Breaking STM32 readout protection: From UV light to CPU state tracing

Following up on the evolution of STM32 RDP attacks covered above → here’s a concrete illustration of where things stand in practice (150 yuans).

(source: An Interesting Find: STM32 RDP1 "Decryptor" - Karolis Stasaitis)

Karolis Stasaitis (@carlossless) recently documented something interesting: while browsing Xianyu (闲鱼, China’s second-hand marketplace), he found a whole market of turnkey STM32 RDP1 “decryptors”: search for “STM32解密” and you’ll see dozens of listings.

For about 150 yuan (~19 EUR), you get a USB dongle, adapter PCBs for F0/F1/F2/F4 packages, and a Windows utility. Solder the chip on the adapter, plug it in, click a button → full flash dump. No glitching rig, no tuning parameters, no understanding the underlying attack. It just works.

He tested it on an STM32F205RBT6 with RDP Level 1 enabled and got a clean 128KB flash readout at room temperature: the seller’s recommendation to use freeze spray wasn’t even necessary. The only quirk was the tool overshooting past the flash boundary and padding with 0xFF, but the actual contents were correct.

The dongle has an SOP-16 IC with its markings scraped off, and the Windows app triggers Defender and requires Chinese Simplified encoding to run, so the UX isn’t exactly polished. But the point stands: what took research labs, custom rigs, and careful timing a few years ago is now a commodity product on a Chinese flea market.

This is exactly the trajectory we described above:

  • 2017: UV-C + decapping + custom tooling (Obermaier & Tatschner)
  • 2020: Debug interface logic bugs (CVE-2020-8004)
  • 2021–2024: Voltage glitching with ChipWhisperer setups
  • 2025: Pure CPU state tracing with a Raspberry Pi Pico (TraceRip)
  • Now: solder, plug, click, done :smiley:

What is missing there?

Full writeup from Karolis: An Interesting Find: STM32 RDP1 "Decryptor" - Karolis Stasaitis

Has anyone here bought one of these or similar devices? Would be curious to know what’s actually inside that dongle, and whether it’s doing a known attack (voltage glitch? race condition?) or something else entirely.