About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

nRF52 Debug Resurrection (APPROTECT Bypass) Part 1- 206

LimitedResultsPosted 5 Years Ago
  • Most chips have a debug mode for testing. When the device with this chip is put into a production, the debug mode is turned off. It is turned off by a mechanism called Access Port Protection by Nordic.
  • APPROTECT guarantees that no readouts on the port can happen unless the RAM and Flash are completely erased.
  • The author then gets a development kit in order to test out the APPROTECT feature himself. From testing, he discovered that a Power On Reset resets the entire chip, including the Debug port.
  • Because the Boot process is entirely in hardware (no BootROM), this value had to be set in some way!
  • How does this get pwned? The answer is always going to be voltage glitching! After analyzing the voltage of particular areas of the SoC, he noticed a particular pattern that looked to be the Debug Port value being set.
  • From there, he glitches at this exact moment that the value was being set. After the glitch, the debug port is now turned on. This allows for easy connections via GDB with full debugging capabilities (also known as game over).
  • I found the article interesting because the author discusses the chip itself, the entire process for exploitation and the glitching setup. A really good article if you are looking to get into hardware hacking research.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed