• State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 75 subscribers
  • Views 1986 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 289173
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disabling CTRL-AP for nRF52840 DK does not work for new nRF52833 board

cor10

Hello,

System Details:

  • Board: Custom
  • Chip: nRF52833
  • PCA Number: PCA10100
  • SoftDevice: S140, v7
  • nRF5 SDK: Version 16.0.0
  • mdk version: 8.46.0
  • nrfjprog version: 10.15.4 external
  • JLinkARM.dll version: 7.64d

I recently made a Nordic DevZone post to get help working through the CTRL-AP access protection mechanism on my nRF52840 DK board (rev3) so that I could debug my project. The solution, among many other attempts, was to incorporate an approtect_hw_disable() function into my dfu/secure_bootloader/main.c file that would run on start up. This added function (along with the APPROTECT_HW_DISABLE preprocessor definition) is meant to disable approtect in UICR.APPROTECT at runtime in case the setting has been erased by the debugger. I have included it here (from this other post) for reference:

void approtect_hw_disable(void)
{
    if ((NRF_UICR->APPROTECT & UICR_APPROTECT_PALL_Msk) 
       == (UICR_APPROTECT_PALL_Msk))
    {
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Wen << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_UICR->APPROTECT = (UICR_APPROTECT_PALL_HwDisabled << UICR_APPROTECT_PALL_Pos);
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NRF_NVMC->CONFIG = NVMC_CONFIG_WEN_Ren << NVMC_CONFIG_WEN_Pos;
        while (NRF_NVMC->READY == NVMC_READY_READY_Busy) {}
        NVIC_SystemReset();
    }  
}

/**@brief Application main function.
 */
int main(void)
{
    bool erase_bonds;
#if APPROTECT_HW_DISABLE
    approtect_hw_disable();
#endif //APPROTECT_HW_DISABLE

I am now trying to program a new board, with the nRF52833 hardware. Unfortunately I am running into the same issue as last time, but now the previous solution is not working for me. I use a straightforward script to make 1) the dfu secure_bootloader for pca10100/s140, and 2) my custom application built on top of supported SDK examples (not all of which come with pca10100/140 support explicitly: ble_app_buttonless_dfu). The script then generates bootloader settings, and then attempts to flash everything onto my device. When I execute the script, all goes well, everything compiles and flashes successfully, but the moment my script finishes up and executes the final 'nrfjprog --reset' command, something goes wrong with the CTRL-AP access protection and I get locked out of the device and am forced to run 'nrfjprog --recover' in order to re-establish communication. This means I cannot debug my device/project using the SEGGER Embedded Studio debugger like usual... Also, I make sure to explicitly write the value 0x5A to address 0x10001208, and this write persists on the device until the moment I run the 'nrfjprog --reset' command, and everything gets erased. Here is the script for your reference:

#! /bin/bash

# nRF52833

## Compile bootloader and application:
boot_make='../nrf-sdk/examples/dfu/secure_bootloader/pca10100_s140_ble/armgcc/'
boot=${boot_make}_build/nrf52833_xxaa_s140.hex
softdevice='../nrf-sdk/components/softdevice/s140/hex/s140_nrf52_7.0.1_softdevice.hex'

app_make='../nrf-sdk/examples/ble_peripheral/ble_app_technolingus/pca10100/s140/armgcc/'
app=${app_make}_build/nrf52833_xxaa.hex

make -C "$boot_make"
make -C "$app_make"

nrfutil settings generate --family NRF52 --application "$app" --application-version 1 --bootloader-version 1 --bl-settings-version 2 settings.hex

nrfjprog --recover
nrfjprog -e
nrfjprog --memwr 0x10001208 --val 0x5a
nrfjprog --memrd 0x10001208
nrfjprog --program "$softdevice" --verify
nrfjprog --program "$boot" --verify
nrfjprog --program "$app" --verify
nrfjprog --program settings.hex --verify

nrfjprog --reset

Any ideas as to why this CTRL-AP mechanism keeps enabling itself? Is there a way that I can stop this behavior in general? Thank you for your patience with me, and thanks in advance for your help here.

Best,

Corten

Parents
  • +1

    Hi Corten,

    Any ideas as to why this CTRL-AP mechanism keeps enabling itself?

    This should be the same on both nRF52840 and nRF52833. And the mechanism you describe should disable access port protection on the latest revisions of both variants. Which revision of the nRF52833 are you using? Also, you write that you are using SDK 16. If you do, you need to update the MDK to disable access port protection (APPROTECT.DISABLE). Perhaps you did something specific for this for the nRF52840 but not for the nRF52833? (The first  nRF5 SDK with support for the updated devices out of the box is 17.1.0).

    Is there a way that I can stop this behavior in general?

    For the latest revision devices with combined HW and SW based access port protection the intended behavior is that debugger access is blocked by default, and i tis only enabled when conditions are met (both that debug is allowed in UICR.APPROTECT and firmware writes to APPROTECT.DISABLE. If those conditions are not met, debugger access will always be blocked until you do a recover (which is an ERASEALL operation).

  • 0 in reply to Einar Thorsrud

    Hi Einar,

    Thanks for the response!

    Einar Thorsrud said:
    Which revision of the nRF52833 are you using?

    For our custom board, we are currently trying out this nRF52833: https://www.lairdconnect.com/wireless-modules/bluetooth-modules/bluetooth-5-modules/bl653-micro-series-bluetooth-51-802154-nfc-modules. In the datasheet they provide, it doesnt really mention the nRF52833 chip revision, except for a small link to some design file with a reference to rev1.3. I had mistakenly assumed that this chip was the newest revision since we just ordered it, and because I also ran into the CTRL-AP pop-up message when I tried to debug the device. I had only seen this pop-up when I was using the newest nRF52840 DK, so I was primed into thinking the nRF52833 must also be the newest revision. But, thanks to your question, I removed the Preprocessor Definition for APPROTECT_HW_DISABLE so that the bootloader does not execute the approtect_hw_disable() function in main, and now I have access to my device!

    Things are working again now, but I have a couple of questions related to this that will help me understand things better...

    1. As mentioned above, when I first tried debugging my nRF52833 with the code changes that were required to disable CTRL-AP on my nRF52840 DK (approtect_hw_disable()), I ran into a pop-up message that required me to erase all contents before connecting to the target. I have never seen this CTRL-AP pop-up message when working with our older nRF52832 nor with our nRF52840 rev1 DK - only with the nRF52840 rev3 DK. So seeing this pop-up made me mistakenly think that the nRF52833 had the newest revision. If it is truly an older revision and the code that is running is meant to specifically prevent the CTRL-AP pop-up, then why did this pop-up appear? Is this CTRL-AP behavior the expected behavior in nRF most chips (not just the very newest), and I am simply working with outdated chips?
    2. How can I tell the revision number of a new nRF chip if the datasheets do not say anything about it? Do you look at chip markings, or is there a register to read somewhere?

    Many thanks,

    Corten

  • 0 in reply to cor10

    Hi Corten,

    1. The newest revision devices (with improved APPROTECT) always requires a recover as the first step to program a blank IC (as it is locked by default, and the recover unlocks it, allowing you to write to the UICR and include firmware that unlocks it semi-permanently). For older devices, you can also get this warning if the device is locked, but that only happens if they have explicitly been locked by writing to the UICR.APPROTECT (on the old devices, APPROTECT was disabled by default). It seems odd that a module should whip with firmware at all, and that it should have APPROTECT enabled, though - but perhaps you could ask Laird about that.

    2. You can read the build code from the chip marking, and the refer to the SoC revisions and variants in the product specification to see which revision you have.

    Einar

Reply
  • 0 in reply to cor10

    Hi Corten,

    1. The newest revision devices (with improved APPROTECT) always requires a recover as the first step to program a blank IC (as it is locked by default, and the recover unlocks it, allowing you to write to the UICR and include firmware that unlocks it semi-permanently). For older devices, you can also get this warning if the device is locked, but that only happens if they have explicitly been locked by writing to the UICR.APPROTECT (on the old devices, APPROTECT was disabled by default). It seems odd that a module should whip with firmware at all, and that it should have APPROTECT enabled, though - but perhaps you could ask Laird about that.

    2. You can read the build code from the chip marking, and the refer to the SoC revisions and variants in the product specification to see which revision you have.

    Einar

Children
Related
Terms of service