NRFSEC, FOR UNLOCKING ANY PROTECTED NRF51-SERIES SYSTEM-ON-CHIP FOR DEBUG

Summary of NRFSEC, FOR UNLOCKING ANY PROTECTED NRF51-SERIES SYSTEM-ON-CHIP FOR DEBUG


Loren Browman published a guide and open source tool, nrfsec, that automates unlocking Nordic Semiconductor nRF51-series SoCs to permit full memory dumps and interactive debugging regardless of protection settings. nrfsec can read all target memory, bypass MPU protections, automatically unlock devices by reading and erasing memory and patching UICR, support boot-delay RAM dumps, and save firmware images for analysis. The tool is GPLv3 and intended for security research and recovery on nRF51-series chips.

Parts used in the nrfsec project:

  • nrfsec software (open source tool published under GNU GPLv3)
  • nRF51-series System on Chip (SoC), e.g., nRF51822
  • Debug interface connection to the target SoC (hardware debugger or probe)
  • Host computer to run nrfsec and disassembler tools
  • Disassembler or reverse-engineering tools for firmware analysis

Loren Browman, a security analyst, recently published a guide to automated unlocking of Nordic Semiconductor’s nRF51-series systems-on-chip (SoCs), which are claimed to be protected, enabling a full memory dump or interactive debugging regardless of protection settings. In a blog piece for security firm Optiv, Browman writes:

“Recently, while conducting an assessment for a product based on the nRF51822 System on Chip (SoC), I found my target’s debug interface was locked — standard stuff… Reading up on the nRF51 series SoCs revealed that this is how these chips are designed. It’s always possible to perform a full memory recovery/dump, even if read back protection is enabled.”

He continues:

“I wanted to build on what others have discovered, extending the attack to completely and automatically bypass the memory protection mechanism offered by these SoCs. Beyond reading memory, I also wanted to unlock the device to support interactive debug sessions with my target.”

This resulted in nrfsec, an open source security research tool published under the GNU General Public License 3 and used for unlocking and reading memory on nRF51-series SoCs from Nordic Semiconductor.

Features of nrfsec include:

  • Read all target memory, bypassing the Memory Protection Unit (MPU) settings with integrated read gadget searching.
  • Automated unlock feature: read all program and UICR memory, erase all memory, patch UICR image, reflash target into unlocked state.
  • Boot delay command flag for interacting with target prior to performing memory read, allowing for RAM dumps.
  • All firmware images are saved for importing into your favorite disassembler.

Quick Solutions to Questions related to nrfsec:

  • What does nrfsec do?
    nrfsec automates unlocking and reading memory on nRF51-series SoCs, enabling full memory dumps and interactive debugging regardless of protection.
  • Can nrfsec bypass memory protection on nRF51-series SoCs?
    Yes; it reads all target memory and bypasses MPU settings using integrated read gadget searching.
  • Does nrfsec support automated unlocking?
    Yes; it can read program and UICR memory, erase memory, patch the UICR image, and reflash the target into an unlocked state.
  • Can nrfsec capture RAM contents?
    Yes; a boot delay command flag allows interaction with the target prior to memory read, enabling RAM dumps.
  • Are firmware images saved by nrfsec?
    Yes; all firmware images are saved for importing into disassemblers.
  • Under what license is nrfsec released?
    nrfsec is published under the GNU General Public License version 3 (GPLv3).
  • Is nrfsec intended for debugging interactive sessions?
    Yes; the tool unlocks devices to support interactive debug sessions with the target.

About The Author

Ibrar Ayyub

I am an experienced technical writer holding a Master's degree in computer science from BZU Multan, Pakistan University. With a background spanning various industries, particularly in home automation and engineering, I have honed my skills in crafting clear and concise content. Proficient in leveraging infographics and diagrams, I strive to simplify complex concepts for readers. My strength lies in thorough research and presenting information in a structured and logical format.
