[S32K3] Restrict the debug access with a password when HSE is not used

2 项奖励

The procedure to restrict JTAG access on the S32K3 MCU depends on whether HSE Firmware (FW) is used:

With HSE FW: This scenario is not covered in this document.

Without HSE FW:

WARNING: ONCE THIS PROCESS IS COMPLETED, HSE CANNOT BE INSTALLED ON THE DEVICE.

Development Environment:
All code snippets provided represent the essential parts of the application and were developed using:

Test HW: S32K344 (not EVB)

MCU: S32K344

IDE: S32DS v3.5

Debugger: PEmicro USB Multilink Universal FX (unless otherwise noted)

Drivers: S32K3 Real-Time Drivers v3.0.0 (released March 31, 2023)

Base Project: Modified version of C40_Ip_Example_S32K344

Step 1: Program the CUST_DB_PSWD_A Field

The UTEST Sector is an OTP (One Time Programmable), meaning erase operations are not allowed. You can only append or read data.

Memory Range: 0x1B00_0080 to 0x1B00_009
Only the first 16 bytes (0x1B00_0080 to 0x1B00_008F) are usable.
The rest is reserved (see Table 202 in the S32K3xx Reference Manual, Rev. 11).

Programming Steps:

I. Unlock the UTEST sector using PFCBLKU_SPELOCK[SLCK].

II. Write the 16-byte password to address 0x1B00_0080.

Code Adjustments:

/*============================================================================
*                                       LOCAL MACROS
============================================================================*/
#define FLS_MASTER_ID                0U
#define FLS_BUF_SIZE                 16U
#define FLS_SECTOR_ADDR              0x1B000080U
#define FLS_SECTOR_TEST              C40_UTEST_ARRAY_0_S000

NOTE: Ensure FLS_MAX_VIRTUAL_SECTOR and C40_SECTOR_ERROR are correctly defined in C40_Ip_Cfg.h:

Instead of:
#define FLS_MAX_VIRTUAL_SECTOR              (527U)
… 
#define C40_SECTOR_ERROR                    (528U)    
Use:
#define FLS_MAX_VIRTUAL_SECTOR              (528U) 
…
#define C40_SECTOR_ERROR                    (529U)    

/*============================================================================
*                                      GLOBAL CONSTANTS
============================================================================*/
uint8 TxBuffer[FLS_BUF_SIZE] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F}; /* Password */

You can verify the password using the Memory Viewer (not covered here).

Step 2: Advance the MCU Lifecycle

I. Set the lifecycle configuration word address in the IVT/boot header. Refer to sections 32.5 and 32.5.3 of the Reference Manual.

NOTE: Ensure the structure of the boot_header (located in Project_Settings → Startup_Code → startup_cm7.s) is defined as follows:

#define LF_CONFIG_ADDR              (0x007D2000) /* The LC word can be at any flash address, taking care that does not interfere with HSE */

II. Write the LC word to the defined address:

Life cycle stage	Valid Values for LC Advancement
OEM_PROD	DADA_DADAh
IN_FIELD	BABA_BABAh

Code Adjustments:

/*===========================================================================
*                                       LOCAL MACROS
===========================================================================*/
#define FLS_MASTER_ID                0U
#define FLS_BUF_SIZE                 8U
#define FLS_SECTOR_ADDR              0x007D2000U
#define FLS_SECTOR_TEST              C40_CODE_ARRAY_0_BLOCK_3_S489 /* Look into C40_Ip_Cfg.h file to find the corresponding sector */
/*===========================================================================
*                                      GLOBAL CONSTANTS
===========================================================================*/
uint8 LC_TxBuffer[FLS_LC_SIZE] = {0xDA, 0xDA, 0xDA, 0xDA, 0x0, 0x0, 0x0, 0x0}; /* Minimum data length 8 bytes */

Confirm the LC word using the Memory Viewer.

III. Reset the MCU using the RESET_B pin, not the debugger.

If the procedure was done correctly, you should see the following message:

Step 3: Debugger Authentication

To unlock the MCU, PEmicro provides Python scripts (PEmicro support files package) to facilitate debugger authentication when the password is set.

In summary:

I. Ensure Python 3.5 or later is installed.
II. Open Command Prompt.
III. Use cd to navigate to the directory containing the file package.
IV. Run the script: py authenticate_password_mode.py -hardwareid=USB1 -password=…

hardwareid: Debug hardware IP, name, serial number, or port
password: 16-byte hexadecimal password

NOTE: This must be done every time the MCU is reset or power cycled.

Step 4: Secure Debugging in S32DS

In S32DS, when configuring the Debug Configurations of a project, change the Target to "SECUREDEBUG". This is necessary because during debug entry, a hard reset is toggled, which clears the authentication.

Once authenticated, you can securely debug the device in S32DS.

*Additional Resources

iSystem: How to unlock secure debug on NXP S32G2/3xx, S32R45x, and S32K3
Segger: NXP S32K3xx - Debug Authentication

Yiming2 · ‎11-28-2023

Can the CUST_DB_PSWD_A area be programmed by JTAG?

We want to directly program this ares at ICT by PE.