LPC552x: How to write CMPA to disable debug subdomains from application?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LPC552x: How to write CMPA to disable debug subdomains from application?

Jump to solution
4,181 Views
bas_v
Contributor II

Hi,

We are currently working with a LPC5526 and LPC5528 (both JBD64 non-S variant) and for production purposes we want to disable debug access through SWD and ISP to prevent code readout.

From https://community.nxp.com/t5/LPC-Microcontrollers/LPC5528-how-to-reach-code-security-equal-to-CRP2-i... and the user manual I understand we can write the CC_SOCU_PIN and CC_SOCU_DFLT to disable debug subdomains.

For this I wrote the following code:

 

 

 

#define CMPA_PAGE_LENGTH (512)

// Initialize ROM API for reading CMPA
flash_config_t flashInstance;
FFR_Init(&flashInstance);

// Allocate memory
cmpa_cfg_info_t* cmpaPageData = (cmpa_cfg_info_t*)calloc(CMPA_PAGE_LENGTH, 1);
if (cmpaPageData != NULL) {
	// Read CMPA page back
	FFR_GetCustomerData(&flashInstance, (uint8_t*)cmpaPageData, 0, CMPA_PAGE_LENGTH);

	// Disable all debug subdomains by writing 1/0 for PIN/DFLT
	cmpaPageData->dcfgPin =  0b1111111111;
	// Mirror the value as described in the forum post
	cmpaPageData->dcfgPin |= (~cmpaPageData->dcfgPin << 16);

	cmpaPageData->dcfgDflt = 0b0000000000;
	cmpaPageData->dcfgDflt |= (~cmpaPageData->dcfgDflt << 16);

	// Disable ISP
	cmpaPageData->bootCfg = 0b1110000;

	// Write CMPA page
	FFR_CustFactoryPageWrite(&flashInstance, (uint8_t*)cmpaPageData, false);

	// Free allocated memory
	free(cmpaPageData);
}

 

 

 

 

So for this we read the content from the CMPA page back, configure the CC_SOCU registers and write the page with the modified page content.

Result of running this is code is that the SWD and ISP are disabled, which is good. But additionally the application that was programmed will not run after resetting the microcontroller. The FFR_GetCustomerData function returns success status.

Next to this, I've attempted to leave out modifying the registers and just write the result of FFR_GetCustomerData back using FFR_CustFactoryPageWrite. This also had the same result.

I cannot find any clue in the documentation why our application won't run anymore after a reset/power-cycle. Is there something I'm missing? Is there another way to write CMPA from the application?

Labels (1)
1 Solution
3,930 Views
Erik_M
Contributor I

For those who are interested; see the attached example to see how to write the CMPA page correctly.

With this example you are able to enable/disable flash protect.

 

View solution in original post

9 Replies
3,016 Views
paplewski
Contributor I

Hello,

I was trying to enable flash protect on LPC55s28 with the solution marked as working from Erik_M and after reset I am unable to connect to the board, but the board runs correctly (I can see that on the UART output). This is the debugger output when trying to connect:

paplewski_1-1644949640880.png

Output from the UART suggests that the CMPA page was written correctly:

paplewski_2-1644950213853.png

 

---

On the other hand I've previously tried the code from original poster bas_v on custom hardware with LPC5528 it seems to be bricked after reset (on output on the UART, no LED turns on)...

Could you please help me with enabling the flash protection on these platforms?? Also is there a way to recover access any of this boards?

Output from the Jlink commander for LPC5528:

SEGGER J-Link Commander V7.60c (Compiled Jan 7 2022 16:15:01)
DLL version V7.60c, compiled Jan 7 2022 16:13:45

Connecting to J-Link via USB...O.K.
Firmware: J-Link V11 compiled Dec 9 2021 14:14:49
Hardware version: V11.00
S/N: 601012298
License(s): RDI, FlashBP, FlashDL, JFlash, GDB
USB speed mode: High speed (480 MBit/s)
VTref=2.806V


Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: LPC5528
Type '?' for selection dialog
Device>
Please specify target interface:
J) JTAG (Default)
S) SWD
T) cJTAG
TIF>s
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>
Device "LPC5528" selected.


Connecting to target via SWD
ConfigTargetSettings() start
Disabling flash programming optimizations: Compare, SkipBlankDataOnProg
ConfigTargetSettings() end
InitTarget() start
Enabling debug access failed (timeout).
InitTarget() end
ConfigTargetSettings() start
Disabling flash programming optimizations: Compare, SkipBlankDataOnProg
ConfigTargetSettings() end
InitTarget() start
Enabling debug access failed (timeout).
InitTarget() end
ConfigTargetSettings() start
Disabling flash programming optimizations: Compare, SkipBlankDataOnProg
ConfigTargetSettings() end
InitTarget() start
ERROR: Wrong DM-AP IDCODE detected: 0xFFFFFFFF
InitTarget() end
ConfigTargetSettings() start
Disabling flash programming optimizations: Compare, SkipBlankDataOnProg
ConfigTargetSettings() end
InitTarget() start
Enabling debug access failed (timeout).
InitTarget() end
Cannot connect to target.

0 Kudos
2,857 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @paplewski 

I am very sorry that we missed your post! When the threads gets old (more than 7 weeks )  new replies  could not arrive directly  into email inbox. 

Regarding : Also is there a way to recover access any of this boards?

You provided a  failed output from the Output from the J-link commander, but was ISP disabled? 

if the MCU has SWD and ISP  disabled it can be permanently bricked, or can not be unlocked from the outside world. Unless you try to recover it with an 1-bit SPI Flash memory as described in the user manual, but this  recovery method needs to be enabled before hand in the PFR. 

regarding : Could you please help me with enabling the flash protection on these platforms?

I tested the  solution marked by Erik_M published from my end, one of my colleagues provide us with demo software. You should be fine to enabled and disabled ISP from application. However , are you looking for another permanent  or wanting to make it permanent?

Best regards, 

Diego.

0 Kudos
3,931 Views
Erik_M
Contributor I

For those who are interested; see the attached example to see how to write the CMPA page correctly.

With this example you are able to enable/disable flash protect.

 

3,914 Views
airios_arno
Contributor II

An important note is that because of the flash operations being performed, the system clock needs to be below 100 MHz.
This is one of the things we ran into while using this code.

4,079 Views
bas_v
Contributor II

Hi,

We have attempted the following code on an EVK with LPC55S28 to write CMPA with plain zeros. After this, the whole micro seems to be bricked. I cannot access the ISP interface anymore, nor the application runs or SWD works.

#define CMPA_PAGE_LENGTH (512)

// Initialize ROM API for reading CMPA
flash_config_t flashInstance;
FFR_Init(&flashInstance);

// Allocate memory
cmpa_cfg_info_t* cmpaPageData = (cmpa_cfg_info_t*)calloc(CMPA_PAGE_LENGTH, 1);
if (cmpaPageData != NULL) {
// Read CMPA page back
FFR_GetCustomerData(&flashInstance, (uint8_t*)cmpaPageData, 0, CMPA_PAGE_LENGTH);

// Write CMPA page
FFR_CustFactoryPageWrite(&flashInstance, (uint8_t*)cmpaPageData, false);

// Free allocated memory
free(cmpaPageData);
}

We are doing something wrong here. Could you provide an example to write CMPA from application code? What are we missing?

0 Kudos
4,038 Views
Erik_M
Contributor I

This implementation was also tested with a SDK example project resulting the same outcome. Please find the project attached.

Simply reading the CMPA page and write the same page back seems to brick the micro. Any ideas what we are doing wrong here?

4,012 Views
diego_charles
NXP TechSupport
NXP TechSupport

Hi @bas_v  and @Erik_M 

Many thanks  for providing us your additional inputs.

Currently we are working in this. We have seen that there is a internal ticket with the same inquiries with a representant of yours. He let me know that  we could continue through the ticket. After having a resolution we could publish here in the forum. 

Diego.

 

0 Kudos
4,107 Views
bas_v
Contributor II

Hi,

Thank you for your response.

Unfortunately, the ISP pins are not easy accessible on our custom hardware. Therefore I cannot use them.

I will describe the observation in further detail. When I read back the CMPA using FFR_GetCustomerData, it seems the CMPA is completely empty when unused before. It reads all zeros. I have written the CMPA with the disabled debug configuration and in another attempt just plain zeros that I've read back using FFR_GetCustomerData. But when I power-cycle the LPC, it doesn't jump to the application anymore. My application in flash isn't started.

So the debugging interfaces are disabled, but the application isn't executed anymore after a power-cycle. It doesn't seem to jump to the application.

When I erase and reprogram my application using J-Flash, it is executed again.

My goal is to disable the debug interfaces from application code by writing SOCU_PIN and SOCU_DFLT in CMPA. Is there example code available on how to do this?

Kind regards,

Bas

0 Kudos
4,114 Views
Alice_Yang
NXP TechSupport
NXP TechSupport

Hello,

1) Recommend make the ISP mode is enabled all the time. The ISP mode is used for testing purposes in case of a wrong configuration is loaded. There is a possibility to reload the configuration.

2) What about your application, what about the detail about it doesn't work.

3) I just curious about how to read after disable debug and ISP。

 

BR

Alice

0 Kudos