Instruction Set Hack For Protected Memory Access

The nRF51 Series is a family of low-power Bluetooth SoCs from Nordic Semiconductor built around ARM Cortex cores. The nRF51822 uses a Cortex-M0 core and is found in a great many products. [Loren] has written a blog post in which he claims to be able to circumvent readback protection on the chip, giving access to the ROM, RAM and registers and allowing interactive debugging sessions.

The hack stems from the fact that the Serial Wire Debug (SWD) interface cannot be completely disabled on these chips, even when the Memory Protection Unit prevents direct access to any memory region. The second key piece is that the CPU itself can still load from code memory. Combined with SWD's ability to read and write the core registers, this becomes a powerful tool.

The ARM instruction set contains a number of indirect-addressing load instructions, and [Loren] points to a pseudo-instruction, LDR R2,[R0], which copies the word at the ROM address held in R0 into R2. Since we cannot write to the memory ourselves, the idea is to find such an instruction within the code that is already in the ROM. How? Simply use the Program Counter to step through the whole code space while keeping R0 and R2 at zero. When you hit an instruction that makes R2 equal to the word stored at 0x00000 (since R0 is 0x00000), we have found the instruction. The value at 0x00000 is, incidentally, what SWD initially reports as the stack pointer value.
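To make concrete what that search is looking for, here is an added Python example (not code from [Loren]'s post) that decodes the 16-bit Thumb load encodings a Cortex-M0 executes and scans a constructed sample image halfword by halfword, as the PC-stepping search effectively does, for zero-offset loads where the destination differs from the base register; it also reads word 0 as the initial stack pointer. The sample bytes, function names and addresses are constructed for illustration. It shows why such a search is practically guaranteed to succeed on real firmware, which is why a protection scheme that leaves SWD register access enabled cannot depend on code memory lacking a usable load.

```python
import struct

# Thumb-1 (Cortex-M0) 16-bit load encodings relevant to the text:
#   LDR Rt, [Rn, #imm5*4] : 0110 1 iiiii nnn ttt -> 0x6800 | imm5<<6 | Rn<<3 | Rt
#   LDR Rt, [Rn, Rm]      : 0101 100 mmm nnn ttt -> 0x5800 | Rm<<6  | Rn<<3 | Rt
# With Rn (and Rm) zeroed, stepping either copies the word at 0x00000000
# into Rt, which is what the register-comparison search detects.

def decode_load(halfword):
    """Return ('imm', rt, rn, byte_offset) or ('reg', rt, rn, rm) for a
    matching 16-bit Thumb LDR encoding, else None."""
    if halfword & 0xF800 == 0x6800:
        imm5 = (halfword >> 6) & 0x1F
        return ("imm", halfword & 7, (halfword >> 3) & 7, imm5 * 4)
    if halfword & 0xFE00 == 0x5800:
        return ("reg", halfword & 7, (halfword >> 3) & 7, (halfword >> 6) & 7)
    return None

def find_load_gadgets(image, base=0):
    """Scan raw Thumb code at every halfword (without knowing instruction
    boundaries) and return (address, mnemonic) for each zero-offset load
    whose destination register differs from its base register."""
    found = []
    for off in range(0, len(image) - 1, 2):
        hw = struct.unpack_from("<H", image, off)[0]
        decoded = decode_load(hw)
        if decoded is None:
            continue
        kind, rt, rn, extra = decoded
        if kind == "imm" and extra == 0 and rt != rn:
            found.append((base + off, f"LDR R{rt}, [R{rn}]"))
        elif kind == "reg" and rt != rn:
            found.append((base + off, f"LDR R{rt}, [R{rn}, R{extra}]"))
    return found

def initial_sp(image):
    """Word 0 of a Cortex-M image is the initial stack pointer, the value
    the text notes SWD reports for address 0x00000000."""
    return struct.unpack_from("<I", image, 0)[0]

# Constructed sample image (not a real nRF51 firmware): a two-word vector
# table stub followed by Thumb instructions, including LDR R2, [R0] (0x6802).
# 0x2000 MOVS R0,#0 ; 0x6802 LDR R2,[R0]   ; 0x4770 BX LR
# 0x6843 LDR R3,[R0,#4] ; 0x5888 LDR R0,[R1,R2] ; 0x4770 BX LR
SAMPLE = struct.pack("<II", 0x20004000, 0x000001C1) + struct.pack(
    "<6H", 0x2000, 0x6802, 0x4770, 0x6843, 0x5888, 0x4770)

if __name__ == "__main__":
    print(f"initial SP: {initial_sp(SAMPLE):#010x}")
    for addr, text in find_load_gadgets(SAMPLE):
        print(f"{addr:#010x}: {text}")
```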


Once you have the address (in the PC) for t ..
