STM8S105K6 Chip Decryption: Advanced Techniques for Legacy System Recovery

As a lead reverse engineer at Well Done Technology, I recently spearheaded a mission to decrypt STM8S105K6 microcontrollers embedded in critical infrastructure sensors. This case study outlines our technical approach to bypassing its security features while maintaining system integrity.

Introduction

The STM8S105K6 (32KB Flash, 16 MHz 8-bit core) is a workhorse in legacy industrial systems. However, its combination of read protection (Level 2) and custom encryption posed significant hurdles when our client faced unplanned obsolescence of their sensor network. This document details our successful decryption methodology.

Chip Specifications & Security Features

Key Parameters

Parameter        | Value
-----------------|---------------------------
Architecture     | STM8S (8-bit)
Memory           | 32KB Flash / 2KB SRAM
ADC Resolution   | 10-bit
Security Levels  | Read Protection (Level 2)
Encryption       | Proprietary XOR Scheme

Critical Pins for Attack

Pin Location            | Pin Details
------------------------|----------------------------------------------------
Left Side (Pins 1-20)   | 1 - PC7 • 2 - PC8 • 3 - PC9 • 4 - PC10 • 5 - PC11
                        | 6 - BOOT1 • 7 - PH3 • 8 - PH2 • 9 - VDD • 10 - VSS
                        | 11 - PA0 • 12 - PA1 • 13 - PA2 • 14 - PC3 • 15 - PC2
                        | 16 - PC1 • 17 - PC0 • 18 - NRST • 19 - PH1 • 20 - PH0

Security Analysis

Protection Mechanisms

Read Protection:

    // Protection configuration
    FLASH->CR2 |= FLASH_CR2_LP;    // Level 2 protection
    FLASH->OPTR |= FLASH_OPTR_RDP; // Read protection enable

Custom Encryption:

    #include <stdint.h>

    // Every byte of the buffer is XORed with the same single-byte key,
    // which is derived from the device's hardware ID.
    void encrypt_data(uint8_t *data, uint16_t len) {
        uint8_t key = get_hardware_id();
        for (int i = 0; i < len; i++) {
            data[i] ^= key;
        }
    }


Decryption Strategy

Software Reverse Engineering

Memory Dump Analysis:

    # Python script for XOR key detection
    # A single-byte key leaves only 256 candidates; the first candidate that
    # exposes the known plaintext marker b'INIT' in the dump is accepted.
    def find_xor_key(encrypted_data):
        for key_candidate in range(256):
            decrypted = bytes([b ^ key_candidate for b in encrypted_data])
            if b'INIT' in decrypted:
                return key_candidate
        return None  # no candidate revealed the marker


Hardware Attack Setup

Voltage Glitching Parameters:

    // Glitch generation code
    void apply_glitch() {
        DAC->DHR12R1 = 0x0000; // Initial voltage
        delay_us(100);
        DAC->DHR12R1 = 0x03FF; // Glitch voltage
        delay_us(50);
        DAC->DHR12R1 = 0x0000;
    }


Case Study: Sensor Network Recovery

Challenge

  • System: 500+ environmental sensors with STM8S105K6
  • Issue: Manufacturer-locked firmware preventing security updates
  • Goal: Recover sensor calibration algorithms

Technical Execution

Key Recovery Flow:

[Figure: Encrypted Flash Data Recovery Workflow: Dump, Checksum Analysis, XOR Key Brute-force, Calibration Data Recovery]

Validation Script:

    // The recovered calibration block is accepted only if its checksum matches
    // the 16-bit value stored in the last two bytes of the 32KB Flash
    // (FLASH_BASE + 0x7FFE).
    bool validate_calibration() {
        uint16_t checksum = calculate_checksum(calibration_data);
        return checksum == *(uint16_t*)(FLASH_BASE + 0x7FFE);
    }

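The recovery flow above (XOR key detection followed by checksum validation) carried through end to end on a constructed 32 KB dump, as an added example that is not the page's or Well Done's own code. It shows why a single-byte XOR scheme provides no confidentiality: a known plaintext marker identifies the key in at most 256 trials. The checksum routine (16-bit byte sum), the big-endian trailer layout and the calibration block offset are assumptions, since the page does not define calculate_checksum().

```python
import struct

FLASH_SIZE = 0x8000        # 32 KB Flash on the STM8S105K6
TRAILER_OFFSET = 0x7FFE    # FLASH_BASE + 0x7FFE, where validate_calibration() reads the checksum
MARKER = b"INIT"           # known plaintext the page's find_xor_key() searches for

def calculate_checksum(data: bytes) -> int:
    """Assumed stand-in for the page's undefined calculate_checksum(): 16-bit byte sum."""
    return sum(data) & 0xFFFF

def xor_translate(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (the same operation as encrypt_data())."""
    return data.translate(bytes(b ^ key for b in range(256)))

def find_xor_key(encrypted: bytes, marker: bytes = MARKER):
    """A single-byte XOR key leaves only 256 candidates; the first one that
    exposes the known marker is accepted. Returns None if no candidate fits."""
    for key in range(256):
        if marker in xor_translate(encrypted, key):
            return key
    return None

def validate_calibration(image: bytes, cal_start: int, cal_len: int) -> bool:
    """Mirror of the page's validate_calibration(): checksum over the calibration
    block must equal the trailer word (STM8 is big-endian, so '>H' is assumed)."""
    stored = struct.unpack_from(">H", image, TRAILER_OFFSET)[0]
    return calculate_checksum(image[cal_start:cal_start + cal_len]) == stored

def recover(encrypted: bytes, cal_start: int, cal_len: int):
    """Dump -> key brute-force -> decrypt -> checksum validation. Returns
    (key, plaintext image, checksum_ok) or None when no key reveals the marker."""
    key = find_xor_key(encrypted)
    if key is None:
        return None
    image = xor_translate(encrypted, key)
    return key, image, validate_calibration(image, cal_start, cal_len)

def build_sample_image(key: int, cal_start: int = 0x0100, cal: bytes = bytes(range(64))) -> bytes:
    """Constructed sample dump (not a real device image): marker, calibration block,
    erased flash (0xFF) and a checksum trailer, XORed with `key` as encrypt_data() does."""
    img = bytearray(b"\xFF" * FLASH_SIZE)
    img[0:len(MARKER)] = MARKER
    img[cal_start:cal_start + len(cal)] = cal
    struct.pack_into(">H", img, TRAILER_OFFSET, calculate_checksum(cal))
    return xor_translate(bytes(img), key)
```

A flipped bit anywhere in the calibration block makes validate_calibration() return False, which is the only integrity signal this scheme offers.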

Mitigation Strategies

Enhanced Security

    #include <stdint.h>

    // Dual-key implementation: mixes an ADC noise sample with a CRC of the RTC counter.
    // Note: the result is a 16-bit value, so it is a rolling obfuscation key rather
    // than cryptographic key material.
    void secure_keygen() {
        uint8_t temp = ADC1->DR;
        // Combine the high and low RTC counter halves into one 32-bit value;
        // storing this in a uint16_t would silently discard CNTH.
        uint32_t rtc = ((uint32_t)RTC->CNTH << 16) | RTC->CNTL;
        session_key = crc16((uint8_t*)&rtc, sizeof(rtc)) ^ temp;
    }


Process Improvements

  1. Dual-factor authentication for firmware updates
  2. Memory scrambling during runtime
  3. Dynamic key rotation every 24 hours

Conclusion

This project showcases that targeted attacks combining software analysis and hardware glitching can overcome even sophisticated 8-bit microcontroller security. The recovered firmware enabled our client to modernize their sensor network while implementing state-of-the-art security protocols.

For enterprise-level decryption services, contact:

Principal Engineer:
Dr. Billy Zheng
Well Done PCB Technology
billy@reversepcb.com
Emergency Support: +86-157-9847-6858
