1/ Here are some insights on the Ledger attack on the old Coldcard secure element (ATECC508A) now that I have had more time to review.

We'll look at the exact function of the SE in the CC design and exactly what Ledger broke.

https://donjon.ledger.com/coldcard-pin-code/
2/ The MCU can READ, WRITE, or run crypto commands (e.g. CheckMAC) on an SE slot, depending on the permissions. A slot is just a memory location with individual permissions that limit how it is used.

This device has 16 slots. There are 3 involved in this attack.
3/ Organization

Slot 9: Seed

Slot 3: PIN hash. If you know this you can unlock slot 9 for reading.

Slot 1: Holds a secret only the MCU knows. Knowing slot 1 unlocks slot 3 for crypto commands.

"Knowing" is proved by running a crypto command that ends in success.
4/ Example - Unlock slot 3
1. MCU sends RANDOM command to SE
2. SE creates and saves a random value (rnd) and also returns it to the MCU
3. MCU hashes rnd + secret (slot 1 that MCU knows)
4. MCU runs CheckMAC command including that data
5. SE verifies that the value the MCU sent matches its own calculation
5/ If the value matches, the SE remembers "slot 1 authenticated". Slot 3 is set to check whether slot 1 is authenticated before allowing commands. You run a similar process to authenticate the PIN using slot 3. Now the MCU can read the seed from slot 9, which is also encrypted by the value in slot 3.
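The slot chain described in 3/ to 5/, as an added example that is not part of the original thread or of Coldcard's firmware. It is a simplified model: `ToySE`, `mcu_prove` and all sample values are constructed, the MAC is plain SHA-256 over rnd + secret as the thread words it rather than the chip's actual CheckMAC input format, and the encryption of the slot 9 read is left out.

```python
import hashlib, hmac, os

class ToySE:
    """Toy secure element: slots 1 -> 3 -> 9 gated as the thread describes."""
    def __init__(self, pairing_secret, pin_hash, seed):
        self.slots = {1: pairing_secret, 3: pin_hash, 9: seed}
        self.cmd_requires = {3: 1}    # crypto commands on slot 3 need slot 1 auth
        self.read_requires = {9: 3}   # only slot 9 is readable, after slot 3 auth
        self.authed = set()
        self.rnd = None

    def random(self):
        # Steps 1-2: SE creates and saves rnd, and returns it to the MCU.
        self.rnd = os.urandom(32)
        return self.rnd

    def checkmac(self, slot, mac):
        rnd, self.rnd = self.rnd, None        # each rnd is usable once
        need = self.cmd_requires.get(slot)
        if rnd is None or (need is not None and need not in self.authed):
            return False
        # Step 5: SE recomputes the hash and compares in constant time.
        expected = hashlib.sha256(rnd + self.slots[slot]).digest()
        if hmac.compare_digest(mac, expected):
            self.authed.add(slot)             # "slot N authenticated"
            return True
        self.authed.discard(slot)
        return False

    def read(self, slot):
        need = self.read_requires.get(slot)
        if need is None or need not in self.authed:
            return None                       # slots 1 and 3 are never readable
        return self.slots[slot]

def mcu_prove(se, slot, secret):
    # Steps 3-4: MCU hashes rnd + secret and submits it with CheckMAC.
    rnd = se.random()
    return se.checkmac(slot, hashlib.sha256(rnd + secret).digest())

def demo():
    pairing = b"constructed-pairing-secret"
    pin_hash = hashlib.sha256(b"constructed-pin").digest()
    se = ToySE(pairing, pin_hash, b"constructed-seed")
    return [mcu_prove(se, 3, pin_hash),   # refused: slot 1 not yet authenticated
            se.read(9),                   # refused: slot 3 not yet authenticated
            mcu_prove(se, 1, pairing),    # slot 1 authenticated
            mcu_prove(se, 3, pin_hash),   # slot 3 authenticated
            se.read(9)]                   # seed is now readable
```

Note that `mcu_prove` takes the slot value itself: in this model the SE checks knowledge of the stored PIN hash, never the PIN.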
6/ Ledger's attack as described on their blog can only read slot 1 and slot 3. So they cannot directly read slot 9. It is also interesting that they cannot seem to directly read slot 3 because they read slot 1.
7/ One confusing thing is they spent a lot of time discussing the PIN brute-forcing. However, PIN recovery is not necessary for seed recovery. All you need is the hashed PIN from slot 3.
Conclusion:

It seems their attack needs the "slot auth" true to work. Also encrypted reads may prevent it as well.

Ledger does their full disclosure next week. Stay tuned for more...
You can follow @FreedomIsntSafe.