MPC5777C Censorship Access

cancel
Showing results for 
Search instead for 
Did you mean: 

MPC5777C Censorship Access

Jump to solution
1,136 Views
jeffcampbell
Contributor III

Hi,

My group is currently trying to access an MPC5777C device that we've censored.  We know for sure that the JTAG password is programmed, as well as the password for PASS Group 0 and possibly Group 1, however it's my understanding that we can gain access with only one password.

The life cycle of the device is set to OEM Production.

We are using the Greenhills MULTI environment.  We've successfully been able to reset and halt the device by writing to the jtag_password_hi and jtag_password_lo registers.

We can read flash memory at this point using the "memory view" window.  However, when we try to download a program over the debugger, it seems to fail to read memory at all (i.e. the probe thinks a block is erased when it is actually populated).

Additionally, we're having trouble accessing the CIN0-7 registers.  We've successfully written to the PASS_CHSEL register and have seen it change to acknowledge a new master, but writing the password to the CIN area has no effect.

Can someone help us better understand how to gain access to the device?

Thanks,

Jeff Campbell

P.S.  We figured this out for the most part, turned out it was a matter of having every password group loaded.

The question now, though, is exactly how password words map into CIN0-7.  The manual says that CIN0 matches with the MSB of the password.  Does this mean, for instance, that for Group 0, CIN0 corresponds to the value at 0x00400160?

Thanks again!

Labels (1)
0 Kudos
1 Solution
610 Views
petervlna
NXP Employee
NXP Employee

Hello,

I am not familiar with GHS debugging tools (only with compiler).

However there is no known issue when you unlock memory with programmed JTAG password to censored device.

You are now in OEM production or in field life cycle with programed DCF censorship client (JTAG Password).

pastedImage_1.png

As you can see from above table the device is always read protected. Never only write protected. So without correct password you are not able even to read flash.

Before we can proceed further:

We can read flash memory at this point using the "memory view" window.  However, when we try to download a program over the debugger, it seems to fail to read memory at all (i.e. the probe thinks a block is erased when it is actually populated).

Did you tried to use different debuggers? Like Lauterbach or PEMicro? Or just GHS probe?

Peter

View solution in original post

0 Kudos
2 Replies
611 Views
petervlna
NXP Employee
NXP Employee

Hello,

I am not familiar with GHS debugging tools (only with compiler).

However there is no known issue when you unlock memory with programmed JTAG password to censored device.

You are now in OEM production or in field life cycle with programed DCF censorship client (JTAG Password).

pastedImage_1.png

As you can see from above table the device is always read protected. Never only write protected. So without correct password you are not able even to read flash.

Before we can proceed further:

We can read flash memory at this point using the "memory view" window.  However, when we try to download a program over the debugger, it seems to fail to read memory at all (i.e. the probe thinks a block is erased when it is actually populated).

Did you tried to use different debuggers? Like Lauterbach or PEMicro? Or just GHS probe?

Peter

0 Kudos
610 Views
jeffcampbell
Contributor III

Peter,

Thanks for the quick response.  We only use the GHS probe, and will be in touch with Greenhills for further specific support there.

Thanks!

Jeff

0 Kudos