
NRF52840 FLASH PROTECTION WITH SDK 15.0.0

Hello Everyone, 

I am using the NRF52840 development kit and have compiled the code using SDK 15.0.0. I am using the SoftDevice as well. I have to implement flash protection in my device so that a third party can't read the firmware from the device. I am a beginner at flash programming on Nordic devices, so I don't really know where to start. I read a few tickets but I am confused about the process. I have to implement this flash protection for the DFU firmware as well. Can anyone help guide me on this? How do I enable this protection?

1) Reading firmware should be disabled.

2) I should be able to erase and reprogram/write the firmware.

3) OTA update should not be blocked. OTA update should happen.

4) Want to protect firmware of DFU as well.

 

Thank you,

 

  • Hi,

    You can call "nrfjprog --rbp ALL && nrfjprog --reset" to readback protect and reset the device (to latch the new configuration). This is equivalent to writing to this register and then doing a reset.

    In addition, you can build the bootloader with NRF_BL_DEBUG_PORT_DISABLE set to 1 in sdk_config.h; the bootloader will then check if approtect is enabled, and if not, enable it and reset.

    4) Want to protect firmware of DFU as well.

     DFU: To protect the target device against malicious attackers trying to impersonate the rightful sender of the firmware update, the init packet of the firmware package must be signed. But the package is not encrypted. See this post: https://devzone.nordicsemi.com/f/nordic-q-a/60249/official-encrypted-secure-dfu/

     

  • Hi. Thank you for your reply. I have added the below code in my firmware in main.c:

    uint32_t APPPROTECT_reg;

    APPPROTECT_reg = NRF_UICR->APPROTECT;
    NRF_LOG_INFO("APPROTECT REG VAL IS %x", APPPROTECT_reg);

    // 0xFFFFFFFF is the erased UICR value, i.e. APPROTECT has not been written yet.
    if (NRF_UICR->APPROTECT == 0xFFFFFFFF)
    {
        NRF_LOG_INFO("PROTECTING FIRMWARE...SETTING APPROTECT");
        // Clear the low byte (PALL field) to enable access port protection.
        nrf_nvmc_write_word((uint32_t)&(NRF_UICR->APPROTECT), 0xFFFFFF00);

        //NVIC_SystemReset();
    }

    static void nrf_nvmc_write_word(uint32_t address, uint32_t value)
    {
        // Enable write.
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen;
        __ISB();
        __DSB();

        *(uint32_t*)address = value;
        // Wait for the NVMC to finish the write.
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {;}

        // Back to read-only.
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren;
        __ISB();
        __DSB();
    }

    It seems to be working. I have added this in the DFU BLE firmware as well. SWD, JTAG and USB get blocked, but OTA works fine.

    Is this the right way to do it?

  • Looks like you have commented out the system reset.

    This is what the bootloader will do if NRF_BL_DEBUG_PORT_DISABLE is set (NRF_BL_DEBUG_PORT_DISABLE was first introduced in SDK v16):

    void nrf_bootloader_debug_port_disable(void)
    {
        if (NRF_UICR->APPROTECT != 0x0)
        {
            nrf_nvmc_write_word((uint32_t)&NRF_UICR->APPROTECT, 0x0);
            NVIC_SystemReset();
        }
    #if (!defined (NRF52810_XXAA) && !defined (NRF52811_XXAA) && !defined (NRF52832_XXAA) && !defined (NRF52832_XXAB))
        if (NRF_UICR->DEBUGCTRL != 0x0)
        {
            nrf_nvmc_write_word((uint32_t)&NRF_UICR->DEBUGCTRL, 0x0);
            NVIC_SystemReset();
        }
    #endif
    }
    

  • Thank you for your reply. I am using SDK15, so this feature "NRF_BL_DEBUG_PORT_DISABLE" is not available.

    Yes, I have commented out the system reset line. What happens is I have to upload 4 files:

    1) Bootloader file

    2) SoftDevice file

    3) Application hex file

    4) Config file

    Now, what happens if I uncomment this line, "NVIC_SystemReset();": I upload the bootloader file first, and after uploading it automatically resets the board, and then I am not able to upload the other 3 files to the device as it blocks SWD. That's the reason I commented out "NVIC_SystemReset();".

    What will be the right way to upload the 4 files?

  • sne_333 said:
    What will be the right way to upload the 4 files?

    You could use mergehex to merge these 4 files into a single hex file.

    https://infocenter.nordicsemi.com/topic/ug_nrf_cltools/UG/cltools/nrf_mergehex.html
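
The sequence this thread arrives at, as an added example that is not part of the original posts: merge the four images, program them in one pass while SWD is still open, then apply readback protection from the host and reset to latch it. The file names, the `run`, `flash_and_lock` and `recover_for_reflash` helpers and the `DRY_RUN` switch are assumptions of this example; the merge is done in two steps in case the installed mergehex accepts at most three inputs.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Prints the commands by default; set DRY_RUN=0 to actually execute them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Show the command, and execute it only when DRY_RUN=0.
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Args: bootloader, SoftDevice, application, config hex files, [merged output].
flash_and_lock() {
    bl=$1; sd=$2; app=$3; cfg=$4; out=${5:-merged.hex}
    tmp="${out%.hex}_stage1.hex"
    # Merge in two steps so that three-input-only mergehex builds also work.
    run mergehex -m "$bl" "$sd" "$app" -o "$tmp" &&
    run mergehex -m "$tmp" "$cfg" -o "$out" &&
    # Single programming pass: nothing is left to upload once the port locks.
    run nrfjprog -f nrf52 --program "$out" --chiperase --verify &&
    # Write UICR.APPROTECT from the host, then reset to latch the setting.
    run nrfjprog -f nrf52 --rbp ALL &&
    run nrfjprog -f nrf52 --reset
}

# Requirement 2 of the question (erase and reprogram a locked device):
# --recover erases all flash and UICR, which also lifts the protection.
recover_for_reflash() {
    run nrfjprog -f nrf52 --recover
}

# Placeholder usage: ./flash.sh bootloader.hex softdevice.hex app.hex config.hex
if [ "$#" -ge 4 ]; then
    flash_and_lock "$@"
fi
```

If the firmware keeps its own APPROTECT write with the reset enabled, that write simply finds the register already set after this sequence and does nothing.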
