17 lines
1.2 KiB
Markdown
17 lines
1.2 KiB
Markdown
# esp-bootrom-exploit
|
|
Working on an exploit to break the security on the ESP32-S3
|
|
Highly a work in progress
|
|
|
|
[entropy](entropy/) - entropy images of the bootroms
|
|
[esp-rom-elfs-20230320](esp-rom-elfs-20230320/) - all of the ESP32-X bootloader elfs from [here](https://github.com/espressif/esp-rom-elfs/releases/tag/20230320)
|
|
[ESP32-S3_Exploit_FPGA](ESP32-S3_Exploit_FPGA/) - runs the exploit, based on a cheap [Tang Nano 9K FPGA](https://www.aliexpress.us/item/3256807026232976.html?channel=twinner) using [Lushay Code](https://learn.lushaylabs.com/vscode-extension/) for VS Code
|
|
[existing_files](existing_files/) - assorted existing roms I found
|
|
[Ghidra](Ghidra/) - Ghidra project for reverse engineering and exploit dev
|
|
[libs](libs/) - extra libraries that Espressif disclosed was used in the roms, excepting those found natively in esp-idf (useful for reverse engineering and debugging)
|
|
[sillyfillyespdumper](sillyfillyespdumper/) - tool I made to dump arbitrary data from ESP32-Xs
|
|
[silltfillyespdumper/live-roms](sillyfillyespdumper/live-roms/) - full, redundant rom dumps from two production ESP32-S3s
|
|
|
|
|
|
Based much on [Coruk's attack on the ESP32-C3](https://courk.cc/esp32-c3-c6-fault-injection)
|
|
|