How to trigger mass erase on somehow locked K32L2A device

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to trigger mass erase on somehow locked K32L2A device

Jump to solution
3,271 Views
jh0
Contributor IV

Hi,

Due to bad flashing I ended with somehow locked K32L2A device. I am using mcuxpresso with mcu-link probe. New program can not be downloaded, but memory can be read, and here is protection related part ...

memory.gif

Device can not be unlocked / mass erased by mcuxpresso flash tool.

It is very strange to me that mcuxpresso doesn't check for operation success (or I don't know where the right checkbox is). After program is download to device there is no automatic verify, so user think that everything is OK. Same for erase or unlock because result of all this operations is OK (green / blue). Only if dedicate verify against file is executed than will be reported error (red).

0 Kudos
Reply
1 Solution
3,195 Views
jh0
Contributor IV

I unlocked device by triggering mass erase with writing right value (mass erase under reset, because reset pin was disabled) to MDM-AP control register. I started once with development of my own hardware / software SWD tool (never finished), so used this because didn't found anything for low level SWD operations by CMSIS-DAP using MCU-Link.

; Select MDM-AP control reg

SWD_REG_WRITE DP_RESEND_SELECT, ((001h << 24) | (001h << 2))

; Set BIT3 to force a system reset. Set BIT0 to cause mass erase.

SWD_REG_WRITE_AD AP_DRW, (BIT3 | BIT0)

I really don't understand why this is not covered by mass erase in MCUXpresso.

EDIT:

After device was unlocked I found note inside device reference manual (9.4.1 MDM-AP Control Register) related to my case. It was in front of my eyes all the time, but I didn't see it.

note.jpg

I am not sure if solution by Erich Styger using j-link should help in my case. Because here ...

https://wiki.segger.com/Kinetis_Series_Devices

there is ...

It is mandatory to connect the reset pin of the Kinetis devices to J-Link. Otherwise, proper functionality and a stable connection cannot be guaranteed.

Note: The Kinetis manuals advertise that a reset can also be issued via the MDM-AP, so no pin is required. However, this way is unreliable and does not work properly when trying to unsecure a secured device.

... and on my device reset pin was disabled.

View solution in original post

0 Kudos
Reply
6 Replies
3,255 Views
nxf77486
NXP TechSupport
NXP TechSupport

Hello @jh0 ,

Please follow the next guide, on the section Unlocking and Erasing with J-Link Commander.

Unlocking and Erasing with J-Link Commander 

Also let me know any error message (in case of it) if it works also let me know.

0 Kudos
Reply
3,247 Views
jh0
Contributor IV

Hi @nxf77486,

Unfortunately I don't have Segger probe. AFAIK only MCU-Link Pro can be used as J-Link probe with Segger firmware. MCU-Link non-Pro can't, even Segger firmware can be found inside MCU-Link non-Pro driver pack.

Here is log from MCUXpresso with mass erase executed (with reset target checked) and message that part is not secured (I hope so, that only flash is) ...

Executing flash operation 'Erase' (Erase flash) - Tue Oct 12 22:03:17 CEST 2021
Checking MCU info...
Scanning for targets...
Executing flash action...
MCUXpresso IDE RedlinkMulti Driver v11.4 (Jul 2 2021 12:03:47 - crt_emu_cm_redlink.exe build 1)
( 0) Reading remote configuration
Wc(03). No cache support.
Found chip XML file in D:/workspace/K32L2A31A_Project___/Debug\K32L2A31xxxxA.xml
( 5) Remote configuration complete
Reconnected to existing LinkServer process.
============= SCRIPT: kinetisconnect.scp =============
Kinetis Connect Script
Connecting to Probe Index = 1
This probe = 1
This TAP = 0
This core = 0
DpID = 2BA01477
Assert NRESET
Reset pin state: 01
Power up Debug
MDM-AP APID: 0x001C0020
MDM-AP System Reset/Hold Reset/Debug Request
MDM-AP Control: 0x0000001C
MDM-AP Status (Flash Ready) : 0x008801B2
Part is not secured
MDM-AP Control: 0x00000014
Release NRESET
Reset pin state: 01
MDM-AP Control (Debug Request): 0x00000004
MDM-AP Status: 0x008901BA
MDM-AP Core Halted
============= END SCRIPT =============================
Probe Firmware: MCU-LINK (r0FF) CMSIS-DAP V2.245 (NXP Semiconductors)
Serial Number: XXXXXXXXXX
VID:PID: 1FC9:0143
USB Path: \\?\hid#vid_1fc9&pid_0143&mi_00#7&29063fc9&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}
Using memory from core 0 after searching for a good core
On debug connection - reset using system reset
( 30) Emulator Connected
( 40) Debug Halt
( 50) CPU ID
debug interface type = CoreSight DP (DAP DP ID 2BA01477) over SWD TAP 0
processor type = Cortex-M0+ (CPU ID 00000C60) on DAP AP 0
number of h/w breakpoints = 2
number of flash patches = 0
number of h/w watchpoints = 2
Probe(0): Connected&Reset. DpID: 2BA01477. CpuID: 00000C60. Info: <None>
Debug protocol: SWD. RTCK: Disabled. Vector catch: Enabled.
Content of CoreSight Debug ROM(s):
RBASE F0002000: CID B105100D PID 000008E000 ROM (type 0x1)
ROM 1 F0000000: CID B105900D PID 04001BB932 CSt ARM MTB type 0x31 Trace Sink - Basic trace router
ROM 1 F0001000: CID B105900D PID 000008E000 CSt MTBDWT type 0x4 Debug Control - Other
ROM 1 F0006000: CID B105900D PID 04000BB9A6 CSt ARM CTIv2 type 0x14 Debug Control - Trigger, e.g. ECT
ROM 1 E00FF000: CID B105100D PID 04000BB4C0 ROM (type 0x1)
ROM 5 E000E000: CID B105E00D PID 04000BB008 Gen SCS (type 0x0)
ROM 5 E0001000: CID B105E00D PID 04000BB00A Gen DWT (type 0x0)
ROM 5 E0002000: CID B105E00D PID 04000BB00B Gen FPB (type 0x0)
NXP: K32L2A31xxxxA
DAP stride is 1024 bytes (256 words)
Inspected v.2 On chip Kinetis Flash memory module K32L2A.cfx
Image 'Kinetis K32L Jul 12 2021 22:06:17'
Opening flash driver K32L2A.cfx
Sending VECTRESET to run flash driver
Flash variant 'K32L2B FTFA 2K' detected (256KB = 128*2K at 0x0)
Closing flash driver K32L2A.cfx
( 65) Chip Setup Complete
Connected: was_reset=false. was_stopped=true
( 70) License Check Complete
Opening flash driver K32L2A.cfx (already resident)
Sending VECTRESET to run flash driver
Flash variant 'K32L2B FTFA 2K' detected (256KB = 128*2K at 0x0)
Mass Erase flash at 0x0
Closing flash driver K32L2A.cfx
MassErase completed (in 9ms)

 

0 Kudos
Reply
3,225 Views
nxf77486
NXP TechSupport
NXP TechSupport

Hello @jh0 ,

 

Can you please make a image memory dump in order to see the 0x400 memory section in order to discard any security.

Also please send me the command prompt of the error you are receiving in order to have more info.

0 Kudos
Reply
3,214 Views
jh0
Contributor IV

Hi @nxf77486 

Here is 0x400 ...

Image1.gif

If I decoded right ...

Backdoor key: 30 30 30 35 30 30 44 34

FPROT: FF FF FF FF  flash is protected

reserved FF

reserved FF

FOPT: 46  0100 0110

BIT7-6: 01 Boot reserved     BIT5: 0 Slow init    BIT4,0: 00 VLPR mode

BIT3: 0 Reset pin disabled    BIT2: 1 NMI enabled    BIT1: 1 Boot source from BIT7-6

FSEC: FE 1111 1110

BIT7-6: 11 Backdoor key access disabled

BIT5-4: 11 Mass erase enabled

BIT3-2: 11 NXP factory access granted

BIT1-0: 10 MCU security status is unsecure

 

I know that flash does not change, because verify fail after mass erase or after program with unchanged flash memory contest starting from address zero and so on.

...
( 65) Chip Setup Complete
Connected: was_reset=true. was_stopped=true
( 70) License Check Complete
Verifying 'K32L2A31A_Project___.axf' ELF code section 0 at 0x00000000 len 0x35A0
Opening flash driver K32L2A.cfx (already resident)
Sending VECTRESET to run flash driver
Flash variant 'K32L2B FTFA 2K' detected (256KB = 128*2K at 0x0)
( 0) Comparing Flash against file at 0x00000000
Flash file verification failed at (at least) these memory addresses
@@@@00000000 - file 20018000 '... ' != flash 3038303A ':08
( 0) Comparing Flash against file at 0x00000004
@00000004 - file 00000135 '5...' != flash 30303030 '0000'
( 0) Comparing Flash against file at 0x00000008
@00000008 - file 000001A3 '....' != flash 38303030 '0008'
( 0) Comparing Flash against file at 0x0000000C
@0000000C - file 000006D1 '....' != flash 31464634 '4FF1'
( 0) Comparing Flash against file at 0x00000010
@00000010 - file 00000000 '....' != flash 34373946 'F974'
( 0) Comparing Flash against file at 0x00000014
@00000014 - file 00000000 '....' != flash 30303030 '0000'
( 0) Comparing Flash against file at 0x00000018
@00000018 - file 00000000 '....' != flash 0D463730 '07F.'
( 0) Comparing Flash against file at 0x0000001C
@0000001C - file DFFE7657 'Wv..' != flash 30313A0A '.:10'
( 0) Comparing Flash against file at 0x00000020
@00000020 - file 00000000 '....' != flash 30303430 '0400'
( 0) Comparing Flash against file at 0x00000024
@00000024 - file 00000000 '....' != flash 46463030 '00FF'
( 0) Comparing Flash against file at 0x00000028
@00000028 - file 00000000 '....' != flash 46464646 'FFFF'
( 0) Comparing Flash against file at 0x0000002C
@0000002C - file 000001A7 '....' != flash 46464646 'FFFF'
( 0) Comparing Flash against file at 0x00000030
@00000030 - file 00000000 '....' != flash 46464646 'FFFF'
( 0) Comparing Flash against file at 0x00000034
@00000034 - file 00000000 '....' != flash 46464646 'FFFF'
( 0) Comparing Flash against file at 0x00000038
@00000038 - file 000001A9 '....' != flash 46464646 'FFFF'
( 0) Comparing Flash against file at 0x0000003C
@0000003C - file 000001AB '....' != flash 45464646 'FFFE'
( 0) Comparing Flash against file at 0x00000040
@00000040 - file 000001AF '....' != flash 46464433 '3DFF'
( 0) Comparing Flash against file at 0x00000044
@00000044 - file 000001B7 '....' != flash 46424646 'FFBF'
( 0) Comparing Flash against file at 0x00000048
@00000048 - file 000001BF '....' != flash 313A0A0D '..:1'
( 0) Comparing Flash against file at 0x0000004C
@0000004C - file 000001C7 '....' != flash 30303130 '0100'
Closing flash driver K32L2A.cfx
(100) File matches flash.
Read 0x42D88 bytes in 3697ms (about 74kB/s) - verify FAILED
(100) Target Connection Failed
Unable to perform operation!
Command failed with exit code 1

0 Kudos
Reply
3,205 Views
nxf77486
NXP TechSupport
NXP TechSupport

Hello @jh0 ,

 

Please find a guide provided by us that could help you out. Please let me know anything else.

Production Flash Programming Best Practices for Kinetis K- and L-series MCUs 

3,196 Views
jh0
Contributor IV

I unlocked device by triggering mass erase with writing right value (mass erase under reset, because reset pin was disabled) to MDM-AP control register. I started once with development of my own hardware / software SWD tool (never finished), so used this because didn't found anything for low level SWD operations by CMSIS-DAP using MCU-Link.

; Select MDM-AP control reg

SWD_REG_WRITE DP_RESEND_SELECT, ((001h << 24) | (001h << 2))

; Set BIT3 to force a system reset. Set BIT0 to cause mass erase.

SWD_REG_WRITE_AD AP_DRW, (BIT3 | BIT0)

I really don't understand why this is not covered by mass erase in MCUXpresso.

EDIT:

After device was unlocked I found note inside device reference manual (9.4.1 MDM-AP Control Register) related to my case. It was in front of my eyes all the time, but I didn't see it.

note.jpg

I am not sure if solution by Erich Styger using j-link should help in my case. Because here ...

https://wiki.segger.com/Kinetis_Series_Devices

there is ...

It is mandatory to connect the reset pin of the Kinetis devices to J-Link. Otherwise, proper functionality and a stable connection cannot be guaranteed.

Note: The Kinetis manuals advertise that a reset can also be issued via the MDM-AP, so no pin is required. However, this way is unreliable and does not work properly when trying to unsecure a secured device.

... and on my device reset pin was disabled.

0 Kudos
Reply