unlocking NRF52480

Dear all,

I have a pca10059 nrf52480 dongle which I accidentally erased, and I could not upload any elf file to run; moreover, it was not blinking red anymore and had no presence in the system.

I managed to restore the bootloader with this procedure:

https://devzone.nordicsemi.com/f/nordic-q-a/87495/nrf52480-dongle-bricked-after-recover-in-openocd/365842

Thereafter, the dongle started to flash red again and I could flash the dongle with my custom blinky example and the diode was blinking again.

The problem I am facing now is, I want to have a look at the running process via OpenOCD, but anytime I start openocd with this command:

openocd -f rpi_as_debugger.cfg -c "transport select swd" -c "adapter speed 100" -f target/nrf52.cfg

I get the following problem:

(THE DONGLE IS RUNNING JUST FINE, I CAN SEE THE DIODE BLINKING, BUT AFTER FIRMWARE RESTORATION, IT SEEMS THE CHIP IS LOCKED, BUT WHY? AFTER I RECEIVED THE DONGLE FROM MOUSER, I COULD EASILY DEBUG THE SAME EXAMPLE AND OPENOCD WAS NOT PRINTING ANY PROBLEM, ANYWAY I AM USING SWD OVER RASPBERRY)

Is the chip detecting any internal error at startup being the reason it gets locked?

Open On-Chip Debugger 0.11.0+dev-00651-g9de084e00 (2022-04-24-10:22)
Licensed under GNU GPL v2
For bug reports, read
openocd.org/.../bugs.html
BCM2835 GPIO nums: swclk = 24, swdio = 25

swd
adapter speed: 100 kHz

Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : clock speed 1001 kHz
Info : SWD DPIDR 0x2ba01477
Error: [nrf52.cpu] Could not find MEM-AP to control the core
****** WARNING ******
nRF52 device has AP lock engaged (see UICR APPROTECT register).
Debug access is denied.
Use 'nrf52_recover' to erase and unlock the device.

Warn : target nrf52.cpu examination failed
Info : starting gdb server for nrf52.cpu on 3333
Info : Listening on port 3333 for gdb connections

During firmware restoration, I was also facing this, which I haven't a clue what it might be:

Warn : [nrf52.cpu] target was in unknown state when halt was requested
Info : SWD DPIDR 0x2ba01477
Error: Wrong parity detected

Thank you

  • Thank you for your reply, could you please tell me whether APPROTECT is enabled by default?

    The thing is, I can recover the nrf52; it unlocks the device and erases everything. But once I flash the official bootloader again, it becomes locked again, and the enclosed printout of OpenOCD that you see is from after flashing the firmware. The dongle works, I can flash applications, but it is locked. Even without any application, only with the bootloader flashed (the dongle is blinking with the red LED diode), it is already locked, at least according to OpenOCD.

    My goal is to unlock the device, reflash the bootloader and then unlock it again without erasing it and reflashing the bootloader, since I think reflashing of the bootloader makes it locked again.

    When I received the dongle, it looked like it was unlocked from factory, so I want to revert it to the same state as it was when I purchased it.

  • Dumping and flashing the image from one dongle to another did not help. Is the dumped image somehow checking the serial number of the board or the version? Why can I not dump the image from one dongle and flash it to another dongle? I have to point out that even though both boards are nrf52480, one is version 2.1 and the other 1.2; maybe that is the reason I cannot just swap factory-installed images between these two dongles.

    Is there any ftp or repository where I can download firmware?

    Anyway, I think I found the solution according to all these hints:

    https://devzone.nordicsemi.com/f/nordic-q-a/85671/trying-to-disable-approtect-for-debugging

    https://devzone.nordicsemi.com/f/nordic-q-a/66907/how-to-change-a-uicr-register-value-when-approtect-is-enabled-on-the-nrf52

    https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/working-with-the-nrf52-series-improved-approtect

    It seems like AP protect must be disabled. But it seems that running nrf52_recover in OpenOCD unlocks the device temporarily, and as long as you keep the dongle powered or you ONLY reset the dongle, it stays unlocked. It seems that reset does not affect the locking mechanism, but if you unplug the dongle from power and plug it back in, it automatically locks the dongle again. nrf52_recover really unlocks the device, but it probably does not write HwDisabled (0x5A) to UICR.APPROTECT, for the dongle to stay unlocked even after power down. Moreover, if you flash the original pca10059 firmware, it sets UICR.APPROTECT (0x10001208) to 0x00 at startup, because the dongle is locked in both cases, with or without flashing the image:

    1) after nrf52_recover (becoming unlocked) and power down/up (becoming locked again)

    2) after nrf52_recover (becoming unlocked) and then init, halt, nrf5 mass_erase, program write_image nordic_firmware.hex verify, power down/up (becoming locked again)

    From this I assume the factory firmware locks the dongle for the SWD debug to be accessible (which does not correspond to the fact that after I purchased the dongle and first flashed the zephyr blinky example and tried to debug it via Raspberry SWD OpenOCD and Eclipse remote debugger, I could debug it without any problems, which means it was unlocked). Is it possible that my dongle had factory firmware which did not enable locking at startup?

    Anyway, the solution/workaround to disable locking after power down was to place code snippet mentioned at the end of this conversation:

    https://devzone.nordicsemi.com/f/nordic-q-a/85671/trying-to-disable-approtect-for-debugging

    Anyway, my question is: is it possible to somehow modify the UICR.APPROTECT register or to get firmware where UICR.APPROTECT is set to 00, or do you have any other way to start up the dongle unlocked without having the unlocking code snippet attached to my blinky code? I am a complete newbie in micro controllers as well as Nordic devices.

    Thank you

  • There was a HW update for the nRF52 series where the APPROTECT is enabled instead of disabled by default, and this needs to be disabled from UICR and from the SW. I am not sure whether there exists any precompiled bootloader that takes this into account.

    That being said. Do you really need to disable the APPROTECT? The point of the bootloader is that you can program it over USB, and skip the bootloader, right? If you have a debugger (your OpenOCD), then why do you need the bootloader in the first place?

    BR,
    Edvin

  • Dear sir, I am a complete newbie in microcontrollers. I just needed to unlock it to have debugging capability of the dongle via SWD.

    Before the accident, I could debug the code easily; now I have to add these unlocking lines of code before my code runs. I am fine with that anyway. I was just curious whether it is possible to unlock the device without those lines of code. I had an idea to dump the factory firmware from my other dongle, which is unlocked from factory, and flash the locked dongle, but I am wondering why this procedure does not work, as the devices are identical, but the hardware versions are different.

  • It sounds like there was a different bootloader.hex file flashed on the dongle before you erased it. One that turned off the APPROTECT. I guess the bootloader file from the first link doesn't have this patch. 

    However, the dongle is not really a development board, as it doesn't have a debugger. This is why it has a bootloader in the first place. The bootloader is a way to update the FW on the dongle without a debugger. 

    If you have a programmer that you can use on the dongle, I suggest you just erase the bootloader, and debug without the bootloader being present. Then, when you are happy with your application, you can flash the bootloader back in together with the application (and softdevice/MBR) if you want to keep the possibility to update FW without a debugger/programmer. 

    Another option would be to build your own bootloader. The bootloader on the dongle is heavily based on the nRF5 SDK\examples\dfu\open_bootloader\pca10059_usb\ and then you can apply the fix from here:

    https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/working-with-the-nrf52-series-improved-approtect

    ("fix", as in disabling the approtect in your bootloader code, e.g. in main.c).

    Debugging is usually easier when a bootloader is not present either way, so I suggest you just add it when you are done developing.

    Best regards,

    Edvin
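
The UICR half of the unlock discussed in this thread (writing HwDisabled, 0x5A, to UICR.APPROTECT at 0x10001208), as an added example that is not part of the original posts and not Nordic's code. It gates the write on a debug-build flag so release firmware stays locked, and refuses when the register holds a value such as 0x00 that flash cannot turn into 0x5A; the struct, enum and function names are hypothetical, and the PALL mask and NVMC values are assumptions taken from the nRF52 register headers.

```c
#include <stdbool.h>
#include <stdint.h>

/* From the thread: UICR.APPROTECT is at 0x10001208 and 0x5A means HwDisabled. */
#define UICR_APPROTECT_ADDR 0x10001208u
#define PALL_HW_DISABLED    0x5Au
/* Assumed from the nRF52 register headers: PALL field mask and NVMC values. */
#define PALL_MASK       0xFFu
#define NVMC_CONFIG_REN 0u /* flash read-only */
#define NVMC_CONFIG_WEN 1u /* flash write enabled */
#define NVMC_READY      1u

/* Registers are injected so the logic also runs on a host. On target, point
 * uicr_approtect at UICR_APPROTECT_ADDR and the others at NVMC CONFIG/READY. */
typedef struct {
    volatile uint32_t *uicr_approtect;
    volatile uint32_t *nvmc_config;
    volatile uint32_t *nvmc_ready;
} ap_regs_t;

typedef enum {
    AP_UICR_ALREADY_DISABLED, /* nothing to write */
    AP_LEFT_PROTECTED,        /* release build: never open the debug port */
    AP_NEEDS_UICR_ERASE,      /* flash writes only clear bits; 0x5A unreachable */
    AP_WRITTEN_RESET_NEEDED   /* caller resets so the new UICR value is loaded */
} ap_result_t;

ap_result_t approtect_hw_disable(const ap_regs_t *r, bool debug_build)
{
    uint32_t cur = *r->uicr_approtect;

    if ((cur & PALL_MASK) == PALL_HW_DISABLED)
        return AP_UICR_ALREADY_DISABLED;
    if (!debug_build)
        return AP_LEFT_PROTECTED;
    /* e.g. 0x00 cannot become 0x5A without erasing UICR first. */
    if ((cur & PALL_HW_DISABLED) != PALL_HW_DISABLED)
        return AP_NEEDS_UICR_ERASE;

    *r->nvmc_config = NVMC_CONFIG_WEN;
    while (*r->nvmc_ready != NVMC_READY) { }
    *r->uicr_approtect = (cur & ~PALL_MASK) | PALL_HW_DISABLED;
    while (*r->nvmc_ready != NVMC_READY) { }
    *r->nvmc_config = NVMC_CONFIG_REN;
    while (*r->nvmc_ready != NVMC_READY) { }
    return AP_WRITTEN_RESET_NEEDED;
}
```

As the reply above says, the protection also has to be disabled from software, so this persistent UICR value alone does not cover the whole unlock.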
