Hardwear.io USA

Extracting Protected Flash With STM32-TraceRip


Course

Mark Omo and James Rowley of Marcus Engineering explain how runtime state leakage in STM32 microcontrollers enables recovery of flash contents despite readout protection.

Embedded systems often rely on readout protection to prevent firmware disclosure, yet many designs assume that restricting flash access alone is sufficient. This session explores how runtime behavior exposes sensitive state on STM32 microcontrollers through accessible debugging paths. By observing processor registers, SRAM and execution timing during integrity checks, protected firmware can be reconstructed without direct flash reads. This approach exploits deterministic verification routines, such as CRC operations, combined with repeated power cycling and precise delay control to infer memory contents. The result challenges long-held assumptions about isolation between execution state and code secrecy and highlights systemic weaknesses in common protection schemes used across low-cost microcontroller families.

In this session, you will learn:

  • How STM32 readout protection isolates flash but leaves execution state observable;
  • How to use integrity-check routines to infer protected firmware contents;
  • How to correlate register evolution and timing jitter to reconstruct memory.

Here is the course outline:

Tracing the Untraceable: Extracting Protected Flash With STM32-TraceRip

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
