Implementing flash security feature in Kinetis K66 MCU.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Implementing flash security feature in Kinetis K66 MCU.

5,000 Views
rakesh_kandukur
Contributor I

Hi,

I am working on Kinetis K66 MCU for implementing flash security feature i.e blocking the flashing through JTAG. 

I am trying to write 0x20 at 0x040C(FSEC) at run time which is a customised value required for security implementation in our project. The problem I am facing is, when the MCU is mass erased the value at 0x040C location(FSEC) which is used to implement flash security feature is having 0xFE. In order to write a value to flash for the MCU, the value should be 0xFF. I am able to write a value in flash configuration field at any location but not at 0x040C(FSEC). I had gone through "startup_mk66f18.c" file which has the flash configuration field structure values in it such as {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE}.

To implement security feature using the customised value mentioned previously, can I make the last word i.e "0xFFFFFFFE" dynamic in the structure in my code?

Is it recommended in doing so, so that the board can have proper functionality without securing the MCU flash?

Can anybody suggest a way to implement security feature for the MCU using my customised value?

Thanks,

Rakesh Kandukuri  

Labels (1)
0 Kudos
Reply
14 Replies

4,703 Views
mikestanley464
Contributor I

I'm not sure why the bcm2835_init: would be repeatedly called (as this seems to be the case) when using the read function which forms part of the getAccelerometer function, but there doesn't appear to be any source around for the sensor.so library object which is the interface in the python examples. root bluestacks omegle.red

Canli Mac Izle 

0 Kudos
Reply

4,941 Views
rakesh_kandukur
Contributor I

Hi Sabina,

Thank you for your reply.

I have few queries.

How to include override option to program the flash configuration field? Can it be done in the "startup_mk66f18.c" file? I am sure about the value(0x20) which can be written at 0x40C address cannot cause an improper functionality since I had gone through the reference manual and got the value 0x20. And I want to implement the security feature during run time through the application.

Can you provide some sample code to do the same in C?

 

Thanks,

Rakesh.Kandukuri

 

 

0 Kudos
Reply

4,919 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hello ,

Hope you are doing well.

Could you please clarify what do you mean by override?

There is an example included in the SDK for the FRDM-K66 called pflash. This example can get you started in introducing this into your application. 

Best Regards,

Sabina

 

0 Kudos
Reply

4,907 Views
rakesh_kandukur
Contributor I

Hi Sabina,

Thank you for your reply.

Regarding override in my previous comment, it is as per your first reply in this thread. You mentioned as like in the snip. So I had query over that. Can you please let me know how to do it?

rakesh_kandukur_0-1599458344366.png

I had gone through "pflash" example in FRDM-K66 SDK previously. It has the functionality to program the flash with data at a particular address location by erasing 4KB sector(4096 bytes) starting from that address initially. But as erasing is happening before writing to flash, I will be losing data in the sector having the address to be written. If I comment the code for erasing in pflash example that I integrated in my project I am getting a flash error. It is entering into 'error_trap()' function. I cannot proceed further. I want only to write to flash with 0x20 value at 0xFE address location for implementing security feature in my project.

As per your previous comment I can do it in startup file(startup_mk66f18.c) directly in the beginning. But I want to implement the feature at run time using application. Can you guide me how to implement the security feature by writing 0x20 at 0xFE address?

 

Thanks,

Rakesh Kandukuri  

0 Kudos
Reply

4,846 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hope you are well. For the override option description please refer to the following link.

Detail of an overrrie option of flash configuration field

If you have data that you want to save so as to not erase with the command. I would recommend to copy this data to another location, erase and reprogram with your security feature and then return the data as you had it. Unfortunately there is not an example using this method. You may use the pflash example and modify this to fit your needs. Please be careful not to secure the flash and disable the mass erase or you will loose access to the chip.

Best Regards,

Sabina

0 Kudos
Reply

4,799 Views
rakesh_kandukur
Contributor I

Hi Sabina,

Thank you for your reply.

I had gone through FOPT register for modifying FSEC register in the application code in reference manual for Kinetis K66 MCU as per your link in previous reply. But there is a little information about FOPT register in reference manual. In the manual they are mentioning like go through "Chip configuration details" for information on bits in FOPT register. But I could not find Chip configuration details topic in reference manual anywhere.

Can you please send me link or details regarding Chip configuration details for me to work on. 

 

Thanks,

Rakesh Kandukuri 

0 Kudos
Reply

4,780 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hope you are well. The details are provided in the table 7-3 of the reference manual in section 7.3.3. The register contains read-only bits that are loaded from the NVM's option byte in the flash configuration field. The user can reprogram the option byte in flash to change the FOPT values that are used for
subsequent resets.

nxf51209_0-1600197338671.png

nxf51209_1-1600197356299.png

Please let me know if you have further questions.

Best Regards,

Sabina

 

0 Kudos
Reply

4,768 Views
rakesh_kandukur
Contributor I

Hi Sabina,

Thank you for your reply.

I have a query.

By following previous comments I hardcoded a customised hexadecimal value in 'startup_mk66f18.c' file in the flash configuration field in structure having values like {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE}. I changed it to values like by including 0x40(KEYEN = 01, MEEN = 00, FSLACC = 00, SEC = 00) in {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF40} by modifying last word for enabling security using FTFE_FSEC at 0x40C address. But when I flash the code with above values, the value written at 0x40C address is 0x42 instead of 0x40. If I modify the value as 0x44 as value at 0x40C address 0x46 is written instead of 0x44. I am unable to implement security using that written values at 0x40C address. The bits are forcibly writing as 10 in 'SEC' bits.

Can you please give some suggestion to write the desired value(0x40) at 0x40C address in flash configuration field?

 

 

Thanks,

Rakesh.Kandukuri

0 Kudos
Reply

4,734 Views
Sabina_Bruce
NXP Employee
NXP Employee

Based on your description could you please try FC, FD or FF. These should have the same configuration you are looking for. Please let me know your results. Also which external debugger are you using? It is possible that in order for you to debug and read the memory it is unlocking the chip and therefore you see that the MCU is unsecured.

Best Regards,

Sabina

0 Kudos
Reply

4,730 Views
rakesh_kandukur
Contributor I

Hi Sabina,

As per your advice I replaced the value with 0xFC, 0xFD and 0xFF in the flash configuration field structure. After flashing when I see the flash using J-Mem tool from Jlink I am seeing the value 0xFE is written at 0x040C for all the 3 cases.
I am using JLink Ultra+ debugger from Segger to debug and see the flash memory.

Can you suggest some solution to secure the flash by writing to 0x40C address using a desired value(0x40)?

Also I am getting the below window in snip while flashing the image to MCU. 

rakesh_kandukur_0-1600409781786.png

 

 

Thanks,

Rakesh.Kandukuri

0 Kudos
Reply

4,710 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hope you are well. In fact you are securing the device properly, if not you would not get the message in your screenshot. The reason this pop up occurs is to make sure that you would like to unsecure it in order to use the debugger. If you select no then the device will remain secure but you will not be able to use the debugger.

Since you are selecting yes, in order to read the outcome of these bytes you are seeing that the last byte is unsecured, because the debugger needs it like this in order to have access. 

Essentially you are not doing anything incorrectly, but it depends if you want to continue to use the external debugger. Normally when you are ready to secure the part, it is because your application is ready and you will no longer need to debug your microcontroller.

 

Best Regards,

Sabina

0 Kudos
Reply

4,898 Views
rakesh_kandukur
Contributor I

Hi Sabina,

In my previous comment it was 0x40C address location not 0xFE

 

Thanks,

Rakesh Kandukuri.

0 Kudos
Reply

4,971 Views
Sabina_Bruce
NXP Employee
NXP Employee

Hello ,

Hope you are doing well.

I apologize for the delayed response, there was maintenance done on our community page and was not able to reply. From my understanding to your question, you would like to change the value of the flash byte in your application.If this is correct, I would not recommend doing this as any incorrect handling can lock your device.

The flash configuration field is a 16-byte section of flash memory located at 0x400-0x40F. Values from the flash configuration field are copied to flash registers at reset, so they set the default values for several flash settings, most importantly the flash protection and system security settings.
To prevent accidental securing of devices, the flash configuration field requires special treatment. NXP recommends that by default flash programmers write the following value to the flash configuration field:
{FFFFFFFF,FFFFFFFF,FFFFFFFF,FFFFFFFE}

If you want to program the flash configuration field, an override option should be included to enable users to program other values into the flash configuration field. Note that changes to the flash configuration field will take effect at the next reset. To prevent an updated flash configuration field value that secures the processor and prevents further access to the processor, ensure the programmer  completes all programming steps and any verification of values written before resetting the processor.

If you are sure about the security elements you would like to configure then I would recommend to do it directly in the startup file.

Best Regards,

Sabina

 

0 Kudos
Reply

4,931 Views
rakesh_kandukur
Contributor I

Hi Sabina,

Thank you for your reply.

I have few queries.

How to include override option to program the flash configuration field? Can it be done in the "startup_mk66f18.c" file? I am sure about the value(0x20) which can be written at 0x40C address cannot cause an improper functionality since I had gone through the reference manual and got the value 0x20. And I want to implement the security feature during run time through the application.

Can you provide some sample code to do the same in C?

 

Thanks,

Rakesh.Kandukuri

0 Kudos
Reply