ERASEALL and ERASEPROTECT.DISABLE do not delete keys stored in modem.

The documentation for ERASEPROTECT.DISABLE states:

The erase protection mechanism can be disabled in order to return a device to factory default settings upon next reset.

For ERASEALL, it says:

Erase all function gives debugger the possibility of triggering an erase of flash, user information configuration registers (UICR), RAM, including all peripheral settings, as well as removing the access port protection.

However, the command AT%CMNG=1 indicates that certificates and private keys are still stored after erasure by either method.  This is the main issue.

Additionally, regardless of whether the main issue is in software or documentation, the documentation should make it clear whether or not these two methods have the same effect.  The current wording makes it uncertain.

Top Replies

  • However, the command AT%CMNG=1 indicates that certificates and private keys are still stored after erasure by either method. 

    The certificates and private keys are stored in the modem flash…

  • I just noticed that the ERASEPROTECT.DISABLE documentation does mention

    the device is automatically erased as described in Erase all.

    so the secondary issue is not really an issue.  Still, it could be made clearer that a factory reset includes modem keys, if indeed that is what is intended.

  • However, the command AT%CMNG=1 indicates that certificates and private keys are still stored after erasure by either method. 

    The certificates and private keys are stored in the modem flash, not in the application flash. So this is the expected behavior. Use AT%CMNG with opcode 3 to delete certificates.

  • Thanks.  In that case the documentation needs to be fixed.  "Factory default settings" is not accurate; and "flash" is vague if it doesn't include modem flash.  Since the command is named ERASEALL, there should be bold print saying what it doesn't erase.  Especially when it doesn't erase secrets.

    This is not to mention the various issues in the documentation of erase protection.  For example, under Table 1 in this section it says:

    Erase can still be performed through CTRL-AP, regardless of the above settings.

    However, this is only true if you have already prepared the firmware to be involved in disabling erase protection; if you have not, you will end up irrecoverably locking your device.

    And in this section it says:

    ...the CTRL-AP ERASEALL operation is disabled, and all flash write and erase operations are restricted to firmware.

    However, this is inaccurate:  NVMC.ERASEALL is also disabled – it is not possible to erase all from firmware.  It also says:

    In addition, it is still possible to write/erase from debugger as long as APPROTECT is not set.

    This is inaccurate:  Even if APPROTECT is set, you can still erase from a debugger, but only if you have already made preparations.

    Furthermore, there is no documentation about how to use CTRL-AP.  Trial-and-error with JLink commander is risky.  nrfjprog ought to support this access port.

  • Thanks for the feedback. I will forward it to the team.

Related