[LPC55]: Disable ISP and SWD to utilize code protection


In some early LPC products, such as LPC11xx, LPC17xx, LPC18xx, LPC40xx, LPC43xx and LPC8xx, Code Read Protection (CRP) is used for code protection. CRP has three security levels, CRP1, CRP2 and CRP3, which are shown in Figure 1.


Figure 1

The LPC55 series (LPC55(S)0x, 1x, 2x and 6x) uses Secure boot and Protected Flash Region (PFR) configuration instead of CRP for security protection. Part numbers with an S (e.g. LPC55S28 and LPC55S06) support Secure boot. Non-S parts, such as LPC5506 and LPC5528, can only achieve code protection by configuring the PFR-related fields.

CRP2 is the most commonly used protection level. With CRP2, SWD access is blocked, so users cannot read, write, or erase Flash via SWD or ISP. In addition, users cannot erase part of Flash to modify existing code. Once in CRP2 mode, Flash can only be recovered by a Flash mass erase, which effectively prevents an attacker from reading and modifying the Flash code.

Unfortunately, LPC5500 devices such as LPC55(S)0x, 1x, 2x and 6x do not have a mechanism that works exactly like CRP2, which many users ask about. To achieve the same functionality as CRP2, configure the CMPA to disable ISP and the SWD debug port.

1.   Disable ISP

The Customer Manufacturing/Factory Configuration Area (CMPA) is part of the PFR. The BOOT_CFG field selects whether ISP mode is enabled. Table 1 shows the CMPA fields starting at word address 9E40. The ISP control domains are marked in red (as shown in Table 1). Table 2 shows the mode selection for the ISP domains, where 111 means ISP disabled. To disable ISP mode, set BOOT_CFG to 0b1110000.

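| Word Address (HEX) | Byte Address | Field | Description (bits 6 to 0) |
|---|---|---|---|
| 9E40 | 9E400 | BOOT_CFG | Bits 6:4: Default ISP mode; bits 3:0: 0 0 0 0 |
| | 9E404 | SPI_FLASH_CFG | 0 0 0 0 0 0 0 |
| | 9E408 | USB_ID | USB Vendor ID |
| | 9E40C | SDIO_CFG | 0 0 0 0 0 0 0 |
| 9E41 | 9E410 | CC_SOCU_PIN | Bit 6: ISP_CMD_EN; bit 5: MCM33_DBGEN; bits 4:0: 0 0 0 0 0 |
| | 9E414 | CC_SOCU_DFLT | Bit 6: ISP_CMD_EN; bit 5: MCM33_DBGEN; bit 4: TAPEN; bit 3: SPIDEN; bit 2: SPNIDEN; bit 1: DBGEN; bit 0: NIDEN |

Table 1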

| Default ISP mode | Bit 6:4 |
|---|---|
| Auto ISP | 000 |
| USB_HID_MSC | 001 |
| UART ISP | 010 |
| SPI Slave ISP | 011 |
| I2C slave ISP | 100 |
| Disable ISP | 111 |

Table 2

2.   Disable SWD

DCFG_CC_SOCU is a configuration that specifies debug access restrictions per debug domain. These access restrictions are also referred to as constraint attributes in this section. The debug subsystem is subdivided into multiple debug domains to allow finer access control. Figure 2 shows the debug domains and their corresponding control bit positions in DCFG_CC_SOCU. The SOCU_PIN and SOCU_DFLT registers are used together to define SWD debug access for each module. Logically, DCFG_CC_SOCU is composed of two components:

  • SOCU_PIN: A bitmask that specifies which debug domains are predetermined by device configuration.
  • SOCU_DFLT: Provides the final access level for those bits that the SOCU_PIN field indicated are predetermined by device configuration.

In other words, setting the corresponding bit in both SOCU_PIN and SOCU_DFLT to 1 enables the module, and setting the corresponding bit in both registers to 0 disables it. See Figure 2.


Figure 2

Note that the default values of CC_SOCU_PIN and CC_SOCU_DFLT in the LPC55 PFR are all zeros. In this case, although SOCU_PIN and SOCU_DFLT are both 0, the bit reverse rule is not met (Figure 3 below), so all debugging permissions are enabled by default when CC_SOCU_PIN and CC_SOCU_DFLT are all 0.


Figure 3

Note the distinction between CC_SOCU_PIN (CC_SOCU_DFLT) and SOCU_PIN (SOCU_DFLT): the former, with the CC_ prefix, includes the reverse bits of the latter.

For example, if SOCU_PIN and SOCU_DFLT are set to all zeros and the reverse bits are set to 1, all SWD modules are disabled.


Figure 4

3. Implementation

The following uses LPC5506 as an example to configure the CMPA field:

3.1  Disable ISP and SWD


Figure 5

Keep the default CMPA values except for the two highlighted in red in Figure 5.

1) Set BOOT_CFG to 0x70 to disable ISP.

2) Set all SOCU_PIN and SOCU_DFLT bits to 0, and set all reverse bits to 1. This disables all debug access subdomains.

3.2 Enable ISP and SWD


Figure 6

Keep the default CMPA values except for the two highlighted in red in Figure 6.

1) Set BOOT_CFG to 0x00 to enable Auto ISP.

2) Restore the default values of DCFG_CC_SOCU, that is, set CC_SOCU_PIN and CC_SOCU_DFLT to all zeros. In this case, all debug permissions are restored (turned on) because the bit reverse rule is not met (see Part 2 of this article).
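
A check of the CMPA values from sections 3.1 and 3.2, as an added example (not the attached demo code and not NXP's code). It assumes each CC_ word holds the SOCU value in bits 15:0 and its bitwise inverse in bits 31:16; the enum and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Default ISP mode values from Table 2 (BOOT_CFG bits 6:4). */
enum isp_mode { ISP_AUTO = 0, ISP_USB_HID_MSC = 1, ISP_UART = 2,
                ISP_SPI_SLAVE = 3, ISP_I2C_SLAVE = 4, ISP_DISABLED = 7 };

enum dbg_state { DBG_DEFAULT_OPEN, DBG_ALL_DISABLED, DBG_OTHER, DBG_INVALID };

/* BOOT_CFG with only the Default ISP mode field set; other bits stay 0. */
uint32_t boot_cfg_word(enum isp_mode mode) {
    return ((uint32_t)mode & 0x7u) << 4;
}

/* Assumption: SOCU value in bits 15:0, its bitwise inverse in bits 31:16. */
uint32_t cc_socu_word(uint16_t socu) {
    return ((uint32_t)(uint16_t)~socu << 16) | socu;
}

/* Returns 1 when the upper half is the inverse of the lower half. */
int cc_socu_valid(uint32_t word) {
    return (uint16_t)(word >> 16) == (uint16_t)~(uint16_t)word;
}

/* Classify a CC_SOCU_PIN / CC_SOCU_DFLT pair as the article describes it. */
enum dbg_state classify_debug(uint32_t cc_pin, uint32_t cc_dflt) {
    if (cc_pin == 0 && cc_dflt == 0)
        return DBG_DEFAULT_OPEN;      /* blank default: reverse rule not met */
    if (!cc_socu_valid(cc_pin) || !cc_socu_valid(cc_dflt))
        return DBG_INVALID;           /* behaviour not covered by the article */
    if ((uint16_t)cc_pin == 0 && (uint16_t)cc_dflt == 0)
        return DBG_ALL_DISABLED;      /* section 3.1 setting */
    return DBG_OTHER;                 /* some domain bits set */
}

/* Returns 1 only for the section 3.1 lock-down: ISP off and all debug off. */
int cmpa_locked(uint32_t boot_cfg, uint32_t cc_pin, uint32_t cc_dflt) {
    return ((boot_cfg >> 4) & 0x7u) == (uint32_t)ISP_DISABLED &&
           classify_debug(cc_pin, cc_dflt) == DBG_ALL_DISABLED;
}

int main(void) {
    uint32_t boot = boot_cfg_word(ISP_DISABLED), socu = cc_socu_word(0);
    printf("3.1: BOOT_CFG=0x%02X CC_SOCU_PIN=CC_SOCU_DFLT=0x%08X locked=%d\n",
           (unsigned)boot, (unsigned)socu, cmpa_locked(boot, socu, socu));
    printf("3.2: BOOT_CFG=0x%02X CC_SOCU_PIN=CC_SOCU_DFLT=0x%08X locked=%d\n",
           (unsigned)boot_cfg_word(ISP_AUTO), 0u, cmpa_locked(0, 0, 0));
    return 0;
}
```

Running the same classification over the CMPA words read back from a programmed board, before it leaves production, catches a unit that was left at the all-zero default with debug still open.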

3.3 Code Implementation

Enable or disable the SWD and ISP functions by serial command (1 or 0).


Figure 7

The demo code is attached. This routine has been tested on the LPCXpresso55S06 development board.

NOTE:

    As system security requirements and the attack surface evolve, it is important for customers to understand the types of attacks (especially advanced physical attacks) which NXP does not claim to protect against, or strongly mitigate, so that appropriate mitigation can be taken by the customer at the system level if necessary.

 

Comments

This would appear that any mass erase of the flash via SWD is completely disabled in the future (unless somehow the enable code in the above example is run). Is this correct, or am I mistaken?

We only have the SWD interface (on LPC5528 boards) to program production boards so we need a way to read protect the flash via SWD (no read allowed from any interface) and only allow mass erase via any interface. Is this possible?

Last update: 05-28-2023 07:24 AM