Ezport broken when MCU security status is secure

rickbronson
Contributor II

We have been seeing an issue with the MK20FN1M0VMD12 that happens very randomly that ends up causing the Ezport to be broken. The only way we have figured out to get out of this scenario is using "unlock kinetis" via the JLINK debugger.

Unfortunately, we have not figured out what causes the part to get into this mode but we are working on it. Separately, I was able to get the part into this mode via the JLINK with these commands:

J-Link>loadfile file1.bin

J-Link>r

J-Link>g

J-Link>loadfile file2.bin

Nothing special about these two files, they are both valid K20 executables.

  At this point the JLINK spits out:

J-Link: Flash download: Restarting flash programming due to program error (possibly skipped erasure of half-way erased sector).

J-Link: Flash download: Skip optimizations disabled for second try.

Error while programming flash: Programming failed.

The following debug output yields (I annotated some stuff below with --->):

r0 //system reset 

writedp 2, 0x01000000           //select MDM-AP 

readap 0 

sleep 10 

readap 0 // read MDM-AP register status

Reading AP register 0 = 0x00000037 (0 read repetitions needed)

---> System Security bit set

J-Link>mem 0x40020000 20 // FTFE memory map

40020000 = 90 06 CA 11 00 10 01 09 00 00 00 00 00 00 00 00

40020010 = CB 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00

--->Flash Option Register(40020003)=EzPort operation is enabled

--->Flash Protection Violation Flag

--->Freescale Failure Analysis Access Code=Freescale factory access denied

--->Program Flash Protection Registers=different

--->Backdoor Access Key Enable(40020002)=Backdoor key access disabled

J-Link>mem 0x400 10

00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

--->Flash Security Register=MCU security status is secure

So at this point when the Ezport is used to program, not even this command:

EZPORT_RDSR  0x05  /* Read Status Register */

works. The return value is 0xff. According to Table 31-2 of K20P144M120SF3RM.pdf, this command should function even if the part is secure.

  Any ideas/comments greatly appreciated.

  Rick

6 Replies

jorge_a_vazquez
NXP Employee

Hi Rick Bronson

Sorry for the late reply. I've been looking into and consulting on this issue. What is the status of this? We have some questions that we would like to ask to continue working on your case.

1. Did you find what exactly caused your device to get secured? You mentioned that you were working on it. Can I assume that your application doesn't change the Flash Configuration fields?

2. You mentioned that you are not able to use the EZPORT_RDSR command, but can you try other commands that should work when the device is secured? For example, can you try issuing the BE (Flash Bulk Erase) command without reading the Status Register?

Regards

Jorge Alcala

rickbronson
Contributor II

Hi Jorge,

We still have not been able to reproduce the original problem. So I've just been assuming that the original problem is the same problem that I can make happen with the Jlink. The good news is that doing the BE command, then programming as usual seems to bring the part out of security mode. So I'd like to mark this discussion as resolved until we can reproduce the original problem and hopefully see if the changes I've made to our Ezport programming code fix it.

  Thanks for all the help!

  Rick

rickbronson
Contributor II

Hi Jorge,

Thanks again for the help.

Yes, the Ezport works 100% of the time UNLESS we are in this strange mode. The K20 is programmed via Ezport from an iMX53. We've really tested the Ezport programming quite a lot, even interrupting it while in the middle of programming, and it's pretty solid.

It occurred to me that maybe you wanted me to do the erase (without connect), unlock kinetis, connect, and mem 0x400 10 commands when I was in the secure mode. I did that and the log is below.

  I put file1.bin and file2.bin here if you wanted to try something.

http://members.efn.org/~rick/pub/springdale/file1.bin

http://members.efn.org/~rick/pub/springdale/file2.bin

  Thanks,

  Rick

----------------------

/opt/SEGGER/JLink/JLinkExe -device MK20FN1M0xxx12 -if JTAG -speed 4000 -JTAGConf -1,-1 -AutoConnect 1

SEGGER J-Link Commander V5.10g (Compiled Jan  6 2016 13:54:12)

DLL version V5.10g, compiled Jan  6 2016 13:54:07

Connecting to J-Link via USB...O.K.

Firmware: J-Link ARM-OB STM32 compiled Aug 22 2012 19:52:04

Hardware version: V7.00

S/N: 20090928

License(s): RDI,FlashDL,FlashBP,JFlash,GDBFull

Emulator has Trace capability

VTref = 3.300V

Device "MK20FN1M0XXX12" selected.

TotalIRLen = 4, IRPrint = 0x01

TotalIRLen = 4, IRPrint = 0x01

Found Cortex-M4 r0p1, Little endian.

FPUnit: 6 code (BP) slots and 2 literal slots

CoreSight components:

ROMTbl 0 @ E00FF000

ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS

ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT

ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB

ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM

ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU

ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM

ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB

ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF

Found 1 JTAG device, Total IRLen = 4:

#0 Id: 0x4BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)

Cortex-M4 identified.

J-Link>loadfile /opt/springdale/rd/opt/testing/bin/k20_test.bin

Downloading file [/opt/springdale/rd/opt/testing/bin/k20_test.bin]...

Comparing flash   [100%] Done.

Erasing flash     [100%] Done.

Programming flash [100%] Done.

Verifying flash   [100%] Done.

J-Link: Flash download: Flash programming performed for 1 range (81920 bytes)

J-Link: Flash download: Total time needed: 2.523s (Prepare: 0.423s, Compare: 0.023s, Erase: 0.052s, Program: 1.993s, Verify: 0.006s, Restore: 0.024s)

O.K.

J-Link>r

Reset delay: 0 ms

Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.

J-Link>g

J-Link>loadfile /opt/springdale/achc-56.bin

Downloading file [/opt/springdale/achc-56.bin]...

Comparing flash   [100%] Done.

Erasing flash     [100%] Done.

Verifying flash   [100%] Done.

J-Link: Flash download: Restarting flash programming due to program error (possibly skipped erasure of half-way erased sector).

J-Link: Flash download: Skip optimizations disabled for second try.

Error while programming flash: Programming failed.

J-Link>exit

/opt/SEGGER/JLink/JLinkExe -device MK20FN1M0xxx12 -if JTAG -speed 4000 -JTAGConf -1,-1

SEGGER J-Link Commander V5.10g (Compiled Jan  6 2016 13:54:12)

DLL version V5.10g, compiled Jan  6 2016 13:54:07

Connecting to J-Link via USB...O.K.

Firmware: J-Link ARM-OB STM32 compiled Aug 22 2012 19:52:04

Hardware version: V7.00

S/N: 20090928

License(s): RDI,FlashDL,FlashBP,JFlash,GDBFull

Emulator has Trace capability

VTref = 3.300V

Type "connect" to establish a target connection, '?' for help

J-Link>erase

Target connection not established yet but required for command.

Device "MK20FN1M0XXX12" selected.

TotalIRLen = 4, IRPrint = 0x01

Secured Kinetis device detected. For debugger connection the device needs to be unsecured.

Device will be unsecured now.

Note: Unsecuring will trigger a mass erase of the internal flash.

TotalIRLen = 4, IRPrint = 0x01

Found Cortex-M4 r0p1, Little endian.

FPUnit: 6 code (BP) slots and 2 literal slots

CoreSight components:

ROMTbl 0 @ E00FF000

ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS

ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT

ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB

ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM

ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU

ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM

ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB

ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF

Found 1 JTAG device, Total IRLen = 4:

#0 Id: 0x4BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)

Cortex-M4 identified.

Erasing device (MK20FN1M0xxx12)...

Comparing flash   [100%] Done.

Erasing flash     [100%] Done.

Verifying flash   [100%] Done.

J-Link: Flash download: Total time needed: 1.973s (Prepare: 0.402s, Compare: 0.000s, Erase: 1.547s, Program: 0.000s, Verify: 0.000s, Restore: 0.023s)

Erasing done.

J-Link> mem 0x400 10

00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

J-Link>unlock kinetis

Found SWD-DP with ID 0x2BA01477

Unlocking device...O.K.

J-Link>connect

Device "MK20FN1M0XXX12" selected.

TotalIRLen = 4, IRPrint = 0x01

TotalIRLen = 4, IRPrint = 0x01

Found Cortex-M4 r0p1, Little endian.

FPUnit: 6 code (BP) slots and 2 literal slots

CoreSight components:

ROMTbl 0 @ E00FF000

ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS

ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT

ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB

ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM

ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU

ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM

ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB

ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF

Found 1 JTAG device, Total IRLen = 4:

#0 Id: 0x4BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)

Cortex-M4 identified.

J-Link> mem 0x400 10

00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

jorge_a_vazquez
NXP Employee

Hi Rick Bronson

Sorry if I misunderstood something, but did you overlap file1.bin and file2.bin?

What do you get when you do "unlock kinetis"?

Could you do the following steps and tell me what is the output that you get?

1. Launch Jlink.exe, use "Device MK20FN1M0XXX12" and use "erase" command (without connect)

2. After you receive "Erasing done" message, use "unlock kinetis" command.

3. After you get the "Unlocking device ... O.K" message, use the "connect" command.

4. Use "mem 0x400 10".

Please tell me what is the output of the step 4, or if you receive an error in the steps please tell me what you get.


Have a great day.
Jorge Alcala

rickbronson
Contributor II

Hi Jorge,

Thanks so much for the help.

The intention was not to overlap files. I did this by mistake but noticed that it put the K20 into the same mode that we have been seeing occasionally. That mode being the inability to use Ezport.

I followed your steps and below is the output. Please tell me if you need more information.

  Thanks,

  Rick

----------------------

/opt/SEGGER/JLink/JLinkExe -device MK20FN1M0xxx12 -if JTAG -speed 4000 -JTAGConf -1,-1

SEGGER J-Link Commander V5.10g (Compiled Jan  6 2016 13:54:12)

DLL version V5.10g, compiled Jan  6 2016 13:54:07

Connecting to J-Link via USB...O.K.

Firmware: J-Link ARM-OB STM32 compiled Aug 22 2012 19:52:04

Hardware version: V7.00

S/N: 20090928

License(s): RDI,FlashDL,FlashBP,JFlash,GDBFull

Emulator has Trace capability

VTref = 3.300V

Type "connect" to establish a target connection, '?' for help

J-Link>erase

Target connection not established yet but required for command.

Device "MK20FN1M0XXX12" selected.

TotalIRLen = 4, IRPrint = 0x01

TotalIRLen = 4, IRPrint = 0x01

Found Cortex-M4 r0p1, Little endian.

FPUnit: 6 code (BP) slots and 2 literal slots

CoreSight components:

ROMTbl 0 @ E00FF000

ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS

ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT

ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB

ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM

ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU

ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM

ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB

ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF

Found 1 JTAG device, Total IRLen = 4:

#0 Id: 0x4BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)

Cortex-M4 identified.

Erasing device (MK20FN1M0xxx12)...

Comparing flash   [100%] Done.

Erasing flash     [100%] Done.

Verifying flash   [100%] Done.

J-Link: Flash download: Total time needed: 1.977s (Prepare: 0.406s, Compare: 0.000s, Erase: 1.547s, Program: 0.000s, Verify: 0.000s, Restore: 0.023s)

Erasing done.

J-Link>unlock kinetis

Found SWD-DP with ID 0x2BA01477

Unlocking device...O.K.

J-Link>connect

Device "MK20FN1M0XXX12" selected.

TotalIRLen = 4, IRPrint = 0x01

TotalIRLen = 4, IRPrint = 0x01

Found Cortex-M4 r0p1, Little endian.

FPUnit: 6 code (BP) slots and 2 literal slots

CoreSight components:

ROMTbl 0 @ E00FF000

ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS

ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT

ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB

ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM

ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU

ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM

ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB

ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF

Found 1 JTAG device, Total IRLen = 4:

#0 Id: 0x4BA00477, IRLen: 04, IRPrint: 0x1, CoreSight JTAG-DP (ARM)

Cortex-M4 identified.

J-Link>mem 0x400 10

00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF

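An added example (not code from this thread, NXP or SEGGER): a Python decoder for the `mem 0x400 10` line requested in step 4, assuming the Kinetis flash configuration field layout in which 0x40C holds FSEC and 0x40D holds FOPT. The function names are hypothetical; the first two sample lines are copied from the J-Link logs above and the third is constructed.

```python
import re

FSEC_OFFSET = 0x0C  # 0x40C: flash security byte, loaded into FTFE_FSEC at reset
FOPT_OFFSET = 0x0D  # 0x40D: flash option byte, loaded into FTFE_FOPT at reset

def parse_mem_line(line):
    """Turn one J-Link 'mem' output line into (address, bytes)."""
    m = re.fullmatch(r"([0-9A-Fa-f]{8})\s*=\s*((?:[0-9A-Fa-f]{2}\s*)+)", line.strip())
    if not m:
        raise ValueError("not a J-Link mem line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2))

def decode_config_field(line):
    """Decode FSEC/FOPT from the 16-byte dump that starts at 0x400."""
    addr, data = parse_mem_line(line)
    if addr != 0x400 or len(data) < 16:
        raise ValueError("expected 16 bytes starting at 0x400")
    fsec, fopt = data[FSEC_OFFSET], data[FOPT_OFFSET]
    return {
        "fsec": fsec,
        "secure": (fsec & 0x3) != 0b10,                          # SEC: only 10 is unsecure
        "factory_access": ((fsec >> 2) & 0x3) in (0b00, 0b11),   # FSLACC: 01/10 deny
        "mass_erase_enabled": ((fsec >> 4) & 0x3) != 0b10,       # MEEN: only 10 disables
        "backdoor_key_enabled": ((fsec >> 6) & 0x3) == 0b10,     # KEYEN: only 10 enables
        "ezport_enabled": bool(fopt & 0x02),                     # FOPT[EZPORT_DIS] = 1
    }

def locks_out_mass_erase(info):
    """True when the field would secure the part and also disable mass erase."""
    return info["secure"] and not info["mass_erase_enabled"]

# Copied from the J-Link logs in this thread.
AFTER_ERASE = "00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"
AFTER_UNLOCK = "00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF"
# Constructed sample: FSEC = 0xEF (SEC = 11, MEEN = 10).
CONSTRUCTED = "00000400 = FF FF FF FF FF FF FF FF FF FF FF FF EF FF FF FF"

if __name__ == "__main__":
    samples = [("after erase", AFTER_ERASE), ("after unlock", AFTER_UNLOCK),
               ("constructed", CONSTRUCTED)]
    for name, line in samples:
        info = decode_config_field(line)
        print(name, hex(info["fsec"]), info, locks_out_mass_erase(info))
```

A programming script can run the same decode over the 16 bytes an image places at 0x400 before writing it, so code or data laid over the configuration field is caught before the part is secured.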

jorge_a_vazquez
NXP Employee

Hi Rick

I'm currently consulting on your information with some colleagues. I will test some configurations and keep you informed.

Just to be sure, you can manage to run the EZport if your device is not secured, right? Or is this behavior the same in both cases (secured and unsecured)? Also, can you confirm that the EZP_CS pin is as it should be during reset?


Have a great day,
Jorge Alcala
