https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1443680#M13094 <P>There is no document describing how to secure the flash content on a QN90x0<BR />part. The only information is scattered through the UM and there's also a Python<BR />script example called 'dk6_image_tool.py'. That's all, nothing else.<BR />The 'DK6Programmer.exe' tool only reads/writes areas of the flash but it's up<BR />to you what to write in the various areas.</P><P>So I've turned to internal ROM disassembly and this is the flash layout for<BR />a QN9090:</P><BLOCKQUOTE><P><BR />{ 0, 0x9DE00}, // 0 Flash<BR />{0x9E800, 0x400}, // 1 Psect<BR />{0x9EC00, 0x400}, // 2 Pflash<BR />{0x9FC00, 0x400}, // 3 Config<BR />{0, 0x80}, // 4 Efuse<BR />{0x9DE00, 0xA00}, // 5 Unk1<BR />{0x9F000, 0xC00}, // 6 Unk2</P></BLOCKQUOTE><P>The Efuse is not part of the flash, those are 128 bytes containing random data<BR />which cannot be read the MCU, only the AES peripheral can load them as a key<BR />to generate temporary transport keys.<BR />Beside these fuses the chip has another 11 efuse bits which can be read by<BR />the MCU and configure various operating modes (internal ROM). These bits are<BR />not even mentioned in the manual.</P><P>BTW, there is an error in the UM at page 475 the SEC_CODE is described as writing<BR />any value other than 0x87654321 will enable SWD access. That is incorrect and should<BR />be: writing any other other value than 0x87654320 will disable SWD access.</P><P>My understanding is that the part protection works like this:<BR />- right after reset the 2 SWD lines are normal inputs and don't respond to<BR />&nbsp; SWD messages.<BR />- based on the value of the 'SWD_DIS' flash bit&nbsp; (bit 31 of word 0x9FC00 in the 'Config' sector)<BR />&nbsp; the SEC_CODE register is written with 0x87654320 and the 2 lines are<BR />&nbsp; configured as alternate function SWD (to enable SWD), otherwise 0x789ABCDF<BR />&nbsp; is written to SEC_CODE and since this is a write only register the SWD<BR />&nbsp; cannot be re-enabled in the user code.</P><P>Another entry point is via ISP when DIO4 is high and DIO5 is low at reset time.<BR />The 'Psect' and 'Pflash' areas are different from the others because they<BR />each have 2 copies (0x200 bytes long) and a header with a magic number and a checksum.<BR />Via ISP you can only see one of the copies. If one is corrupted the ROM uses the other one.<BR />The ISP access is controlled by a word stored in the 'Psect' area at offset 0x14<BR />which is in fact the word at address 0x9E834 if the first copy is used.</P><P>This word can have 5 values: 0, 0x01010101, 0x02020202, 0x03030303, 0x04040404<BR />Any other value completely disables the ISP. The manual only documents the<BR />0x02020202 one as write-only level. What are the others?</P><P>The reason I am looking into this is that I'm preparing for production and<BR />the ISP method of programming the parts is not suitable for us for two reasons:<BR />it's too slow and we also need to program a 4MB SPI serial flash.</P><P>For programming both the internal flash and the serial I'm using the Segger RTT<BR />via J-Link. I first load a small program which executes in RAM and them I'm<BR />sending at 4Mbps all the programming data for the serial flash, the internal<BR />flash and finally I write to Psect and Config areas to secure the part.<BR />This works great but has one disadvantage: if I want to reprogram the part<BR />(other than via Bluetooth OTA) I need to remove the protection via ISP and<BR />an AES key because the SWD is disabled now. On another part that we've used<BR />in the past (the RSL10) you could re-enable the SWD with unlock registers<BR />via SWD but the QN9090 doesn't support this.</P><P>What I would like to know is how do I set an unlock key?<BR />The ISP Unlock function has a payload of 0x120 bytes, first 0x20 are<BR />a magic number and a hash (signature) followed by 0x100 AES encrypted<BR />unlock key. The plain unlock key is at offset 0x100 in 'Psect' and<BR />another flag at offset 0x3C signals if it needs to be encrypted.</P><P>The ISP Unlock Key setting is not documented at all!</P> Thu, 14 Apr 2022 02:07:06 GMT EmilS 2022-04-14T02:07:06Z https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1443680#M13094 <P>There is no document describing how to secure the flash content on a QN90x0<BR />part. The only information is scattered through the UM and there's also a Python<BR />script example called 'dk6_image_tool.py'. That's all, nothing else.<BR />The 'DK6Programmer.exe' tool only reads/writes areas of the flash but it's up<BR />to you what to write in the various areas.</P><P>So I've turned to internal ROM disassembly and this is the flash layout for<BR />a QN9090:</P><BLOCKQUOTE><P><BR />{ 0, 0x9DE00}, // 0 Flash<BR />{0x9E800, 0x400}, // 1 Psect<BR />{0x9EC00, 0x400}, // 2 Pflash<BR />{0x9FC00, 0x400}, // 3 Config<BR />{0, 0x80}, // 4 Efuse<BR />{0x9DE00, 0xA00}, // 5 Unk1<BR />{0x9F000, 0xC00}, // 6 Unk2</P></BLOCKQUOTE><P>The Efuse is not part of the flash, those are 128 bytes containing random data<BR />which cannot be read the MCU, only the AES peripheral can load them as a key<BR />to generate temporary transport keys.<BR />Beside these fuses the chip has another 11 efuse bits which can be read by<BR />the MCU and configure various operating modes (internal ROM). These bits are<BR />not even mentioned in the manual.</P><P>BTW, there is an error in the UM at page 475 the SEC_CODE is described as writing<BR />any value other than 0x87654321 will enable SWD access. That is incorrect and should<BR />be: writing any other other value than 0x87654320 will disable SWD access.</P><P>My understanding is that the part protection works like this:<BR />- right after reset the 2 SWD lines are normal inputs and don't respond to<BR />&nbsp; SWD messages.<BR />- based on the value of the 'SWD_DIS' flash bit&nbsp; (bit 31 of word 0x9FC00 in the 'Config' sector)<BR />&nbsp; the SEC_CODE register is written with 0x87654320 and the 2 lines are<BR />&nbsp; configured as alternate function SWD (to enable SWD), otherwise 0x789ABCDF<BR />&nbsp; is written to SEC_CODE and since this is a write only register the SWD<BR />&nbsp; cannot be re-enabled in the user code.</P><P>Another entry point is via ISP when DIO4 is high and DIO5 is low at reset time.<BR />The 'Psect' and 'Pflash' areas are different from the others because they<BR />each have 2 copies (0x200 bytes long) and a header with a magic number and a checksum.<BR />Via ISP you can only see one of the copies. If one is corrupted the ROM uses the other one.<BR />The ISP access is controlled by a word stored in the 'Psect' area at offset 0x14<BR />which is in fact the word at address 0x9E834 if the first copy is used.</P><P>This word can have 5 values: 0, 0x01010101, 0x02020202, 0x03030303, 0x04040404<BR />Any other value completely disables the ISP. The manual only documents the<BR />0x02020202 one as write-only level. What are the others?</P><P>The reason I am looking into this is that I'm preparing for production and<BR />the ISP method of programming the parts is not suitable for us for two reasons:<BR />it's too slow and we also need to program a 4MB SPI serial flash.</P><P>For programming both the internal flash and the serial I'm using the Segger RTT<BR />via J-Link. I first load a small program which executes in RAM and them I'm<BR />sending at 4Mbps all the programming data for the serial flash, the internal<BR />flash and finally I write to Psect and Config areas to secure the part.<BR />This works great but has one disadvantage: if I want to reprogram the part<BR />(other than via Bluetooth OTA) I need to remove the protection via ISP and<BR />an AES key because the SWD is disabled now. On another part that we've used<BR />in the past (the RSL10) you could re-enable the SWD with unlock registers<BR />via SWD but the QN9090 doesn't support this.</P><P>What I would like to know is how do I set an unlock key?<BR />The ISP Unlock function has a payload of 0x120 bytes, first 0x20 are<BR />a magic number and a hash (signature) followed by 0x100 AES encrypted<BR />unlock key. The plain unlock key is at offset 0x100 in 'Psect' and<BR />another flag at offset 0x3C signals if it needs to be encrypted.</P><P>The ISP Unlock Key setting is not documented at all!</P> Thu, 14 Apr 2022 02:07:06 GMT https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1443680#M13094 EmilS 2022-04-14T02:07:06Z https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1444181#M13100 <P>Hello Emil,</P> <P>I am going to provide you additional details on it in a private support project.<BR />I will set that up and get back to you early next week, after the Easter break.</P> <P>Best Regards,<BR />Antonio</P> Thu, 14 Apr 2022 13:45:02 GMT https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1444181#M13100 antonioconcio 2022-04-14T13:45:02Z https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1446009#M13116 <P>I'm still waiting for that support. I presume the majority of QN90x0 buyers would want to secure their parts so why isn't a document about this?</P> Wed, 20 Apr 2022 02:08:57 GMT https://community.nxp.com/t5/Wireless-MCU/Securing-the-QN90x0/m-p/1446009#M13116 EmilS 2022-04-20T02:08:57Z