How to write IFR on K32L3A?

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

How to write IFR on K32L3A?

1,546 次查看
Samson88
Contributor II

Hello,

I'm using blhost to write IFR 0x80 to put device into unsecured state.  To do this I must set bits 1:0  in FSEC register to 10.  

Since blhost requires 4 or 8 bytes, I am guessing the value I should write is: 0xFFFFFFFE, because the lowest bits in the E = 1110.   But this doesn't work.  I also tried little endian 0xFEFFFFFF, it did not work either.

When I read back 0x80 after writing, it looks like it worked.  When I reset the device (or cycle power), the state is SECURED.  But I expect it to be UNSECURED, since I wrote 10

What am I doing wrong? 

Thank you

blhost -p COM5 flash-program-once 0x80 4 FFFFFFFE
Ping responded in 1 attempt(s)
Inject command 'flash-program-once'
Successful generic response to command 'flash-program-once'
Response status = 0 (0x0) Success.

blhost -p COM5 flash-read-once 0x80 4
Ping responded in 1 attempt(s)
Inject command 'flash-read-once'
Response status = 0 (0x0) Success.
Response word 1 = 4 (0x4)
Response word 2 = -2 (0xfffffffe)

blhost -p COM5 reset
Ping responded in 1 attempt(s)
Inject command 'reset'
Successful generic response to command 'reset'
Response status = 0 (0x0) Success.

blhost -p COM5 get-property 17
Ping responded in 1 attempt(s)
Inject command 'get-property'
Response status = 0 (0x0) Success.
Response word 1 = 1 (0x1)
Security State = SECURE

Samson88_0-1698647100255.pngSamson88_1-1698647121096.png

 

 

标签 (1)
0 项奖励
回复
6 回复数

1,530 次查看
bobpaddock
Senior Contributor III

To my knowledge the only way to unsecure the device is chip erase or perhaps backdoor key..

0xFFFFFEFF I believe is the byte order.

The documentation often leaves a lot to be desired.

This details the procedure that you are seeking:

https://community.nxp.com/t5/Kinetis-Microcontrollers/Programming-the-K32L3A-MCU-Flash-IFR-Fields/ta...

0 项奖励
回复

1,507 次查看
Samson88
Contributor II

Thanks for the reply @bobpaddock 

Yes, I have read the article you linked.  The example shown is writing an entire register (FOPT) using a single IFR write to 0x84. It makes sense and it's clear what the bytes/bits mean. But I'm struggling to understand how to write individual bits in the FSEC register using IFR 0x80-0x83.

Let's take the case of backdoor key to unlock the device (as you suggested).  To do that I need to set the backdoor key by writing 8 bytes to IFR 0xB0. No problem because it's a "full bytes" type of write, easy to understand. Next I try to set FSEC:KEYEN to 10 by writing IFR 0x83, which is an "individual bits" kind of write, and it doesn't seem to work. See output below.

Any suggestions?

// check that device is unsecure

blhost -p COM4 -- get-property 17
Ping responded in 1 attempt(s)
Inject command 'get-property'
Response status = 0 (0x0) Success.
Response word 1 = 0 (0x0)
Security State = UNSECURE

// Program FSEC:KEYEN (bits 7:6) to 10 

blhost -p COM4 flash-program-once 0x83 4 FFFFFFBF
Ping responded in 1 attempt(s)
Inject command 'flash-program-once'
Successful generic response to command 'flash-program-once'
Response status = 0 (0x0) Success.

// Program backdoor key to 0xBBBBBBBBBBBBBBBB

blhost -p COM4 flash-program-once 0xB0 8 BBBBBBBBBBBBBBBB
Ping responded in 1 attempt(s)
Inject command 'flash-program-once'
Successful generic response to command 'flash-program-once'
Response status = 0 (0x0) Success.

// Program FSEC:SEC (bits 1:0) to 11

blhost -p COM4 flash-program-once 0x80 4 FFFFFFFF
Ping responded in 1 attempt(s)
Inject command 'flash-program-once'
Successful generic response to command 'flash-program-once'
Response status = 0 (0x0) Success.

// reset so settings will take effect (also tried power cycle)

blhost -p COM4 reset
Ping responded in 1 attempt(s)
Inject command 'reset'
Successful generic response to command 'reset'
Response status = 0 (0x0) Success.

// unlock device with backdoor key

blhost -p COM4 -- flash-security-disable BBBBBBBBBBBBBBBB
Ping responded in 1 attempt(s)
Inject command 'flash-security-disable'
Response status = 103 (0x67) kStatus_FlashAccessError

 

0 项奖励
回复

1,490 次查看
bobpaddock
Senior Contributor III
The Freescale/NXP implementation of flash write on the M0+ core is always a 32-bit word.

The only way to undo security, besides backdoor, is with a chip erase. Otherwise it would not be very good security.
0 项奖励
回复

1,482 次查看
Samson88
Contributor II

Yep, I understand that, which is why I'm trying to use the backdoor key. 

I also understand the need to write in multiples of 32-bits, the problem is where in that 32-bits do the bits I'm trying to program go?   For example when I try to set FSEC KEYEN to 10 (see above)? 

If I have the IFR write to FSEC:KEYEN correct, why is it not allowing me to unlock using backdoor key?

0 项奖励
回复

1,371 次查看
RaRo
NXP TechSupport
NXP TechSupport

Hello @Samson88,

Could you please take a look to the following AN? It could be useful.

Also, have you tried use the Option #3: Debugger Script method?

Best regards, Raul.

0 项奖励
回复

1,298 次查看
Samson88
Contributor II

Thanks Raul.  Yes, I have already read the AN you pointed me to.  It contains useful information but not the specific answer I'm looking for here.  Again: what is wrong with the commands I'm using above to unlock device with backdoor key? 

NXP cannot provide me a working example of backdoor key using blhost ? 

Seems like for the right Engineer / support person this would be trivial task and only take a few minutes.

Oh well...

 

 

0 项奖励
回复