Day: March 26, 2021

JLink was enable to detect and remove AP protection of the nRF52832

I was trying to program the nRF52_Sensor_R40 using OpenOCD + STLink, but without luck.

Then I decided to use my JLink EDU to erase the nRF52 and it worked! \o/

I powered the nRF52_Sensor_R40 with 3.3V connected the GND to JLink’s pin 20, the 3.3V to JLink’s pin 1, the SWDCLK to JLink’s pin 9 and SWDIO to JLink’s pin 7.

$ sudo JLinkExe -if SWD
SEGGER J-Link Commander V6.80d (Compiled Jun 26 2020 17:19:52)
DLL version V6.80d, compiled Jun 26 2020 17:19:40

Connecting to J-Link via USB...O.K.
Firmware: J-Link ARM V8 compiled Nov 28 2014 13:44:46
Hardware version: V8.00

J-Link>con
Please specify device / core. : NRF52832_XXAA
Type '?' for selection dialog
Device>
Specify target interface speed [kHz]. : 4000 kHz
Speed>
Device "NRF52832_XXAA" selected.

Connecting to target via SWD
InitTarget() start
Device will be unsecured now.
InitTarget() end
Found SW-DP with ID 0x2BA01477
Unknown DP version. Assuming DPv0
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x02880000)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FXXXX. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 000BB00C SCS-M7
ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 003BB002 DWT
ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 002BB003 FPB
ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 003BB001 ITM
ROMTbl[0][4]: E0040000, CID: B105900D, PID: 000BB9A1 TPIU
ROMTbl[0][5]: E0041000, CID: B105900D, PID: 000BB925 ETM
Cortex-M4 identified.
J-Link>

STLink is not a good option to program nRF52xxx

$ sudo openocd -f "interface/stlink.cfg" -f "target/nrf52.cfg" -c "init" -c "flash info 0 "
Open On-Chip Debugger 0.11.0+dev-00062-g6405d35f3-dirty (2021-03-26-17:21)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select '.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD

nRF52 device has a CTRL-AP dedicated to recover the device from AP lock.
A high level adapter (like a ST-Link) you are currently using cannot access
the CTRL-AP so 'nrf52_recover' command will not work.
Do not enable UICR APPROTECT.

Info : clock speed 1000 kHz
Info : STLINK V2J17S4 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.274766
Info : nrf52.cpu: hardware has 0 breakpoints, 2 watchpoints
Info : starting gdb server for nrf52.cpu on 3333
Info : Listening on port 3333 for gdb connections
Info : Unknown device: nRF51xxx (HWID 0x0000) 0kB Flash, 0kB RAM
Error: auto_probe failed

Another try:

$ sudo openocd -f interface/stlink.cfg -f target/nrf52.cfg -c init -c "reset init" -c halt -c "nrf52 mass_erase; reset; shutdown;"
Open On-Chip Debugger 0.11.0+dev-00062-g6405d35f3-dirty (2021-03-26-17:21)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select '.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD

nRF52 device has a CTRL-AP dedicated to recover the device from AP lock.
A high level adapter (like a ST-Link) you are currently using cannot access
the CTRL-AP so 'nrf52_recover' command will not work.
Do not enable UICR APPROTECT.

Info : clock speed 1000 kHz
Info : STLINK V2J17S4 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.274766
Info : nrf52.cpu: hardware has 0 breakpoints, 2 watchpoints
Info : starting gdb server for nrf52.cpu on 3333
Info : Listening on port 3333 for gdb connections
Error: timed out while waiting for target halted
TARGET: nrf52.cpu - Not halted