HSE installation without JTAG debugger interface

carloswei · ‎11-05-2024

We are currently using the S32K344 and S32K312 chips and aiming to enable HSE installation and secure boot activation on the production line. However, we are facing a challenging issue. At this stage, HSE installation requires using the JTAG interface (with a PE to run the HSE firmware installation program). However, on production boards, the JTAG interface has been disabled, preventing the use of a debugger for downloading and enabling HSE. Do you have any suggestions?

carloswei · ‎11-05-2024

I have successfully tested the "HSE DEMOAPP" you mentioned using the PE debugger, which worked as expected.

However, "The JTAG interface has been disabled" indicates that the JTAG interface has been physically removed from the board, and the JTAG pins are not routed from the chip to the PCB. Given this situation, I am seeking guidance on how to install the HSE firmware for a virgin device (no password, no secure debug) without relying on the JTAG interface.

VaneB · ‎11-06-2024

Hi @carloswei

It is possible to install HSE FW using a bootloader. The bootloader can receives new firmware data from a host via communication protocols like CAN, LIN, UART, ETHERNET, among others.

I am afraid , LIN, UART, ETHERNET, etc.
I'm afraid to load the Bootloader and application using a flash programming tool which usualy requires JTAG/SWD/Trace pins.

carloswei · ‎11-07-2024

Could you please help review whether this process is feasible?

Option 1:
In the mass production stage, we first program the S32K3 chip with firmware that includes the HSE firmware installation, secure boot configuration, and the business logic binary. Next, we mount the S32K3 chip onto the PCB. Finally, after the chip has been mounted, we power on the S32K3 board and allow the firmware to complete the HSE firmware installation, secure boot configuration, and loading of the business logic binary. Once all these steps are completed, the board initializes HSE and secure boot, and the business logic runs as expected.

Option 2:
In the mass production stage, we first program the S32K chip with firmware containing a custom-developed bootloader capable of flashing firmware via CAN. Next, we mount the chip with the bootloader onto the PCB. On the next power cycle, the chip enters the bootloader. Using the bootloader, we then flash an application (App) that includes the HSE firmware, secure boot initialization, and the business logic binary loading. After flashing, we power up the board and let the App configure the HSE firmware and secure boot. On subsequent starts, the business logic binary will run as expected.

Please let us know if both options seem feasible. We are in communication with the production line, coordinating the programming method. Thank you very much for your response, and wishing you a pleasant day.

VaneB · ‎11-08-2024

Hi @carloswei

You can use both options. But we have some observations:

Both are not the best options. First reason - it is unnecessary complication in production. Second - we think it is not the best solution to not bond JTAG/SWD signals out. An alternative would be to use test points. In your current situation, you would not be able to troubleshoot or debug any problems in production or in the field. Your only option for fault analysis will be to desolder the chip from the board.

We understand that you want to use this as a protection, so no-one can attach JTAG probe. It makes sense in this case. However, we consider dynamic ADKP as a protection which is strong enough.

VaneB · ‎11-05-2024

Hi @carloswei

Please help me to clarify the following information, when you say "the JTAG interface has been disabled" you mean that password protection has been enabled without installing HSE? Or did you just change the JTAG pin configuration to another functionality?

If you have enabled JTAG password protection without any HSE firmware installed, it will no longer be possible to install HSE firmware on the device. If this is not the case, for HSE FW installation currently, we only have the HSE DEMOAPP (demo works with Lauterbach debugger only) and S32K3 MCUs for General Purpose HSE Demo Examples, which helps to install the firmware and examine HSE features.

Additionally, we also provide document AN744810 “HSE FW install for S32K3xx” which describes how to install the firmware. It can be downloaded from:

S32K3 Microcontrollers for Automotive General Purpose > Documentation > Secure Files.

BR, VaneB

carloswei · ‎11-05-2024

I have successfully tested the "HSE DEMOAPP" you mentioned using the PE debugger, which worked as expected.

However, "The JTAG interface has been disabled" indicates that the JTAG interface has been physically removed from the board, and the JTAG pins are not routed from the chip to the PCB. Given this situation, I am seeking guidance on how to install the HSE firmware for a virgin device (no password, no secure debug) without relying on the JTAG interface.