- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- Product Forums
- :
- S32K
- :
- S32K144: Cannot access device after mass erase(CSEc enabled, with no master key loaded)
S32K144: Cannot access device after mass erase(CSEc enabled, with no master key loaded)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have an S32K144 device where the program partition command (PGMPART) was used to allocate CSEc with keysize = 1 to 20.
But no MASTER_ECU_KEY was installed. That means no CMD_LOAD_KEY was executed.
Afterwards a mass erase was issued using a JLink debugger and the `Erase` command
Now the debugger cannot connect and displays the following:
$ JLinkExe -if swd -device "S32K144 (allow security)" -speed 4000 -autoconnect 1
SEGGER J-Link Commander V7.80d (Compiled Oct 4 2022 16:40:45)
DLL version V7.80d, compiled Oct 4 2022 16:40:22
Connecting to J-Link via USB...O.K.
Firmware: J-Link V10 compiled Sep 22 2022 14:59:36
Hardware version: V10.10
J-Link uptime (since boot): N/A (Not supported by this model)
S/N: 50124738
License(s): GDB
VTref=4.982V
Device "S32K144 (ALLOW SECURITY)" selected.
Connecting to target via SWD
InitTarget() start
Device will be unsecured now.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
InitTarget() start
Device will be unsecured now.
Timeout while halting CPU.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
****** Error: Could not find core in Coresight setup
InitTarget() start
Device will be unsecured now.
Timeout while halting CPU.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
InitTarget() start
Device will be unsecured now.
Timeout while halting CPU.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
****** Error: Could not find core in Coresight setup
Cannot connect to target.
Is it possible to recover this device?
As pointed out in this answer it is not possible to reset the partition without the master key. But I think this scenario is a little different because of the mass erase.
Solved! Go to Solution.
lukaszadrapa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nschwabe
Once CSEc is enabled by PGMPART command, the mass erase is blocked until the partition is destroyed by CMD_DBG_CHAL and CMD_DBG_AUTH commands with knowledge of MASTER_ECU_KEY. So, JLink definitely could not perform mass erase. If the flash was erased by Erase Flash Block or by Erase Flash Sector commands leaving the Flash Configuration Field at 0x400 erased, the device is secured (because FSEC byte in the Flash Configuration Field is 0xFF and not in unsecured state 0xFE) while mass erase command is disabled due to CSEc. The result: the device is bricked with no way to recover.
Regards,
Lukas
lukaszadrapa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nschwabe
Once CSEc is enabled by PGMPART command, the mass erase is blocked until the partition is destroyed by CMD_DBG_CHAL and CMD_DBG_AUTH commands with knowledge of MASTER_ECU_KEY. So, JLink definitely could not perform mass erase. If the flash was erased by Erase Flash Block or by Erase Flash Sector commands leaving the Flash Configuration Field at 0x400 erased, the device is secured (because FSEC byte in the Flash Configuration Field is 0xFF and not in unsecured state 0xFE) while mass erase command is disabled due to CSEc. The result: the device is bricked with no way to recover.
Regards,
Lukas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lukaszadrapa
If the CSEc partition command is executed, and the master key command is not executed, after brushing into the MCU, if I want to erase the partition, is it valid to reprogram and set the master key to load and then execute the erase command?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @lukaszadrapa,
thanks for the explanation.
This matches pretty much what I observed. I used the JLink Erase command which probably erases individual sectors leaving the device in secured state.
When I connect the JLink, I get a message that I need to mass erase the device. And I know understand that this operation is blocked by the CSEc partitioning.
Thanks again!
