MCXA153 Read Out Protection


Ⅰ、Introduction

MCXA153 supports Read Out Protection (ROP) to protect code in the device's internal flash from being read out. This read out protection is a mechanism that allows the user to enable different levels of protection in the system. This article explains in detail the configuration of the four ROP levels as well as the relationships between the different levels and the corresponding life cycles.

Ⅱ、Four levels of Read Out Protection (ROP)

ROP is controlled by the ROP_STATE bits, a 32-bit field stored in IFR0. It can be programmed by the customer.

Alice_Yang_0-1706325267752.png

Below is an introduction to the four ROP levels:

1.ROP_LEVEL0

  • ROP_STATE = 0xFFFF_FFFF (erased FLASH value)
  • No ROP. Default for blank state.

2.ROP_LEVEL1

  • ROP_STATE = 0x0000_0003
  • Debug is disabled and unlocked; however, it can be modified by the customer. Only limited debug mailbox commands are available.

3.ROP_LEVEL2

  • ROP_STATE = 0x0000_0001
  • Debug is disabled and locked; it cannot be modified by the customer. Only limited debug mailbox commands are available.

4.ROP_LEVEL3

  • ROP_STATE = 0x0000_0000
  • Debug is disabled and locked; it cannot be modified by the customer. No debug mailbox commands are available.

NOTE: Anything else = ROP3-like behavior (Debug disabled/Locked, ISP disabled).

When the ROP level is 0, we can change the ROP level to 1, 2, or 3 by modifying the value of ROP_STATE in IFR0. When the ROP level is 1 or 2, we can change the ROP level to 0 through the ISP or DM-AP command. ROP level 3 is a one-way trip, so be careful. Below is a diagram of the relationship between the four levels:

Alice_Yang_1-1706325267843.jpeg

 

Ⅲ、Life cycle and ROP

When the chip is delivered to the customer from NXP, the life cycle is “NXP Provisioned”; we can also call it “OEM Open”, “OEM Field return”, or “NXP Field Return”. At this point, the chip is completely blank, and ISP and debugging functions are allowed. Of course, the ROP level at this point is 0. In this lifecycle, customers can develop and debug.

During customer production, customers can impose certain restrictions on ISP and debugging based on their needs through ROP. Customers can choose between ROP level 1 or ROP level 2. The lifecycle at this point is “OEM Closed”. In this lifecycle, when there are some quality issues, customers can use the ISP or DM-AP command to erase the entire chip, or use the DM-AP command “set FA” to transfer the chip life cycle to the initial state, and return it to NXP’s factory for analysis without storing any IP assets.

In some scenarios, customers may need to completely disable ISP and debugging functions. In that case, customers can set the ROP level to 3, and the chip’s lifecycle is “OEM No Return”. Please note that at this point, even NXP cannot restore the chip. So once there are some CQC issues, our factory cannot conduct further analysis.

Also, we can transfer the chip to a “Bricked” state in any lifecycle. In the “Bricked” lifecycle, the chip will not boot and becomes a brick. The following table shows the relationship between life cycle and ROP:

Alice_Yang_2-1706325267943.png
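
The ROP_STATE encodings and life cycles described above, as an added C example (not NXP code and not part of the original article): it decodes a ROP_STATE word, reports undefined words separately because the NOTE says they behave like ROP3, and gates programming of values with no way back to ROP 0. The function names and the pre-flight policy are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ROP_STATE encodings as listed in this article. */
typedef enum { ROP_L0, ROP_L1, ROP_L2, ROP_L3, ROP_UNDEFINED } rop_level_t;

/* Life cycle the article names for each level, indexed by rop_level_t. */
static const char *const LIFECYCLE[] = {
    "OEM Open", "OEM Closed", "OEM Closed", "OEM No Return", "ROP3-like"};

/* Decode a 32-bit ROP_STATE word. Any word not in the table is reported
 * separately, because the article says it gets ROP3-like behavior. */
rop_level_t rop_decode(uint32_t rop_state) {
    switch (rop_state) {
    case 0xFFFFFFFFu: return ROP_L0; /* erased flash value, no ROP */
    case 0x00000003u: return ROP_L1;
    case 0x00000001u: return ROP_L2;
    case 0x00000000u: return ROP_L3;
    default:          return ROP_UNDEFINED;
    }
}

const char *rop_lifecycle(rop_level_t lvl) { return LIFECYCLE[lvl]; }

/* True if the device is at ROP0 or the article describes a way back to it
 * (ISP or DM-AP erase from ROP1/ROP2). */
bool rop_recoverable(rop_level_t lvl) {
    return lvl == ROP_L0 || lvl == ROP_L1 || lvl == ROP_L2;
}

/* Hypothetical pre-programming gate (policy assumed by this example):
 * refuse undefined words outright, and require an explicit opt-in
 * before writing the one-way ROP3 value. */
bool rop_preflight_ok(uint32_t planned, bool allow_one_way) {
    rop_level_t lvl = rop_decode(planned);
    if (lvl == ROP_UNDEFINED) return false;
    return rop_recoverable(lvl) || allow_one_way;
}

int main(void) {
    /* Constructed sample words; 0x2 is one bit away from ROP1 and ROP2. */
    const uint32_t samples[] = {0xFFFFFFFFu, 0x3u, 0x1u, 0x0u, 0x2u};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        rop_level_t l = rop_decode(samples[i]);
        printf("0x%08X -> %-13s recoverable=%d preflight=%d\n", (unsigned)samples[i],
               rop_lifecycle(l), rop_recoverable(l), rop_preflight_ok(samples[i], false));
    }
    return 0;
}
```
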

Ⅳ、Impact of different ROP levels on SWD and ISP

The supported SWD and ISP commands are different at different ROP levels.

Going from ROP0 to ROP3, fewer commands are supported at each level. The following figures show the commands supported by SWD and ISP at the different ROP levels.

  • ISP commands supported in ROP0-ROP3:
Alice_Yang_3-1706325267979.png

 

  • SWD DM-AP commands supported in ROP0-ROP3:
Alice_Yang_4-1706325268038.png

Alice_Yang_5-1706325268071.png

 

Ⅴ、Configure ROP with SEC tool

We can configure ROP through the MCUXpresso Secure Provisioning (SEC) tool. The MCUXpresso Secure Provisioning Tool is a GUI-based application provided to simplify generation and provisioning of bootable executables on NXP MCU devices.

Hardware requirements: FRDM-MCXA153 board, Type-C USB cable

Software requirements: MCUXpresso Secure Provisioning
(MCUXpresso Secure Provisioning v8_b240110 or later.)

Configuration steps:

Step1. Create a new workspace

After opening the software, click File->New Workspace, select "MCX A14x/A15x" -> MCXA153 -> Click "create". Refer to the following figure:

Alice_Yang_6-1706325268283.jpeg

Step2. Connection with Target Processor

Enter ISP mode: Press and hold SW3 (ISP key) => Press and release SW1 (RESET key) => Release SW3

Go to your workspace and click “Target”->Connection, the Connection with Target Processor window is displayed. Here, we make Connection through UART and select port and baud rate. Refer to the following figure:

Alice_Yang_7-1706325268576.jpeg

We can click "Test connection" to check whether the connection is successful. If the connection is successful, the result will display "OK". We can also see the life cycle of the current board: OEM Open. Refer to the following figure:

Alice_Yang_8-1706325268811.jpeg

Step3. Select Life Cycle Settings ROP

Click on the toolbar "OEM Open"

Alice_Yang_9-1706325268833.jpeg

According to the requirements, select the appropriate ROP, in this case ROP 2. NOTE: Use ROP 3 with caution.

Refer to the following figure:

Alice_Yang_10-1706325269057.jpeg

Step4. Build image

After completing the above operations, we need to load the .s19 or .hex file generated by MCUXpresso IDE into the Source executable image.

After the file is loaded, the start address is automatically identified. If the start address is not 0x00000000, you cannot "build image". Then click on "build image". Refer to the following figure:

Alice_Yang_11-1706325269239.jpeg

After the image is built, "SUCCESS: build image" will be displayed. Click "close". Refer to the following figure:

Alice_Yang_12-1706325269546.jpeg

Step5. Write image

We can see that the required .bin file has been generated automatically in "write image", or we can import the corresponding .bin file we wrote by "import". The Image path file will be automatically loaded.

Alice_Yang_13-1706325269769.jpeg

Clicking "write image" opens a confirmation pop-up; click "ok" to run the script automatically. After the file is successfully written, the message "SUCCESS: write image" is displayed. Refer to the following figure:

Alice_Yang_14-1706325269982.jpeg
Alice_Yang_15-1706325270215.jpeg

Step6. Check

When we complete the configuration of ROP 2, we can check the status of registers through "PFR configuration". The used registers cannot be read out and "unknown" is displayed, as shown in the following figure:

Alice_Yang_16-1706325270413.jpeg
Alice_Yang_17-1706325270753.jpeg

Finally, press the RESET key on the board to exit ISP mode. At this point, the board has entered ROP 2 and debug is disabled. The method of entering other ROP levels is the same.

So how do we get back to the other ROP levels?

In the ROP 2 state, debugging is disabled and even the IDE cannot operate; we can only use ISP commands and SWD commands. The SEC tool integrates the SWD bulk erase command to return to ROP 0. Alternatively, we can use the Blhost software to issue an ISP command: enter ISP mode, then enter “blhost -p comxx -- flash-erase-all” to return to ROP 0.

Next, we'll look at using the SWD bulk erase command.

Click on the toolbar "Dbg":

Alice_Yang_18-1706325270774.jpeg

The Select Debug Probe window is displayed. Refer to the following figure:

Alice_Yang_19-1706325271014.jpeg

Select “Probe:” and click “erase”. After the erase succeeds, the following message is displayed: Flash mass erase succeeded! So we've successfully returned to ROP 0.

Ⅶ、Summary

The ROP function protects the security of the chip, and users can set different levels of ROP according to the requirements of their own applications. Using MCUXpresso Secure Provisioning simplifies the ROP configuration process. Configuring different ROPs requires modifying the status bits of ROP_STAT and ROP_STAT_DP in CMPA. The SEC tool helps us automate this work through a GUI interface.

                              

Last update: 01-31-2024 07:14 PM