[S32K3] Restrict the debug access with a password when HSE is not used


The process for restricting JTAG access to the S32K3 MCU depends on whether HSE FW is used or not.

With HSE FW (not covered in this document):

1. Set up ADKP (Application Debug Key/Password).
2. Make sure password mode or challenge-response mode is selected.
3. Move the lifecycle to the IN-FIELD stage.

NOTE: All the above steps can only be done via HSE services (not via IVT or by direct flash programming).

Without HSE FW:

WARNING: ONCE YOU PERFORM THIS PROCESS YOU CANNOT CONFIGURE HSE IN THE DEVICE.

NOTE: All the following code represents just the essential part of the application and was made using the S32K344 (not EVB), S32DS v3.5, the S32K3 Real-Time Drivers Version 3.0.0 (released on March 31, 2023) and a modified version of the C40_Ip_Example_S32K344, unless otherwise mentioned.

The debugger used was PEmicro's USB Multilink Universal FX, unless otherwise mentioned.

1. Program the field CUST_DB_PSWD_A:

The UTEST sector is OTP (One Time Programmable), so erase operations are not allowed. You can only append new data or configuration and read data.

This UTEST memory field is defined with a size of 32 bytes, located from address 1B00_0080h to 1B00_009Fh, but its real size is 16 bytes because the range from 1B00_0090h to 1B00_009Fh is reserved (Table 184. UTEST memory location usage by SBAF of the S32K3xx Reference Manual, Rev. 7).

Writing the desired password to the UTEST sector uses the same process as programming data in other blocks.

I. First, the sector needs to be unlocked to perform program operations. UTEST has its own register, PFCBLKU_SPELOCK[SLCK].

II. Once the sector is unlocked, write the 16-byte password at 1B00_0080h.

The following changes need to be done in the example code:

/*============================================================================
*                                       LOCAL MACROS
============================================================================*/
#define FLS_MASTER_ID                0U
#define FLS_BUF_SIZE                 16U
#define FLS_SECTOR_ADDR              0x1B000080U
#define FLS_SECTOR_TEST              C40_UTEST_ARRAY_0_S000

NOTE: Make sure that the definition FLS_MAX_VIRTUAL_SECTOR located in C40_Ip_Cfg.h has the same value as the C40_UTEST_ARRAY_0_S000 and that C40_SECTOR_ERROR is one value greater than C40_UTEST_ARRAY_0_S000. 

For example instead of:

#define FLS_MAX_VIRTUAL_SECTOR              (527U)
… 
#define C40_SECTOR_ERROR                    (528U)    

Needs to be:

#define FLS_MAX_VIRTUAL_SECTOR              (528U) 
…
#define C40_SECTOR_ERROR                    (529U)

/*============================================================================
*                                      GLOBAL CONSTANTS
============================================================================*/
uint8 TxBuffer[FLS_BUF_SIZE] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F}; /* Password: only 15 values are listed, so the 16th byte is implicitly 0x00 */

VaneB_0-1696631634239.png

You can confirm the password was written by using the Memory Viewer (not covered by this document).

VaneB_1-1696631672308.png
 
2. Advance the MCU's lifecycle:
I. First, set the address of the lifecycle configuration word in the IVT/boot header. For more information refer to sections 32.5 (Image vector table) and 32.5.3 (Structure definition of image vector table) of the S32K3xx Reference Manual, Rev. 7.

NOTE: Make sure that the structure of the boot_header (located in Project_Settings -> Startup_Code -> startup_cm7.s) is defined as shown below:

VaneB_2-1696631885135.png

#define LF_CONFIG_ADDR              (0x007D2000) /* The LC word can be at any flash address, as long as it does not interfere with HSE */

II. Once LF_CONFIG_ADDR is defined, write to that address the LC word value corresponding to the target lifecycle:

Life cycle stage    Valid Values for LC Advancement
OEM_PROD            DADA_DADAh
IN_FIELD            BABA_BABAh

The following changes need to be done in the example code (the changes can be done in the same project used before):

/*===========================================================================
*                                       LOCAL MACROS
===========================================================================*/
#define FLS_MASTER_ID                0U
#define FLS_BUF_SIZE                 8U
#define FLS_SECTOR_ADDR              0x007D2000U
#define FLS_SECTOR_TEST              C40_CODE_ARRAY_0_BLOCK_3_S489 /* Look into C40_Ip_Cfg.h file to find the corresponding sector */

/*===========================================================================
*                                      GLOBAL CONSTANTS
===========================================================================*/
/* Sized with FLS_BUF_SIZE, the length macro defined above */
uint8 LC_TxBuffer[FLS_BUF_SIZE] = {0xDA, 0xDA, 0xDA, 0xDA, 0x0, 0x0, 0x0, 0x0}; /* Minimum data length 8 bytes */

VaneB_3-1696632329064.png

Once the LC word is written to memory, you can confirm it was written by using the Memory Viewer (not covered by this document).

VaneB_4-1696632360649.png

III. Reset the MCU

NOTE: Directly from the reset pin (RESET_B), not the debugger.

If the procedure was done correctly you should see the following message:

VaneB_5-1696632423439.png
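Both writes in this procedure are permanent (the UTEST field is OTP, and the page warns that HSE can no longer be configured afterwards), so the buffers are worth validating in a host build before flashing. The following is an added example, not code from the original post or from the NXP drivers; the function names, the `kPassword` sample value and the assumption that unprogrammed flash reads 0xFF are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PSWD_LEN     16U            /* usable size of CUST_DB_PSWD_A (from the page) */
#define LC_OEM_PROD  0xDADADADAUL   /* LC advancement values from the page's table */
#define LC_IN_FIELD  0xBABABABAUL
#define ERASED_BYTE  0xFFU          /* assumption: unprogrammed flash reads back 0xFF */

typedef enum { PF_OK, PF_NOT_BLANK, PF_WEAK_PASSWORD, PF_BAD_LC_WORD } preflight_t;

/* Constructed sample password. The unsized array plus the static assert turns a
 * 15-value initializer into a build error instead of a silent 0x00 pad byte. */
static const uint8_t kPassword[] = {0x3C,0x91,0x07,0xE4,0x5A,0xB2,0x6D,0x18,
                                    0xF0,0x2B,0xC7,0x49,0x8E,0x13,0xA5,0x76};
_Static_assert(sizeof kPassword == PSWD_LEN, "password must be exactly 16 bytes");

/* current: the 16 bytes read back from 1B00_0080h before programming.
 * UTEST cannot be erased, so a field that is not blank must not be written again.
 * A password made of one repeated byte is rejected as trivially guessable
 * (this also covers all-0xFF, which would leave the field looking blank). */
preflight_t preflight_password(const uint8_t *current, const uint8_t *pw)
{
    bool uniform = true;
    for (size_t i = 0; i < PSWD_LEN; i++) {
        if (current[i] != ERASED_BYTE) return PF_NOT_BLANK;
        if (pw[i] != pw[0]) uniform = false;
    }
    return uniform ? PF_WEAK_PASSWORD : PF_OK;
}

/* Assemble the first four buffer bytes as a little-endian word and accept
 * only the two LC words the page lists. */
preflight_t preflight_lc_word(const uint8_t *buf)
{
    uint32_t lc = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                  ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return (lc == LC_OEM_PROD || lc == LC_IN_FIELD) ? PF_OK : PF_BAD_LC_WORD;
}
```

Run `preflight_password()` against a read-back of the field and `preflight_lc_word()` against the LC buffer, and only call the flash driver when both return `PF_OK`.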

Now to unlock the MCU, PEmicro provides some Python scripts (PEmicro support files package) to facilitate the authentication of the debugger when the password is set.

In summary:

I. Make sure to have already installed Python (3.5 or later).
II. Open Command Prompt.
III. Use cd to change the current working directory to where the file package is.
IV. Run the script using: py authenticate_password_mode.py -hardwareid=USB1 -password=…

Where hardwareid is the debug hardware IP address, name, serial number, or port name, and password is the preconfigured 16-byte hexadecimal password.

NOTE: These steps need to be done each time the MCU is reset or power cycled.

VaneB_6-1696632573362.png

Once the debugger has been authenticated, you will be able to securely debug the device under S32DS.

NOTE: In S32DS, when you configure the Debug Configurations of a project, make sure to change the Target to the one that says "SECUREDEBUG". This is because during debug entry a hard reset is toggled, which clears the authentication.

You can follow the below steps for this:

VaneB_7-1696632658751.png

VaneB_8-1696632678698.png

 

Comments

Can the CUST_DB_PSWD_A area be programmed by JTAG? 

We want to directly program this area at ICT by PE.

Last update: 10-09-2023 09:12 AM