The STM32 family of microcontrollers is deployed in billions of embedded systems, making them desirable, high-value targets. In particular, the STM32F2 and STM32F4 series have been heavily scrutinized due to their use in popular cryptocurrency hardware wallets like the KeepKey, Trezor One, and Trezor Model T. Previous research has shown that fault injection can bypass protection mechanisms and enable flash memory extraction. However, those techniques can lead to device corruption or permanent loss of data.

In this talk, Joe and Lennert present three years of work refining and extending these attacks into a more repeatable and reliable process for extracting protected flash memory from STM32F2 and STM32F4 devices. They will discuss the practical engineering behind the work, including failures, breakthroughs, and new attack strategies. Using these techniques, they have recovered the cryptocurrency recovery seeds from dozens of customer-owned hardware wallets with a 100% success rate.