An Interesting Find: STM32 RDP1 Decryptor

Published: March 2, 2026 at 09:12 AM EST
3 min read

Source: Hacker News

Recently while browsing Xianyu (闲鱼) looking for BYK-series chips (Sinowealth 8051 MCUs) for another project, I stumbled across a device claiming to bypass STM32 RDP1 (Read‑Out Protection Level 1) on F0, F1, F2 and F4 series chips. A quick search for “STM32解密” (STM32 decryption) shows a whole market for these tools.

At about 150 yuan (≈ 19 EUR) plus shipping, I decided to buy one and see if it actually works.

What arrived

The package contained:

  • a blue USB dongle (the programmer)
  • two green adapter PCBs
  • a row of double‑row and a row of single 2.54 mm pin headers
  • a couple of 10 kΩ resistors

[Photo: everything that came in the package]

The adapter boards have footprints for the various packages of F0, F1 and F2/F4 chips, along with pads for decoupling capacitors on the required VCAP pins and a resistor pulling BOOT1 down. I had to supply the 0.1 µF caps for the VCAP pads myself.

[Photo: the USB dongle]

Testing with an STM32F205RBT6

I desoldered an STM32F205RBT6 and placed it on the adapter board.

[Photo: STM32F205RBT6 soldered onto the adapter board and plugged into the dongle]

The device comes with a Windows utility. Before it could run, I had to address two hurdles:

  1. The software immediately triggered Windows Defender, which I disabled in a throwaway VM.
  2. The application wouldn’t launch until I changed the system encoding for non‑Unicode programs to Chinese Simplified (Settings → Time & language → Language & region → Language for non‑Unicode programs → Chinese (Simplified, Mainland China)).

The instructions recommended using freeze spray on the chip during the read process, but it proved unnecessary; the read succeeded at room temperature.

[Screenshot: the host Windows application showing a successful flash readout]

A quirk: the software always overshoots when reading. An STM32F205RB has 128 KB of flash, but the tool reads past the end of that address range and fills the excess with 0xFF. The contents within the valid 128 KB region are correct, so trimming the output to the device's documented flash size fixes the dump. Trim by the part's size rather than by scanning for the 0xFF tail: 0xFF is also the erased-flash value, so unused space at the end of a firmware image is indistinguishable from the overshoot.
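A small post-processing script for the overshoot, written for this write-up as an added example rather than code from the original post or from the vendor's tool. It derives the flash size from the STM32 part number's size letter (the "B" in STM32F205RB means 128 KB), cuts the dump at that boundary, refuses to trim if anything other than 0xFF appears beyond it, and sanity-checks the Cortex-M vector table (initial stack pointer in SRAM, reset vector a Thumb address inside flash). The sample dump is constructed inline to stand in for the tool's output.

```python
"""Trim an STM32 flash dump that runs past the end of flash and sanity-check it.

Added example for this write-up; not the original post's or the vendor's code.
The part-number size table and the sample dump below are assumptions/constructs.
"""
import re
import struct

FLASH_BASE = 0x08000000  # STM32 main flash is aliased here on all F0..F4 parts
SRAM_BASE = 0x20000000   # Cortex-M SRAM region; the initial SP must point into it

# Flash size encoded by the character after the pin-count letter in the part number.
FLASH_SIZE_BY_LETTER = {
    "4": 16 * 1024, "6": 32 * 1024, "8": 64 * 1024, "B": 128 * 1024,
    "C": 256 * 1024, "D": 384 * 1024, "E": 512 * 1024, "G": 1024 * 1024,
    "I": 2048 * 1024,
}


def flash_size_from_part(part: str) -> int:
    """STM32F205RBT6 -> 131072, STM32F103C8T6 -> 65536 (size letter follows the pin letter)."""
    m = re.match(r"^STM32F\d{3}[A-Z]([0-9A-Z])", part.upper())
    if not m or m.group(1) not in FLASH_SIZE_BY_LETTER:
        raise ValueError(f"cannot derive flash size from part number {part!r}")
    return FLASH_SIZE_BY_LETTER[m.group(1)]


def trim_dump(dump: bytes, flash_size: int) -> bytes:
    """Cut an over-long read down to the real flash size.

    Everything past the boundary is expected to be the tool's 0xFF padding; any
    other byte there means the size table is wrong for this part, so stop rather
    than silently discard data.
    """
    if len(dump) < flash_size:
        raise ValueError(f"dump is {len(dump)} bytes, shorter than the {flash_size}-byte flash")
    if dump[flash_size:].strip(b"\xff"):
        raise ValueError("non-0xFF data beyond the flash boundary; check the part size")
    return dump[:flash_size]


def vector_table_looks_sane(image: bytes, flash_size: int) -> bool:
    """Word 0 is the initial SP (must be in SRAM); word 1 the reset handler (odd Thumb
    address inside flash). A dump that fails this is garbage regardless of its length."""
    sp, reset = struct.unpack_from("<II", image, 0)
    in_sram = SRAM_BASE <= sp <= SRAM_BASE + 0x100000  # generous 1 MiB upper bound
    in_flash = (reset & 1) == 1 and FLASH_BASE <= reset < FLASH_BASE + flash_size
    return in_sram and in_flash


def used_extent(image: bytes) -> int:
    """Offset just past the last programmed (non-0xFF) byte. Because 0xFF is also the
    erased value this is a lower bound on the firmware's footprint, not the flash size."""
    return len(image.rstrip(b"\xff"))


def build_sample_dump(flash_size: int, overshoot: int) -> bytes:
    """Constructed stand-in for the tool's output: a plausible vector table, 2 KiB of
    filler 'code', erased flash up to the boundary, then the 0xFF overshoot."""
    vectors = struct.pack("<II", SRAM_BASE + 0x10000, FLASH_BASE + 0x1A5)  # assumed values
    body = vectors + bytes(range(255)) * 8  # 8 + 2040 = 2048 bytes, last byte 0xFE
    return body + b"\xff" * (flash_size - len(body)) + b"\xff" * overshoot


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:
        # usage: python trim_dump.py STM32F205RBT6 raw_read.bin firmware.bin
        size = flash_size_from_part(sys.argv[1])
        raw = open(sys.argv[2], "rb").read()
        image = trim_dump(raw, size)
        open(sys.argv[3], "wb").write(image)
    else:
        size = flash_size_from_part("STM32F205RBT6")
        raw = build_sample_dump(size, 4096)  # constructed data, not a real readout
        image = trim_dump(raw, size)
    print(f"trimmed {len(raw)} -> {len(image)} bytes; vector table sane: "
          f"{vector_table_looks_sane(image, size)}; programmed extent: {used_extent(image)} bytes")
```

Run it with no arguments to see the constructed case, or pass the part number, the tool's raw output and an output path to trim a real readout. The vector-table check is deliberately loose on SRAM size so it works across the F0 to F4 parts the dongle claims to support; tighten the bound if you know the part's exact SRAM.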

Conclusion

The device does work. It dumped the full flash contents of an RDP1‑protected STM32F205RBT6 with no extra help such as cooling the chip; whatever the dongle does internally, no external glitching rig or parameter tuning was needed on my side.

This is not the first method for circumventing RDP1. Documented approaches include:

  • Voltage glitching on STM32F4
  • The Exception(al) Failure debug interface exploit on STM32F1 (blog)
  • Cold‑Boot Stepping on STM32F0 (FAIR)
  • Reproducible glitching setups with open‑source tooling (Secglitcher)

All of those require a deeper understanding of the attack, building or buying a glitching rig, and tuning parameters. This turnkey product lets you solder the chip onto the adapter and click a button, which is both concerning and exciting.

I have not yet examined the PCB in detail; it contains an SOP‑16 IC with the label scraped off (presumably the microcontroller). The Windows‑only host app is not ideal, but it should be possible to recreate it if someone is interested. A deeper analysis of the device’s internals may be worthwhile in the future.
