LPC55S69 - unsealed CMPA erase

756 views
bricker
Contributor I

Is there any way to erase the CMPA region if it is not locked/sealed, i.e. if it doesn't contain the digest at its end?

If not, is there a way to flip the secure boot field (SECURE_BOOT_CFG.SEC_BOOT_EN) back to 0b00 (plain image)? I saw another post where the answer was that, once enabled, secure boot cannot be disabled anymore, but the context was not clear there (how the enabling process was performed, i.e. was the CMPA digest written or remained all zeros).


708 views
FelipeGarcia
NXP Employee

Hi,

You can change the configuration as long as CMPA is not sealed (HASH of CMPA written). Also, please check the extract below from AN12283 that confirms this.

This page could be locked after manufacturer programs the page. This is done by writing the SHA 256 digest of the CMPA page into the SHA memory space of CMPA area.

Regards,

Felipe


700 views
bricker
Contributor I

Hi,

Thank you for the response.

I've noticed in my experiments that, if CMPA is not sealed, I can change (set to zero) any field in it using the ISP API (e.g. blhost write-memory) except for ROTKH.

On the other hand, using the IAP API (FFR_CustFactoryPageWrite), I can set the entire CMPA page to zero, including the ROTKH part.

Please confirm that this is the expected behavior of these APIs.

Also, as it seems that an unsealed CMPA page cannot be erased directly with the ISP API, would the erase command work from within an SB2.1 image? In other words, would ROM code agree to perform this kind of sequence from a cmd_file.bd:

options
{
    flags = 0x8; // SB2.1, encrypted + signed
    buildNumber = 0x1;
    productVersion = "1.00.00";
    componentVersion = "1.00.00";
    secureBinaryVersion = "2.1";
}

sources
{
    inputFile = extern(0);
}

section (0)
{
    erase 0x0..0x40000;
    load inputFile > 0x0;
    erase 0x9e400..0x9e5ff;
}

 

Regards,

Z.
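The thread turns on whether the CMPA page is sealed, i.e. whether its SHA-256 digest has been written or the digest field is still all zeros. The following is an added example, not code from the thread or from NXP: a check over a raw 512-byte dump of the 0x9e400..0x9e5ff range quoted above. It assumes the digest occupies the last 32 bytes of the page and covers every byte before it; the function names and sample pages are constructed for illustration.

```python
import hashlib
import hmac

CMPA_SIZE = 0x200        # 0x9e400..0x9e5ff inclusive, as quoted in the thread
DIGEST_LEN = 32          # SHA-256 output size
# Assumption: the digest field is the last 32 bytes of the page and is
# computed over all bytes that precede it.
DIGEST_OFF = CMPA_SIZE - DIGEST_LEN


def cmpa_seal_state(page: bytes) -> str:
    """Classify a raw CMPA dump as 'unsealed', 'sealed' or 'digest-mismatch'."""
    if len(page) != CMPA_SIZE:
        raise ValueError(f"expected {CMPA_SIZE} bytes, got {len(page)}")
    body, stored = page[:DIGEST_OFF], page[DIGEST_OFF:]
    if stored == bytes(DIGEST_LEN):
        return "unsealed"            # digest never written: fields still changeable
    if hmac.compare_digest(stored, hashlib.sha256(body).digest()):
        return "sealed"
    return "digest-mismatch"         # digest present but does not match the fields


def constructed_page(body_fill: int, seal: bool) -> bytes:
    """Build a constructed (not real) CMPA image for the self-check below."""
    body = bytes([body_fill]) * DIGEST_OFF
    digest = hashlib.sha256(body).digest() if seal else bytes(DIGEST_LEN)
    return body + digest


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:           # path to a 512-byte dump of the CMPA range
        with open(sys.argv[1], "rb") as f:
            print(cmpa_seal_state(f.read()))
    else:                            # no dump given: run on constructed pages
        for name, page in [("unsealed", constructed_page(0x5A, False)),
                           ("sealed", constructed_page(0x5A, True))]:
            print(name, "->", cmpa_seal_state(page))
```

Running this against a dump taken at the end of provisioning gives a quick confirmation that a production unit reports "sealed" before it ships.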