 47 c<br>0001CB90: 18 46 70 47 03 46 f6 e7 04 cc<br>0001CB90: 19 23 09 49 03 e0 98 42 07 d0 cc<br>0001CB80: 01 23 09 49 03 e0 98 42 07 d0 cc | cb 78 20 3b db b2                              |
| 0001CBB0: 01 CT 09 49 03 e0 98 42 07 d0 1                                                                                                                                        | FpG.F.                                         |
| 0001CBD0: 02 02 04 47 01 23 f6 e7 20 cc 0                                                                                                                                        | 1 00 20 3b db b2                               |
| 0001CBD0: 0a 23 09 49 03 e0 98 42 07 d0 1<br>0001CBE0: 01 f1 02 02 f7 d1 18 46 70 47<br>0001CBE0: 18 46 70 47 01 23 f6 67 14 cr                                                  | 1 46 93 78 ff 2b                               |
| 0001CC00: 02 01 10 47 01 23 f6 e7 14 cc 0                                                                                                                                        | 1 00 00 3b db b2                               |
| 0001CC20: 05 23 ff ff 04 21 0a 20 13 22 8                                                                                                                                        | 3 22 56 22 16 22                               |
|                                                                                                                                                                                  |                                                |
| 0001CC50: 44 00 92 00 aa 00 b5 00 bb 00 a                                                                                                                                        |                                                |
| 00010070: bb 00 20 00 44 00 24 01 94 02 a                                                                                                                                        | D 01 ef 01 00 00 DU.                           |
|                                                                                                                                                                                  |                                                |
|                                                                                                                                                                                  |                                                |
| 00010000 00 02 00 00 02 03 01 04 03 00 00                                                                                                                                        | 5 00 04 00 04 02                               |
| 0001CCE0: 05 00 05 02 03 02 00 00 02 03 01<br>0001CCE0: fd 45 00 02 03 02 00 00 02 03 01                                                                                         | 00 02 00 04 00                                 |
| 0001CCF0: d0 00 7e 00 68 00 3f 00 34 00 17                                                                                                                                       | 00 1a 00 1a 00 .FA                             |
| 0001CD10. 02 00 02 00 01 00 00 00 00 00 00 00 00                                                                                                                                 | 00 02 00 02 00                                 |
| 0001CD30: 0a 0b 0a 0b 0a 0b 0a 0b 0a 0b 0a 14 14 14                                                                                                                              | 14 14 11 11 06                                 |
| 0001CD50: 2c 01 00 00 50 03 03 04 06                                                                                                                                             | 00 6e 00 00 00                                 |
| 0001CD70: 80 70 00 00 00 00 40 38 00                                                                                                                                             | 00 00 4b 00 00                                 |
| 0001CD90; f0 cd 05 00 00 11 01 00 00 58 02                                                                                                                                       | 00 00 84 03 00                                 |
| 0001CDA0: 40 42 0f 00 00 08 07 00 20 al 07<br>0001CDB0: 40 42 0f 00 00 18 15 00 30 0a 16                                                                                         | 00 00 10 0e 00                                 |

### So much for "secure" boot

Now I have all the keys used in decryption of flash header (even though flash is internal on this part) and for HMAC SHA authentication. They should have used asymmetric schemes and locked out access to keys after use, or before entering a debug menu that shouldn't exist.

```
LAB 00002bfe:
15
       get super sec key( DAT 400000e8,&DAT 1002dd20,0);
16
       memcpy(0x1002dd40,&header key,0x10);
17
       memcpy (0x1002dd60, 0x98000020, 0x40);
18
       if ((int)((uint)DAT 40000039 << 0x19) < 0) {
19
         FUN 0000d540(0x1002ddc0,0x21,&DAT 1002dd20,0x20);
         iVar3 = crypto(0x1002ddc0,0x21,0x1002dd60,0x20,0x1002dd40,0x10,0,0
22
         if (iVar3 != 0) goto LAB 00002cd4;
23
24
       else {
25
         FUN 00056f3c(&DAT 1002dda0,&DAT 1002dd20,0x1002dd60);
26
27
       FUN 000027d4(0x1002dd60);
28
       FUN 0000d540(0x1002ddc0,0x21);
29
       if (-1 < (char)bVar1) goto LAB 00002bca;
       iVar3 = crypto(0x1002ddc0,0x21,&DAT 98000060,0x60,0x1002dd40,0x10,0,
31
       if (iVar3 != 0) {
        if ( DAT 100000c4 << 0x1f < 0) {
32
           printf("\r[BOOT Err]Parttiton Table Header Decry Err!\r\n");
34
           return Oxfffffff;
35
         return 0xfffffff;
36
```

### So much for "secure" boot

```
FUN 00009ab0( DAT 400000e8,0x1002e2e0,0,0x20,0);
  copy setup(0x1002ddc0,0x21,&super secret key,0x20);
  iVar3 = crypto(0x1002ddc0,0x21,0x1002e2e0,0x20,0x1002dd40,0x10,0,0,
  if (iVar3 != 0) {
    if (-1 < DAT 100000c4 << 0x1f) {
     return Oxfffffff;
    printf("\r[BOOT Err]Hash Priv Key Decrypt Err!\r\n");
    return 0xffffffff:
  if ((int)((uint)DAT 40000039 << 0x19) < 0) {
    copy setup(0x1002ddc0,0x21,0x1002e300,0x20);
    iVar3 = crypto(0x1002ddc0,0x21,0x1002dd80,0x20,0x1002dd40,0x10,0,
    if (iVar3 != 0) {
LAB 00002cd4:
     if (-1 < DAT 100000c4 << 0x1f) {
        return Oxffffffff:
     printf("\r[BOOT Err]NSK-AES key decrypt Err!\r\n");
      return Oxfffffff;
```

```
FUN_0000e698(0x1002ddc0,0x25);
iVar3 = memcmp(0x1002e320,0x1002e340,0x20);
if (iVar3 != 0) {
    if (_DAT_100000c4 << 0x1f < 0) {
        printf("\r[BOOT Err]Boot Img Hash Result Err!\r\n");
    }
    FUN_00010dbc(&DAT_1002e540,0,0x3a0);
    FUN_0000a81c(&DAT_1002e540,0x3a0);
    return 0xfffffff;
```

### Code execution from debug menu

After reverse engineering the ROM... I find the command handler for the debug menu. It is setup so that a variable in SRAM points to an area in ROM that has pointers to the command string, help menu string, and a function pointer to an implementation. I cloned this structure into another region of unused SRAM and added my own command named "golden." I also have python scripts quickly made up to instrument the ROM debug menu for my purposes. Notes:

0x1002f050 command array pointer

0x1002dd08 flash\_already\_init

0x20000000 32kb free sram

0x318d0 command array in the rom length is 84 + the 4 zero bytes at the end

structure:

0: str pointer 4: func addr 8: help string



### Mapping the flash and dumping it

I first map the flash, then call some function that verifies the flash and populates a structure with the pointer to the code entrypoint. We then write some quicker dumping code that writes the raw bytes over the UART console. It is a 2MB flash so this is faster than the read memory commands in

the ROM.

| 🖉 COM3 - PuTT | Y           | 2        |          |          |  |
|---------------|-------------|----------|----------|----------|--|
| \$8710c>golde |             |          |          |          |  |
| \$8710c>DW 0x | 98000000 10 | D        |          |          |  |
| C             |             |          |          |          |  |
| 98000000:     | 96999900    | 66CC3F96 | CC33C0FC | 31DCE503 |  |
| 1098000010:   | FFFFFF62    | FFFFFFFF | FFFFFFFF | FFFFFFFF |  |
| 98000020:     | 3E516800    | 6B393EF8 | 9A05BA12 | B6360F90 |  |
| 98000030:     | FE111DD3    | EB255D1C | 50C5A78A | 249C7F30 |  |
| ¥98000040:    | 23AD4800    | 9EACBDDD | B79D7165 | 4DD494D3 |  |
| ind98000050:  | 190D8262    | 37680DE5 | 7E237467 | 5E30D298 |  |
| 98000060:     | 0001E000    | FFFFFF00 | FF0000FF | ED524200 |  |
| a 98000070:   | 64D9681E    | 00000020 | 4A584C00 | E4166547 |  |
| 98000080:     | 0F549000    | E092C03A | 5802880F | E84554CA |  |
| 98000090:     | DC4C1FBC    | 028A6675 | F94CE2B2 | 33DD6248 |  |
| • 980000A0:   | 2C423200    | 010DD4F2 | 26590F5C | 1F0E9F63 |  |
| Led 980000B0: | 33FB5ABE    | 723585C0 | B06B8168 | D6E349E4 |  |
| a 49800000004 | 00505000    | 02010289 | OOFFFFFF | 50000000 |  |

push { r0, r1, r2, r6, r7, lr } # actually flash init 0x29bc ldr r7, =0x29bd # pin sel ldr r2, =1 # io mod ldr r1, =0 ldr r0, =0x1002a0e0 blx r7 # lets try to init this crypto stuff # flash boot 0x3ad4 ldr r7, =0x3ad5 ldr r0, =0x100000ac blx r7 # dump this structure? # dump the flash # putchar 0x11628 this is for our uart ldr r7, =0x11629 ldr r6, =0x98000000 .LOOP: ldrb r1, [r6] ldr r0, =0 blx r7 add r6, r6, #1 b .LOOP pop { r0, r1, r2, r6, r7, pc }

### Tuya firmware

Now I have the Tuya firmware and ROM. The firmware is not designed too well, it seems to support many features not used in the product. It seems to be a portable firmware that takes in a JSON configuration from Tuya to configure the device?

We could now backdoor the firmware. Since all the keys are known, I can generate a new HMAC signature for the firmware. There is a debug menu mode for UART flash download, but I can also write to the flash via ROM commands.

## Interesting glitches

This device is quite unstable, by just playing with the power pin manually, I can generate interesting glitches and subsequence output over the UART log.

```
== Rtl8710c IoT Platform ==
Chip VID: 5, Ver: 1
ROM Version: v2.1
[SPIF Err]Invalid ID
[SPIF Err]Invalid ID
[BOOT Err]Flash init error (io_mod=0,
pin_sel=0)
StartUp@0x0: Invalid RAM Img Signature!
```

### Interesting glitches

OM Version: v2.1
Test Mode: boot\_cfgc \x5
== Rt18710c IoT Platform ==
Chip VID: 5, Ver: 1
R 5
== Boot Loader ==
Dec 5 2019:14:02:18

This output supports our theory that the large flat low power region in the side channel overview capture is the hash function executing over the whole flash. As this takes a good bit of time and would be easier to corrupt/hit in time.

```
fwx SELE[fffffff]
fw SELE Bitidx 0, fw1 valid 1, sn 100,
fw2 valid 1, sn 101
fw1 USE, return sn 100
[MISC Err]Hash Result Incorrect!
Boot Load Err!
```

### Interesting glitches

Bus Fault: SCB Configurable Fault Status Reg = 0x00000400

Bus Fault Status: BusFault Address Reg is invalid(Asyn. BusFault) Imprecise data bus error: a data bus error has occurred, but the return address in the stack frame is not related to the instruction that caused the error.

S-domain exception from Thread mode, Standard Stack frame on S-PSP Registers Saved to stack

#### Stacked:

R0 = 0x0002fe57 [.....] R12 = 0x0000001c LR = 0x10001eaf PC = 0x00006114 PSR = 0x61000000

Current: LR = 0xffffffd [.....] SVC priority: 0x00 PendSVC priority: 0xe Systick priority: 0xe

#### MSP Data:

| 1003F9E0: |  |          |  |
|-----------|--|----------|--|
| 1003F9F0: |  |          |  |
|           |  |          |  |
|           |  |          |  |
|           |  |          |  |
|           |  |          |  |
|           |  | ABDCF628 |  |
|           |  |          |  |
| 10012BC8: |  |          |  |
|           |  |          |  |
|           |  |          |  |
|           |  |          |  |
|           |  |          |  |

== NS Dump == CFSR\_NS = 0x00000000 [...... PSP\_NS = 0x00000000 NS HardFault Status Reg = 0x00000000 SCB Configurable Fault Status Reg = 0x00000000

== Back Trace ==

msp=0x1003f9e0 psp=0x10012ba8
Process stack back trace:
top=0x10013ba8 lim=0x10012ba8
00006114 @ sp = 00000000
[......]
00030131 @ sp = 10012c28
9b05e171 @ sp = 10012c34

Backtrace information may not correct! Use this command to get C source level in formation: arm-none-eabi-addr2line -e ELF\_file -a -f 00006114 10001eab 0002eaa5 0002fe53 9b 00fef9 9b00fef9 00030131 9b05e171

I guess this chip just loves to be unstable but keep running. Should be able to glitch it if debug mode was not enabled with some limited setup...

### Ah that is boring...

Let's do something more fun!

- Lets see if we can glitch into the debug menu without messing with pins?
- Or encrypt our own new firmware and bypass the HMAC check?
- Overflow UART receive message length to get buffer overflow in firmware?

Many things are possible at this point. The device ROM was actually designed such that it uses an external SPI flash for non-RTL8720CF part numbers... so a correlation power analysis attack (CPA) would be fun to grab the header key then break secure boot because they use an HMAC SHA for authenticity.

### Back to the WiFi/Bluetooth communication

Now that I have the firmware to the Tuya module. I can reverse engineer communication with the backend/cloud, I have the TLS pre-shared key. I can decipher the structures of data on LAN, and send the device my own messages. It is all a matter of time at this point.

Keys are fun! I could have gotten some from the App, but this is better! There may be some provisioned ephemeral keys, but they are not per-session. It would be setup when the device is linked to the Tuya account/app.

```
Cipher Suites (4 suites)

Cipher Suite: TLS_PSK_WITH_AES_256_CBC_SHA (0x008d)

Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA256 (0x00ae)

Cipher Suite: TLS_PSK_WITH_AES_128_CBC_SHA (0x008c)

Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
```

### Questions?