- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- Product Forums
- :
- S12 / MagniV Microcontrollers
- :
- S12 Flash Protection, Security, and the Backdoor
S12 Flash Protection, Security, and the Backdoor
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
S12 Flash Protection, Security, and the Backdoor
11-05-2008
10:32 PM
2,536 Views
dkelly
Contributor I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Going around in circles trying to retrofit a fielded product. Believe I have finally demonstrated and found documentation confirming our situation is hopeless but want a second opinion. Briefly:
CPU is an S12NE64. The FPROT initial value stored in 0xff0d is 0xc7, protecting 0xf800 through 0xffff from being written or erased. Is there any way from inside the S12NE64 to modify this memory region without physical access to the chip and/or product?
Have no problems updating the contents outside of 0xf800 to 0xffff.
The FSEC initial value stored in 0xff0f is 0xfe which is the "unsecured" value, and apparently not relevant to my problem.
The Backdoor key apparently has nothing to do with protection (against accidental write), only security (locked against copying using a BDM). The backdoor will do nothing to allow me to change 0xf800 through 0xffff from within, even if SEC[1:0] in FSEC was not already 0b10 unsecured.
The FPROT register is essentially moot when running on the BDM. Firmware has no problem updating 0xf800 through 0xffff when running with the BDM attached but fails when BDM is not attached. Is there anything I can do in firmware to make the S12 think a BDM is attached when it is not?
Related problem: There is apparently no way to RESET the CPU from inside if COP is disabled. Someone disabled COP from within our _Startup() which is located in the protected region. This is the primary thing I'm trying to fix with a remote firmware update. If COP was enabled "ARMCOP = 0" promptly trips the COP and produces a RESET. Nobody thought to route an output pin to the RESET pin for software initiated hardware resets.
CPU is an S12NE64. The FPROT initial value stored in 0xff0d is 0xc7, protecting 0xf800 through 0xffff from being written or erased. Is there any way from inside the S12NE64 to modify this memory region without physical access to the chip and/or product?
Have no problems updating the contents outside of 0xf800 to 0xffff.
The FSEC initial value stored in 0xff0f is 0xfe which is the "unsecured" value, and apparently not relevant to my problem.
The Backdoor key apparently has nothing to do with protection (against accidental write), only security (locked against copying using a BDM). The backdoor will do nothing to allow me to change 0xf800 through 0xffff from within, even if SEC[1:0] in FSEC was not already 0b10 unsecured.
The FPROT register is essentially moot when running on the BDM. Firmware has no problem updating 0xf800 through 0xffff when running with the BDM attached but fails when BDM is not attached. Is there anything I can do in firmware to make the S12 think a BDM is attached when it is not?
Related problem: There is apparently no way to RESET the CPU from inside if COP is disabled. Someone disabled COP from within our _Startup() which is located in the protected region. This is the primary thing I'm trying to fix with a remote firmware update. If COP was enabled "ARMCOP = 0" promptly trips the COP and produces a RESET. Nobody thought to route an output pin to the RESET pin for software initiated hardware resets.
4 Replies
11-06-2008
06:06 AM
673 Views
kef
Specialist I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dkelly wrote:
CPU is an S12NE64. The FPROT initial value stored in 0xff0d is 0xc7, protecting 0xf800 through 0xffff from being written or erased. Is there any way from inside the S12NE64 to modify this memory region without physical access to the chip and/or product?
No way. That's possibly only using BDM, when you can reset into special chip modes.
Have no problems updating the contents outside of 0xf800 to 0xffff.
The FSEC initial value stored in 0xff0f is 0xfe which is the "unsecured" value, and apparently not relevant to my problem.
The Backdoor key apparently has nothing to do with protection (against accidental write), only security (locked against copying using a BDM). The backdoor will do nothing to allow me to change 0xf800 through 0xffff from within, even if SEC[1:0] in FSEC was not already 0b10 unsecured.
That's right
The FPROT register is essentially moot when running on the BDM. Firmware has no problem updating 0xf800 through 0xffff when running with the BDM attached but fails when BDM is not attached. Is there anything I can do in firmware to make the S12 think a BDM is attached when it is not?
No.
Related problem: There is apparently no way to RESET the CPU from inside if COP is disabled. Someone disabled COP from within our _Startup() which is located in the protected region. This is the primary thing I'm trying to fix with a remote firmware update. If COP was enabled "ARMCOP = 0" promptly trips the COP and produces a RESET. Nobody thought to route an output pin to the RESET pin for software initiated hardware resets.
Is bootloader at f800-ffff writing write-once COPCTL register with CR0-CR2 bits all 0? If so, then yes, COP can't be enabled in your case.
But there's still one possibility. I think you can reset your chip using clock monitor reset. You should try to disable oscilator self clock mode and then do full stop. This should cause clock monitor reset. I don't remember details, what register and what bits to write, but I think it's possible.
11-06-2008
03:33 PM
673 Views
dkelly
Contributor I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kef wrote:dkelly wrote:
Related problem: There is apparently no way to RESET the CPU from inside if COP is disabled. Someone disabled COP from within our _Startup() which is located in the protected region. This is the primary thing I'm trying to fix with a remote firmware update. If COP was enabled "ARMCOP = 0" promptly trips the COP and produces a RESET. Nobody thought to route an output pin to the RESET pin for software initiated hardware resets.Is bootloader at f800-ffff writing write-once COPCTL register with CR0-CR2 bits all 0? If so, then yes, COP can't be enabled in your case.But there's still one possibility. I think you can reset your chip using clock monitor reset. You should try to disable oscilator self clock mode and then do full stop. This should cause clock monitor reset. I don't remember details, what register and what bits to write, but I think it's possible.
Yes, thats the first problem. COP is disabled almost immediately in _Startup() which is in the protected region. Have other problems with the old bootloader but appears we'll have to live with them. Fortunately all vectors but the RESET vector are redirected through a jump table low in FLASH allowing most everything to be replaced other than the startup code.
I spent a day or two trying to trick the clock monitor into an unreasonable state. Seemed to me that once its running its too smart to let me do bad things to it. Perhaps that was because I was testing with the BDM attached. If you have code that will trash the clock and trip the clock monitor I would appreciate it.
Oh! Thought of something! The clock monitor interrupt is a RESET that clears the write-once flag protecting COPCTL? I have a redirected vector for the clock monitor interrupt! If my code finds COP disabled I might cause a clock monitor reset and run my _Startup() rather than the old _Startup().
11-06-2008
07:13 PM
673 Views
kef
Specialist I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for misleading you! Looks like it's not possible to force clock monitor reset since, like CME bit description says, clock monitor is disabled in Stop Mode (PSTP=0) :smileysad:. And another show stopper is that SCME bit is write once bit. I guess PLL is enabled in your case, so most probably SCME is locked in SCME=1 state.
I'm sure it was possible to force CME reset this way on old 912D60A. The same looks not possible on S12.
11-06-2008
07:51 PM
673 Views
dkelly
Contributor I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks anyway! What I found was that somebody did their job too well at Motorola/Freescale in making the clock foolproof, at least once its running.
