nRF52 microcontroller debug resurrection #ReverseEngineering @limitedresults

Resurrection of the JTAG/SWD interface on protected platforms has always been a sensitive topic in embedded security. LimitedResults dives into this topic:

This security investigation presents a way to bypass the APPROTECT on a protected nRF52840, in order to reactivate the Serial Wire Debug Interface (SWD), offering full debug capabilities on the target (R/W access to Flash/RAM/Registers, Code Exec and reprogramming). All the nRF52 versions are impacted.

Due to its intrinsic characteristics, the vulnerability cannot be patched without Silicon redesign, leading to a countless number of vulnerable devices on the field forever.

The nRF52840 System-on-Chip (SoC) is the most advanced member of the nRF52 Series SoC family. It is an advanced Bluetooth, Thread and Zigbee multi-protocol SoC built around a 64 MHz Cortex-M4F CPU.

The nRF52 has a restricted security mechanism in order to protect against Memory Readout. This security feature is called Access Port Protection (APPROTECT).

Nordic Semiconductor does not provide any information about the APPROTECT mechanism.

In the blog post, a low-cost fault attack is successfully achieved on nRF52840. It allows an attacker having physical access to bypass the APPROTECT to reactivate the SWD debug interface permanently (R/W access to memories and registers, control CPU code execution, dump the Flash memory, FICR and UICR…).

See the full attack methodology in the LimitedResults article.

Source: https://blog.adafruit.com/2020/06/12/nrf52-microcontroller-debug-resurrection-reverseengineering-limitedresults/
