MCUs Serve Up Solutions for Car Infotainment

Dashboard Dazzle

As automotive dashboard displays get more sophisticated, information and entertainment are merging into so-called infotainment systems. The new systems are driving a need for powerful MCU solutions that support the connectivity, computing and interfacing requirements particular to these designs.

Figure 1 (lead image)
The Cypress Wi-Fi and Bluetooth combo solution uses Real Simultaneous Dual Band (RSDB) technology so that Apple CarPlay (shown) and Android Auto can operate concurrently without degradation caused by switching back and forth between bands.

By Jeff Child, Editor-in-Chief

Microcontroller (MCU) vendors have a rich legacy of providing key technologies for nearly every aspect of an automobile’s electronics—everything from the powertrain to the braking system to dashboard displays. In recent years, they’ve taken on a new set of challenges as demands rise for ever more sophisticated “infotainment” systems. Advanced touchscreen, processing, networking, voice recognition and more are parts of these subsystems tasked with providing drivers with information and entertainment suited to today’s demands—demands that must rival or exceed what’s possible in a modern smartphone or tablet. And, as driverless cars inch toward mainstream reality, that hunger for rich infotainment functionality will only increase.

In order to meet those system design needs, MCU vendors are keeping pace with highly integrated chip-level solutions and embedded software tailored specifically to address various aspects of the automotive infotainment challenge. Over the past 12 months, MCU companies have announced products aimed at everything from advanced dashboard graphics to connectivity solutions to security technologies. At the same time, many have announced milestone design wins that illustrate their engagement with this dynamic sub-segment of automotive system development.

Smartphone Support

Exemplifying these trends, in July Cypress Semiconductor announced that Pioneer integrated Cypress’ Wi-Fi and Bluetooth Combo solution into its flagship in-dash navigation AV receiver. The solution enables passengers to display and use their smartphone’s apps on the receiver’s screen via Apple CarPlay (Figure 1, lead image above) or Android Auto, which provide the ability to use smartphone voice recognition to search for information or respond to text messages. The Cypress Wi-Fi and Bluetooth combo solution uses Real Simultaneous Dual Band (RSDB) technology so that Apple CarPlay and Android Auto can operate concurrently without degradation caused by switching back and forth between bands.

The Pioneer AVH-W8400NEX receiver uses Cypress’ CYW89359 combo solution, which includes an advanced coexistence engine that enables optimal performance for dual-band 2.4- and 5-GHz 802.11ac Wi-Fi and dual-mode Bluetooth/Bluetooth Low Energy (BLE) simultaneously for advanced multimedia experiences. The CYW89359’s RSDB architecture enables two unique data streams to run at full throughput simultaneously by integrating two complete Wi-Fi subsystems into a single chip. The CYW89359 is fully automotive qualified with AEC-Q100 grade-3 validation and is being designed in by numerous top-tier car OEMs and automotive suppliers as a full in-vehicle connectivity solution, supporting infotainment and telematics applications such as smartphone screen-mirroring, content streaming and Bluetooth voice connectivity in car kits.

In October, Cypress announced another infotainment-related design win with Yazaki North America implementing Cypress’ instrument cluster solution to drive the advanced graphics in Yazaki’s instrument cluster for a leading American car manufacturer. According to Cypress, Yazaki selected the solution based on its unique offering of five chips that combine to drive dual displays and provide instant-on memory performance with automotive-grade, ASIL-B safety compliance. The Cypress solution is based on a Traveo MCU, along with two high-bandwidth HyperBus memories in a multi-chip package (MCP), an analog power management IC (PMIC) for safe electrical operation, and a PSoC MCU for system management support. The Traveo devices in the Yazaki instrument cluster were the industry’s first 3D-capable Arm Cortex-R5 cluster MCUs.

Virtualization Embraced

The complexity of automotive infotainment systems has pushed system developers to embrace advanced operating system approaches such as virtualization. Feeding those needs, last June Renesas Electronics rolled out its “R-Car virtualization support package” designed to enable easier development of hypervisors for the Renesas R-Car automotive system-on-chip (SoC). The R-Car virtualization support package includes, at no charge, both the R-Car hypervisor development guide document and sample software for use as reference in such development for software vendors who develop the embedded hypervisors that are required for integrated cockpits and connected car applications.

A hypervisor is a virtualization operating system (OS) that allows multiple guest OSs—such as Linux, Android and various real-time OSs (RTOS)—to run completely independently on a single chip. Renesas announced the R-Car hypervisor in April of 2017 and the new R-Car virtualization support package was developed to help software vendors accelerate their development of R-Car hypervisors.

The company’s third-generation R-Car SoCs were designed assuming that they would be used with a hypervisor. The Arm CPU cores, graphics cores, video/audio IP and other functions include virtualization functions. Originally, for software vendors to make use of these functions, they would have had to understand both the R-Car hardware manuals and the R-Car virtualization functions and start by looking into how to implement a hypervisor. Now, by following development guides in the R-Car virtualization support package, not only can software vendors easily take advantage of these functions, they will be able to take full advantage of the advanced features of R-Car. Also, by providing sample software that can be used as a reference, this package supports rapid development.

Technology partnerships have been playing a key role in automotive infotainment trends. Along just those lines, in September Renesas and OpenSynergy, a supplier of automotive hypervisors, announced that Renesas’ R-Car H3 SoC and OpenSynergy’s COQOS Hypervisor SDK were adopted on Parrot Faurecia’s automotive safe multi-display cockpit. The latest version of Android is the guest OS of the COQOS Hypervisor, which executes both the instrument cluster functionality, including safety-relevant display elements based on Linux, and the Android-based in-vehicle infotainment (IVI) on a single R-Car H3 SoC chip (Figure 2). The COQOS Hypervisor SDK shares the R-Car H3 GPU with Android and Linux, allowing applications to be presented on multiple displays, realizing a powerful and flexible cockpit system.

Figure 2
With Android as the guest OS of the COQOS Hypervisor, it executes both the instrument cluster functionality, including safety-relevant display elements based on Linux, and the Android-based in-vehicle infotainment (IVI) on a single R-Car H3 SoC chip.

According to OpenSynergy’s CEO Stefaan Sonck Thiebaut, the COQOS Hypervisor SDK takes full advantage of the hardware and software virtualization extensions provided by Renesas. The OpenSynergy solution includes key features, such as shared display, which allows several virtual machines to use multiple displays flexibly and safely. The R-Car H3 GPU and video/audio IP incorporate virtualization functions, making virtualization by the hypervisor possible and allowing for multiple OSs to operate independently and safely. OpenSynergy’s COQOS Hypervisor SDK is built around a safe and efficient hypervisor that can run software from multipurpose OSs such as Linux or Android, RTOS and AUTOSAR-compliant software simultaneously on one SoC.

Large Touchscreen Support

As the content provided by automotive infotainment systems gets more sophisticated, so too must the displays and user interface technologies that interact with that content. With that in mind, MCU vendors are offering more advanced touchscreen control solutions. Dashboard screens have unique design challenges. Screens in automobiles need to meet stringent head impact and vibration tests. That means thicker cover lenses that potentially impact the touch interface performance. Meanwhile, as screens get larger, they are also more likely to interfere with other frequencies such as AM radio and car access systems. All of these factors become a major challenge in the design of modern automotive capacitive touch systems.

Along just those lines, Microchip in December announced its maXTouch family of single-chip touchscreen controllers designed to address these issues for screens up to 20 inches in size (Figure 3). The MXT2912TD-A, with nearly 3,000 touch sensing nodes, and MXT2113TD-A, supporting more than 2,000 nodes, bring consumers the touchscreen user experience they expect in vehicles. These new devices build upon Microchip’s existing maXTouch touchscreen technology that is widely adopted by manufacturers worldwide. Microchip’s latest solutions offer superior signal-to-noise capability to address the requirements of thick lenses, even supporting multiple finger touches through thick gloves and in the presence of moisture.

Figure 3
The maXTouch family of single-chip touchscreen controllers is designed for screens up to 20 inches in size, and supports up to 3,000 touch sensing nodes. The devices even support multiple finger touches through thick gloves and in the presence of moisture.

As automakers use screens to replace mechanical switches on the dash for sleeker interior designs, safe and reliable operation becomes even more critical. The MXT2912TD and MXT2113TD devices incorporate self- and sensor-diagnostic functions, which constantly monitor the integrity of the touch system. These smart diagnostic features support the Automotive Safety Integrity Level (ASIL) classification index as defined by the ISO 26262 Functional Safety Specification for Passenger Vehicles.

The new devices feature technology that enables adaptive touch utilizing self-capacitance and mutual-capacitance measurements, so all touches are recognized and false touch detections are avoided. They also feature Microchip’s proprietary new signal shaping technology that significantly lowers emissions to help large touchscreens using maXTouch controllers meet CISPR-25 Level 5 requirements for electromagnetic interference (EMI) in automobiles. The new touch controllers also meet automotive temperature grade 3 (-40°C to +85°C) and grade 2 (-40°C to +105°C) operating ranges and are AEC-Q100 qualified.

3D Gesture Control

Aside from the touchscreen display side of automotive infotainment, Microchip for its part has also put its efforts toward innovations in 3D human interface technology. With that in mind, in July the company announced a new 3D gesture recognition controller that offers the lowest system cost in the automotive industry, providing a durable single-chip solution for advanced automotive HMI designs, according to Microchip. The MGC3140 joins the company’s family of easy-to-use 3D gesture controllers as the first qualified for automotive use (Figure 4).

Figure 4
The MGC3140 3D gesture controller is Microchip’s first qualified for automotive use. It’s suited for a range of applications such as navigating infotainment systems, sun shade operation, interior lighting and more.

Suited for a range of applications that limit driver distraction and add convenience to vehicles, Microchip’s new capacitive technology-based air gesture controller is ideal for navigating infotainment systems, sun shade operation, interior lighting and other applications. The technology also supports the opening of foot-activated rear liftgates and any other features a manufacturer wishes to incorporate with a simple gesture action.

The MGC3140 is Automotive Electronics Council AEC-Q100 qualified with an operating temperature range of -40°C to +125°C, and it meets the strict EMI and electromagnetic compatibility (EMC) requirements of automotive system designs. Each 3D gesture system consists of a sensor that can be constructed from any conductive material, as well as the Microchip gesture controller tuned for each individual application.

While existing solutions such as infrared and time-of-flight technologies can be costly and operate poorly in bright or direct sunlight, the MGC3140 offers reliable sensing in full sunlight and harsh environments. Other solutions on the market also come with physical constraints and require significant infrastructure and space to be integrated in a vehicle. The MGC3140 is compatible with ergonomic interior designs and enables HMI designers to innovate with fewer physical constraints, because the sensor can be any conductive material and hidden from view.

Vehicle Networking

While applicable to areas beyond infotainment, an automobile’s ability to network with the outside world has become ever more important. As critical vehicle powertrain, body, chassis, and infotainment features increasingly become defined by software, securely delivering updates such as fixes and option packs over the air (OTA) enhances cost efficiency and customer convenience. Serving those needs, in October STMicroelectronics released its latest Chorus automotive MCU that provides a gateway/domain-controller solution capable of handling major OTA updates securely.

With three high-performance processor cores, more than 1.2 MB RAM and powerful on-chip peripherals, ST’s new flagship SPC58 H Line joins the Chorus Series of automotive MCUs and can run multiple applications concurrently to allow more flexible and cost-effective vehicle-electronics architectures (Figure 5). Two independent Ethernet ports provide high-speed connectivity between multiple Chorus chips throughout the vehicle and enable responsive in-vehicle diagnostics. Also featuring 16 CAN-FD and 24 LINFlex interfaces, Chorus can act as a gateway for multiple ECUs (electronic control units) and support smart-gateway functionality via the two Ethernet interfaces on-chip.

Figure 5
The SPC58 H Line of MCUs can run multiple applications concurrently to allow more flexible and cost-effective vehicle-electronics architectures. Two independent Ethernet ports provide high-speed connectivity between multiple Chorus chips throughout the vehicle.

To protect connected-car functionalities and allow OTA updates to be applied safely, the new Chorus chip contains a Hardware Security Module (HSM) capable of asymmetric cryptography. Being EVITA Full compliant, it implements industry-leading attack prevention, detection and containment techniques.

Working with its large on-chip 10 MB flash, the SPC58NH92x’s context-swap mechanism allows current application code to run continuously even while an update is downloaded and made ready to be applied later at a safe time. The older software can be retained, giving the option to roll-back to the previous version in an emergency. Hyperbus and eMMC/SDIO high-speed interfaces to off-chip memory are also integrated, enabling further storage expansion if needed.

Single Cable Solution

Today’s automotive infotainment systems comprise mobile services, cross-domain communication and autonomous driving applications as part of in-vehicle networking. As a result, these systems require a more flexible solution for transporting packet, stream and control content. Existing implementations are either costly and cumbersome, or too limited in bandwidth and packet data capabilities to support system updates and internetworking requirements.

To address this need, Microchip Technology in November announced an automotive infotainment networking solution that supports all data types—including audio, video, control and Ethernet—over a single cable. Intelligent Network Interface Controller networking (INICnet) technology is a synchronous, scalable solution that significantly simplifies building audio and infotainment systems, offering seamless implementation in vehicles that have Ethernet-oriented system architectures (Figure 6).

Figure 6
INICnet technology is a synchronous, scalable solution that significantly simplifies building audio and infotainment systems, offering seamless implementation in vehicles that have Ethernet-oriented system architectures.

Audio is a key infotainment feature in vehicles, and INICnet technology provides full flexibility through supporting a variety of digital audio formats with multiple sources and sinks. INICnet technology also provides high-speed packet-data communications with support for file transfers, OTA software updates and system diagnostics via standard Ethernet frames. In this way, INICnet technology supports seamless integration of Internet Protocol (IP)-based system management and data communications, along with very efficient transport of stream data. INICnet technology does not require the development and licensing of additional protocols or software stacks, reducing development costs, effort and time.

INICnet technology provides a standardized solution that works with both Unshielded Twisted Pair (UTP) at 50 Mbps and coaxial cable at 150 Mbps. With low and deterministic latency, INICnet technology supports deployment of complex audio and acoustics applications. Integrated network management supports networks ranging from two to 50 nodes, as well as processor-less or slim modules where the node is remotely configured and managed. The solution’s Power over Data Line (PoDL) capability saves costs on power management for microphones and other slim modules. Nodes can be arranged in any order with the same result, and any node in the system can directly communicate with any other node in the system.

Security for Connected Cars

As cars become more network-connected, the issue of security takes on new dimensions. In October, Infineon Technologies announced a key effort in cybersecurity for the connected car by introducing a Trusted Platform Module (TPM) specifically for automotive applications—the first on the market, according to the company. The new OPTIGA TPM 2.0 protects communication between the car manufacturer and the car, which increasingly turns into a computer on wheels. A number of car manufacturers have already designed in Infineon’s OPTIGA TPM.

The TPM is a hardware-based security solution that has proven its worth in IT security. By using it, car manufacturers can incorporate sensitive security keys for assigning access rights, authentication and data encryption in the car in a protected way. The TPM can also be updated so that the level of security can be kept up to date throughout the vehicle’s service life.

Cars send real-time traffic information to the cloud or receive updates from the manufacturer “over the air,” for example to update software quickly and in a cost-effective manner. The senders and recipients of that data—whether car makers or individual components in the car—require cryptographic security keys to authenticate themselves. These critical keys are particularly protected against logical and physical attacks in the OPTIGA TPM as if they were in a safe.

Early Phase Critical

Incorporating the first or initial key into the vehicle is a particularly sensitive moment for car makers. When the TPM is used, this step can be carried out in Infineon’s certified production environment. After that, the keys are protected against unauthorized access; there is no need for further special security precautions. The TPM likewise generates, stores and administers further security keys for communication within the vehicle. And it is also used to detect faulty or manipulated software and components in the vehicle and initiate troubleshooting by the manufacturer in such a case.

Figure 7
The SLI 9670 consists of an attack-resistant security chip (shown) and high-performance firmware developed in accordance with the latest security standard. The firmware enables immediate use of security features, such as encryption, decryption, signing and verification.

The SLI 9670 consists of an attack-resistant security chip and high-performance firmware developed in accordance with the latest security standard (Figure 7). The firmware enables immediate use of security features, such as encryption, decryption, signing and verification. The TPM can be integrated quickly and easily in the system thanks to the open source software stack (TSS stack) for the host processor, which is also provided by Infineon. It has an SPI interface and an extended temperature range from -40°C to 105°C, and it supports the cryptographic algorithms RSA-2048, ECC-256 and SHA-256. The new TPM complies with the internationally acknowledged Trusted Computing Group TPM 2.0 standard, is certified for security according to Common Criteria and is qualified in accordance with the automotive standard AEC-Q100.

Side by side with driverless vehicle innovations, there’s no doubt that infotainment systems represent one of the most dynamic subsets of today’s automotive systems design. MCU vendors offer a variety of chip and software solutions addressing all the different pieces of car infotainment requirements from display interfacing to connectivity to security. Circuit Cellar will continue to follow these developments. And later this year, we’ll take a look specifically at MCU solutions aimed at enabling driverless vehicles and assisted driving technologies.

RESOURCES

Cypress Semiconductor | www.cypress.com
Infineon Technologies | www.infineon.com
Microchip | www.microchip.com
OpenSynergy | www.opensynergy.com
Renesas Electronics America | www.renesas.com
STMicroelectronics | www.st.com

Read the February 343 issue of Circuit Cellar

Don’t miss out on upcoming issues of Circuit Cellar. Subscribe today!

Note: We’ve made the October 2017 issue of Circuit Cellar available as a free sample issue. In it, you’ll find a rich variety of the kinds of articles and information that exemplify a typical issue of the current magazine.

Security Takes Center Stage for MCUs

Enabling Secure IoT

Embedded systems face security challenges unlike those in the IT realm. To meet those needs, microcontroller vendors continue to add ever-more sophisticated security features to their devices—both on their own and via partnerships with security specialists.

By Jeff Child, Editor-in-Chief

For embedded systems, there is no one piece of technology that can take on all the security responsibilities of a system on its own. Indeed, everything from application software to firmware to data storage has a role to play in security. That said, microcontrollers have been trending toward assuming a central role in embedded security. One driving factor for this is the Internet-of-Things (IoT). As the IoT era moves into full gear, all kinds of devices are getting more connected. And because MCUs are a key component in those connected systems, MCUs have evolved in recent years to include more robust security features on chip.

That trend has continued over the last 12 months, with the leading MCU vendors ramping up those embedded security capabilities in a variety of ways—some on their own and some by teaming up with hardware and software security specialists.

Built for IoT Security

Exemplifying these trends, Microchip Technology in June released its SAM L10 and SAM L11 MCU families (Figure 1). The devices were designed to address the increasing risks of exposing intellectual property (IP) and sensitive information in IoT-based embedded systems. The MCU families are based on the Arm Cortex-M23 core, with the SAM L11 featuring Arm TrustZone for Armv8-M, a programmable environment that provides hardware isolation between certified libraries, IP and application code. Security features on the MCUs include tamper resistance, secure boot and secure key storage. These, combined with TrustZone technology, protect applications from both remote and physical attacks.

Figure 1
The SAM L10 and SAM L11 MCU families provide TrustZone for Armv8-M hardware isolation between certified libraries, IP and application code. The MCUs also feature tamper resistance, secure boot and secure key storage.

In addition to TrustZone technology, the SAM L11 security features include an on-board cryptographic module supporting Advanced Encryption Standard (AES), Galois Counter Mode (GCM) and Secure Hash Algorithm (SHA). The secure boot and secure key storage with tamper detection capabilities establish a hardware root of trust. It also offers a secure bootloader for secure firmware upgrades.

Microchip has partnered with Trustonic, a member of Microchip’s Security Design Partner Program, to offer a comprehensive security solution framework that simplifies implementation of security and enables customers to introduce end products faster. Microchip has also partnered with Secure Thingz and Data I/O Corporation to offer secure provisioning services for SAM L11 customers that have a proven security framework.

Wireless MCU

Likewise focusing on IoT security, NXP Semiconductor in February announced its K32W0x wireless MCU platform. According to NXP, it’s the first single-chip device with a dual-core architecture and embedded multi-protocol radio. It provides a solution for miniaturizing sophisticated applications that typically require a larger, more costly two-chip solution. Examples include consumer devices such as wearables, smart door locks, thermostats and other smart home devices.

The K32W0x embeds a dual-core architecture comprised of an Arm Cortex-M4 core for high performance application processing and a Cortex-M0+ core for low-power connectivity and sensor processing. Memory on chip includes 1.25 MB of flash and 384 KB of SRAM. Its multi-protocol radio supports Bluetooth 5 and IEEE 802.15.4 including the Thread IP-based mesh networking stack and the Zigbee 3.0 mesh networking stack.

Figure 2
Security features of the K32W0x MCU include a cryptographic sub-system that has a dedicated core, dedicated instruction and data memory for encryption, signing and hashing algorithms including AES, DES, SHA, RSA and ECC.

Features of the K32W0x’s security system include a cryptographic sub-system that has a dedicated core, dedicated instruction and data memory for encryption, signing and hashing algorithms including AES, DES, SHA, RSA and ECC. Secure key management is provided for storing and protecting sensitive security keys (Figure 2). Support is enabled for erasing the cryptographic sub-system memory, including security keys, upon sensing a security breach or physical tamper event. The device has a Resource Domain Controller for access control, system memory protection and peripheral isolation. Built-in secure boot and secure over-the-air programming is supported to assure only authorized and authenticated code runs in the device.

To extend the on-chip security features of the K32W0x MCU platform, NXP has collaborated with B-Secur, an expert in biometric authentication, to develop a system that uses an individual’s unique heart pattern (electrocardiogram/ECG) to validate identity, making systems more secure than using an individual’s fingerprint or voice.

IP Boosts Security

For its part, Renesas Electronics addressed the IoT security challenge late last year when it expanded its RX65N/RX651 Group MCU lineup.  …

Read the full article in the October 339 issue of Circuit Cellar


MCUs Bring Enhanced Security to IoT Systems

Microchip has announced its SAM L10 and SAM L11 MCU families addressing the growing need for security in IoT applications. The new MCU families are based on the Arm Cortex-M23 core, with the SAM L11 featuring Arm TrustZone for Armv8-M, a programmable environment that provides hardware isolation between certified libraries, IP and application code. Security features on the MCUs include tamper resistance, secure boot and secure key storage. These, combined with TrustZone technology, protect applications from both remote and physical attacks.

In addition to TrustZone technology, the SAM L11 security features include an on-board cryptographic module supporting Advanced Encryption Standard (AES), Galois Counter Mode (GCM) and Secure Hash Algorithm (SHA). The secure boot and secure key storage with tamper detection capabilities establish a hardware root of trust. It also offers a secure bootloader for secure firmware upgrades.

Microchip has partnered with Trustonic, a member of Microchip’s Security Design Partner Program, to offer a comprehensive security solution framework that simplifies implementation of security and enables customers to introduce end products faster. Microchip has also partnered with Secure Thingz and Data I/O Corporation to offer secure provisioning services for SAM L11 customers that have a proven security framework.

Both MCU families offer Microchip’s latest-generation Peripheral Touch Controller (PTC) for capacitive touch capabilities. Designers can easily add touch interfaces that provide an impressively smooth and efficient user experience in the presence of moisture and noise while maintaining low power consumption. The touch interface makes the devices ideal for a myriad of automotive, appliance, medical and consumer Human Machine Interface (HMI) applications.

The SAM L10 and SAM L11 Xplained Pro Evaluation Kits are available to kick-start development. All SAM L10/L11 MCUs are supported by the Atmel Studio 7 Integrated Development Environment (IDE), IAR Embedded Workbench, Arm Keil MDK as well as Atmel START, a free online tool to configure peripherals and software that accelerates development. START also supports TrustZone technology to configure and deploy secure applications. A power debugger and data analyzer tool are available to monitor and analyze power consumption in real time and fine tune the consumption numbers on the fly to meet application needs. Microchip’s QTouch Modular Library, 2D Touch Surface Library and QTouch Configurator are also available to simplify touch development.

Devices in the SAM L10 series are available starting at $1.09 (10,000s). Devices in the SAM L11 series are available starting at $1.22 (10,000s).

Microchip Technology | www.microchip.com

Verifying Code Readout Protection Claims

Think Like an Attacker

How do you verify the security of microcontrollers? MCU manufacturers often make big claims, but sometimes it is in your best interest to verify them yourself. In this article, Colin discusses a few threats against code readout and looks at verifying some of those claimed levels.

By Colin O’Flynn

You’ve got your latest and greatest IoT toaster designed, and you’re looking to move forward with production. But one thing concerns you: How do you know this stellar code isn’t going to be cloned as soon as you release it to the market?

You turn to the firmware protection features of your chosen microcontroller, but how good are they? This article can’t hope to answer that question in general; instead, it will give you a short example of how to help answer that question for any specific microcontroller.

In particular, it will teach you to “think like an attacker” when reading through datasheets. Look for small loopholes that could have big consequences, and you will have a much better time navigating the landscape of potential attacks.

Know What’s Out There

One of the most important things is to keep an eye out for new and interesting attacks against these devices. In my January 2018 article (Circuit Cellar 330) I described how there is a published attack against some of the NXP LPC devices, which makes it very easy to unlock them. You can see the presentation entitled “Breaking Code Read Protection on the NXP LPC-family Microcontrollers” by Chris Gerlinsky which describes this attack. Another recent one is an attack against STMicroelectronics’ STM32F0 devices entitled “Shedding Too Much Light on a Microcontroller’s Firmware Protection” by Johannes Obermaier and Stefan Tatschner. That one is a little more limited, but still has some interesting information regarding potential security attacks.

I’m hoping to distill some of these attacks down into common problems, which will help you close a few loopholes before someone rips off your IoT toaster design. At least now if it fails in the marketplace you have no one to blame but yourself.

To give you something concrete to read (and for me to reference), I’ve chosen to use the ST STM32F303 series because it’s a device I’ve been using myself lately. I’m not going to be revealing any unknown vulnerabilities—so if you’re reading this from your office at STMicroelectronics, no need to sweat. It also has some pretty common configuration options, so it makes for a nice reference you can apply to a range of other devices.

ST Read Protection (RDP)

The first step when you are looking at a new device should be to very carefully inspect the security or debug lock protection portion of the datasheet. It will typically go into a fair amount of detail about how the protection mechanism works.

The STM32F3 Reference Manual (RM0316) has this split into two sections. Section 5, entitled “Option byte description,” provides information about how the flags are stored in flash. Section 4.3, entitled “Memory Protection,” details how this is actually used to protect the code in your device.

Table 1
This excerpt from the datasheet shows how the flash memory read protection levels are defined for the STM32F3 device.

The two important pieces of information for us are replicated in Table 1 and Table 2. They are the flash memory protection levels, and the associated access allowed at each level. The RDP byte is a special “option byte”, which is the value of a specific location in flash memory. Note the scheme they have chosen uses two bytes, where one is always programmed to be the complement of the other byte. This is presumably used for error checking, and if a byte is not matched with a complement, an error flag is set.

Table 2
Code protection levels 1 and 2 have differing protection abilities. This excerpt from the datasheet shows where flash memory can be read/written/executed from.

Right away you should notice that this scheme does not fall victim to the same problem as the LPC attack I talked about before. In particular, the LPC attack exploited the fact that a fault or glitch could corrupt the flag value, which caused the CPU to disable the protection.

With the STM32F303, these invalid levels will all map to Protection Level 1. This protection level does not allow external flash access, which “should” be a good sign. The highest protection level also claims to be impossible to remove, but if we could corrupt the value of the option bytes in memory we could downgrade from Protection Level 2 to Protection Level 1. In fact, this “downgrade” is exactly what was presented by Obermaier & Tatschner. The downgrade used chip decapsulation and light to flip the bits, which is relatively invasive. Other fault attacks (such as voltage or EM) might work, but that would require investigation before assuming it. Such temporary fault attacks would require that the value be read and latched.
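The encoding described above can be checked mechanically when reviewing a datasheet. The C model below is an added example, not code from the article or from ST; the byte values 0xAA/0x55 (Level 0) and 0xCC/0x33 (Level 2) are taken from the RM0316 table that the article cites as Table 1 but which is not reproduced on this page, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Protection levels as named in the article. */
enum rdp_level { RDP_LEVEL_0 = 0, RDP_LEVEL_1 = 1, RDP_LEVEL_2 = 2 };

/* Decode an (RDP, nRDP) option-byte pair.
 * Assumed encoding (RM0316 table, not reproduced on this page):
 * 0xAA/0x55 -> Level 0, 0xCC/0x33 -> Level 2, anything else -> Level 1. */
enum rdp_level rdp_decode(uint8_t rdp, uint8_t nrdp)
{
    if (rdp == 0xAA && nrdp == 0x55) return RDP_LEVEL_0;
    if (rdp == 0xCC && nrdp == 0x33) return RDP_LEVEL_2;
    return RDP_LEVEL_1;   /* invalid or mismatched pairs fall back here */
}

/* Flip each of the 16 stored bits in turn and count the level each
 * corrupted pair decodes to; counts[] is indexed by enum rdp_level. */
void rdp_single_bit_faults(uint8_t rdp, uint8_t nrdp, int counts[3])
{
    uint16_t word = (uint16_t)((nrdp << 8) | rdp);
    counts[0] = counts[1] = counts[2] = 0;
    for (int bit = 0; bit < 16; bit++) {
        uint16_t f = (uint16_t)(word ^ (1u << bit));
        counts[rdp_decode((uint8_t)(f & 0xFF), (uint8_t)(f >> 8))]++;
    }
}

/* Number of stored bits that must change for the pair to read as Level 0. */
int rdp_bits_to_level0(uint8_t rdp, uint8_t nrdp)
{
    uint16_t diff = (uint16_t)(((nrdp ^ 0x55) << 8) | (rdp ^ 0xAA));
    int n = 0;
    for (; diff; diff >>= 1) n += diff & 1;
    return n;
}

int main(void)
{
    int c[3];
    rdp_single_bit_faults(0xCC, 0x33, c);   /* start from Level 2 */
    printf("Level 2, one bit flipped: L0=%d L1=%d L2=%d\n", c[0], c[1], c[2]);
    rdp_single_bit_faults(0xAA, 0x55, c);   /* start from Level 0 */
    printf("Level 0, one bit flipped: L0=%d L1=%d L2=%d\n", c[0], c[1], c[2]);
    printf("Bits between Level 2 and Level 0: %d\n", rdp_bits_to_level0(0xCC, 0x33));
    return 0;
}
```

Under this encoding every single-bit corruption of either valid pair decodes to Level 1: from Level 2 that is the downgrade the article describes, while from Level 0 it is a fail-closed result.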

But as a good designer, you should assume such faults could be made possible. In this case it would be possible to “downgrade” the device from Protection Level 2 to Protection Level 1. So, what happens if an attacker performed this downgrade? That takes us into the second part of this article. …

Read the full article in the July 336 issue of Circuit Cellar
