How to remove the security state after executing mass_erase process.

PeterTsai
Contributor II
I use a BDM interface with DIY to mass_erase a SH8 MCU. But its content all becomes 0xff, including the NVOPT location of flash. So the MCU goes into secure state. Then I cannot hold on to program or burst code into it. I have attempted to reset or write 0x7e to NVOPT (0xffbf) after executing the mass_erase process. But I found that the erase, program and burst processes all fail at that moment. How do I unlock the secure state after executing the mass_erase process? Could someone please give me an opinion? P.S. It can mass_erase and program code if I use the ERASE_MODULE command of hivave.exe to erase the MCU.
kef
Specialist I

Peter,

 

I wonder what is DIY, do it yourself? Not sure 100% about S08, but to unsecure S12 over BDM you first mass erase, then simply reset and reenter BDM mode. On entry to active BDM mode, BDM firmware performs a blank check of EEPROM and FLASH, and if both are erased, then you get read/write access to everything until the next reset. Read/write access to a mass-erased part is granted, though security bits are both set and the part should be secured. Since read/write accesses over BDM are granted, there's no problem to reflash the whole part or just the security bits.

I don't see in SH8 RM how to unsecure it over BDM, I would try resetting and reentering active BDM mode, then flashing new firmware or just NVOPT.

PeterTsai
Contributor II

Hi kef,

1. Yes, I need to build a stand-alone programmer for our company.

2. I ignore the blank_check action after mass_erase command. So that the NVOPT can not be updated secure state. Now my pcb can work normally. Thanks a lot.

3. Another problem is how to reserve the content of the freq. trim value if I want to reprogram an old MCU in secure state? Only re-trim?

kef
Specialist I

2. You don't have to do a blank check after mass erase. I meant each chip (at least it is so on S12, and I guess on S08 too) has a small BDM firmware, which is not accessible from user code and normally not mapped into CPU address space. When BDM and BDM firmware get activated, the CPU executes code from this hidden BDM firmware; BDM firmware blank-checks flash and EEPROM and decides to allow or to inhibit accesses to secure memories.

 

3. BDM accesses to trim values in flash are not possible when secured. Yes, retrimming is required.

peg
Senior Contributor IV

Hello,

 

At the raw, chip and BDM command level (ignoring what programming software may do automagically) this is what you need to do (for S08):

Mass erase the device (cmd 41)

Blank check the device (cmd 05)

Whenever a blank check is successful, this sets the bits in FOPT to 1:0.

Now you have full access until you reset.

If you want full access to continue after a reset, programme NVOPT to 1:0.

The only other possibility is backdoor access, if that had previously been set up.

 

 

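The sequence from the post above, together with the two ways it goes wrong in this thread (skipping the blank check, or not programming NVOPT before the next reset), as a small software model. This is an added example, not code from the thread or from NXP; the 64-byte array, the NVOPT offset inside it and all function names are assumptions for illustration, and the BDM transport itself is not modelled.

```c
/* Simplified model of the S08 security state described in this thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE 64u               /* tiny model array, not the real memory map */
#define NVOPT_OFF  (FLASH_SIZE - 1u) /* stands in for NVOPT (0xffbf in the thread) */
#define SEC_MASK   0x03u             /* security bits 1:0 of NVOPT/FOPT */
#define SEC_UNSEC  0x02u             /* 1:0 is the only unsecured pattern */

static uint8_t flash[FLASH_SIZE];
static uint8_t fopt;                 /* working register, loaded from NVOPT at reset */

static int  secured(void)      { return (fopt & SEC_MASK) != SEC_UNSEC; }
static void target_reset(void) { fopt = flash[NVOPT_OFF]; }
static void mass_erase(void)   { memset(flash, 0xFF, sizeof flash); } /* cmd 41 */

/* cmd 05: a successful blank check sets the FOPT security bits to 1:0 */
static int blank_check(void) {
    for (unsigned i = 0; i < FLASH_SIZE; i++)
        if (flash[i] != 0xFF) return 0;
    fopt = (uint8_t)((fopt & ~SEC_MASK) | SEC_UNSEC);
    return 1;
}

/* Flash programming over BDM: refused while secured; can only clear bits */
static int bdm_program(unsigned off, uint8_t val) {
    if (secured() || off >= FLASH_SIZE) return 0;
    flash[off] &= val;
    return 1;
}

/* 1 = unsecured after final reset, 0 = secured again, -1 = NVOPT write refused */
static int run_sequence(int do_blank_check, int write_nvopt) {
    memset(flash, 0x00, sizeof flash);  /* constructed: a programmed, secured part */
    target_reset();
    mass_erase();
    if (do_blank_check) blank_check();
    if (write_nvopt && !bdm_program(NVOPT_OFF, 0x7E)) return -1;
    target_reset();
    return !secured();
}

int main(void) {
    printf("no blank check, write NVOPT: %d\n", run_sequence(0, 1));
    printf("blank check, no NVOPT write: %d\n", run_sequence(1, 0));
    printf("blank check, write NVOPT:    %d\n", run_sequence(1, 1));
    return 0;
}
```

In this model an erased NVOPT (0xFF) reads as security bits 1:1, so the part is secured again after reset unless NVOPT was programmed with bits 1:0 (the 0x7e value from the first post) while access was open.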
PeterTsai
Contributor II

Hi kef, peg,

I think the blank_check command could be omitted previously. I recover a blank_check command after mass_erase command today. The security is disengaged and my master PCB can work unexpectedly.

Now I can mass_erase the target MCU. But I have also lost the factory trim value. If the target MCU has secure mode set and I want to re-program it, I must first mass_erase it. So how should I re-trim over BDM?

 

 

regards,

 

Peter

peg
Senior Contributor IV

Hello Peter,

 

The only way to retain the factory trim value is to read it before you erase and then programme it back.

However it is best to determine the exact value required under YOUR operating conditions. The value varies quite a bit with voltage and temperature and so you are best to determine this "in circuit".

If using the P&E BDM it has the facility to measure the actual operating frequency and then recommend a value to correct any error. There are also many AN's with various methods of doing this.

e.g. AN2312, AN2496 & AN2498

 

PeterTsai
Contributor II

Hi peg,

These ANs all need to use an external pulse generator. I am curious how the P&E BDM measures the actual frequency without any additional equipment.

I have attempted to use the SYNC command to count the signal of the 128 clocks of the slave. But the result seems inaccurate.

What is your opinion about re-trimming the frequency without anything?

 

 

Regards,

 

Peter

 

 

peg
Senior Contributor IV

Hello Peter,

 

I don't know exactly but presume that they are using the speed/power of the UF MCU to accurately measure the sync pulse length.

I know that OSBDM developers have commented that they were unable to do this with sufficient accuracy although that was before they moved on to the faster MCU's that they are using currently.

Even the P&E's ability to do this seems to be only just sufficient. On devices without a fine trim bit it generally gives a value that is always the same (sometimes + or - 1) and varies by one from cold to run temp. However on devices with a fine trim this value is different almost every time you check it.

 
