• State Not Answered
  • Replies 14 replies
  • Subscribers 26 subscribers
  • Views 507 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 288952
Options

UICR won't be completely erased (APPROTECT)

user3223

It seems that not all UICR registers are erased on this nRF52840 chip

nrfjprog -f nrf52 --recover

Just make sure one more time:

nrfjprog -f nrf52 --eraseuicr

nrfjprog -f nrf52 --readuicr uicr.bin --log
Storing data in 'uicr.bin'.

Displaying uicr:

It's indeed there

nrfjprog -f nrf52 --memrd 0x10001208 --w 8 --n 4    

0x10001208: 5A 00 00 00                                       |Z...|

And it can't be overwritten:

What's happening here?

The APPROTECT register should show 0xFF!

This is the chip:

0FAA as INFO.VARIANT (https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf52832.ps.v1.1%2Fficr.html&anchor=register.INFO.VARIANT)

I now also found https://infocenter.nordicsemi.com/index.jsp?topic=%2Fps_nrf52840%2Frev_history.html that 0x5A (HwDisabled) is an option for "Hardware disable of access port protection for devices where access port protection is controlled by hardware and software"

My problem is that after each power cycle it failed to flash without clearing UICR first.

Parents Reply
  • 0 in reply to user3223

    Well, improved in the sense that it is not as easily bypassed I guess.

    user3223 said:
    Apart from that, let's just assume I want to write 0xFF rather than 0x5A there. Can I do this?

    I suppose, but then it would still be locked, I think.

    You need the firmware on the device to also write some magic words to keep the device 'unlocked'.

    This is copied from the guide I linked above:

    1. Start with a CTRL-AP ERASEALL operation.
    2. Program code compiled with an MDK 8.44.1 or later, without ENABLE_APPROTECT defined.
    3. Write HwDisabled (0x5A) to UICR.APPROTECT
    4. Perform any reset to run the code. The programmed code from step 2 will open access port by writing to APPROTECT.DISABLE during start-up.

    So you need the firmware to actively allow access. Otherwise the device will be locked after a power cycle.

Children
  • 0 in reply to user14028

    Thanks for your help, but I want to know why I can't write 0xFFFFFFFF rather than 0x5A towards that register. Or what I've to do to make that happen.

    I think I understand what's happening, namely that the nrfjprog tool automatically writes 0x5A towards that register after a recover operation.

    And of course I've read the documentation as well https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/working-with-the-nrf52-series-improved-approtect and no, I just don't want to do protection in firmware.

    If someone wants to glitch the thing, go ahead. Our code is open source and not locked down to begin with. So everything making flashing more cumbersome is to be removed from the process. I don't want this stuff to be suddenly interfering with our flash tools in the factory depending if there has been or has not been a power cycle in that process.

  • 0 in reply to user3223
    user3223 said:
    Thanks for your help, but I want to know why I can't write 0xFFFFFFFF rather than 0x5A towards that register. Or what I've to do to make that happen.

    The thing is that this new hardware revision doesn't work like that. They've changed the way the chip operates in this respect and we users can only adapt to it.

    have you seen the change notice IN141?

    user3223 said:
    I don't want this stuff to be suddenly interfering with our flash tools in the factory depending if there has been or has not been a power cycle in that process.

    I have actually today ordered a sample set of our product to be built with this new revision of 52840, for checking exactly this. So shortly I will be in the same situation as you.

Related
Terms of service