APPROTECT and DAP

Hi,

I have a JLink script which sets APPROTECT in the UICR to enable readback protection and disable the debug interface.

For development purposes, I would like to be able to clear these. The process seems to be to write certain values to the CTRL-AP registers. However, I cannot find the base memory address for the DAP or CTRL-AP registers anywhere in the nRF52832 1.0 data sheet. Does anyone know the base address for this register set? If not part of the memory space register, how would I command JLink to write data to the appropriate place to erase the chip after read back protection has been enabled?

Thanks,

Eric

  • DAP isn't memory-mapped (well it's allowed to be but it's implementation defined if it is or not). You use the JLink SWDReadDP/AP SWDWriteDP/AP commands to read and write the coresight registers. The nrf51 data sheet isn't going to help you there, you need to read the ARM v7m reference manual and the ARM ADIv5 manual to get very far.

    I hadn't looked at the nRF52 CTRL-AP, a quick poke around with JLink and some notes I made after reading the ADIv5 manual last year seems to indicate it's a second AP entirely and doesn't show up in the ROM table ... I guess it wouldn't if the DAP is disabled, not going to disable mine to work it out. The following, checking register 0x0FC of AP number 1 (normal DP is number 0) seems to give the correct AP ID, i.e. the one in the manual, 0x02880000

    SWDWriteDP 2 0x010000f0
    SWDReadAP 3
    SWDReadAP 3
    

    note the double-read as data is returned on the second one.

    So if that's the right AP, APPROTECTSTATUS is at 0x00C, reading that on mine with the following

    SWDWriteDP 2 0x01000000
    SWDReadAP 3
    SWDReadAP 3
    

    gives

    Read AP register 3 = 0x00000001
    

    which seems correct as indeed protection is off on my chip, you should get 0x00000000

    keeping going .. reading the ERASEALLSTATUS just requires reading register 0x008

    SWDReadAP 2
    SWDReadAP 2
    
    Read AP register 2 = 0x00000000
    

    seems right, the chip isn't erasing currently

    Resetting the chip you want to write 0x00000001 to 0x000

    SWDWriteAP 0 0x00000001
    

    That reset the chip for me and held the thing in reset and then I failed to get much done after that, I think I needed to switch back to port 0 but didn't and upset JLink .. power cycle.

    So to erase everything it seems you should write 0x00000001 to register 0x004 which would be

    SWDWriteAP 1 0x00000001
    

    and I'm not going to try that myself, but I'd love to hear how you got on :)

    Note all those SWDReadAP and SWDWriteAP commands for 0x000 to 0x00C registers are predicated on your having written the DP port to the correct value with that

    SWDWriteDP 2 0x01000000
    

    command which I executed before reading the APPROTECTSTATUS. It's sticky so you don't have to keep doing it.

    Usually you don't have to muck about like that, Segger usually implements this stuff, so did you just try the JLink erase command to see if it's CTRL-AP aware? If not, it's a good question for their forums, and would be a good thing for them to implement.

  • Hi RK, thanks for the comments.

    Since I have many eval boards around for our module, I was able to lock one of them for this testing. After enabling APPROTECT the SWDWriteDP, SWDWriteAP, and their respective read commands all return something in the form of Write DP Register x = <data> ***ERROR or Read AP register x = ERROR. The erase command returns ERROR: Erase returns with error code -1..

    I know it is possible to recover devices using nrfjprog but that doesn't help me in this case since I am trying to support many different system types. Since there isn't an answer from Nordic here, I will ask them directly and post back with the result.

    Thanks again for the help so far.

  • Hi Eric!

    Did you find a solution for your problem? I get the same ERROR when trying to erase the chip with the JLink Commander.

  • In our factory programming script, we do the following via JLink:

    //Clear App Protect and Erase All
    SWDSelect //Selects the SWD Interface
    SWDWriteDP 1 0x50000000 //Enables power
    SWDWriteDP 2 0x01000000 //Selects the 0x01XXXXXX Access Port and 0xXXXX00XX Register bank in the access port
    SWDWriteAP 1 0x00000001 //CTRL-AP Bank 0, register offset 1 (ERASEALL 0x004): Erase all command
    sleep 1000 //Wait for the erase to run before reading the status
    SWDReadAP 2 //CTRL-AP Bank 0, register offset 2 (ERASEALLSTATUS 0x008): Erase all status
    SWDReadAP 2 //Second read returns the value
    SWDWriteAP 0 0x00000001 //CTRL-AP Bank 0, register offset 0 (RESET 0x000): Assert reset
    SWDWriteAP 0 0x00000000 //CTRL-AP Bank 0, register offset 0 (RESET 0x000): Release reset
    SWDWriteAP 1 0x00000000 //CTRL-AP Bank 0, register offset 1 (ERASEALL 0x004): Clear the erase all command
    SWDReadAP 3 //CTRL-AP Bank 0, register offset 3 (APPROTECTSTATUS 0x00C): Access port protection status
    SWDReadAP 3 //Second read returns the value: 0: enabled 1: not enabled
    

    HTH,

    Eric
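
The register addressing used in the replies above, as an added example that is not part of the original posts: a Python helper that turns a CTRL-AP register offset into the SWDWriteDP/SWDReadAP sequence and classifies the APPROTECTSTATUS result in a J-Link Commander transcript, for instance as a production check that boards leave the line protected. The function names and sample transcripts are constructed for illustration, and the debug port is assumed to be selected and powered first, as in the script above.

```python
import re

CTRL_AP = 1  # AP number used in the thread (SELECT value 0x01xxxxxx)
# CTRL-AP register offsets quoted in the thread
RESET, ERASEALL, ERASEALLSTATUS, APPROTECTSTATUS, IDR = 0x000, 0x004, 0x008, 0x00C, 0x0FC

def select_value(ap, offset):
    """DP SELECT word: AP number in bits 31:24, register bank (offset bits 7:4) in bits 7:4."""
    return (ap << 24) | (offset & 0xF0)

def ap_index(offset):
    """Index given to SWDReadAP/SWDWriteAP: which of the 4 words in the selected bank."""
    return (offset >> 2) & 0x3

def read_commands(offset, ap=CTRL_AP):
    """J-Link Commander lines that read one AP register (data arrives on the second read)."""
    n = ap_index(offset)
    return [f"SWDWriteDP 2 0x{select_value(ap, offset):08x}",
            f"SWDReadAP {n}", f"SWDReadAP {n}"]

READ_RE = re.compile(r"Read AP register (\d) = (0x[0-9A-Fa-f]{8}|ERROR)")

def second_read(output, index):
    """Value of the second 'Read AP register <index>' line, or None on ERROR or a missing read."""
    hits = [v for i, v in READ_RE.findall(output) if int(i) == index]
    if len(hits) < 2 or hits[1] == "ERROR":
        return None
    return int(hits[1], 16)

def approtect_state(output):
    """Classify a transcript produced by read_commands(APPROTECTSTATUS)."""
    value = second_read(output, ap_index(APPROTECTSTATUS))
    if value is None:
        return "unknown"  # a failed read is not proof that protection is on
    return "protected" if value & 1 == 0 else "open"  # 0: enabled, 1: not enabled

# Constructed transcripts; the line format follows the output quoted in the thread.
OPEN_BOARD = "Read AP register 3 = 0x00000000\nRead AP register 3 = 0x00000001\n"
LOCKED_BOARD = "Read AP register 3 = 0x00000001\nRead AP register 3 = 0x00000000\n"
FAILED_READ = "Read AP register 3 = ERROR\nRead AP register 3 = ERROR\n"

if __name__ == "__main__":
    print("\n".join(read_commands(APPROTECTSTATUS)))
    for name, log in [("open", OPEN_BOARD), ("locked", LOCKED_BOARD), ("failed", FAILED_READ)]:
        print(name, "->", approtect_state(log))
```
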
