S32K3 JTAG Password Protection

ASN7
Contributor III
MCU: S32K314
RTD: 3.0
HSE_B : For S32K3X4 - v0.2.1.0
 
I am trying to password protect my JTAG on the board using HSE (I am not using Challenge/Response).
 
These are the steps that I am following:
 
1. Read the HSE Version to make sure it is active. 
SOC Type ID= 5, Major Version= 2, Minor Version=1
HSE Response = 0x55a5aa33 = Success
2. Read the current lifecycle. 
Current LC = 0x4 = HSE_LC_CUST_DEL
HSE Response = 0x55a5aa33 = Success
3. Check if HSE_APP_DEBUG_KEY_ATTR_ID is already set.
I do not get HSE_SRV_RSP_NOT_ALLOWED, which means ADKP is set. 
HSE Response = 0x55a5aa33 = Success
4. If not set, then set up the ADKP.
5. Check if debug auth mode is set to password mode.
I see 0x00 which is HSE_DEBUG_AUTH_MODE_PW. 
6. I advance the Lifecycle. 
 
    hseAttrSecureLifecycle_t programLC = HSE_LC_SIMULATED_OEM_PROD;
    HSE_AdvanceLifecycle(programLC);
 
In this step, I get this error: 0xAA55A21CUL = HSE_SRV_RSP_NOT_ALLOWED = The operation is not allowed because of some restrictions (in attributes, life-cycle dependent operations, key-management, etc.)
And the program is now stuck in ASSERT(HSE_SRV_RSP_OK == srvResponse);
 
What is it that is causing the issue? I tried to change the lifecycle to HSE_LC_IN_FIELD, HSE_LC_OEM_PROD and even HSE_LC_SIMULATED_OEM_PROD (which is what I want). But all of them throw the same error. I have set everything that is needed.

davidtosenovjan
NXP TechSupport

This procedure seems to be right. The question is how it is actually done.

Which example code are you basing this on?


ASN7
Contributor III

I created a new project just to test locking of JTAG and all my references have been from S32K344_DemoAppTemplate.

I have copied the files and functions from S32K344_DemoAppTemplate\services\src\fw_attribute\otp\hse_debug_auth_mode.c. 


davidtosenovjan
NXP TechSupport

Haven't you set CUST_START_AS_USER, which would lead to having User rights after reset?


kerti1
Contributor III
Thanks for the reply. If user rights are set with CUST_START_AS_USER, then it won't be able to change the LC and also cannot format the key catalogs. Even if the LC is changed to SIMULATED_OEM using super user rights, the JTAG is not getting locked.