Loren Browman, a security analyst recently published a guide to automated unlocking of Nordic Semiconductor’s nRF51-series systems-on-chips (SoCs) which claims to be protected, enabling a full memory dump or interactive debugging regardless of protection settings. In a blog piece for security firm Optiv, Loren Browman writes
Recently, while conducting an assessment for a product based on the nRF51822 System on Chip (SoC), I found my target’s debug interface was locked — standard stuff… Reading up on the nRF51 series SoCs revealed that this is how these chips are designed. It’s always possible to perform a full memory recovery/dump, even if read back protection is enabled.
I wanted to build on what others have discovered, extending the attack to completely and automatically bypass the memory protection mechanism offered by these SoCs. Beyond reading memory, I also wanted to unlock the device to support interactive debug sessions with my target.
This resulted to nrfsec, which is an open source research security tool published under the GNU General Public License 3, used for unlocking and reading memory on nrf51 series SoCs from Nordic Semiconductor.
Features of the nrfsec includes:
- Read all target memory, bypassing the Memory Protection Unit (MPU) settings with integrated read gadget searching.
- Automated unlock feature: read all program and UICR memory, erase all memory, patch UICR image, reflash target into unlocked state.
- Boot delay command flag for interacting with target prior to performing memory read, allowing for RAM dumps.
- All firmware images are saved for importing into your favorite disassembler.