nRF52 Debug Access Port protection
This post explains some low-level details related to nRF52 Debug Access Port (DAP) protection.
Nordic produces a multitude of ARM System-on-Chip (SoC) products. Among those, nRF52 is a popular ARMv7 chip with Bluetooth 5 support, running at 64 MHz.
Debugging with OpenOCD
For this chip, OpenOCD offers support for basic debugging features (
nrf52.cpu commands), flash manipulation (
flash commands), and advanced debugging via the Debug Access Port (
Upon starting a debugging session via OpenOCD, it will be identified as such:
However, on some chips OpenOCD may instead complain when trying to access the debug port:
The above error means that the vendor have disabled debugging capabilities (and firmware access) when flashing this chip.
nRF52 chips come with (optional) flash read-back protection to prevent firmware dumping (among many other things). Such a feature works by disabling access to the default debug port in the CPU (AHB-AP).
Section 14.1.62 of the nRF52 manual describes the
APPROTECT field, which can be written in order to lock access to the debug access port. It is a flash-backed value memory-mapped to address
0x10001208, with the following semantics:
However the chip includes an additional custom Control Access Port (CTRL-AP), which is always available for core debug access.
This can be used in order to unlock R/W access to the flash, as well as full debug features. Unlocking automatically erases all flash and RAM content, and is performed via the
Its semantics is described in section 16.2.1 of the nRF52 manual, and shown below:
Similarly, AP-protection status can be checked at any time via the the
APPROTECTSTATUS field, which is described in the same section.
OpenOCD can be extended with custom scripts to directly support those operations. The Tcl code below (and submitted as a patch upstream) adds three helper methods:
nrf52_is_ap_protectedreturns whether nRF52 debug access is locked
nrf52_erase_unlockerases all nRF52 content and unlock debug access
nrf52_protect_apenables nRF52 debug access protection