MITIGATING SECURE BOOTLOADER VULNERABILITIES IN FLASHLESS MICROCONTROLLERS

Petro Venherskyi, Mykoa Scherbyna

Abstract


The potential for man-in-the-middle (MITM) attacks targeting secure bootloaders in microcontrollers without internal flash memory is examined, utilizing a device that monitors SPI bus communication. The possibility of bypassing cryptographic signature verification of embedded firmware is demonstrated by precisely identifying the optimal moment for fault injection or executing modified firmware immediately after signature validation. Additionally, the limited ability to modify AES-CTR encrypted code without knowledge of the encryption key is illustrated. A hardware-based protection mechanism is proposed to mitigate the described MITM attack during execution by employing message authentication codes.
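The two properties named in the abstract, as an added illustration that is not code from the paper: a CTR-style ciphertext can be altered byte-for-byte without the key, and a MAC checked on every fetch from external flash rejects the altered or relocated block. The 16-byte block size, the address-bound truncated HMAC, the sample keys and image, and the SHA-256 keystream standing in for AES are assumptions of this sketch, not the authors' hardware design.

```python
import hashlib
import hmac

BLOCK = 16                        # assumed bytes per authenticated flash read
ENC_KEY = b"constructed-enc-key"  # constructed sample keys
MAC_KEY = b"constructed-mac-key"
IMAGE = bytes(range(32))          # constructed 2-block "firmware"

def ctr_xor(addr: int, data: bytes) -> bytes:
    # CTR-style stream cipher; SHA-256(key || address) stands in for the AES
    # keystream block so only the standard library is needed.
    ks = hashlib.sha256(ENC_KEY + addr.to_bytes(8, "little")).digest()
    return bytes(d ^ k for d, k in zip(data, ks))

def tag(addr: int, ct: bytes) -> bytes:
    # MAC binds the ciphertext to its flash address (truncated HMAC-SHA-256).
    msg = addr.to_bytes(8, "little") + ct
    return hmac.new(MAC_KEY, msg, hashlib.sha256).digest()[:8]

def provision(image: bytes) -> dict:
    # External flash contents: address -> (ciphertext, tag).
    flash = {}
    for addr in range(0, len(image), BLOCK):
        ct = ctr_xor(addr, image[addr:addr + BLOCK])
        flash[addr] = (ct, tag(addr, ct))
    return flash

def fetch(flash: dict, addr: int, check_mac: bool = True) -> bytes:
    # MCU read path: verify before decrypting, fail closed on mismatch.
    ct, t = flash[addr]
    if check_mac and not hmac.compare_digest(t, tag(addr, ct)):
        raise ValueError(f"MAC mismatch at {addr:#x}")
    return ctr_xor(addr, ct)

def flip(flash: dict, addr: int, offset: int, mask: int) -> dict:
    # Models a byte modified on the SPI bus: XOR into ciphertext, tag untouched.
    ct, t = flash[addr]
    ct = ct[:offset] + bytes([ct[offset] ^ mask]) + ct[offset + 1:]
    return {**flash, addr: (ct, t)}

def rejected(flash: dict, addr: int) -> bool:
    # True when the authenticated read path refuses the block.
    try:
        fetch(flash, addr)
        return False
    except ValueError:
        return True
```

With `check_mac=False` the flipped byte decrypts to the original plaintext byte XOR the mask, which is the malleability the abstract refers to; binding the address into the tag also causes a valid block replayed at a different address to be refused.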





DOI: http://dx.doi.org/10.30970/vam.2024.32.13307
