S32K144 - JTAG lock can be removed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

S32K144 - JTAG lock can be removed

1,532 Views
szblaci
Contributor III

Hi,

I would like to activate the JTAG lock on a S32K144 MCU. I write the backdoor key at address 0x400 and the following bytes into the configuration registers 0xFFFF7FAFu (0x408). Apparently the lock is working, I am not able to connect the the MCU and the flash driver gives back positive response when I try to verify my backdoor key (command 0x45).

My problem is that using winIDEA and iSystem iC5700 debugger I can easily remove this protection with "Unsecure" command. In this case the flash memory is erased and the FSEC register is set back to 0xFE. Is this the normal behaviour? Earlier I used S32K146 but there if the JTAG was locked once I was not able the disable the lock any more. (With 146 I used an older winIDEA version)

Thanks in advance!

Laszlo

 

Tags (2)
0 Kudos
Reply
3 Replies

1,501 Views
Robin_Shen
NXP TechSupport
NXP TechSupport

Hi Laszlo,

Sorry for the late reply.
Can you show me the /* Flash Configuration */ of your project?

Flash Configuration 4 bytes program flash protection bytes.png

According to your description, do you set 4 bytes program flash protection bytes .long 0xFFFF7FAF?
But I didn't understand how the protection of the program flash region is related to the JTAG lock?

What is your FSEC value? If Mass Erase Enabled, then debugger can mass erase the chip by "Unsecure" command.

37.5.10 Security.png

36.4.4.1.4 Flash Security Register (FSEC).png


Best Regards,
Robin
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

1,484 Views
szblaci
Contributor III

Hello Robin,

 

In the startup file I set the whole flash config field to 0xFF (0x400-0x40F) and later on the user can update the backdoor key with help of a diagnostic routine which updates the configuration registers too (Maybe it would be better to write only the key, since the config does not change).

Perhaps last time I was used my former code where the FSEC register was set to 0xBF (0x40C) so the mass erase was enabled and therefore the unsecure was working. If I set it to 0xAF (MEEN = 10b and SEC = 11b) that means there is no way to change the flash content via debug port any longer? I     

My main goal would be to protect the firmware from modification and even from being replaced. 


Thanks in advance!

Laszlo

0 Kudos
Reply

1,469 Views
Robin_Shen
NXP TechSupport
NXP TechSupport

If you set it to 0xAF (MEEN = 10b and SEC = 11b), then "Unsecure" command by debugger can not mass erase the chip. However, if you first "Unsecure" command through a debugger and then unsecure the chip by backdoor key without resetting the chip, it may be mass erased.

0 Kudos
Reply