Writing to the nrf9160's OTP register at runtime

Hi Mihail,

Writing to OTP (or may other part of the UICR) from non-secure is not allowed. What is it you want to do it? Could you acomplish what you need to do in a different way? If not, the only way you can write to UICR from non-secure is to make a custom secure service in TF-M and use that. You can refer to TF-M secure peripheral partition as an examle of this (ignoring the parts of the sample that involves the peripheral devices).

Einar

Hi Einar,

thank you for the quick response.

What is it you want to do it?

I want to store the `CLIENT_ID` for AWS on the OTP. Until now I've used `CONFIG_AWS_IOT_CLIENT_ID_STATIC`, however I have a different `CLIENT_ID` for each device. Means that I have to build a separate binary for each device, only changing the client id config. If I use `CONFIG_AWS_IOT_CLIENT_ID_APP`, then I can make an "universal" firmware update that can be updated to all of the devices.

Due to space constraints, the debug and test connectors are located on a part of the PCB that breaks off after programming the device, before assembly. This means that for a small number of test devices, I've broken off the JLink connector and I can only update them OTA.

I was wondering if I can somehow put an OTA update that's going to write the `CLIENT_ID` into the OTP, and from then on use an "universal" firmware image for all devices. I have done that in the past with an application on the nrf52. I have been able to put BLE OTA application, that wrote the BLE name of the device in the UICR->CUSTOMER registers. However it didn't use TF-M, so I didn't have anything preventing me from doing that.

Could you acomplish what you need to do in a different way?

In hindsight, I should have put a storage partition in the flash layout, but I think that I can no longer change that, since I have already built a bootloader and I have to use the `pm_static.yml` from it.

For all the future devices I can program the `CLIENT_ID` to OTP from JLink, so it won't be an issue. For the existing test devices I think my best option would be to keep creating a separate binary for each of them. I don't think that creating a custom TF-M service makes sense in this scenario.

Greetings

Hi Einar,

thank you for the quick response.

What is it you want to do it?

I want to store the `CLIENT_ID` for AWS on the OTP. Until now I've used `CONFIG_AWS_IOT_CLIENT_ID_STATIC`, however I have a different `CLIENT_ID` for each device. Means that I have to build a separate binary for each device, only changing the client id config. If I use `CONFIG_AWS_IOT_CLIENT_ID_APP`, then I can make an "universal" firmware update that can be updated to all of the devices.

Due to space constraints, the debug and test connectors are located on a part of the PCB that breaks off after programming the device, before assembly. This means that for a small number of test devices, I've broken off the JLink connector and I can only update them OTA.

I was wondering if I can somehow put an OTA update that's going to write the `CLIENT_ID` into the OTP, and from then on use an "universal" firmware image for all devices. I have done that in the past with an application on the nrf52. I have been able to put BLE OTA application, that wrote the BLE name of the device in the UICR->CUSTOMER registers. However it didn't use TF-M, so I didn't have anything preventing me from doing that.

Could you acomplish what you need to do in a different way?

In hindsight, I should have put a storage partition in the flash layout, but I think that I can no longer change that, since I have already built a bootloader and I have to use the `pm_static.yml` from it.

For all the future devices I can program the `CLIENT_ID` to OTP from JLink, so it won't be an issue. For the existing test devices I think my best option would be to keep creating a separate binary for each of them. I don't think that creating a custom TF-M service makes sense in this scenario.

Greetings