Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

nRF52 Debug Resurrection (APPROTECT Bypass) Part 2

LimitedResults, posted 4 years ago
  • Part 1 covered the underlying weakness: APPROTECT, the nRF52 setting that locks the debug port, is applied during boot, and a well-timed voltage glitch can disrupt that step so the debug interface stays enabled. Part 2 applies the technique to a real product. The target is the Logitech G Pro, a computer mouse built on an nRF52 chip, which is why it was chosen.
  • The mouse had its SWD debug port disabled (nRF52 parts have no JTAG, so SWD is the only debug interface). This was verified dynamically by probing the chip, which made it a perfect target.
  • Decoupling capacitors C5 and C15 are removed and the glitcher's output is connected to VDD_CPU (DEC1), the CPU core supply pin, so the glitch pulse reaches the core instead of being filtered out by the capacitors.
  • The glitch campaign is driven by a Python script, with an oscilloscope used to watch the reset and power-up waveform so the pulse can be timed. After a chosen delay from reset, a short voltage pulse is applied to VDD_CPU. If it lands on the right cycle, the boot-time step that locks the debug port is skipped and the SWD port stays accessible.
  • Once debug access is open, OpenOCD (driven over its Telnet interface) is used to dump the mouse's firmware. With a copy of the flash, the chip can be reflashed with any modifications; in particular, it can be reprogrammed with APPROTECT left disabled so the debug port stays open without having to glitch it again.
  • Overall, this is a severe finding: it allows firmware extraction from any product built on an affected nRF52 chip, no matter how carefully the product's own firmware was written. Unlike a software bug, a weakness in the silicon cannot be patched in fielded devices; fixing it takes a new chip revision or a board-level change.
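As an added illustration (not code from the LimitedResults write-up, nor from this page), the following Python models the two pieces of the workflow above so they can be run offline: the glitch-parameter search loop, run here against a simulated target whose vulnerable timing window is invented, and decoding and patching the UICR APPROTECT word from a dumped UICR image. The register offset and field encoding are taken from Nordic's nRF52 product specifications; the simulated window, the 1 KiB image size and all function and class names are assumptions made for this example.

```python
"""Offline model of an nRF52 APPROTECT glitch campaign and UICR patching.

Constructed example. Part 1 is a parameter sweep that stops when the
(simulated) target reports its debug port open after a glitch. Part 2
decodes UICR.APPROTECT from a dumped image and produces the patched image
one would reflash so debug access stays enabled.
"""
import random
import struct
from dataclasses import dataclass

UICR_BASE = 0x10001000            # UICR base address on nRF52 (product spec)
APPROTECT_OFFSET = 0x208          # UICR.APPROTECT register offset (product spec)
APPROTECT_PALL_DISABLED = 0xFF    # PALL field: 0xFF = Disabled, 0x00 = Enabled


@dataclass
class SimulatedNRF52:
    """Stand-in for glitcher + target. The pulse only defeats APPROTECT if
    it lands inside a narrow (delay, width) window; the window values are
    invented for this example and are not from the original research."""
    window_delay_ns: tuple = (1180, 1220)
    window_width_ns: tuple = (40, 70)
    attempts: int = 0

    def reset_and_glitch(self, delay_ns: int, width_ns: int) -> bool:
        """Reset the target, fire one pulse, return True if SWD answers afterwards.
        On real hardware this would drive the glitcher and then try a debug probe."""
        self.attempts += 1
        return (self.window_delay_ns[0] <= delay_ns <= self.window_delay_ns[1]
                and self.window_width_ns[0] <= width_ns <= self.window_width_ns[1])


def glitch_search(target, delays, widths, max_attempts=5000, seed=1):
    """Randomised sweep over the (delay, width) grid.

    Returns the first (delay_ns, width_ns) pair for which the target reports
    its debug port open, or None if the budget is exhausted. Shuffling avoids
    spending the whole budget on one corner of the grid."""
    rng = random.Random(seed)
    grid = [(d, w) for d in delays for w in widths]
    rng.shuffle(grid)
    for delay_ns, width_ns in grid[:max_attempts]:
        if target.reset_and_glitch(delay_ns, width_ns):
            return delay_ns, width_ns
    return None


def approtect_word(uicr_image: bytes) -> int:
    """Read the 32-bit little-endian APPROTECT register from a raw UICR dump."""
    return struct.unpack_from("<I", uicr_image, APPROTECT_OFFSET)[0]


def approtect_enabled(uicr_image: bytes) -> bool:
    """True unless PALL == 0xFF. Spec defines 0x00 as Enabled; other values
    are treated as enabled here (assumption: anything but 0xFF locks)."""
    return (approtect_word(uicr_image) & 0xFF) != APPROTECT_PALL_DISABLED


def with_approtect_cleared(uicr_image: bytes) -> bytes:
    """Return a copy of the dump with APPROTECT = 0xFFFFFFFF (Disabled).

    Flash bits only program 1 -> 0, so on a real part this value can only be
    written after an ERASEALL, which also wipes code flash. That is why the
    firmware has to be dumped first and reflashed alongside the patched UICR."""
    patched = bytearray(uicr_image)
    struct.pack_into("<I", patched, APPROTECT_OFFSET, 0xFFFFFFFF)
    return bytes(patched)


# Constructed 1 KiB UICR dump: erased (0xFF) everywhere except APPROTECT,
# which is set to Enabled (PALL = 0x00) as it would be on a locked device.
_img = bytearray(b"\xff" * 0x400)
struct.pack_into("<I", _img, APPROTECT_OFFSET, 0xFFFFFF00)
PROTECTED_UICR = bytes(_img)


if __name__ == "__main__":
    sim = SimulatedNRF52()
    hit = glitch_search(sim, range(1000, 1400, 10), range(20, 100, 10))
    print("glitch hit at (delay_ns, width_ns):", hit, "after", sim.attempts, "attempts")
    print("APPROTECT word: 0x%08X enabled=%s" % (approtect_word(PROTECTED_UICR),
                                                 approtect_enabled(PROTECTED_UICR)))
    fixed = with_approtect_cleared(PROTECTED_UICR)
    print("after patch: 0x%08X enabled=%s" % (approtect_word(fixed), approtect_enabled(fixed)))
```

On hardware, `reset_and_glitch` would be replaced by code that arms the glitcher and then attempts a debug connection (for example an OpenOCD session), and the UICR image would come from a `dump_image` of the 0x10001000 region once that connection succeeds. The simulated window is only there so the loop can be exercised without a glitcher.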