Some background to J-Link, the device in question

J-Link is one of the most popular microcontroller debuggers among developers, enthusiasts, and cybersecurity specialists. Its benefits include:

  • a huge list of supported microcontrollers and processor cores
  • support for all common debugging protocols
  • high-speed performance
  • excellent free software

J-Link models

J-Link is not just one device, but a whole line of products that differ both in their hardware and software features. The available features are defined by licenses that can be integrated into the device or purchased separately from the manufacturer’s website.

  • can operate at higher speeds.
  • has an Ethernet port.
  • is based on a different microcontroller and has an integrated field-programmable gate array (FPGA).
Fig. 1. J-Link EDU Terms of Use

Our research: the milestones

Collecting the info

As with any hardware and software appliance, we should start security analysis from its attacker model. For J-Link, it is quite interesting. While researching the device, we realized that protection mechanisms are aimed at preventing a single scenario: a cloned device works with the original software and firmware and continues to operate even after upgrading to new software versions.

Digging into J-Link EDU v10

Having disassembled the device (Fig. 2), we found a NXP LPC4322 microcontroller, which implements all the low-level logic, stores embedded licenses, and is controlled from a PC via the USB interface.

Fig. 2. J-Link EDU v10 and v11 after disassembly
Fig. 3. J-Link configuration area
  1. When launched, the firmware reads the serial number of the device, the unique ID of the microcontroller and checks the digital signature RSASSA-PSS(SHA1(serial_number + uniq_chip_ID)). While the device serial number and the signature itself are stored in the flash memory, the unique ID is burned in by the microcontroller manufacturer (NXP) during production and cannot be changed. All LPC4322 microcontrollers have their own unique IDs that cannot be overwritten. This way, the serial number and signature of one licensed J-Link device cannot be used to make its clones.
  2. The PC software checks the same digital signature of the device by requesting the microcontroller’s unique ID with a special command. Naturally, this check can be bypassed by “patching” it in the original firmware, but such clones will lose functionality after the first update.

We found some flaws and reported them to the vendor

Flaw 1. The OEM string and the list of embedded licenses do not have a cryptographic signature and are not tied, in any way, to the device serial number. By overwriting this data, a J-Link EDU can be easily converted into a J-Link PLUS.

Fig. 4. Beginning of the main firmware area
  • The exploitation of these flaws does not require device disassembly or PCB soldering manipulations — just a PC and a USB interface will suffice.
  • The device continues to operate with the original bootloader and firmware.
  • The device continues to receive firmware updates and continues to be recognized as original (fixed starting from software version v7.58).
  • The script that replaces the licenses needs to be run only once.
  • The device can be reverted to its original state at any time without any traces of modification.
  • October 25, 2021: BI.ZONE reported the flaws to SEGGER via a technical support form. After SEGGER’s request, we sent the technical details and PoCs to demonstrate the flaws.
  • October 28, 2021: SEGGER confirmed the flaws.
  • November 1, 2021: SEGGER informed that a new version of the software was being prepared that would contain partial fixes.
  • November 5, 2021: SEGGER released software v7.58 that contained the partial fixes.

Possible implications of the flaws. What is at stake?

Here is what can happen because of the problems in the user device security mechanisms.

User piracy

This is quite costly for the manufacturer. A simple way to bypass the licensing system that does not require disassembly of the device can be attractive to a large number of users. After all, a J-Link Plus is roughly 10 times more expensive than a J-Link EDU.

Supply chain attacks

In this case, it is hard to imagine that someone would introduce malicious code into the debugger firmware. Nevertheless, the very example of the incorrect implementation of firmware signature verification is quite revealing. Such flaws allow a malicious code to be implanted into various user devices while they are en route to the end user.

Conclusions

Correct implementation of protection mechanisms is not an easy task, even for engineers with extensive experience. It is important that security features be examined not only by the developer, but also by third-party experts. Some fresh outlook certainly won’t hurt.

A bonus picture of a debugger debugging itself. Watch for free, no registration

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BI.ZONE

BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age