• State Not Answered
  • Replies 8 replies
  • Subscribers 76 subscribers
  • Views 3713 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 263062
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

NRF52840 SOC Jtag Port disabling

Srinivas V

Hi Team,

We are using the nRF52840 for our development purpose. For sake Cyber security purpose we need to disable the Jtag debug port. 

For this we have used the below code snippet,

   NRF_UICR->APPROTECT = 0x00;

With this we are not able to disable the Jtag Debug Port, is there any other way to disable the port.

Could any one share the Jtag disabling part of code for nRF52840, without impacting the our rest of the Peripherals means Flash, BLE  and other peripherals.

Regards,

Srinivas.V

Parents
  • 0

    Hi Srinivas,

    You need to enable writing to flash in NVMC before you write to an UICR register. Here is an example of how you can do it:

    APPROTECT_ENABLE 1

void approtect(void) 

{

#if APPROTECT_ENABLE

    if ((NRF_UICR->APPROTECT & UICR_APPROTECT_PALL_Msk) != 
        (UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos))
    {
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_UICR->APPROTECT = (UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos);
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NVIC_SystemReset();
    }  

#endif //APPROTECT_ENABLE

}/**

    Regards,

    Vidar

  • 0 in reply to Vidar Berg

    Hi Vidar,

    Thanks for your reply.

    Is this code works for nRF52840? 

    Which is the correct place to call this function "approtect()", means at start of the main or initialization of any other peripherals like times , flash etc..

    And how to test the above functionality is working or not or is there any specific instructions to debug this code without using the debugger.

    Regards,

    Srinivas.V

  • 0 in reply to Srinivas V

    Hi Srinivas,

    It has to be called before enabling the Softdevice because you are not allowed to access the NVMC while it is enabled.

    It's difficult to debug with readback protection, but you can try to connect the debugger to verify if approtect is enabled or not.

    Regards,

    Vidar

  • 0 in reply to Vidar Berg

    Hi Vidar,

    Once again thanks for your support.

    void approtect(void) 

{

#if APPROTECT_ENABLE

    if ((NRF_UICR->APPROTECT & UICR_APPROTECT_PALL_Msk) != 
        (UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos))
    {
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_UICR->APPROTECT = (UICR_APPROTECT_PALL_Enabled << UICR_APPROTECT_PALL_Pos);
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NVIC_SystemReset();
    }  

#endif //APPROTECT_ENABLE

}/**

    With the above code changes I am able to disable the debug port and not able to connect the debugger and not able to erase the flash and load the new .hex as well with Jtag port with the connected debugger(i-Jet).

    1. How to enable Jtag port again and how load the new hex file debugger.

    2. Is there any HW changes required to enable the Jtag port again for the particular nRF52840 Board.

    If I am able to enable the Jtag port again it would be helpful to team to debug again.

    Is there any flexible way to enable and disable the Jtag port SW changes itself.

    Regards,

    Srinivas.V

  • 0 in reply to Srinivas V

    Hi Vidar,

    Regarding this Jtag Disable, in forums saying that by using the 

    The CTRL-AP - Control Access Port is a custom access port that enables control of the device even if the other access ports in the DAP are being disabled by access port protection.

    How to execute the above flow, for this any tools or HW changes are required to enable the Jtag port again.

    Regards,

    Srinivas.V

Reply Children
  • 0 in reply to Srinivas V

    Hi Srinivas,

    If you have a j-link, you can use 'nrfjprog --recover' to erase the chip through the control access port. But I'm not sure if there is an easy way to do the same with the i-jet debugger. It will need to perform the following sequence to disable approtect: Erasing all through CTRL-AP

    Regards,

    Vidar

  • 0 in reply to Vidar Berg

    Hi Vidar,

    Once again Thanks for your reply.

    Could you please elaborate the steps with j-link, like directly go to to cmd prompt and execute the "nrfjporg  --recover" command or any other prerequisites are required.

    Is there any terminal or any tool required to execute the below steps, or how to access these CTRL_AP registers externally, why means my j-tag port is already locked.

    Erasing all through CTRL-AP

    Use the standard SWD Arm® CoreSightTm DAP protocol to erase all while the CTRL-AP is still selected by the DP.

    1. Write the value 0x00000001 to the ERASEALL register (0x004) of the CTRL-AP.
      This will start the ERASEALL operation which erases all flash and RAM on the device.
    2. Read the ERASEALLSTATUS register (0x008) of the CTRL-AP until the value read is 0x00 or 15 seconds from ERASEALL write has expired.
    3. Write the value 0x1 to RESET register (0x000) of the CTRL-AP to issue a “soft reset” to the device and complete the erase and unlocking of the chip.
    4. Write the value 0x0 to RESET register (0x000).
    5. Write the value 0x0 to the ERASEALL register (0x004) of the CTRL-AP.
      This is necessary after the erase sequence is completed.

  • 0 in reply to Srinivas V

    Hi Srinivas,

    Yes, If you have nrfjprog installed (from nRF Command Line Tools package) and a j-link debugger connected to your board, then you can call "nrfjprog --recover" from the command line to unlock it.

Related
Terms of service