Some background on J-Link, the device in question

  • a huge list of supported microcontrollers and processor cores
  • support for all common debugging protocols
  • high-speed performance
  • excellent free software

J-Link models

  • can operate at higher speeds.
  • has an Ethernet port.
  • is based on a different microcontroller and has an integrated field-programmable gate array (FPGA).

Fig. 1. J-Link EDU Terms of Use

Our research: the milestones

Collecting the info

Digging into J-Link EDU v10

Fig. 2. J-Link EDU v10 and v11 after disassembly
Fig. 3. J-Link configuration area

  1. When launched, the firmware reads the device serial number and the unique ID of the microcontroller, then checks the digital signature RSASSA-PSS(SHA1(serial_number + uniq_chip_ID)). While the device serial number and the signature itself are stored in the flash memory, the unique ID is burned in by the microcontroller manufacturer (NXP) during production and cannot be changed: every LPC4322 microcontroller has its own unique ID that cannot be overwritten. This way, the serial number and signature of one licensed J-Link device cannot simply be copied to make clones of it.
  2. The PC software checks the same digital signature of the device by requesting the microcontroller’s unique ID with a special command. Naturally, this check can be bypassed by “patching” it out of the original firmware, but such clones will lose functionality after the first update.
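To make the device-binding check in points 1 and 2 concrete, here is an added example of how a verifier built on that scheme behaves. It is not BI.ZONE's or SEGGER's code: the RSA key size (1024 bits, generated in pure Python so the block runs offline), the PSS salt length, the byte encoding of the serial number and the 16-byte unique ID are all assumptions; only the structure of the check, RSASSA-PSS over SHA1(serial_number + unique_chip_ID), comes from the text. The demo signs a licence for one chip and then shows that copying the same serial number and signature to a chip with a different unique ID fails verification, which is exactly why the ID burned in by NXP is the anchor of the scheme.

```python
import hashlib
import hmac
import os
import secrets

H_LEN = 20     # SHA-1 digest length in bytes
SALT_LEN = 20  # assumed PSS salt length; the article does not state it

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin, good enough to build a demo key (not a production key generator)
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    # Returns ((n, e), (n, d)); stands in for the vendor's licensing key (assumed RSA size)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _mgf1(seed, length):
    out = b"".join(hashlib.sha1(seed + c.to_bytes(4, "big")).digest()
                   for c in range((length + H_LEN - 1) // H_LEN))
    return out[:length]

def _em_params(n):
    # RFC 8017 EMSA-PSS: emBits = modBits - 1, emLen = ceil(emBits / 8)
    em_bits = n.bit_length() - 1
    return em_bits, (em_bits + 7) // 8

def _m_hash(serial, chip_id):
    # The signed message from the article: SHA1(serial_number + unique_chip_ID)
    return hashlib.sha1(serial + chip_id).digest()

def sign_license(priv, serial, chip_id):
    # What the vendor does once, at licensing time: PSS-encode the digest and apply d
    n, d = priv
    em_bits, em_len = _em_params(n)
    salt = os.urandom(SALT_LEN)
    h = hashlib.sha1(b"\x00" * 8 + _m_hash(serial, chip_id) + salt).digest()
    db = b"\x00" * (em_len - SALT_LEN - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(a ^ b for a, b in zip(db, _mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # keep EM below the modulus
    em = bytes(masked_db) + h + b"\xbc"
    sig_len = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(sig_len, "big")

def verify_license(pub, serial, chip_id, sig):
    # What firmware and PC software do: recompute the digest from the serial number
    # and the chip's own unique ID, then check the PSS signature with the public key
    n, e = pub
    em_bits, em_len = _em_params(n)
    s = int.from_bytes(sig, "big")
    m = pow(s, e, n) if s < n else 1 << em_bits  # out-of-range signature fails below
    if m >> em_bits:                              # leftmost bits must be zero
        return False
    em = m.to_bytes(em_len, "big")
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    db = bytearray(a ^ b for a, b in zip(masked_db, _mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if em[-1] != 0xBC or any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    h_prime = hashlib.sha1(b"\x00" * 8 + _m_hash(serial, chip_id) + salt).digest()
    return hmac.compare_digest(h, h_prime)

def demo():
    # Constructed sample: one licensed device, then its serial+signature copied to another chip
    pub, priv = generate_keypair()
    serial = b"000123456789"           # constructed serial number
    genuine_chip = bytes(range(16))    # constructed 16-byte unique ID
    sig = sign_license(priv, serial, genuine_chip)
    genuine_ok = verify_license(pub, serial, genuine_chip, sig)
    clone_chip = bytes(range(16, 32))  # a second chip has its own, different ID
    clone_ok = verify_license(pub, serial, clone_chip, sig)
    return genuine_ok, clone_ok
```

`demo()` returns `(True, False)`: the genuine device verifies, the copy on a different chip does not. Note that `verify_license` only ever needs the public key, which is what lets the check live in both the firmware and the PC software; the private key is needed once, when the licence is issued.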

We found some flaws and reported them to the vendor

Fig. 4. Beginning of the main firmware area

  • The exploitation of these flaws does not require device disassembly or PCB soldering manipulations — just a PC and a USB interface will suffice.
  • The device continues to operate with the original bootloader and firmware.
  • The device continues to receive firmware updates and continues to be recognized as original (fixed starting from software version v7.58).
  • The script that replaces the licenses needs to be run only once.
  • The device can be reverted to its original state at any time without any traces of modification.
  • October 25, 2021: BI.ZONE reported the flaws to SEGGER via a technical support form. After SEGGER’s request, we sent the technical details and PoCs to demonstrate the flaws.
  • October 28, 2021: SEGGER confirmed the flaws.
  • November 1, 2021: SEGGER informed us that a new version of the software was being prepared that would contain partial fixes.
  • November 5, 2021: SEGGER released software v7.58 that contained the partial fixes.

Possible implications of the flaws. What is at stake?

User piracy

Supply chain attacks

Conclusions

A bonus picture of a debugger debugging itself. Watch for free, no registration


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
