I have a JLink script which sets APPROTECT in the UICR to enable readback protection and disable the debug interface.
For development purposes, I would like to be able to clear these. The process seems to be to write certain values to the CTRL-AP registers. However, I cannot find the base memory address for the DAP or CTRL-AP registers anywhere in the nRF52832 1. 0 data sheet. Does anyone know the base address for this register set? If not part of the memory space register, how would I command JLink to write data to the appropriate place to erase the chip after read back protection has been enabled?
I figured out the solution:
You cannot ask JLink Commander to connect to the device after APPROTECT is set. This causes commander to switch to some state where SWDWriteDP/SWDReadDP always fails with…
DAP isn't memory-mapped (well it's allowed to be but it's implementation defined if it is or not). You use the JLink SWDReadDP/AP SWDWriteDP/AP commands to read and write the coresight registers. The nrf51…
DAP isn't memory-mapped (well it's allowed to be but it's implementation defined if it is or not). You use the JLink SWDReadDP/AP SWDWriteDP/AP commands to read and write the coresight registers. The nrf51 data sheet isn't going to help you there, you need to read the ARM v7m reference manual and the ARM ADIv5 manual to get very far.
I hadn't looked at the nRF52 CTRL-AP, a quick poke around with JLink and some notes I made after reading the ADIv5 manual last year seems to indicate it's a second AP entirely and doesn't show up in the ROM table ... I guess it wouldn't if the DAP is disabled, not going to disable mine to work it out. The following, checking register 0x0FC of AP number 1 (normal DP is number 0) seems to give the correct AP ID, ie the one in the manual 0x02880000
SWDWriteDP 2 0x010000f0
note the double-read as data is returned on the second one.
So if that's the right AP, APPPROTECTSTATUS is at 0x00C, reading that on mine with the following
SWDWriteDP 2 0x01000000
Read AP register 3 = 0x00000001
which seems correct as indeed protection is off on my chip, you should get 0x00000000
keeping going .. reading the ERASEALLSTATUS just requires reading register 0x008
Read AP register 2 = 0x00000000
seems right, the chip isn't erasing currently
Resetting the chip you want to write 0x00000001 to 0x000
SWDWriteAP 0 0x00000001
That reset the chip for me and held the thing in reset and then I failed to get much done after that, I think I needed to switch back to port 0 but didn't and upset JLink .. power cycle.
So to erase everything it seems you should write 0x00000001 to register 0x004 which would be
SWDWriteAP 1 0x00000001
and I'm not going to try that myself, but I'd love to hear how you got on :)
Note all those SWDReadAP and SWDWriteAP commands for 0x000 to 0x00C registers are predicated on your having written the DP port to the correct value with that
SWDWriteDP 2 0x01000000
command which I executed before reading the APPPROTECTSTATUS. It's sticky so you don't have to keep doing it.
Usually you don't have to muck about like that, Segger usually implements this stuff, so did you just try the JLink erase command to see if it's CTRL-AP aware? If not, it's a good question for their forums, and would be a good thing for them to implement.
Did it work?
Hi RK, thanks for the comments.
Since I have many eval board around for our module, I was able to lock one of them for this testing. After enabling APPROTECT the SWDWriteDP, SWDWriteAP, and their respective read commands all return something in the form of Write DP Register x = <data> ***ERROR or Read AP register x = ERROR. The erase command returns ERROR: Erase returns with error code -1..
Write DP Register x = <data> ***ERROR
Read AP register x = ERROR
ERROR: Erase returns with error code -1.
I know it is possible to recover devices using nrfjprog but that doesn't help me in this case since I am trying to support many different system types. Since there isn't an answer from Nordic here, I will ask them directly and post back with the result.
Thanks again for the help so far.
You cannot ask JLink Commander to connect to the device after APPROTECT is set. This causes commander to switch to some state where SWDWriteDP/SWDReadDP always fails with an error. I don't fully understand what state the connect command causes in JLink Commander. Instead, after starting JLInk Commander send only the SWDSelect command.
Start JLink Commander
SWDSelect -> Selects SWD Interface
SWDWriteDP 1 0x50000000 -> Enable power (as suggested by Segger response)
SWDWriteDP 2 0x01000000 -> Seleect CTRL-AP Bank 0
SWDWriteAP 1 0x00000001 -> Full Chip Erase
SWDReadAP 2 -> Repeat until 0
SWDReadAP 3 -> Two reads show 0x00000001 meaning protection cleared
Thanks for the help.
JLink Erase script for locked NRF52: http://pastebin.com/zChcyMtN