LPC55S28 - Debug Credential issue with PyOCD/ICE probe

GaryLPC · ‎06-20-2023

Hi,

I'm using a LPC55S28 device with signature enabled. Security is working fine, CMPA/CFPA have been programmed so that only signed binaries are booting, this part is ok.

Now, I'd like to use my JTAG to debug some issues and I can't get my current probe (ICE + PyOCD) to authenticate properly. Here is the output I get:

$ nxpdebugmbox --version
nxpdebugmbox, version 1.10.1
$ nxpdebugmbox --debug -p 1.0 auth -b 0 -c dc/dck_rsa_2048.dc -k dc/dck_rsa_2048.pem
INFO:spsdk.apps.nxpdebugmbox:Starting Debug Authentication
# Interface Id Description
------------------------------------------------------------------
0 PyOCD J42700018269 Atmel Corp. Atmel-ICE CMSIS-DAP
DEBUG:spsdk.debuggers.debug_probe_pyocd:The SPSDK PyOCD Interface has been initialized (1363ms since start, debug_probe_pyocd.py:66)
DEBUG:pyocd.core.session:Project directory: /home/user/workspace/thing/lpc-sb (1373ms since start, session.py:177)
DEBUG:pyocd.core.session:Project directory: /home/user/workspace/thing/lpc-sb (1373ms since start, session.py:177)
DEBUG:pyocd.probe.pydapaccess.interface.pyusb_backend:Detaching Kernel Driver of Interface 0 from USB device (VID=03eb PID=2141). (1377ms since start, pyusb_backend.py:108)
DEBUG:pyocd.probe.pydapaccess.dap_access_cmsis_dap:CMSIS-DAP v1 probe J42700018269: protocol version 1.0.0 (1381ms since start, dap_access_cmsis_dap.py:783)
DEBUG:pyocd.probe.pydapaccess.interface.pyusb_backend:closing interface (1383ms since start, pyusb_backend.py:238)
DEBUG:pyocd.coresight.coresight_target:Using default Cortex-M memory map (no memory map supplied) (1384ms since start, coresight_target.py:50)
DEBUG:pyocd.probe.pydapaccess.interface.pyusb_backend:Detaching Kernel Driver of Interface 0 from USB device (VID=03eb PID=2141). (1388ms since start, pyusb_backend.py:108)
DEBUG:pyocd.probe.swj:Sending deprecated SWJ sequence to select SWD (1394ms since start, swj.py:162)
DEBUG:spsdk.debuggers.debug_probe_pyocd:DPIDR(idr=1805657207, partno=186, version=2, revision=6, mindp=False) (1398ms since start, debug_probe_pyocd.py:119)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read DP, address: 00000004, data: F0000F40 (1398ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe:Checked Sticky Errors: 0xf0000f40 (1398ms since start, debug_probe.py:283)
DEBUG:spsdk.debuggers.debug_probe:Power up the debug connection (1398ms since start, debug_probe.py:361)
DEBUG:spsdk.debuggers.debug_probe:Power Control the debug connection:
System power: True
Debug power: True (1398ms since start, debug_probe.py:334)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000004, data: 50000F00 (1399ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read DP, address: 00000004, data: F0000F40 (1399ms since start, debug_probe_pyocd.py:190)
INFO:spsdk.debuggers.debug_probe_pyocd:PyOCD connected via Atmel-ICE CMSIS-DAP probe.
DEBUG:spsdk.dat.debug_mailbox:Reset mode: True (1399ms since start, debug_mailbox.py:66)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000008, data: 000000F0 (1400ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Selected AP: 0, Bank: 0xf (1400ms since start, debug_probe.py:382)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read AP, address: 0000000C, data: 00000000 (1401ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000008, data: 020000F0 (1401ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Selected AP: 2, Bank: 0xf (1401ms since start, debug_probe.py:382)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read AP, address: 0000000C, data: 002A0000 (1402ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.dat.debug_mailbox:Found debug mailbox access port at AP2, IDR: 0x002A0000 (1402ms since start, debug_mailbox.py:190)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000008, data: 02000000 (1402ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Selected AP: 2, Bank: 0x0 (1402ms since start, debug_probe.py:382)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write AP, address: 00000000, data: 00000021 (1402ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Trying to re-initialize debug connection (1404ms since start, debug_probe.py:319)
DEBUG:spsdk.debuggers.debug_probe:Power down the debug connection (1404ms since start, debug_probe.py:367)
DEBUG:spsdk.debuggers.debug_probe:Power Control the debug connection:
System power: False
Debug power: True (1404ms since start, debug_probe.py:334)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000004, data: 10000F00 (1404ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read DP, address: 00000004, data: 30000F00 (1407ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe:Power Control the debug connection:
System power: False
Debug power: False (1407ms since start, debug_probe.py:334)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000004, data: 00000F00 (1407ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Power up the debug connection (1407ms since start, debug_probe.py:361)
DEBUG:spsdk.debuggers.debug_probe:Power Control the debug connection:
System power: True
Debug power: True (1407ms since start, debug_probe.py:334)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000004, data: 50000F00 (1407ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read DP, address: 00000004, data: F0000F00 (1408ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read DP, address: 00000004, data: F0000F00 (1409ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe:Checked Sticky Errors: 0xf0000f00 (1409ms since start, debug_probe.py:283)
DEBUG:spsdk.debuggers.debug_probe:Debug interface: Read OK fail detected:

- READOK: Read operation failed (1409ms since start, debug_probe.py:299)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000000, data: 0000001F (1409ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write DP, address: 00000008, data: 02000000 (1459ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe:Selected AP: 2, Bank: 0x0 (1459ms since start, debug_probe.py:382)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read AP, address: 00000000, data: 00000000 (1461ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.utils.misc:Loading binary file from /home/user/workspace/thing/lpc-sb/dc/dck_rsa_2048.dc (1511ms since start, misc.py:213)
DEBUG:spsdk.dat.debug_mailbox:<- spin_write: 0x0000_0010 (1511ms since start, dm_commands.py:52)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight write AP, address: 00000004, data: 00000010 (1511ms since start, debug_probe_pyocd.py:220)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read AP, address: 00000000, data: 00000000 (1512ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.debuggers.debug_probe_pyocd:Coresight read AP, address: 00000008, data: 80000001 (1544ms since start, debug_probe_pyocd.py:190)
DEBUG:spsdk.dat.debug_mailbox:-> spin_read: 0x8000_0001 (1544ms since start, dm_commands.py:72)
DEBUG:pyocd.probe.pydapaccess.interface.pyusb_backend:closing interface (1544ms since start, pyusb_backend.py:238)
Debug Mailbox authentication failed:
SPSDK: Problem with debug probe occurred

I'm wondering if the issue comes from the DC setup, the probe or pyocd.

Couple more remarks:

1- I can use that probe fine when security isn't enabled, but I need to provide the target:

pyocd load test.elf --target lpc55s28

But the log says nxpdebugmbox says "Using default Cortex-M memory map (no memory map supplied)", can we provide the pyocd target to the nxpdebugmbox?

2- the DC hash matches the hash generated with the CMPA, but I'm providing the yml files in case it helps

Can someone confirm if pyocd/ICE worked for them to load the DC?

Regards,

Gary

Alice_Yang · ‎06-26-2023

Hello @GaryLPC

1) LPC55S28 doesn't support JTAG debug, support SWD.

2) About debug authentication, you can refer to

https://www.nxp.com.cn/docs/en/application-note/AN13037.pdf

BR

Alice

GaryLPC · ‎06-26-2023

Hi @Alice_Yang ,

Thanks for your answer, here are mine:

1) Yes sorry I meant SWD, not JTAG

2) I already refered to this App Note, hence my post here. You can see the output of the authentication command in my case. Do you have any advice?

Also, I want to point out that this appliaction note seems outdated as it includes commands that simply do not work any longer. For instance, `nxpkeygen` does NOT have a `gendc` option to create the debug credentials. It seems like `nxpdebugmbox` should be used instead. Do you have a more recent version of the app note?

Regards,

Gary

Alice_Yang · ‎06-28-2023

Hello @GaryLPC

1) Yes, this application note outdated, because the SPSDK tool update, so some commands changed,

you can use --help to check usage if there is error. While the steps almost the same.

New version API you can also refer to:

https://spsdk.readthedocs.io/en/latest/api/dat.html

2) About your case, does it can enter ISP mode now? If yes, read back CMPA and CFPA, send them to me, I help you check.

3) And when use it pay attention every step to configure CMPA and CFPA, before program them check the value refer to UM, confirm there is no issue, then download to grogram. As my experience, always have issue in here.

BR

Alice

GaryLPC · ‎06-29-2023

Hi @Alice_Yang ,

Thanks for the answer.

1) Noted.

2) Yes ISP is working fine, please find the cfpa/cmpa I dumped as follows:

pfr read -d lpc55s2x -u 0x1fc9:0x0021 -t cmpa -o cmpa.bin -y cmpa-parsed.txt --show-diff
pfr read -d lpc55s2x -u 0x1fc9:0x0021 -t cfpa -o cfpa.bin -y cfpa-parsed.txt --show-diff

3) I even tried setting DBGEN PIN & DFLT to 1 but I couldn't generate the CMPA as the tool wouldn't allow the generation.

Regards,

Gary

Alice_Yang · ‎07-03-2023

Hello @GaryLPC

From you cmpa.bin and cfpa.bin, not enabled Debug authenticaiton.

Pay attention, for the CC_SOCU_PIN and CC_SOCU_DFLT of cmpa and cfpa, 31:16 bits are inverse valule of 15:0 , detail refer to UM11126 as below:

In your cmpa&cfpa, they are all "0".

I attached a example for lpc55s69, the same with lpc55s28, it includes all the files you can refer to.

Pay attention, when you change cmpa and cfpa, please in one cycle, I mean, after finished all the changes, then reset, do not reset in middle. And the CFPA update mechanism checks the value of version at each update. The new version must be higher than the previous one

BR

Alice

GaryLPC · ‎07-03-2023

Hi @Alice_Yang ,

Yes I've found that issue, this is because the generation commands in the documentation you pointed to is wrong and is missing an argument to enable the inverted values.

Now with the updated cmpa/cfpa I can communicate to the DAP, however it is still impossible to properly authenticate, it gives the following output:

nxpdebugmbox -v -p 1.0 auth -b 0 -c dc/dck_rsa_2048.dc -k dc/dck_rsa_2048.pem
INFO:spsdk.apps.nxpdebugmbox:Starting Debug Authentication
  #   Interface   Id             Description                      
------------------------------------------------------------------
  0   PyOCD       J42700018269   Atmel Corp. Atmel-ICE CMSIS-DAP  
INFO:spsdk.debuggers.debug_probe_pyocd:PyOCD connected via Atmel-ICE CMSIS-DAP probe.
INFO:spsdk.apps.nxpdebugmbox:DAC:
Version                : 1.0
SOCC                   : 1, LPC550x, LPC55s0x, LPC551x, LPC55s1x, LPC552x, LPC55s2x, LPC55s6
UUID                   : 00000000000000000000000000000000
CC_VU                  : 0
ROTID_rkh_revocation   : 00000000
ROTID_rkth_hash        : 3114e0dba5d002422f43d4f3f785ddbf1a6fef24e918552b3a3f8109cc5b0f26
CC_soc_pinned          : 00000000
CC_soc_default         : 00000000
Challenge              : b35c7ee9fd21da82c86923c3a705cc275e12b7a36f5c84b4c8a3ccafbd35bf1b

Debug Mailbox authentication failed:
SPSDK: Problem with debug probe occurred

I'm attaching an archive containing my updated public keys & CMPA/CFPA for you to check.

Please confirm that you have tested this procedure on LPC55S28 and not only the LPC55S69?

Regards,

Gary

Alice_Yang · ‎07-04-2023

Hello @GaryLPC

Sorry I add attachment for last reply.

I checked your files, there is still issue with cmpa.bin, please refer to my attachment to change, it includes all the files. and sorry I have no lpc55s28 to test, it is the same with lpc55s69.

BR

Alice

GaryLPC · ‎07-04-2023

Hi,

Can you be more specific about what is wrong with my CMPA?

When I compare your CMPA with mine i see 2 differences (aprat from the ROTKH, see attached):

1- We disable DICE as suggested in NXP documentation:
https://spsdk.readthedocs.io/en/latest/examples/lpc55sxx_secure_boot.html#CMPA-page-preparation

-> please confirm if the documentation wrong?

2- We enable secure boot, which is the whole purpose of the debug authentication, to be able to use JTAG while the device is secure no?

https://spsdk.readthedocs.io/en/latest/examples/lpc55sxx_secure_boot.html#CMPA-page-preparation

-> can you confirm the debug authentication doesn't work when secure boot is used?

Finally, your log shows that this has been tested on a really old spsdk whereas I just installed mine so it is up to date (version 1.10.1), can you confirm this has been tested with latest version?

Regards,

Gary

Alice_Yang · ‎07-06-2023

Hello @GaryLPC

Firstly do not enable secure boot to test Debug Authentication function.

Yes, these files are used by old version SPSDK, while result of cmpa.bin and cpfa.bin is the same.

BR

Alice

GaryLPC · ‎06-28-2023

Hi @Alice_Yang

Any update on this?

Thanks

GaryLPC · ‎06-22-2023

Hi,

I just tried the same procedure on an LPC55S28 EVK and got the same result using the LPC-LINK2 debugger:

$ nxpdebugmbox -v -p 1.0 auth -b 0 -c dc/dck_rsa_2048.dc -k dc/dck_rsa_2048.pem
INFO:spsdk.apps.nxpdebugmbox:Starting Debug Authentication
  #   Interface   Id         Description                                    
----------------------------------------------------------------------------
  0   PyOCD       LRAZBQEQ   NXP Semiconductors LPC-LINK2 CMSIS-DAP V5.224  
INFO:spsdk.debuggers.debug_probe_pyocd:PyOCD connected via LPC-LINK2 CMSIS-DAP V5.224 probe.
Debug Mailbox authentication failed:
SPSDK: Problem with debug probe occurred

Feels like something is missing in the instructions?

Regards,

Gary

LPC55S28 - Debug Credential issue with PyOCD/ICE probe

LPC55S28 - Debug Credential issue with PyOCD/ICE probe

LPC55xx