nRF52 Debug Resurrection (APPROTECT Bypass) Part 2

After the Part 1 describing the APPROTECT Bypass, this new post presents how to:

exploit a real product based on nRF52840 to extract the Firmware and reactivate the SWD interface.

reproduce the attack on others nRF52 SoCs to confirm the vulnerability in all the nRF52 versions.

Exploit Validation on real Product

Let’s start by a classic scenario, where an hacker needs to access the Firmware of a product. If this product is based on nRF52, it is likely protected to avoid the firmware readout, in order to prevent reverse-engineering.

The Target: Logitech G Pro

For the exploit validation, I selected the first device I have on hand. It is my Logitech G Pro Mouse based on nRF52840.

Note: My goal is not to attack the Logitech product here.

Getting Access

I skip the teardown part but for people interesting in, here is a nice YouTube video.

The device is dismantled to access the main board:

*Front PCB of the Logitech PRO G. Take a look to the HERO sensor, beautiful.*

The SWD pins (SWDCLK, SWDIO) are silkscreened, so these are easy to identify (red frame).

Then, some pin headers are soldered to connect the target to a Segger J-Link Debug probe:

*SWDCLK, SWDIO, VDD_NRF and GND jumper wires between the target and the JTAG probe. USB cable is also plugged because battery is not connected..*

Any attempt to connect via OpenOcd and GDB is rejected:

$ openocd -f /usr/local/share/openocd/scripts/interface/jlink.cfg -c "transport select swd" -f /usr/local/share/openocd/scripts/target/nrf52.cfg

$ arm-none-eabi-gdb

*APPROTECT is enabled. And connection to SWD is rejected.*

Of course, the APPROTECT feature is enabled on this device.

Reproducing the APPROTECT Bypass

Preparation

The nRF52840 is located on the PCB back-side and acts as the main processor of the system.

The PCB design matches perfectly the nRF52840 reference design (found in the Nordic Datasheet). It’s like a copy-paste design.

Decoupling capacitors C5 and C15 are removed and the glitch output is connected to VDD_CPU (DEC1) :

*C5 and C15 are removed (black frame). VDD_CPU_DEC1 (red wire) and GND (black wire).*

The VDD_CPU (DEC1) is connected to the glitcher via an SMA connector. Here is a view of the full attack setup:

Fault attack Time

The fault attack is launched by running a python script, which is in charge to synchronise the glitch system, the oscilloscope and to reset the device after each fault attempt.

This screenshot shows a normal boot-up (classic behaviour of the device):

*Normal behaviour (no glitch effect). CH1=UART, CH2= VDD_nRF (Scope trigger), CH3 = CPU current consumption, CH4= VDD_CPU.*

Then, the result you want to obtain, after a successful fault:

*Successful attack. CH1=UART, CH2= VDD_nRF (Scope trigger), CH3 = CPU current consumption, CH4= VDD_CPU.*

The VDD_nRF signal on the board is used as scope trigger reference. After a specific delay, the injected fault is disrupting the normal initialisation of the nRF52840.

From the shell point-of-view, the external debugger can now connect to the mouse:

Firmware extraction

Once connected, the next step is to dump the Firmware and the UICR:

#openocd via telnet
dump_image FLASH.bin 0x0 0x100000
dump_image UICR.bin 0x10001000 0x1000
#optional
dump_image FICR.bin 0x10000000 0x1000

Here are the boot loader version and the Device Name at 0xE5CD8 in the flash memory:

Static Code Analysis can then be performed, in order to find vulnerabilities (or just to understand how it works).

Permanent Debug Reactivation

In order to reactivate persistently the debug interface, the APPROTECT is disabled (see Part 1) and re-flashed with the extracted FLASH.bin and the UICR.bin (of course with APPROTECT patched to 0xFFFFFFFF):

*Logitech PRO-G Mouse back to development mode…*

The mouse is back to “Development Mode” where dynamic Code Analysis is a tremendous advantage (especially during exploit development).

The Family Burden

Until now, all the results have been obtained on the nRF52840.

The nRF52 SoCs shares the Cortex-M4 CPU, the same Debug Ports, the same Flash Memory (except the memory array), and the same NVMC. In this context, it is likely the vulnerability is common to the entire nRF52 series SoC family. Here is my vision of the nRF52 ecosystem:

After this little review, I decided to focus on the nRF52832 and the nRF52833. Nordic provides development-kit for these two platforms.

Two dev-kits have been ordered. Cost = 150$.

Results on nRF58232

Tests are achieved on the nRF52-DK , based on nRF52832. The development board is modified by removing capacitors and soldering wires:

*nRF52832 thin wire soldered to DEC1, red wire to DEC4.*

Note: only the thin wire connected to DEC1 is sufficient to realise the attack.

Oscilloscope is used to identify the interesting pattern.

I have improved a little bit my way to monitor the power consumption on the DEC1 line. The signal noise ratio is higher.

According to the power consumption shown below, the behaviour during the the Flash Controller initialisation is the same:

*Analysis on CPU power consumption during the boot. CH1= UART TX, CH2 = DEC1 power consumption, CH3 = glitch command.*

Here is an example of a successful glitch:

*Successful glitch. CH1= UART TX, CH2 = DEC1 power consumption, CH3 = glitch command.*

SWD Debug is reactivated:

*Debugger is attached to the nRF52832 target.*

These results demonstrate the nRF52832 is vulnerable to the APPROTECT exploit.

Results on nRF58233

Once more, similar tests are achieved on the nRF52833-DK, based on nRF52833.

Schematic and PCB view for reference:

*nRF52833 thin wire soldered to DEC1, red wire to DEC4.*

On the nRF52833, the initialisation of the Flash Controller is equivalent to the previous analysed nRF52s. Fault injection is performed on CPU Power line DEC1:

Same here, SWD is reactivated:

*Debugger is attached to the nRF52833 target.*

The nRF52833 is vulnerable to the APPROTECT exploit.

After these tests, no doubt all nRF52 versions are vulnerable.

Impact

Nordic confirmed the security issues in their information notice sent to all their customers the 12th of June 2020.

in my opinion, the nRF52 APPROTECT feature can be defeated in a short amount of time and with a very limited budget.

CVSS Score is 7.6 (Severity = High) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

The following Nordic nRF52 versions are vulnerable:

nRF52810
nRF52811
nRF52820
nRF52832
nRF52833
nRF52840

and by consequence, Modules based on nRF52 are vulnerable too.

These modules can leverage all the features of Nordic’s SoC Hardware and Software architecture to make a ‘single module product’ without the need for an additional microcontroller to run your application.

Nordic provides references of third-party modules here, such as:

Fanstel Corp.
Laird
Minew
Raytac
Taio Yuden
U-blox
Wurth Elektronik
Murata
Dynastream
Fujitsu
…. and more

Conclusion

The APPROTECT Bypass has been demonstrated on a commercial device, the Logitech Pro G Mouse.

Additional tests have been achieved on nRF52832 and nRF52833. The results show these platforms are vulnerable too. NordicSemiconductor confirmed all their nRF52 versions are vulnerable.

This is impacting a tremendous number of devices on the field right now, from nRF52-based products to Third-party Modules (using nRF52 platforms).

The vulnerability resides in Silicon. There is no way to patch without HW revision.

Timeline Disclosure

NordicSemiconductor and LimitedResults did not agree on a responsible disclosure. (See Part 1 for more details). They made their decision and I respect that. Life goes on.

9 Replies to “nRF52 Debug Resurrection (APPROTECT Bypass) Part 2”

backahasten says:

June 15, 2020 at 1:59 am

What a wonderful attack!
Looking forward to your more research.

Lei says:

June 17, 2020 at 3:05 am

Curious to know if you think this attack also applies to the nRF53x family?

1. Tyler says:
  
  September 17, 2020 at 8:12 pm
  
  What is the CVE number?
  
  1. LimitedResults says:
    
    November 4, 2020 at 6:27 am
    
    it’s a good one 😉
    
Vu Nguyen says:

November 3, 2020 at 9:39 pm

Thank you for your post! Do you have plans on hacking Silicon Labs BLE SoCs (e.g, BG22 family)?

1. LimitedResults says:
  
  November 4, 2020 at 6:32 am
  
  thanks, which consumer products are efr32bg22-based?
  
  1. Vu Nguyen says:
    
    November 4, 2020 at 4:40 pm
    
    I don’t know if consumer products based on EFR32BG22 are available on the market yet. Bluetooth LE asset tags from Quuppa will be on the market as mentioned in the link below.
    
    https://news.silabs.com/2020-01-07-Silicon-Labs-and-Quuppa-Team-Up-to-Deliver-Best-in-Class-Bluetooth-Location-Solution
    
    There is a $20 development kit called Thunderboard from Siliab. You can try with this.
    https://www.silabs.com/development-tools/thunderboard/thunderboard-bg22-kit
    
    1. LimitedResults says:
      
      November 4, 2020 at 9:02 pm
      
      why not…thanks for the links
      
Robert says:

February 11, 2021 at 2:02 pm

Hi. Can anyone help me with firmware for Logitech MX Master 3? I purchased nRF52832 and it’s empty. Need to replace it in my mouse.