Is there any secure way to reset entire memory of LPC15xx?

jonathon_generac · ‎03-15-2022

Per user manual:

NO_ISP is insecure since it allows access to device memory through SWD.
CRP1 is insecure since a third party could load a program into a small section of flash or RAM, branch to that program and use that program to read the remainder of device memory through one of the device interfaces.
CRP2 does not allow the boot sector to be erased, which cannot bring the device back to fully programmable state.
CRP3 allows the device to be reprogrammed via IAP or by reinvoking the ISP from the IAP but does not appear to allow the boot sector to be erased.

It seems like none of these options provide a secure means to reset all of flash memory to its original state without potentially allowing someone to extract a portion of the application.

PabloAvalos · ‎04-19-2022

Hi @jonathon_generac

I truly appreciate that you were so patient. Thank you so much.

I have a concrete answer for the confusion, actually with the CRP2 level on LPC15xx can only be erased all the sectors only and exclusively (not only user sectors as it was being mentioned), so maybe the description on the UM is not accurate about user sectors. This screenshot taken from UM is more clear.

Hoping the information was helpful, please let me know if you have more questions.

Thank you so much, again.
Sincerely,
Pablo Avalos.

元の投稿で解決策を見る

PabloAvalos · ‎03-21-2022

Hi @jonathon_generac

Please accept my apologies for the delay. We are overloaded on the requests these days. I really appreciate your patience.

Regarding to your question, my understanding about it is not fully right, may you clarify me this part "a secure means to reset all of flash memory to its original state without potentially allowing someone to extract a portion of the application", because it is unclear for me what do you mean, because when you reset the whole flash memory to its original state, the application is erased and nobody can access for the same reason.

I will stay tuned to your reply, so I can further assist you. We are more than glad to help you.

Thank you.
Sincerely,
Pablo Avalos.

jonathon_generac · ‎03-21-2022

Thanks for taking the time to look into this Pablo.

My application has the following requirements:

Firmware updates will normally be performed using IAP and would not write to the boot sector.
The device must be protected such that an unauthorized third-party may not use the ISPs and/or SWD to extract all or part of the programmed firmware, since it contains sensitive proprietary information.
Occasionally, it may be necessary to write to the boot sector and/or enable programming via the SWD or ISP interfaces. In these cases, it would be acceptable to erase all of memory to obtain access.

Based on my understanding:

CRP2 and CRP3 would not allow the boot sector to be erased or modified, even using the ISP reinvoke command in the ISP.
CRP1 allows the boot sector to be erased if all of memory is erased. However, it also allows a third-party to load a program to flash and/or RAM and execute the program using the ISP Go command. This would potentially allow an unauthorized third-party to load a program into memory, execute the program and use the program to extract the contents of flash memory.

Considering this, there may be no way to meet the requirements noted above.

Is this correct?

Regards,

Jonathon

PabloAvalos · ‎03-29-2022

Hello @jonathon_generac

Thank you so much for your patience!

I was checking in more detail your requirement, and I realized that you are correct, since datasheet shows this information:

"CRP Level 3 is the highest level supported by the LPC1100/LPC1300 devices. In sophisticated reverse engineering, an intellectual property thief may be able to learn proprietary information about a design by fully erasing and then programming the target device with custom test code and analyzing how the PCB behaves. This would then enable the thief to implement a counterfeit design without ever having read original object code. CRP Level 3 effectively disables ISP functionality1 and SWD, thus the device’s flash memory can no longer be modified. Should there be instances where hardware cannot be allowed to run unauthorized code, CRP Level 3 should be used. Be aware that there is no built-in recovery for designs once CRP Level 3 is enabled. The most simplistic way of implementing a custom recovery mechanism involves the “Re-Invoke ISP” IAP call."

It applies exactly equal to LPC15xx,

Also, I would like to suggest you to check the following application note that might be helpful (it applies to LPC15xx too):

https://www.nxp.com/docs/en/application-note/AN10968.pdf

Hope the information provided was helpful, please let me know if you have more questions. I'll be more than happy to assist you.

Thank you again for your patience.
Sincerely,
Pablo Avalos.

jonathon_generac · ‎03-30-2022

Pablo,

Thanks for this additional feedback. The application note was enlightening.

There is one discrepancy that I would like to clarify regarding CRP2.

AN10968 Section states: "To prevent this, CRP Level 2 further increases security by only supporting full
chip erasure. This ensures that devices are entirely blank prior to updates, and therefore
not susceptible to modification by an attacker."

UM10736 Table 486, regarding the ISP Erase Sector command, states: "This command is used to erase one or more sector(s) of on-chip flash memory. The boot block can not be erased using this command. This command only allows erasure of all user sectors when the code read protection is enabled."

UM10736 Table 501, regarding the IAP Erase Sector command, states: "The boot sector can not be erased by this command."

UM10736 Table 474, regarding CRP2, states: "When CRP2 is enabled the ISP erase command only allows erasure of all user sectors."

It looks like the application note (AN10968) contradicts the LP15xx user manual (UM10736) regarding memory erasure in CRP2 as the application notes that CRP2 supports "full chip" erasure, but the LP15xx user manual states that CRP2 only supports erasure of user sectors.

It seems like the intent of CRP2 would be to allow the chip to be restored to factory state, as explained in the application note, but this contradicts the LPC15xx user manual, which indicates that the boot sector may not be erased even when full erasure is selected.

Thanks,

Jonathon

PabloAvalos · ‎04-19-2022

Hi @jonathon_generac

I truly appreciate that you were so patient. Thank you so much.

I have a concrete answer for the confusion, actually with the CRP2 level on LPC15xx can only be erased all the sectors only and exclusively (not only user sectors as it was being mentioned), so maybe the description on the UM is not accurate about user sectors. This screenshot taken from UM is more clear.

Hoping the information was helpful, please let me know if you have more questions.

Thank you so much, again.
Sincerely,
Pablo Avalos.

PabloAvalos · ‎04-12-2022

Hi @jonathon_generac

Please accept my apologies for the delay. The number of requests these days were too high. I truly appreciate that you were so patient.

Your questions about CRP2, I am still double-checking with my teammates to give you the proper answer possible. Please let me know if you have any other questions. I will answer you as soon as possible with the proper information.

Thank you so much again.
Sincerely,
Pablo Avalos.

Is there any secure way to reset entire memory of LPC15xx?

Is there any secure way to reset entire memory of LPC15xx?

lpc15xx