Skip to main content

An embedded security research tool for unlocking and reading memory from Nordic nRF51 SoCs

Project description

nrfsec

nrfsec is security research tool used for unlocking and reading memory on nrf51 series SoCs from Nordic Semiconductor.

  • Read all target memory, bypassing the Memory Protection Unit (MPU) settings with integrated read gadget searching.
  • Automated unlock feature: read all program and UICR memory, erase all memory, patch UICR image, reflash target into unlocked state.
  • Boot delay command flag for interacting with target prior to performing memory read, allowing for RAM dumps.
  • All firmware images are saved for importing into your favorite disassembler.

Installation

nrfsec is built on the pyswd library and currently only works with the ST-Link debugging interface.

nrfsec requires python 3.7+ to run and can be installed with pip:

pip3 install nrfsec

Info

A quick info check will ensure that nrfsec is able to communicate with both the debugger and the target. The output for the info will also specify if the target is currently locked with some additional interesting target information.

nrfsec info

Get chip information Specifying the verbose flag here with dump the previously mentioned information plus the full contents of both the UICR and FICR. All the information displayed here can be found by interpreting registers contained within the UICR and FICR.

Read

nrfsec will automatically find a useable read gadget and dump all memory on a locked target. nrfsec will store all the extracted images in /fw of the current working directory. The below example can be used to automatically read all memory regions by parsing memory specifications located in the FICR.

nrfsec read -a

Read all memory

Read specified memory regions with an optional delay before beginning memory extraction. Great for interacting with the target though any associated mobile applications in order to populate RAM and intialize peripherals.

nrfsec read -s 0x1000 -e 0x2000 -d 8 -o outfile.bin 

Read Delay

Lock

Issuing the lock sub-command will the target again. This was useful in developing nrfsec but can also be used if you simply want to lock your target if it is not already locked.

nrfsec lock

Lock target

Unlock

The unlock sub command will perform the following steps:

  1. Read all memory regions (most importantly, ROM and UICR) and save the images.
  2. Perform a full target erase, this will enable writing to the UICR again
  3. Patch the UICR image extracted during step 1 to disable read back protection
  4. Re-flash the ROM and patched UICR back to the target
nrfsec unlock

Unlock target

Debug sessions are now possible.

Usage

 nrfsec -h
usage: nrfsec <command> [<args>]

perform security related tasks on nRF51 targets through SWD interface

optional arguments:
  -h, --help            show this help message and exit
  -f FREQUENCY, --frequency FREQUENCY
                        frequency to run the SWD interface (default 4 MHz)
  -v, --verbose         increase output verobsity

supported subcommands:
  {info,erase,restore,read,unlock,lock}
    info                display chip information
    erase               perform a complete erase
    restore             restore specific images to an unlocked chip
    read                read memory contents to outfile
    unlock              unlock the device if locked
    lock                lock the device if unlocked

Todos

  • Test on moar targets

License

GNU GPLv3

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

nrfsec-0.1.8.tar.gz (11.4 kB view details)

Uploaded Source

File details

Details for the file nrfsec-0.1.8.tar.gz.

File metadata

  • Download URL: nrfsec-0.1.8.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/45.2.0 requests-toolbelt/0.9.1 tqdm/4.28.1 CPython/3.7.5

File hashes

Hashes for nrfsec-0.1.8.tar.gz
Algorithm Hash digest
SHA256 8c42ff7e418890a728bc2ac486077f906654a9a2c46eec2c1dd54fb49b97b2e0
MD5 1ed76fa4e7bb49a79e0476d8b3dbf1cc
BLAKE2b-256 061ed2c16f610e13b06f10edb8b4f7516e74504665e352c308db1c223d3cf365

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page