https://devzone.nordicsemi.com/f/nordic-q-a/112628/nrf5340---cannot-read-uicr-otp-in-relase-modeHi, in order to reuse the original factory public Bluetooth MAC of nRF5340 based radio module, I had introduced a function that reads the MAC address out of UICR.OTP area of the Flash, and sends it to the network core after a quick validation. whereen-USTelligent Community 13Fri, 05 Jul 2024 09:07:40 GMThttps://devzone.nordicsemi.com/thread/492399?ContentTypeID=1Fri, 05 Jul 2024 09:07:40 GMT137ad170-7792-4731-bb38-c0d22fbe4515:7597f9a7-3cb5-4843-a09e-0fc95b8957f7Gabriele<p>yes I do. Thank you so much</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492377?ContentTypeID=1Fri, 05 Jul 2024 07:58:59 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b4139a0e-221e-4736-b2df-d2530f65e20eHieu<p>I&#39;m not sure what you mean by hacking the UICR lock. I assume you disable the lock altogether. Please just be aware that it is locked for security reasons, and by disabling the lock, you compromise that&nbsp;security measure.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492364?ContentTypeID=1Fri, 05 Jul 2024 06:55:28 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b6f3c195-1050-4735-a032-32d956249097Gabriele<p>I&#39;ve hacked the UICR lock. This ticket can be closed&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492172?ContentTypeID=1Thu, 04 Jul 2024 06:54:37 GMT137ad170-7792-4731-bb38-c0d22fbe4515:afbb9927-b33d-47df-8b99-bb49ba6a596cGabriele<p>It seems very complicated stuff. Can you guide me with some concrete coding sample ? Alternatively, can I remove the access restriction to UICR ? Or, is there a non-protected register where I can copy the bluetooth address, in such a way I can&nbsp;read it at runtime without any restriction ?</p> <p>I have a bash script on host, used for the first device programming.<br />It does the following</p> <p><pre class="ui-code" data-mode="text">1) Retrieve and save in a local variable the factory MAC from device, using uicrotp=&quot;$(nrfjprog -f nrf53 --memrd 0x00FF8100 --n 8)&quot; 2) Erase and program device with application 3) Restore the original bluetooth address into device from the local variable, using nrfjprog -f nrf53 --memwr 0x00FF8104 --${uicrotp:21:8} 0x nrfjprog -f nrf53 --memwr 0x00FF8100 --${uicrotp:12:8} 0x</pre></p> <p>Is there any 8-bytes flash area, other than 0x00FF8100, where I can copy the MAC address, which is easily readable at runtime, without any restriction ? Maybe a different UICR register ?</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/491614?ContentTypeID=1Mon, 01 Jul 2024 13:07:17 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fd691888-dc93-47ca-8c06-04b72cceb2c0Hieu<p>Hi Gabriele,</p> <p>The Nordic Secure Immutable Bootloader uses the&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/libraries/others/hw_unique_key.html">Hardware unique key</a>&nbsp;library, which in turn uses the nRF5340&#39;s&nbsp;<a href="https://docs.nordicsemi.com/bundle/ps_nrf5340/page/kmu.html/">KMU — Key management unit</a>&nbsp;to&nbsp;limit the access to a part of the&nbsp;UICR. The OTP registers that you want to use is one of the registers with access restricted.</p> <p>To read the OTP, you need to use the Hardware Unique Key library&#39;s API.&nbsp;You can refer to its sample:&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/samples/keys/hw_unique_key/README.html">https://docs.nordicsemi.com/bundle/ncs-2.6.1/page/nrf/samples/keys/hw_unique_key/README.html</a>.</p> <p>Hieu</p><div style="clear:both;"></div>