Debug Resurrection on Nordic nRF52 Series

Conference:  BlackHat EU 2020

Nordic nRF52 System-on-Chips (SoCs) are unquestionably dominating the IoT dedicated platforms market today, especially for short range communications (BLE, Zigbee…) and asset tracking segments. The entire family consists of six different nRF52 platforms, all built around the ARM Cortex-M4F CPU. In order to prevent an attacker with physical access from dumping the code and data stored in Flash memory and starting to reverse-engineer it, Nordic Semiconductor has implemented a security feature called APPROTECT. Once this feature is set, the SWD Debug Interface is permanently disabled and there is no way to deactivate this protection without erasing the entire Flash memory (according to the vendor).

During this talk, LimitedResults will present a way to bypass APPROTECT, leading to a permanent reactivation of the Debug Interface and offering full debug capabilities on the target (R/W access to Flash/RAM/registers, code execution and reflashing). All nRF52 versions are impacted, from the classic nRF52810 to the most advanced nRF52840 platforms. Due to its intrinsic characteristics, the exploit cannot be patched without a silicon redesign, leaving a countless number of vulnerable devices in the field forever.