problems with back-door keys access for MCU security

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

problems with back-door keys access for MCU security

5,894 次查看
ma85_bahar
Contributor II

Hi every body.
i am working on s12xhy using codewarrior 5.1. i know that these steps must be performed for securing micro-controller.
1- backup the sector contains the flash configuration registers.
2- erase the sector.
3- make the desired manipulations:
3-1- clear ACCERR and PVIOL in FSTAT register.
3-2- program the back-door registers using write command (0x06) .
3-3- launch the command (FSTAT = 0x80).
4- restore the rest of flash sector.
is it correct?
now the problem appears: i cant program the configuration registers because their addresses locate on protected region:
FPROT = 0xCF means that the ranges with 0x7F_F000–0x7F_FFFF addresses are protected and backdoor keys locate in 0x7F_FF00 – 0x7F_FF07.
on the other hand it seems that i am not allowed to disable protection of this region. so how can i set the back-door keys?

another question: the the value of FSEC register is 0xFE. it means that MCU is unsecured and the backdoor access is disabled.
is it necessary to enable the backdoor access before securing operations?

10 回复数

5,529 次查看
lama
NXP TechSupport
NXP TechSupport

One more approach for "confusing"....It is for S12G but the approach is the same (S12G is very simplified S12XE which is master device of the 180nm technology devices from S12XE family, like XEG, XHY, XS,...).

Moreover,.. S12(X) MCU Security 

Best regards,

Ladislav

5,529 次查看
ma85_bahar
Contributor II

P&E cyclone should have commands to engage flash security. Choose what suits you best.

what is the command for securing flash. i have searched but nothing is found.

0 项奖励
回复

5,529 次查看
johnny_pe
Contributor III

Hi Mohammad,

If you're using our PROG12Z software or the Cyclone Image Creation utility, the command to engage security is "SD". It should program  0xFC to the NVSEC byte in flash to secure the device. This will disable all access to RAM/FLASH/EEPROM via the BDM BKGD pin. The only way to restore access is a mass erase of the flash (unless your application implemented a backdoor access key). When we erase the device, we always force NVSEC to 0xFE so you don't secure the device everytime you reset it in our software. The "SD" command should be placed at the end of your programming sequence.

Example:

CM Freescale_9S12XHY256_1x16x128k_256k_Linear_Pflash.12P

SS firmware.s19

EN

PM

VC

SD ; Secure Device

Regards,
Johnny

PEMicro Support 

5,529 次查看
ma85_bahar
Contributor II

thanks

I use multi-link programmer and i dont have Cyclone Image Creation utility software.
A- can i use CHIPSECURE command (or any commands) instead ?
(if A is right) is it correct: in> CHIPSECURE SETUP 0xFF0F 0x3 0x1?  // SET SEC[1.0] field in FSEC to secure
(if A is wrong) B- does Cyclone Image Creation utility support multi-link programmer?
(if B is right) how can i get the Cyclone Image Creation utility software.

0 项奖励
回复

5,529 次查看
johnny_pe
Contributor III

Hi Mohammad,

I believe CHIPSECURE is part of the Codewarrior IDE. Unfortunately, I don't have any insight into this command. An NXP application engineer will have to help you there.

The Cyclone Image Creation utility only works with our Cyclone stand alone programmers. 

Regards,

Johnny

PEmicro Support

0 项奖励
回复

5,529 次查看
kef2
Senior Contributor V

I'm not sure. Last time I used Prog12z if memory serves it was SS or something from S letter.

I always integrate security settings (byte at 0xFF0F) in program image.

5,529 次查看
kef2
Senior Contributor V

Hi,

no, backdoor unsecure doesn't involve flash erase/reprogram. After backdoor unsecure MCU stays unsecured until reset (power cycle, reset pin, COP, etc). If you want permanently unsecure, then yes, you need to manipulate NVSEC (0x7F_FF0F) bits erasing reprogramming flash sector. But 1) backdoor unsecure has nothing to do with it and 2) it's not possible if NVPROT bits are set to protect NVPROT location (0x7F_FF0C, see Table 27-3. Flash Configuration Field). Anyway manipulating top flash sector, which includes reset vector is like shooting into you own foot, sudden power loss at bad time and you get dead unit in the field.

First of all let's check if we distinguish properly apples and oranges, security and write protection. You say FPROT is set up to not allow reprogramming 0x7F_F000–0x7F_FFFF. Do we understand that this is flash program/erase protection and not security, right? Security term is only about accessing RAM/FLASH/EEPROM vie BKGD pin.

Backdoor unsecure allows temporary (until first reset) BDM (BKGD pin) access to RAM/FLASH/EEPROM. Backdoor unsecure is there to avoid erasing or reprogramming anything, as well avoid unprotecting write protected FLASH when you need just temporary debug access to secured MCU.


  • 1- backup the sector contains the flash configuration registers.

Not necessary


  • 2- erase the sector.

not necessary


  • 3- make the desired manipulations:
    3-1- clear ACCERR and PVIOL in FSTAT register.
    3-2- program the back-door registers using write command (0x06) .

No. You need to use Verify Backdoor Access Key command (0xC).


  • 3-3- launch the command (FSTAT = 0x80).
    4- restore the rest of flash sector.

Restore is not necessary, Verify Backdoor Access Key command is not destructive, nothing to restore

  • is it necessary to enable the backdoor access before securing operations?

If backdoor is disabled (KEYEN bits at NVKEY location are not 10), you can't use backdoor unsecure.

BTW all flash commands make flash not readable while command executes. This means you need to start command while executing code in RAM and stay in RAM until flash command completes. This means as well interrupt vectors in flash won't be readable to CPU while flash command executes, so you need to disable interrupts for duration of flash command.

0 项奖励
回复

5,529 次查看
ma85_bahar
Contributor II

thanks for reply.
lets see the problem from this point:
i need the program which keeps uc in secured mode. but FSEC = 0xFE, this means that uc is unsecured and back-door access is disabled (KEYEN[1.0] = 11).
so i need do operations that makes back-door access enabled and changes the uc mode to be secured. i will appreciate if you tell me what the operation is.
i have considered that the operation contains theses steps:
1- manipulate the KEYEN[1.0] to 10 (back-door access enabled). (Note that FSEC register locates in protected region)
2- then write the desired keys to locations with addresses 0x7F_FF00 – 0x7F_FF07 (also they locate in protected region).
3- check the SEC field in FSEC. if it changes from 10 to other values the uc securing performed successfully.
now if the user wants to access flash (for example program updates using bootloader) the keys are asked. the user must enter the keys using SCI. i compare the enterd keys with pre-written keys using Verify Backdoor Access Key command (0xC) and if they are matched the uc unsecuring will be acheived.
so my major problem is securing micro-cotroller.
regards.

0 项奖励
回复

5,529 次查看
kef2
Senior Contributor V

FSEC is loaded from location at global address 0x7F_FF0F. So you need to either 1) include this location in your executable flash image or 2) let factory programming setup this location after flashing executable. P&E cyclone should have commands to engage flash security. Choose what suits you best. Any way reprogramming vectors sector at runtime and manipulating KEYEN bits, changing backdoor key is not a good idea. Normally reset vectors, NVSEC, NVPROT, NVBACKKEY locations should be programmed once and write protected.

unsigned char nvsec @ 0xFF0F = 0xBC; // this should make default FSEC = 0xBC.

AFAIK CodeWarrior doesn't support global addresses with @, only nonbanked vanilla CPU address. 0xFF0F is nonbanked equivalent to global 0x7F_FF0F.

Similarly provide backdoor key

unsigned char nvkey[8] @ 0xFF00 = {0,1,2,3,4,5,6,7};

  • 3- check the SEC field in FSEC. if it changes from 10 to other values the uc securing performed successfully.

Yes, read SEC field to check at runtime factory programming didn't miss to engage flash security.

  • i compare the enterd keys with pre-written keys using Verify Backdoor Access Key command (0xC) and if they are matched the uc unsecuring will be achieved.

0xC command unsecures MCU when backdoor key provided in command matches flash locations at 0xFF0F (0x7F_FF0F).

5,529 次查看
kef2
Senior Contributor V

Sorry, missing const keywords:

const unsigned char nvsec @ 0xFF0F = 0xBC;

const unsigned char nvkey[8] @ 0xFF00 = {0,1,2,3,4,5,6,7};

 etc

0 项奖励
回复