Got an nRF52 or nRF51 device you need to flash? Got an ESP32 lying around collecting dust? If so, then firmware hacking extraordinaire [Aaron Christophel] has the open source code you need. His new project allows the affordable WiFi-enabled microcontroller to read and write the internal flash of Nordic nRF52 series chips via their SWD interface. As long as you’ve got some jumper wires and a web browser, you’re good to go.
In the first video below [Aaron] demonstrates the technique with the PineTime smartwatch, but the process will be more or less the same regardless of what your target device is. Just connect the CLK and DIO lines to pins GPIO 21 and GPIO 19 of the ESP32, point your web browser to its address on the local network, and you’ll be presented with a straightforward user interface for reading and writing the chip’s flash.
As demonstrated in the second video, with a few more wires and a MOSFET, the ESP32 firmware is also able to perform a power glitch exploit on the chip that will allow you to read the contents of its flash even if the APPROTECT feature has been enabled. [Aaron] isn’t taking any credit for this technique though, pointing instead to the research performed by [LimitedResults] to explain the nuts and bolts of the attack.
We’re always excited when a message from [Aaron] hits the inbox, since more often than not it means another device has received an open source firmware replacement. From his earlier work with cheap fitness trackers to his wildly successful Bluetooth environmental sensor hacking, we don’t think this guy has ever seen a stock firmware that he didn’t want to immediately send to /dev/null.
You can SWD flash the device with it. But can you also delete the flash easily with it? From my experience I always needed a jlink for that.
I’m not familiar with these particular devices, but isn’t deleting the flash functionally equivalent to flashing it with all zeros? In other words doesn’t having the ability to flash it also give you the ability to “delete” it?
Yes, full erase is implemented in this ESP32 firmware as well, so an unlock is very easy without other hardware
Interesting… Would this work on other SWD-programmable devices such as STM32F4 microcontrollers?
While in general this is basically a default SWD interface, so it can be used on any microcontroller with SWD, for simplicity I concentrated on the nRF series only.
The source is open so other devices could be added if needed.
Could an ESP32 be used to glitch another ESP32?
https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/
I would make it a standalone glitcher, and an external programmer to make it universal.
Also python scripting would be nice.
Thanks for creating this. I couldn’t remember what I had with nRF’s in it but the watch pictures jogged my memory.
Having an easy option to flash them makes it more likely I’ll get back to my pocketfob watch conversion.
Not quite. Functionally you are right it’s the same thing, but there’s also a “wipe”/“delete” command that’s needed if the current data has the read and write protect bits set so that you can’t read the firmware over SWD. Without that you might not be able to write to the device.
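The exchange above (erase versus "flash it with zeros", and why a protected part needs a full erase before it can be written again) is easier to see with a small simulation. The following is an added example, not code from the article or from [Aaron]'s project: a simplified model of an SWD-accessible MCU flash with an access-protection bit. It assumes NOR-style flash semantics (programming can only clear bits, only an erase sets them back to 1) and a debug-port mass erase that is permitted even while protection is on but wipes all contents before clearing the protection. Page size and the firmware bytes are constructed values.

```python
"""Simplified model of MCU flash behind a debug-port access-protection bit.

Assumptions (not taken from the article):
  * NOR-style flash: program clears bits 1->0 only; erase sets a page to 0xFF.
  * With protection enabled, read/program/erase_page over the debug port fail.
  * A debug-port mass erase is always allowed, but it wipes every page and only
    then clears the protection bit, so unlocking never discloses old firmware.
"""

PAGE_SIZE = 64  # constructed; real parts use pages of a few KiB


class ProtectedError(Exception):
    """Debug-port access refused because protection is enabled."""


class ProgramError(Exception):
    """Attempt to set a bit 0->1 by programming; an erase is required first."""


class FlashModel:
    def __init__(self, pages: int = 4) -> None:
        self.mem = bytearray(b"\xff" * pages * PAGE_SIZE)  # erased state is all ones
        self.approtect = False

    def _check_access(self) -> None:
        if self.approtect:
            raise ProtectedError("access port is locked")

    def read(self, addr: int, n: int) -> bytes:
        self._check_access()
        return bytes(self.mem[addr:addr + n])

    def program(self, addr: int, data: bytes) -> None:
        """Program bytes; each written bit may only go 1->0."""
        self._check_access()
        for i, b in enumerate(data):
            cur = self.mem[addr + i]
            if b & ~cur & 0xFF:  # would need a 0->1 transition
                raise ProgramError(f"address {addr + i:#x} needs erase before set")
            self.mem[addr + i] = cur & b

    def erase_page(self, page: int) -> None:
        self._check_access()
        start = page * PAGE_SIZE
        self.mem[start:start + PAGE_SIZE] = b"\xff" * PAGE_SIZE

    def enable_protection(self) -> None:
        self.approtect = True

    def mass_erase(self) -> None:
        """Debug-port 'erase all': allowed while locked, wipes, then unlocks."""
        self.mem[:] = b"\xff" * len(self.mem)
        self.approtect = False


def writing_zeros_is_not_erase() -> bool:
    """Writing 0x00 is reversible only by an erase, not by another write."""
    f = FlashModel()
    f.program(0, b"\x00" * 4)
    try:
        f.program(0, b"\xff" * 4)  # cannot set bits back by programming
        return False
    except ProgramError:
        f.erase_page(0)
        return f.read(0, 4) == b"\xff" * 4


def unlock_wipes_contents() -> bytes:
    """Returns what the debug port can read after a protected part is unlocked."""
    f = FlashModel()
    firmware = b"\xde\xad\xbe\xef" * 4  # constructed firmware image
    f.program(0, firmware)
    f.enable_protection()
    try:
        f.read(0, len(firmware))  # refused while protected
    except ProtectedError:
        pass
    f.mass_erase()                # the only way back in from the debug port
    return f.read(0, len(firmware))


if __name__ == "__main__":
    print("erase needed after writing zeros:", writing_zeros_is_not_erase())
    print("readable after unlock:", unlock_wipes_contents().hex())
```

The model captures the two points from the thread: a "write zeros" pass is not an erase, because only an erase can return bits to 1, and the full erase that clears protection (on the nRF52 this is the CTRL-AP erase-all operation) destroys the firmware it was protecting, which is exactly why the glitch in the second video is needed to read a locked part rather than simply unlocking it.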