Skip to content

buildxyz-git/nrfsec

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
images
images
 
 
nrfsec
nrfsec
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
nrfsec-runner.py
nrfsec-runner.py
 
 
setup.py
setup.py
 
 

Repository files navigation

nrfsec

nrfsec is security research tool used for unlocking and reading memory on nrf51 series SoCs from Nordic Semiconductor.

  • Read all target memory, bypassing the Memory Protection Unit (MPU) settings with integrated read gadget searching.
  • Automated unlock feature: read all program and UICR memory, erase all memory, patch UICR image, reflash target into unlocked state.
  • Boot delay command flag for interacting with target prior to performing memory read, allowing for RAM dumps.
  • All firmware images are saved for importing into your favorite disassembler.

Installation

nrfsec is built on the pyswd library and currently only works with the ST-Link debugging interface.

nrfsec requires python 3.7+ to run and can be installed with pip:

pip3 install nrfsec

Info

A quick info check will ensure that nrfsec is able to communicate with both the debugger and the target. The output for the info will also specify if the target is currently locked with some additional interesting target information.

nrfsec info

Get chip information Specifying the verbose flag here with dump the previously mentioned information plus the full contents of both the UICR and FICR. All the information displayed here can be found by interpreting registers contained within the UICR and FICR.

Read

nrfsec will automatically find a useable read gadget and dump all memory on a locked target. nrfsec will store all the extracted images in /fw of the current working directory. The below example can be used to automatically read all memory regions by parsing memory specifications located in the FICR.

nrfsec read -a

Read all memory

Read specified memory regions with an optional delay before beginning memory extraction. Great for interacting with the target though any associated mobile applications in order to populate RAM and intialize peripherals.

nrfsec read -s 0x1000 -e 0x2000 -d 8 -o outfile.bin

Read Delay

Lock

Issuing the lock sub-command will the target again. This was useful in developing nrfsec but can also be used if you simply want to lock your target if it is not already locked.

nrfsec lock

Lock target

Unlock

The unlock sub command will perform the following steps:

  1. Read all memory regions (most importantly, ROM and UICR) and save the images.
  2. Perform a full target erase, this will enable writing to the UICR again
  3. Patch the UICR image extracted during step 1 to disable read back protection
  4. Re-flash the ROM and patched UICR back to the target
nrfsec unlock

Unlock target

Debug sessions are now possible.

Usage

✗ nrfsec -h
usage: nrfsec <command> [<args>]

perform security related tasks on nRF51 targets through SWD interface

optional arguments:
  -h, --help            show this help message and exit
  -f FREQUENCY, --frequency FREQUENCY
                        frequency to run the SWD interface (default 4 MHz)
  -v, --verbose         increase output verobsity

supported subcommands:
  {info,erase,restore,read,unlock,lock}
    info                display chip information
    erase               perform a complete erase
    restore             restore specific images to an unlocked chip
    read                read memory contents to outfile
    unlock              unlock the device if locked
    lock                lock the device if unlocked

Todos

  • Test on moar targets

License

GNU GPLv3

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

43 stars

Watchers

1 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages