Recon 2024

DaBootZone: Breaking the DA1469x BootROM
06-29, 16:00–17:00 (US/Eastern), Grand Salon

The Renesas DA1469x family of chips are used in various industrial and IoT applications due to their low power consumption, high integration capabilities, and advanced security features, including SecureBoot and firmware encryption. In this presentation, we will present a novel BootROM vulnerability allowing the bypass of secure boot and recovery of encrypted firmware images, as well as walking through the process of discovering and exploiting these vulnerabilities.


This talk provides a detailed overview of the process of analyzing and attacking the DA1469x bootrom's security features, detailing the path from 0x0 to 0x24242424.

This talk will cover the following topics:

  • Overview of the security features provided by the DA1469x family
  • SecureBoot
  • Encrypted Firmware Images
  • The process of reverse engineering the bootrom (0x0)
  • Extracting the bootrom
  • Challenges presented by bootrom code (dense code, no symbols)
  • How to overcome those challenges
  • Identifying areas where bugs may hide
  • Vulnerabilities (0x24242424)
  • In depth overview of the vulnerabilities that were discovered
    • Buffer Overflow (CVE-2024-25076)
    • Crypto Bug (CVE-2024-25077)
  • How these bugs impact the security features provided by the platform
    • Secureboot
    • Encrypted Firmware
  • Developing exploits for the identified vulnerabilities
  • Challenges presented by exploiting a real world target
  • Example of exploitation of a fully secured device using Secureboot and Encrypted Firmware

Attendees will gain a deeper understanding of the process of reverse engineering bootroms for security assessments and vulnerability identification, as well as insights into the techniques and tools used in this process. The presentation is intended for researchers, security professionals, and those interested in embedded systems security.

See also: Slides

Chris is a Research Science Director at Atredis Partners leading and executing highly technical embedded, network, application, and red team assessments, as well as complex reverse engineering and exploit development projects.