- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- CodeWarrior
- :
- CodeWarrior for MCU
- :
- Re: DisengageSecurity & FlashBlock
DisengageSecurity & FlashBlock
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'd like to ask... we have a school project and I'm rather webdeveloper so please pardon my great noobness
We are to create subroutines for manipulating with flash (erase, program...). The ones I have issues with are
1) Disengage flash security
So I follow the 3-step way from manual page 58. However it says that I can write the code only from RAM, but it seems to me the only instruction, that can write to 16bit address ($FFB0-7) is STA/STHX ... which I'd guess to be located among D/H-page registers -> so it seems impossible to solve it
2) Flash Block protection
"FPROT cannot be changed directly from application software" + "protected, NVPROT is itself protected and cannot be
altered by the application software"
It again seems impossible ... there's a background regime mentioned, but I thought it's only operated by debug soft and not the program I load into flash
(the task description does not state any more details/hints)
The installed version in school is CW 5.9.0, project is Full Chip Simulation, MC9S08JM60
Could anyone point me in the right direction?
Thank you very much!
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again, flash is not readable while KEYACC is set. The only way to backdoor unsecure is to copy unsecure routine to RAM and call its copy in RAM.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) All 3 steps, setting KEYACC, writing to NVBACKKEY locations and clearing KEYACC should be done from routine in flash. Of course it's possible. I have no idea what is D/H-page.
2) Right, without BDM debugger you can't unprotect what is write protected.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for response! and sorry for not being totally clear
1) I mean - from what I understand the manual says that when I issue intruction to move the key# (the user-entered to be compared) to NVBACKKEY#, key# has to be placed inside RAM or Flash.
Now NVBACKKEY# afaik resides in 16bit address AND the only instruction storing to 16bit address is STA/STHX, but it takes only from register, not RAM or Flash...
By D/H-page I meant Direct-page registers, High-page registers
2) So it is not possible to create a subroutine altering the last unprotected page? Hmm... maybe I misunderstood the task, unless we should write it's impossible, but it's less likely
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) No, #key source can't reside in flash. Flash is not readable while KEYACC is set.
I don't undested what's the problem with STA/STHX. S08 CPU is powerful enough to copy 8 bytes from one place to another :smileyhappy:. Both, from D to H and from H to D.
2) Yes, it is not possible to create such routine.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
:-) yes, it's not about performance, it's solely about this sentence from manual:
(so not performance but security/protocol? thing)
"The security key can be written only from secure memory (either RAM or flash)"
...and as far as I know STA/STHX takes from registers, not RAM/flash
but it's of course more than likely I am incorrect in whatever I posted
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again, flash is not readable while KEYACC is set. The only way to backdoor unsecure is to copy unsecure routine to RAM and call its copy in RAM.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh wait - so the sentence speak about the address of the CODE that is executing the insertion of key and not of DATA (key) itself? Ok, it seems solvable now
Thank you for your time and effort!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not only code, but also key to compare should be in RAM before calling unsecure routine in RAM. Setting KEYACC will "break" all your flash memory. That means CPU couldn't execute code from flash, also could read backdoor key from flash. Do you have interrupts enabled? - Disable them, because CPU couldn't read interrupt vectors from flash and jump to ISR routines in flash.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, ok.... as long as one is allowed to use STA (which does not seem 100% sure according to sentence I posted, but according to your response it is so I'll believe you) it's ok
(allegedly it's not possible to use STHX "STHX must not be used for these writes because these writes cannot be done
on adjacent bus cycles." but it's not a problem since the data get easily be written in 8bits)
I'm really grateful for your responses
