Loren Browman's nrfsec Automatically Unlocks Any Protected nRF51-Series System-on-Chip for Debug

Faced with nRF51-series devices whose memory protection has been enabled, Browman produced a one-shot tool for unlocking them.

Gareth Halfacree
4 years ago | Security / HW101

Security analyst Loren Browman has published a guide to automated unlocking of supposedly-protected Nordic Semiconductor nRF51-series systems-on-chips (SoCs), allowing for a full memory dump or interactive debugging regardless of protection settings.

"Recently, while conducting an assessment for a product based on the nRF51822 System on Chip (SoC), I found my target’s debug interface was locked — standard stuff," Browman writes in a blog piece for security firm Optiv. "Reading up on the nRF51 series SoCs revealed that this is how these chips are designed. It’s always possible to perform a full memory recovery/dump, even if read back protection is enabled.

"I wanted to build on what others have discovered, extending the attack to completely and automatically bypass the memory protection mechanism offered by these SoCs. Beyond reading memory, I also wanted to unlock the device to support interactive debug sessions with my target."

The result is nrfsec, an open source tool published under the GNU General Public License 3. It dumps the entire memory contents of the chip (ROM, RAM, UICR, and FICR), supports automated delayed reads to capture populated RAM and peripheral images, automatically patches the extracted UICR to disable read-back protection, and finally wipes the device and reprograms it with the patched UICR and the original ROM — only this time with read-back protection disabled.

"[nrfsec] can automate the entire outlined process for you," Browman explains, "letting you uncover the internal working of any nRF51 based product." Once unlocked, the tool even establishes a debug session to the now-unprotected SoC.

Full details of how the tool works and how to use it can be found on the Optiv blog; nrfsec itself is available to download from GitHub, or can be installed from the pip Python package manager.

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.