• State Not Answered
  • +1 person also asked this people also asked this
  • Replies 4 replies
  • Subscribers 76 subscribers
  • Views 6403 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 214082
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF52840 - securing the device against firmware read, erase, and re-program

mstevens

Hello team,

I found a great conversation on securing my device at https://devzone.nordicsemi.com/f/nordic-q-a/23972/cybersecurity-features-for-nrf52-chips but I wanted to check if there's an application note that discusses the specific subject of steps to take to secure the device from firmware readout, erase, or reprogramming AND not leave the capability to mass erase and reprogram over JTAG or another interface.  

Thanks.

Parents
  • 0

    As far as I know you can't protect against ERASEALL. 

    You use the APPROTECT UICR register to protect against SWD read/write memory access and access to the processor registers. The ERASEALL command clears the entire chip including UICR.  Even with APPROTECT UICR set you can still do OTA/DFU if you implement it.

    You can set APPROTECT either through command line and SWD or you can set it in software.

    Currently I set it in main for our products. But there are good reasons for doing it at command line.

    This is how you do it in  code:

    if (NRF_UICR->APPROTECT != 0x0)
    {
    NRF_NVMC->CONFIG = 0x1;
    NRF_UICR->APPROTECT = 0x0;
    NRF_NVMC->CONFIG = 0x0;
    }

    It writes same way as flash, so erase is all 1's and set is 0's.

Reply
  • 0

    As far as I know you can't protect against ERASEALL. 

    You use the APPROTECT UICR register to protect against SWD read/write memory access and access to the processor registers. The ERASEALL command clears the entire chip including UICR.  Even with APPROTECT UICR set you can still do OTA/DFU if you implement it.

    You can set APPROTECT either through command line and SWD or you can set it in software.

    Currently I set it in main for our products. But there are good reasons for doing it at command line.

    This is how you do it in  code:

    if (NRF_UICR->APPROTECT != 0x0)
    {
    NRF_NVMC->CONFIG = 0x1;
    NRF_UICR->APPROTECT = 0x0;
    NRF_NVMC->CONFIG = 0x0;
    }

    It writes same way as flash, so erase is all 1's and set is 0's.

Children
Related
Terms of service