Securing Kinetis, but then flash sectors are still readable. Where is my error?


diegocolombo
Contributor IV

Hi,
I'm working with an entry-level microcontroller (MKL03 family) using a P&E Universal Multilink as programmer-debugger.

I have some code and some data in declared sectors of the Flash area, say at address 0x3200 until 0x32FF.
In startup_MKL03Z4.s I change the byte shown in bold format

/* Flash Configuration */
    .section .FlashConfig, "a"
    .long 0xFFFFFFFF
    .long 0xFFFFFFFF
    .long 0xFFFFFFFF
    .long 0xFFFF3DFF    /* changed from 0xFFFF3DFE */

I was confident this should be enough to secure the memory.

Then I launch debugging from a different, almost empty project; in Debug Configurations -> Debugger -> Advanced Options I flag Preserve this range 0x3200 - 0x32FF. I can still see the data previously stored in this area. I guess this is because of some error I made, or something still missing.

I would like that no one, not even me, should be able to read code or data already present in the microcontroller. Is it possible to secure it without Flash protection, so that the microcontroller could be erased or reprogrammed?
And is it possible with some standalone tool?
Thanks,
Diego.


0 Kudos
Reply
4 Replies

xiangjun_rong
NXP TechSupport

Hi,

Please refer to section 27.3.1, Flash Configuration Field Description, in the RM of the KL03; the flash configuration field is located at 0x400 to 0x40F.

xiangjun_rong_0-1719374051119.png

xiangjun_rong_1-1719374172104.png

 

__attribute__ ((used,section(".FlashConfig"))) const struct {
    unsigned int word1;
    unsigned int word2;
    unsigned int word3;
    unsigned int word4;
} Flash_Config = {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF3DFF};

0xFFFFF3DFF, 0xFFFFF3DFC and 0xFFFFF3DFD can all set the chip in security mode.

I suppose it is correct that the last word is 0xFFFF3DFF, which will set the chip in security mode.

Please check whether the flash configuration field address is correct or not.

Hope it can help you

BR

XiangJun Rong

 

0 Kudos
Reply
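Added example (not part of any post in this thread, and not NXP code): a small C decoder for the last word of the .FlashConfig section, run on the values quoted in the thread. It assumes the usual Kinetis layout, with FSEC at 0x40C (KEYEN[7:6], MEEN[5:4], SEC[1:0]) and FOPT at 0x40D, which should be checked against section 27.3.1 of the KL03 RM; the names flash_cfg_t and decode_word4 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the last 32-bit word of the flash configuration field
 * (bytes 0x40C..0x40F). The word is stored little-endian, so its low byte
 * is FSEC (0x40C) and the next byte is FOPT (0x40D).
 * Bit layout is an assumption taken from the usual Kinetis FSEC register. */
typedef struct {
    uint8_t fsec;             /* security byte */
    uint8_t fopt;             /* boot options byte, not a security setting */
    int secured;              /* SEC   (FSEC[1:0]) != 0b10 */
    int mass_erase_enabled;   /* MEEN  (FSEC[5:4]) != 0b10 */
    int backdoor_key_enabled; /* KEYEN (FSEC[7:6]) == 0b10 */
} flash_cfg_t;

flash_cfg_t decode_word4(uint32_t word4)
{
    flash_cfg_t c;
    c.fsec = (uint8_t)(word4 & 0xFFu);
    c.fopt = (uint8_t)((word4 >> 8) & 0xFFu);
    /* Only SEC = 0b10 leaves the part unsecured; 00, 01 and 11 secure it. */
    c.secured              = (c.fsec & 0x03u) != 0x02u;
    /* Only MEEN = 0b10 disables mass erase on a secured part. */
    c.mass_erase_enabled   = ((c.fsec >> 4) & 0x03u) != 0x02u;
    /* Only KEYEN = 0b10 enables backdoor key access. */
    c.backdoor_key_enabled = ((c.fsec >> 6) & 0x03u) == 0x02u;
    return c;
}

int main(void)
{
    /* Last-word values quoted in the thread. */
    const uint32_t words[] = { 0xFFFF3DFEu, 0xFFFF3DFFu, 0xFFFF3BFFu, 0xFFFF3BFEu };
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        flash_cfg_t c = decode_word4(words[i]);
        printf("0x%08lX  FSEC=0x%02X FOPT=0x%02X  %s, mass erase %s, backdoor key %s\n",
               (unsigned long)words[i], (unsigned)c.fsec, (unsigned)c.fopt,
               c.secured ? "SECURED" : "unsecured",
               c.mass_erase_enabled ? "enabled" : "disabled",
               c.backdoor_key_enabled ? "enabled" : "disabled");
    }
    return 0;
}
```

Under this layout the 0x3D versus 0x3B difference lands in FOPT, while the security state depends only on the low byte; a secured part with mass erase enabled can still be erased and reprogrammed.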

diegocolombo
Contributor IV

Hi XiangJun Rong,
thank you for your reply.
I am still far from having my microcontroller secured.
My doubt is that something in the debugging environment is wrong and overrides the code that sets FTFA_SEC.
Let me explain:
Programmer USB Multilink Universal, Kinetis Design Studio (it is a reprise of an old project, from before MCUXpresso).
I use the debugging environment to check if it is possible to peep inside the memory.
What I notice is
1) The memory looks fully exposed to the Memory Browser
2) The data in the FlashConfig sector looks different from what was expected, FTFA_SEC=0xFFFF3DFE even though in code it was set to FTFA_SEC=0xFFFF3DFF. It looks like in code there are at least 2 ways to do that:
in startup_MKL03Z4.s or, as you suggested, in code, by the declaration of FlashConfig.
In both ways something else overrides this configuration, as shown in the screenshot
FTFA_SEC.jpg

Could it be something in the debug configuration?
The only thing that I see related to flash security is in the Commands box
Debug configuration.jpg

 

Thank you

0 Kudos
Reply

xiangjun_rong
NXP TechSupport

Hi,

The security mode can block the JTAG port so that the external user cannot read the data from flash.

But the security mode can work only after you write the flash configuration area and RESET. After reset, the data in the flash configuration area are copied to registers automatically, then the security mode is valid.

Please press reset and check if the JTAG is blocked.

Hope it can help you

BR

XiangJun Rong

0 Kudos
Reply

diegocolombo
Contributor IV

Thank you so much for your further reply, Mr Rong.
Issuing Reset (even with power off-on) does not change the situation.
I think it is better to use 0xFFFF3BFF instead of 0xFFFF3DFF; with 0x3D it looks like it runs only in debug mode
(notice that you added an extra 'F' in your example).
Resuming last tests: I used the Flash Programmer Tool, the button with the lightning symbol, to program and to write the "secret sector". In this way I have no doubt that the debugger does not override the FlashConfig settings in order to allow the debug itself. In this way the MKL03 is programmed in Secure Mode (0xFFFF3BFF).
Then I load a simple, almost empty "Hello World" program, taking care to set my "secret sector" address and size in "Preserve this range" in DebugConfiguration -> Debugger -> Advanced Options.
The FlashConfig last word is set to 0xFFFF3BFE (not secured). Launching debug, the "secret sector" is in view and I can read the data from the previous program (the data I want to be inaccessible).

Thanks

0 Kudos
Reply