This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF52840 - securing the device against firmware read, erase, and re-program

Hello team,

I found a great conversation on securing my device at https://devzone.nordicsemi.com/f/nordic-q-a/23972/cybersecurity-features-for-nrf52-chips but I wanted to check if there's an application note that discusses the specific subject of steps to take to secure the device from firmware readout, erase, or reprogramming AND not leave the capability to mass erase and reprogram over JTAG or another interface.

Thanks.

Top Replies

AmbystomaLabs over 6 years ago +1

As far as I know you can't protect against ERASEALL. You use the APPROTECT UICR register to protect against SWD read/write memory access and access to the processor registers. The ERASEALL command clears…

Parents

0 AmbystomaLabs over 6 years ago

As far as I know you can't protect against ERASEALL.

You use the APPROTECT UICR register to protect against SWD read/write memory access and access to the processor registers. The ERASEALL command clears the entire chip including UICR. Even with APPROTECT UICR set you can still do OTA/DFU if you implement it.

You can set APPROTECT either through command line and SWD or you can set it in software.

Currently I set it in main for our products. But there are good reasons for doing it at command line.

This is how you do it in code:

if (NRF_UICR->APPROTECT != 0x0)
{
NRF_NVMC->CONFIG = 0x1;
NRF_UICR->APPROTECT = 0x0;
NRF_NVMC->CONFIG = 0x0;
}

It writes same way as flash, so erase is all 1's and set is 0's.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 manoj12345 over 5 years ago in reply to AmbystomaLabs

why NRF_NVMC->CONFIG used for two times?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Mr. Broshar over 2 years ago in reply to manoj12345

First call enables config write access.

Second call disables config write access.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Mr. Broshar over 2 years ago in reply to manoj12345

First call enables config write access.

Second call disables config write access.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data