Unsecuring the MCU from Backdoor key to unprotect the Flash

venkataddagatla
Contributor II
Hi,
I have enabled the Backdoor key to unsecure the flash, and I have set the flash configuration as mentioned below.

    (void(*)(void)) 0xAAAAAAAA, /* 0x400 Backdoor Comparison Key */
    (void(*)(void)) 0xAAAAAAAA, /* 0x404 Backdoor Comparison Key */
    (void(*)(void)) 0xFFFFFFFF, /* 0x408 FPROT */
    (void(*)(void)) 0xFFFFFFBD /* 0x40c FSEC, FOPT, FEPROT, FDPROT */

This was added in the vector table after the end of the ISRs. This is part of the Bootloader code.
So, to unsecure the MCU, I am running the backdoor key from the Application, not from the Bootloader code.
The code below runs from the Application on a keypress.

    while((FTFE_BASE_PTR->FSTAT & FTFE_FSTAT_CCIF_MASK) == 0); // wait if operation in progress
    FTFE_BASE_PTR->FSTAT = FTFE_FSTAT_ACCERR_MASK | FTFE_FSTAT_FPVIOL_MASK; // clear flags

    FTFE_BASE_PTR->FCCOB3 = 0x45;
    FTFE_BASE_PTR->FCCOB7 = 0xAA;
    FTFE_BASE_PTR->FCCOB6 = 0xAA;
    FTFE_BASE_PTR->FCCOB5 = 0xAA;
    FTFE_BASE_PTR->FCCOB4 = 0xAA;
    FTFE_BASE_PTR->FCCOBB = 0xAA;
    FTFE_BASE_PTR->FCCOBA = 0xAA;
    FTFE_BASE_PTR->FCCOB9 = 0xAA;
    FTFE_BASE_PTR->FCCOB8 = 0xAA;
    FTFE_BASE_PTR->FSTAT = FTFE_FSTAT_CCIF_MASK; // launch command
    while((FTFE_BASE_PTR->FSTAT & FTFE_FSTAT_CCIF_MASK) == 0); // wait until complete

I am printing the status register before and after running the backdoor command, but the FSEC register does not change; it always has the same value.
How can I verify whether the Backdoor key worked or not?
One more question: with the MEEN bits in FSEC, if we disable mass erase, is it possible to unlock the flash with the Backdoor key?
I have tried this and did not succeed; I ended up locking my MCU.
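An added example, not part of the original post and not NXP SDK code: a host-side decoder for the FSEC byte, applied to the 0x40C word quoted in the post, so the KEYEN, MEEN and SEC settings can be checked before a configuration is flashed. The field positions and encodings are assumed from the Kinetis K-series reference manuals and should be confirmed against the K61 manual; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed FSEC layout (Kinetis FTFE): KEYEN[7:6] MEEN[5:4] FSLACC[3:2] SEC[1:0]. */
typedef struct {
    uint8_t keyen;   /* 0b10 = backdoor key access enabled, others disabled */
    uint8_t meen;    /* 0b10 = mass erase disabled, others enabled */
    uint8_t fslacc;  /* factory access level */
    uint8_t sec;     /* 0b10 = unsecure, others secure */
} fsec_fields_t;

/* FSEC is the lowest-addressed byte of the little-endian word at 0x40C. */
static uint8_t fsec_from_config_word(uint32_t word_40c)
{
    return (uint8_t)(word_40c & 0xFFu);
}

static fsec_fields_t fsec_decode(uint8_t fsec)
{
    fsec_fields_t f;
    f.keyen  = (uint8_t)((fsec >> 6) & 3u);
    f.meen   = (uint8_t)((fsec >> 4) & 3u);
    f.fslacc = (uint8_t)((fsec >> 2) & 3u);
    f.sec    = (uint8_t)(fsec & 3u);
    return f;
}

static bool fsec_backdoor_enabled(fsec_fields_t f)   { return f.keyen == 2u; }
static bool fsec_mass_erase_enabled(fsec_fields_t f) { return f.meen != 2u; }
static bool fsec_is_secure(fsec_fields_t f)          { return f.sec != 2u; }

/* Secured with mass erase disabled: a debugger mass erase is not available,
 * so the part depends entirely on the backdoor key (if KEYEN allows it). */
static bool fsec_unrecoverable_without_key(fsec_fields_t f)
{
    return fsec_is_secure(f) && !fsec_mass_erase_enabled(f);
}

static void fsec_print(const char *label, uint8_t fsec)
{
    fsec_fields_t f = fsec_decode(fsec);
    printf("%s: FSEC=0x%02X secure=%d backdoor=%d mass_erase=%d key_only=%d\n",
           label, fsec, fsec_is_secure(f), fsec_backdoor_enabled(f),
           fsec_mass_erase_enabled(f), fsec_unrecoverable_without_key(f));
}

int main(void)
{
    fsec_print("word from the post  ", fsec_from_config_word(0xFFFFFFBDu));
    fsec_print("constructed, MEEN=10", 0xADu);  /* constructed sample value */
    fsec_print("constructed, SEC=10 ", 0xBEu);  /* constructed sample value */
    return 0;
}
```

The same decode can be applied on target to the FSEC register read before and after the backdoor command, comparing the SEC field of the two readings.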
 
Alexis_A
NXP TechSupport

Hello @venkataddagatla,

In the SDK, there's a function called FTFx_CMD_SecurityBypass in the fsl_ftfx_controller.c, you can check this driver in the pflash example.

Best Regards,

Alexis Andalon

venkataddagatla
Contributor II

Hi,

Thanks for the reply.

I have downloaded the SDK for K64, since I didn't get one for K61, as we are using the same for our project.

I still did not get the piece of logic where, based on Backdoor key acceptance, the Flash is unsecured.

Please find below the snippet which I found in the pflash example from the SDK:

    /* Print security status. */
    switch (securityStatus)
    {
        case kFLASH_SecurityStateNotSecure:
            PRINTF("\r\n Flash is UNSECURE!");
            break;
        case kFLASH_SecurityStateBackdoorEnabled:
            PRINTF("\r\n Flash is SECURE, BACKDOOR is ENABLED!");
            break;
        case kFLASH_SecurityStateBackdoorDisabled:
            PRINTF("\r\n Flash is SECURE, BACKDOOR is DISABLED!");
            break;
        default:
            break;
    }
    PRINTF("\r\n");
    /* Test pflash basic operation only if flash is unsecure. */
    if (kFLASH_SecurityStateNotSecure == securityStatus)
    {
        /* Debug message for user. */
        /* Erase several sectors on upper pflash block where there is no code */
        PRINTF("\r\n Erase a sector of flash");

 

What I actually need here is: based on key acceptance, how can we make the flash unsecure so that it is ready for mass erase?

 

Alexis_A
NXP TechSupport

Hello @venkataddagatla,

The example by itself doesn't implement the enablement of the backdoor key. The API in the example FLASH_GetSecurityState checks if the backdoor key is active in case the debugger writes the key.

To enable the key you need to check the FLASH_SecurityBypass in the fsl_ftfx_flash driver.

Best Regards,

Alexis Andalon

 
