APPROTECT and verify with nrfjprog

RE: APPROTECT and verify with nrfjprog

Priyanka — Wed, 23 Jul 2025 11:28:57 GMT

Hi,

This looks like a good approach and the code snippet also looks nice. 🙂

Regards,

Priyanka

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Tue, 22 Jul 2025 13:54:21 GMT

Hi Priyanaka

With the UIR flags its possible and working like expected.

The logic is the following: Bootloader has its own UICR (index 1), application has its own UICR (index 0).

If the index is empty, the bootloader and app is writing the predefined value to this index. Next restart (Reset, Power Reset) the code is checking this value and is writing the AppProtection Flag following by a reset. This logic is needed to ensure that the fisrt time the AppProtect is not activated, second time yes.

The if is preventing that this is happening at every reset, it will happen only once:

void AppProtection(void)
{
#ifdef ENABLE_APPROTECT
    if (!is_customer_magic_set())
    {
        NRF_LOG_DEBUG("Customer Magic is not active");
        uicr_write_customer_magic();
    }
    else
    {
        NRF_LOG_DEBUG("Enable AppProtection");
        if ((NRF_UICR->APPROTECT & UICR_APPROTECT_PALL_Msk) !=
    		(UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos)) 
        {
            NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen;
            while (NRF_NVMC->READY == NVMC_READY_READY_Busy){}

            NRF_UICR->APPROTECT = ((NRF_UICR->APPROTECT & ~((uint32_t)UICR_APPROTECT_PALL_Msk)) |
                (UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos));

            while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}

            NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren;
            while (NRF_NVMC->READY == NVMC_READY_READY_Busy){}

            NVIC_SystemReset();
        }
#else
    	if ((NRF_UICR->APPROTECT & UICR_APPROTECT_PALL_Msk) !=
    		(UICR_APPROTECT_PALL_HwDisabled << UICR_APPROTECT_PALL_Pos))
        {

            NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen;
            while (NRF_NVMC->READY == NVMC_READY_READY_Busy){}

            NRF_UICR->APPROTECT = ((NRF_UICR->APPROTECT & ~((uint32_t)UICR_APPROTECT_PALL_Msk)) |
    		    (UICR_APPROTECT_PALL_HwDisabled << UICR_APPROTECT_PALL_Pos));

            while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}

            NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren;
            while (NRF_NVMC->READY == NVMC_READY_READY_Busy){}

            NVIC_SystemReset();
    	}
#endif
    }
}

Thank you for your help and if there is any issue or problem in the code please let me know

RE: APPROTECT and verify with nrfjprog

Priyanka — Mon, 14 Jul 2025 09:33:19 GMT

Hi Dominik,

That does sound like a good way. And you are also right that --eraseall resets UICR, including protection flags.

-Priyanka

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Sat, 12 Jul 2025 07:01:24 GMT

I think it's possible to use NRF_UICR->CUSTOMER[x] flag to enable the NRF_UICR->APPROTECT only after the second Reset/Boot, and with nrfjprog --eraseall the flags in uicr will be reset to default before flashing.I will try

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Fri, 11 Jul 2025 15:29:52 GMT

Ok, now I managed to enable ReadProtect only the second time after reset because of the Verify issue.
To manage this, I use a command line before program / verify and check this value in the App:

nrfjprog --memwr 0x000F5000 --val 0x12345678

if I read the address before enabling the ReadBackProtection I read 0xDEADC0DE

nrfjprog --memrd 0x000F5000 0x000F5000: DEADC0DE

my bootloader is starting at 0xF6000 and has 32kB, so in the memory map the part lower than 0xF6000 should be empty, but what this 0xDEADC0DE is meaning?

Is it safe to use this region below (grey) or should I avoid this? Is there any other way to do the ReadBackProtection in the App only after the second Reset without this Falsh? UICR is not working, I guess the internal falsh is ok only the 0xDEADC0DE is confusing me...

RE: APPROTECT and verify with nrfjprog

Priyanka — Fri, 11 Jul 2025 11:05:10 GMT

Hi Dominik,

Your understanding is correct. Please take a look at this ticket where a colleague of mine has described clearly regarding the differences between old and new revisions.

Hope this helps.

-Priyanka

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Thu, 10 Jul 2025 09:21:51 GMT

[quote userid="107899" url="~/f/nordic-q-a/122864/approtect-and-verify-with-nrfjprog"]Informational Notice (IN) - Vulnerability of the nRF52 series.[/quote]

With these Software functions this Bug can be fixed because every restart is protecting the MCU again which is not the case when the APPROTECT function in the bootloader and the App is not active, is this correct? Even if nrfjprog --rbp ALL is used in the flashing process at the end.

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Thu, 10 Jul 2025 08:53:47 GMT

Hi Priyanka

The --eraseall is needed after a recover?

I tried but its not working, the MCU starts running and enable APPROTECT before verify is finished:

**********************************************************************
"Recover and disable the read back protection"
**********************************************************************
Recovering device. This operation might take 30s.
Erasing user code and UICR flash areas.
Erasing user available code and UICR flash areas.
Applying system reset.
**********************************************************************
"Reset, Program and Verify the Device"
**********************************************************************
[ #################### ]   6.253s | Program file - Done programming
[error] [  nRF52] - Failed while performing 'Verify' operation on target address 0x00001000.
-160: Data does not match in address range [0x00001000 - 0x00026497] (Flash)
Expected byte value 0x00 but read 0xFB at address 0x0001A468.
[error] [ Client] - Encountered error -160: Command verify_file executed for 1777 milliseconds with result -160
[error] [  nRF52] - Failed while verifying device. -160: Data does not match in address range [0x00001000 - 0x00026497] (Flash)
Expected byte value 0x00 but read 0xFB at address 0x0001A468.
[error] [ Worker] - Data does not match in address range [0x00001000 - 0x00026497] (Flash)
Expected byte value 0x00 but read 0xFB at address 0x0001A468.
ERROR: Write verify failed.
Error occurred, errorlevel: 55
Error on the burning process with "nrfjprog --reset --program --verify"
**********************************************************************
"PROGRAMMING and VERIFY ERROR"
**********************************************************************
Drücken Sie eine beliebige Taste . . .

RE: APPROTECT and verify with nrfjprog

Priyanka — Thu, 10 Jul 2025 08:36:10 GMT

Hi Dominik,

[quote user="Dominik Eugster"]Is my understanding and the functions in the bootloader and App correct?[/quote]

Yes that's right. https://docs.nordicsemi.com/bundle/nrf5_SDK_v17.1.1/page/lib_secure_boot.html#secure_boot_debug_prod

[quote user="Dominik Eugster"]If yes, the only question is how to flash the nRF52840 with nrfjprog and use the verify, or is there an option to ensure a correct download without verify?[/quote]

Could you try the following:

nrfjprog -f NRF52 --recover
nrfjprog -f NRF52 --eraseall
nrfjprog -f NRF52 --program file.hex --verify

-Priyanka

RE: APPROTECT and verify with nrfjprog

Dominik Eugster — Thu, 10 Jul 2025 07:55:13 GMT

And in the bootloader the debug_port_disable function will be called aswell when the SDK_config NRF_BL_DEBUG_PORT_DISABLE is enabled:

void nrf_bootloader_debug_port_disable(void)
{
    if (NRF_UICR->APPROTECT != 0x0)
    {
        nrf_nvmc_write_word((uint32_t)&NRF_UICR->APPROTECT, 0x0);
        NVIC_SystemReset();
    }
#if (!defined (NRF52810_XXAA) && !defined (NRF52811_XXAA) && !defined (NRF52832_XXAA) && !defined (NRF52832_XXAB))
    if (NRF_UICR->DEBUGCTRL != 0x0)
    {
        nrf_nvmc_write_word((uint32_t)&NRF_UICR->DEBUGCTRL, 0x0);
        NVIC_SystemReset();
    }
#endif
}

So at the end the device is starting in the bootloader and the function above will enbale the APPROTECT. If a device is running without bootloader (only in development), then the function on top of the main will enable the APPROTECT with the function "AppProtection()"

Is my understanding and the functions in the bootloader and App correct?

If yes, the only question is how to flash the nRF52840 with nrfjprog and use the verify, or is there an option to ensure a correct download without verify?