
Dumping the internal flash

A project log for Color Open Source Smartwatch

Reverse engineering the SMA-Q2 smartwatch to run open source firmware on it

emeryth 03/19/2018 at 18:34

The MCU on board is locked, which means you can't do anything over the debug interface unless you do a total chip erase.

I wanted to dump the internal flash to get the bootloader and perhaps some other interesting stuff.

Since I already have the ability to upload my own firmware, dumping the flash over UART seemed straightforward, but turned out to be not so simple.

For some reason I just could not receive the full dump without interruption.

At first, I blamed the notoriously flaky NRF52 UART when used without flow control. But even when I added flow control by using the SPI flash testpoints, it wouldn't work.

Many hacks later I realized it's the MCU that's resetting periodically.

Turns out the bootloader is enabling the watchdog!

With a reload value of 0x50000 it gives you exactly 10 seconds.

Once I fed it properly (via the RR0 register), I could get the full dump.
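To make the timing concrete, here is an added worked example (my own host-side C model, not code from the project): it computes the timeout that a CRV of 0x50000 gives at the 32.768 kHz watchdog clock, models a chunked UART dump, and shows that without a reload the 512 KB dump dies part way through while reloading RR0 after each chunk gets it through. The register names CRV and RR[0] and the reload value 0x6E524635 are from the nRF52 reference manual; the register struct, the 512 KB buffer, the 115200 baud rate and the 4096-byte chunk size are constructed for the example.

```c
/* Added example (not from the original project log): a host-runnable model of
 * the nRF52 watchdog and of a chunked flash dump over UART that feeds it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WDT_LFCLK_HZ   32768u        /* the WDT counts LFCLK ticks */
#define WDT_RR_RELOAD  0x6E524635u   /* value that must be written to RR[n] to reload */

/* Stand-in for the WDT register block (constructed; real code uses NRF_WDT->CRV
 * and NRF_WDT->RR[0] from the SDK headers). */
typedef struct {
    uint32_t CRV;         /* counter reload value */
    uint32_t RR0;         /* reload request register 0 */
    uint32_t counter;     /* simulated remaining ticks before reset */
    int      reset_fired; /* set once the simulated MCU has been reset */
} wdt_model_t;

/* Timeout in milliseconds for a CRV: (CRV + 1) / 32768 s, integer-truncated. */
uint32_t wdt_crv_to_ms(uint32_t crv)
{
    return (uint32_t)(((uint64_t)crv + 1u) * 1000u / WDT_LFCLK_HZ);
}

void wdt_start(wdt_model_t *w, uint32_t crv)
{
    w->CRV = crv;
    w->counter = crv + 1u;
    w->reset_fired = 0;
}

/* Feeding the dog: write the magic value to RR0. Any other value is ignored. */
void wdt_feed(wdt_model_t *w)
{
    w->RR0 = WDT_RR_RELOAD;
    if (w->RR0 == WDT_RR_RELOAD)
        w->counter = w->CRV + 1u;
}

/* Advance simulated time; returns 1 if the watchdog fired. */
int wdt_elapse(wdt_model_t *w, uint32_t ticks)
{
    if (w->reset_fired) return 1;
    if (ticks >= w->counter) { w->counter = 0; w->reset_fired = 1; return 1; }
    w->counter -= ticks;
    return 0;
}

/* Stub for the UART transmit path; the bytes go nowhere in this model. */
static void uart_send_stub(const uint8_t *p, size_t n) { (void)p; (void)n; }

/* Push `len` bytes out in chunks of `chunk` bytes at `baud` (10 bits per byte on
 * the wire). If `feed` is nonzero, RR0 is reloaded after every chunk. Returns how
 * many bytes went out before the watchdog reset the MCU (== len if it never fires). */
size_t dump_flash(const uint8_t *flash, size_t len, size_t chunk,
                  uint32_t baud, int feed, wdt_model_t *w)
{
    size_t sent = 0;
    while (sent < len) {
        size_t n = (len - sent < chunk) ? len - sent : chunk;
        /* UART time for this chunk, converted to LFCLK ticks */
        uint64_t ticks = (uint64_t)n * 10u * WDT_LFCLK_HZ / baud;
        if (wdt_elapse(w, (uint32_t)ticks))
            return sent;                 /* reset hit mid-dump */
        uart_send_stub(flash + sent, n);
        sent += n;
        if (feed) wdt_feed(w);
    }
    return sent;
}

/* Constructed scenario: 512 KB of "flash", CRV = 0x50000, 115200 baud, 4 KB chunks. */
size_t demo_dump(int feed)
{
    static uint8_t flash[512u * 1024u];
    memset(flash, 0xFF, sizeof flash);   /* erased-flash fill, constructed data */
    wdt_model_t w;
    wdt_start(&w, 0x50000u);
    return dump_flash(flash, sizeof flash, 4096u, 115200u, feed, &w);
}

int main(void)
{
    printf("CRV 0x50000 -> %u ms timeout\n", wdt_crv_to_ms(0x50000u));
    printf("no feed : %zu of %u bytes dumped\n", demo_dump(0), 512u * 1024u);
    printf("feeding : %zu of %u bytes dumped\n", demo_dump(1), 512u * 1024u);
    return 0;
}
```

At 115200 baud the UART moves roughly 11.5 KB/s, so a 10 s watchdog cuts the dump off after about 115 KB, which is the periodic-reset behaviour described above; reloading RR0 once per chunk keeps the counter far from zero and the whole image comes out.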



The flash layout is standard - Softdevice, followed by user firmware, followed by the OTA bootloader at 0x76000.

There is a tiny bit of data between the firmware and the bootloader, which may be the persistent app data partition.

The UICR registers are also unused, except for the bootloader address and the bootloader data page.

NRFFW[0]:00076000
NRFFW[1]:0007E000
