S32K148EVB-Can't unsecure!

duke_run_run · ‎06-13-2023

1、I Change the configuration parameter to BF;

2、Compile and download firmware to the EVB board;

3、Now ,"Device is secure, Erase to unsecure?" is displayed when the OpenSDA interface is used to debug a connection. However, after you click yes, the erasure operation cannot be performed and the OpenSDA interface connection is abnormal

I tried to send unlock kinetis to unlock using the jtag interface connection, indicating that the unlock was successful, but in fact it did not, the following message was displayed when jtag connected.

May I ask you how to solve this situation?

How can I unlock it?

Thank you all!

VaneB · ‎06-14-2023

Hi @duke_run_run

As you define MEEN as 11b, mass erase, should be able to unlock the MCU.

Also, as the Backdoor key access is also enabled, if you program this function, it can unlock the MCU with the key.

Please read the value of MDM-AP status and control registers by referring to Unbricking S32K146.

B.R.

VaneB

duke_run_run · ‎06-14-2023

Thank you for your reply!

I tried to erase it by writing the DMD-AP control register, but it didn't seem to work;

The operation is recorded as follows:

SEGGER J-Link Commander V6.98e (Compiled Mar 29 2021 14:19:55)
DLL version V6.98e, compiled Mar 29 2021 14:18:39

Connecting to J-Link via USB...O.K.
Firmware: J-Link V9 compiled Feb 2 2021 16:34:10
Hardware version: V9.20
S/N: -1
License(s): RDI, GDB, FlashDL, FlashBP, JFlash
VTref=3.327V

Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: S32K148 (ALLOW SECURITY)
Type '?' for selection dialog
Device>
Please specify target interface:
J) JTAG (Default)
S) SWD
T) cJTAG
TIF>s
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>
Device "S32K148 (ALLOW SECURITY)" selected.

Connecting to target via SWD
InitTarget() start
InitTarget()
Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
For debugger connection the device needs to be unsecured.
Note: Unsecuring will trigger a mass erase of the internal flash.
Executing default behavior previously saved in the registry.
Device will be unsecured now.
Timeout while unsecuring device. Erase never stops.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
InitTarget() start
InitTarget()
Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
For debugger connection the device needs to be unsecured.
Note: Unsecuring will trigger a mass erase of the internal flash.
Executing default behavior previously saved in the registry.
Device will be unsecured now.
Timeout while unsecuring device. Erase never stops.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP

****** Error: Could not find core in Coresight setup

InitTarget() start
InitTarget()
Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
For debugger connection the device needs to be unsecured.
Note: Unsecuring will trigger a mass erase of the internal flash.
Executing default behavior previously saved in the registry.
Device will be unsecured now.
Timeout while unsecuring device. Erase never stops.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
InitTarget() start
InitTarget()
Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
For debugger connection the device needs to be unsecured.
Note: Unsecuring will trigger a mass erase of the internal flash.
Executing default behavior previously saved in the registry.
Device will be unsecured now.
Timeout while unsecuring device. Erase never stops.
InitTarget() end
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP

****** Error: Could not find core in Coresight setup

Cannot connect to target.
J-Link>writedp 2 1000000
Writing DP register 2 = 0x01000000 (0 write repetitions needed)
J-Link>writeap 1 1
Writing AP register 1 = 0x00000001 (0 write repetitions needed)
J-Link>readap 1
Reading AP register 1 = 0x00000001 (0 read repetitions needed)
J-Link>readap 0
Reading AP register 0 = 0x00000074 (0 read repetitions needed)
J-Link>writedp 2 10000f0
Writing DP register 2 = 0x010000F0 (0 write repetitions needed)
J-Link>readap 3
Reading AP register 3 = 0x001C0000 (0 read repetitions needed)
J-Link>

My EVB board is connected normally, reset is not grounded, jlink attempt to unlock will fail, but the command can be executed normally, but actually did not erase successfully, the board still cannot be used normally;

How do I enable mass erase next? Or through a backdoor and what is the back door interface?

thanks!

VaneB · ‎06-19-2023

Hi @duke_run_run

Take a look at section 2.1.3 (How to disable security after it has been enabled) of the application note Using the Kinetis Security and Flash Protection Features.

duke_run_run · ‎06-19-2023

Thank you very much for your reply!

I read the application note you said, and I determined that the value of FSEC is 0xBF, so the bit corresponding to MEEN is 0b11, so mass erase should be enabled, MDM-AP Status reg is 0x74, I don't understand why I can't really erase when I write 1 to bit0 of MDM-AP Control reg?

The following instructions are not really erased completely：

J-Link>writedp 2 1000000
Writing DP register 2 = 0x01000000 (0 write repetitions needed)
J-Link>readap 0
Reading AP register 0 = 0x00000074 (0 read repetitions needed)
J-Link>readap 1
Reading AP register 1 = 0x00000001 (0 read repetitions needed)
J-Link>writeap 1 1
Writing AP register 1 = 0x00000001 (0 write repetitions needed)
J-Link>readap 1
Reading AP register 1 = 0x00000001 (0 read repetitions needed)
J-Link>

VaneB · ‎06-22-2023

Hi @duke_run_run

From the value of the MDM-AP Status Register, the System Security = 1, then communication with the processor's internals, including the flash, will not be possible without issuing a mass erase command or unsecured the part through backdoor key unlock.

See section (3.2) Erasing flash of the application note Production Flash Programming Best Practices for S32K1xx MCUs.

Also, there is also a script for SEGGER Jlink for Kinetis but it should work on S32K1xx as well.

Communication error while accessing MDM-AP