This means that JTAG access is possible when the system is running code from ROM before handing control over to user software. The following reproduces the official documentation regarding this bit:
The only mention of JTAG access protection comes in the form of the JTAG_SHIELD bit in the HW_DIGCTL_CTRL register, which has to be set by user software; after a system reset, JTAG access is enabled. The official documentation provided by NXP, the SoC manufacturer, does not specify any way of disabling JTAG access permanently on production devices.
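To make the reset behaviour concrete, here is an added host-side model of the HW_DIGCTL_CTRL register and of the boot sequence around it (example code written for this page, not NXP's or Barco's). The register base, the offsets and the JTAG_SHIELD bit index are taken from the i.MX28 reference manual as I recall it and should be treated as assumptions to verify against the manual; the SET/CLR/TOG alias layout is the usual MXS register convention. The model shows the window in which the port is open and that the bit is a plain read/write bit rather than a lock.

```c
#include <stdint.h>
#include <stdio.h>

/* i.MX28 DIGCTL block. The base, the register offsets and the JTAG_SHIELD bit index
 * are assumptions taken from the i.MX28 reference manual as I recall it; verify them
 * before use. Every MXS register has SET/CLR/TOG aliases at +4/+8/+12: writing a
 * mask there sets/clears/toggles exactly those bits without a read-modify-write. */
#define HW_DIGCTL_BASE              0x8001C000u
#define HW_DIGCTL_CTRL_OFF          0x0u
#define HW_DIGCTL_CTRL_SET_OFF      0x4u
#define HW_DIGCTL_CTRL_CLR_OFF      0x8u
#define HW_DIGCTL_CTRL_TOG_OFF      0xCu
#define BM_DIGCTL_CTRL_JTAG_SHIELD  (1u << 1)

/* Host-side model of the register with the SET/CLR/TOG semantics, so the logic
 * below runs off-target. On the SoC the same write is a single MMIO store:
 *   *(volatile uint32_t *)(HW_DIGCTL_BASE + off) = val; */
struct digctl { uint32_t ctrl; };

void digctl_write(struct digctl *d, uint32_t off, uint32_t val)
{
    switch (off) {
    case HW_DIGCTL_CTRL_OFF:     d->ctrl  = val;  break;
    case HW_DIGCTL_CTRL_SET_OFF: d->ctrl |= val;  break;
    case HW_DIGCTL_CTRL_CLR_OFF: d->ctrl &= ~val; break;
    case HW_DIGCTL_CTRL_TOG_OFF: d->ctrl ^= val;  break;
    default: break;
    }
}

/* System reset: the advisory states JTAG is enabled after reset, i.e. the shield
 * bit comes up clear (the other bits are modelled as 0 too; an assumption). */
void digctl_reset(struct digctl *d) { d->ctrl = 0; }

int jtag_accessible(const struct digctl *d)
{
    return (d->ctrl & BM_DIGCTL_CTRL_JTAG_SHIELD) == 0;
}

/* The mitigation user software can apply: raise the shield through the SET alias as
 * the very first thing it does, leaving the other CTRL bits untouched. */
void user_sw_raise_jtag_shield(struct digctl *d)
{
    digctl_write(d, HW_DIGCTL_CTRL_SET_OFF, BM_DIGCTL_CTRL_JTAG_SHIELD);
}

struct boot_trace {
    int open_in_rom;        /* ROM code executing, before user software runs   */
    int open_in_user_sw;    /* after user software raised the shield           */
    int open_after_clr;     /* after any code with MMIO access clears it again */
    int open_after_reset;   /* after the next reset, back in ROM code          */
};

/* Walk the boot sequence and record at which points the JTAG port is open. */
struct boot_trace simulate_boot(void)
{
    struct digctl d;
    struct boot_trace t;

    digctl_reset(&d);                                   /* power-on, ROM starts */
    t.open_in_rom = jtag_accessible(&d);                /* nobody has set the bit yet */

    user_sw_raise_jtag_shield(&d);                      /* user software takes over */
    t.open_in_user_sw = jtag_accessible(&d);

    /* The bit is a plain read/write bit, not a fuse or sticky lock: a CLR write
     * (e.g. from code an attacker already runs) reopens the port. */
    digctl_write(&d, HW_DIGCTL_CTRL_CLR_OFF, BM_DIGCTL_CTRL_JTAG_SHIELD);
    t.open_after_clr = jtag_accessible(&d);

    digctl_reset(&d);                                   /* next reset: ROM again */
    t.open_after_reset = jtag_accessible(&d);
    return t;
}

int main(void)
{
    struct boot_trace t = simulate_boot();
    printf("JTAG open: in ROM=%d, after shield=%d, after CLR=%d, after reset=%d\n",
           t.open_in_rom, t.open_in_user_sw, t.open_after_clr, t.open_after_reset);
    return 0;
}
```

The SET alias matters on real hardware: a read-modify-write of HW_DIGCTL_CTRL can race with other writers and clobber unrelated control bits, whereas the SET write touches only the mask. Even with the shield raised as early as possible, the trace shows the two gaps the advisory describes: the whole ROM stage before user software runs, and every subsequent reset.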
The i.MX28 uses the industry-standard JTAG interface for debugging, giving developers insight into the ARM CPU core. However, such access can be abused by attackers to manipulate the state of an otherwise secured device.
Multiple vulnerabilities have been identified that ultimately allow attackers to compromise hardware units and backdoor them, execute arbitrary code on end users' systems, and observe and manipulate the content being presented. As the number of findings affecting these products is significant, the technical details below are sorted by the specific devices and/or software components. For clarity and easy referencing, each finding is given a unique identifier.

- Disclosing contents of and manipulating file systems
- Disclosure of media stream encryption keys
- End user system compromise through a USB device
- Compromising the integrity of data exposed to end users
- Taking control over ROM code execution via JTAG

This revision is known to be affected by a previously disclosed vulnerability in the High Assurance Boot (HAB) functionality, which provides Secure Boot. NXP, the manufacturer of the affected SoC devices, has issued erratum ERR010873 confirming the issue. To reach the HAB vulnerability, the attacker must either have access to the Data Encryption Key (DEK) in order to encrypt forged content, or the device must be configured to accept unencrypted firmware images. It was also investigated whether the image authentication code, which according to the existing documentation is part of the boot image, is effective in ensuring the authenticity of the image. It was found that, given the exploitation requirements outlined above, this measure provides no additional protection: an attacker with access to the DEK can forge the authentication code, as it is itself encrypted with the DEK. An attacker can therefore bypass the High Assurance Boot security feature and subsequently compromise the device. It is possible for an attacker to extract the DEK using vulnerability BCSD-FSC-RND-F002.
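As an added illustration (example code written for this page, not NXP's HAB implementation or Barco's firmware), the following toy model reproduces the structure described above: the image authentication code is carried inside the DEK-encrypted image, so the ROM's check can only establish that whoever built the image knew the DEK. The cipher and the authentication code are stand-ins (an xorshift keystream and FNV-1a) chosen so the program runs anywhere; the key, the payloads and the image layout are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a boot image whose authentication code lives inside the DEK-encrypted
 * payload, as the advisory describes. Stand-ins, not NXP's HAB format or algorithms:
 *   - xorshift64 keystream XORed over the data stands in for the DEK cipher;
 *   - FNV-1a (64-bit) stands in for the image authentication code.
 * The structure, not the primitives, is what the finding is about. */

#define AUTH_LEN  8
#define MAX_IMAGE 256

static uint64_t auth_code(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ull;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ull; }
    return h;
}

/* Toy symmetric cipher: XOR with a keystream seeded from the DEK (encrypt == decrypt). */
static void dek_crypt(uint64_t dek, uint8_t *buf, size_t n)
{
    uint64_t s = dek | 1;                 /* xorshift state must be non-zero */
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        buf[i] ^= (uint8_t)(s >> 56);
    }
}

/* Image producer: image = Enc_DEK(payload || auth_code(payload)).
 * Returns the image length, or 0 if the output buffer is too small. */
size_t build_image(uint64_t dek, const uint8_t *payload, size_t n, uint8_t *out, size_t cap)
{
    if (n + AUTH_LEN > cap) return 0;
    uint64_t ac = auth_code(payload, n);
    memcpy(out, payload, n);
    for (int i = 0; i < AUTH_LEN; i++) out[n + i] = (uint8_t)(ac >> (8 * i));
    dek_crypt(dek, out, n + AUTH_LEN);
    return n + AUTH_LEN;
}

/* ROM verifier: decrypt with the DEK, recompute the code over the payload, compare.
 * Returns 1 and copies the payload to out if the image is accepted, 0 otherwise. */
int rom_verify(uint64_t dek, const uint8_t *image, size_t len, uint8_t *out, size_t cap)
{
    uint8_t tmp[MAX_IMAGE];
    if (len < AUTH_LEN || len > sizeof tmp || len - AUTH_LEN > cap) return 0;
    memcpy(tmp, image, len);
    dek_crypt(dek, tmp, len);
    size_t n = len - AUTH_LEN;
    uint64_t ac = 0;
    for (int i = 0; i < AUTH_LEN; i++) ac |= (uint64_t)tmp[n + i] << (8 * i);
    if (ac != auth_code(tmp, n)) return 0;
    memcpy(out, tmp, n);
    return 1;
}

static const uint64_t DEVICE_DEK = 0x0123456789abcdefull;   /* constructed sample key     */
static const uint8_t  GENUINE[]  = "genuine firmware";      /* constructed sample payload */
static const uint8_t  FORGED[]   = "attacker firmware";     /* constructed sample payload */

/* Attacker without the DEK flips one ciphertext bit: the recomputed code no longer
 * matches the decrypted payload, so the ROM rejects it. Returns the verifier's verdict. */
int scenario_tamper_without_dek(void)
{
    uint8_t img[MAX_IMAGE], out[MAX_IMAGE];
    size_t len = build_image(DEVICE_DEK, GENUINE, sizeof GENUINE, img, sizeof img);
    img[3] ^= 0x80;
    return rom_verify(DEVICE_DEK, img, len, out, sizeof out);
}

/* Attacker who extracted the DEK (the advisory: via BCSD-FSC-RND-F002) just runs the
 * same producer routine over a forged payload. The "authentication code" binds the
 * image to DEK knowledge only, so the ROM accepts it and runs the forged payload.
 * Returns 1 if the forged image is accepted and the recovered payload is the forged one. */
int scenario_forge_with_dek(void)
{
    uint8_t img[MAX_IMAGE], out[MAX_IMAGE];
    size_t len = build_image(DEVICE_DEK, FORGED, sizeof FORGED, img, sizeof img);
    if (!rom_verify(DEVICE_DEK, img, len, out, sizeof out)) return 0;
    return memcmp(out, FORGED, sizeof FORGED) == 0;
}

int main(void)
{
    printf("tamper without DEK accepted: %d\n", scenario_tamper_without_dek());
    printf("forge with DEK accepted:     %d\n", scenario_forge_with_dek());
    return 0;
}
```

The first scenario shows why the code looks like a security feature: blind tampering with the ciphertext is caught. The second shows that once the DEK is known, forging is nothing more than running the producer routine. Authenticity needs a verification key that the DEK holder does not possess; an integrity value protected only by the DEK cannot provide it.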