FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

S32K3 Secure Boot

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

S32K3 Secure Boot

‎09-11-2025 12:10 AM
1,068 Views
mws
Contributor I

Hello,

I am currently developing Secure Boot on the S32K3 series, and I have encountered an issue where I am unable to program via JTAG.
I would like to ask: when the device enters Recovery Mode, is it expected that JTAG cannot be used together with the IDE for direct programming?

Here are the test conditions:

1.HSE AB Swap is installed

2.ADKP is enabled

3.LifeCycle is set to OEM_PROD

4.Using Basic Secure Boot, with an intentionally incorrect GMAC TAG

5.IVT_AUTH is disabled

6.Before programming, ADKP was successfully unlocked using the official Python script

Could you please advise whether these settings would prevent JTAG programming in Recovery Mode, and if there are any recommended steps to resolve this issue?

Thank you for your support.

Best regards,

0 Kudos
Reply
5 Replies

‎09-11-2025 05:37 AM
1,030 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

If the device is in OEM_PROD mode, there is only a limited time window (with a 30-second timeout) during which the recovery counter must be between 8 and 16. Within this range, the debugger must establish a connection and likely also perform debug authorization, since the MCU has been reset. If the counter exceeds 16, the device remains in reset.

 

0 Kudos
Reply

‎09-12-2025 12:12 AM
1,011 Views
mws
Contributor I

I am currently using HSE firmware version V2.55. Based on my current configuration:

  • IVT BCW = 0x09 → the RESET_RECOVERY_MODE bit is 0

  • DCMRWP1 was not modified → so it should also be 0

  • According to the Entry into Recovery Mode behavior table in the HSE Reference Manual, if both of these control bits are set to 0, it means that Recovery Mode is disabled.

Therefore, when I attempt to enter Recovery Mode, the device actually does not enter it, which explains why I cannot use JTAG with the IDE for programming under this condition.

My understanding is that:

  • If I want to be able to program/debug through Recovery Mode using JTAG, I would need to configure RESET_RECOVERY_MODE to 1 in either IVT or DCMRWP1.

  • In addition, since the device LifeCycle is already set to OEM_PROD, this may further restrict certain debug and recovery options. I believe this could also be related to why the JTAG functionality is blocked under the current Secure Boot setup.

Could you please confirm if my interpretation is correct?

0 Kudos
Reply

‎09-12-2025 02:36 AM
1,000 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

Yes, correct.

Recovery mode can be disabled in configuration, so in this case it is not invoked.

 

0 Kudos
Reply

‎09-12-2025 07:10 AM
993 Views
mws
Contributor I

In my current state, is it still possible to program normally using JTAG, or is this already considered a bricked state?

0 Kudos
Reply

‎09-15-2025 12:26 AM
932 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

Yes, in my opinion you have it is bricked state. Without recovery you cannot connect by JTAG.

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2167530%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ES32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2167530%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20am%20currently%20developing%20Secure%20Boot%20on%20the%20S32K3%20series%2C%20and%20I%20have%20encountered%20an%20issue%20where%20I%20am%20unable%20to%20program%20via%20JTAG.%3CBR%20%2F%3EI%20would%20like%20to%20ask%3A%20when%20the%20device%20enters%20Recovery%20Mode%2C%20is%20it%20expected%20that%20JTAG%20cannot%20be%20used%20together%20with%20the%20IDE%20for%20direct%20programming%3F%3C%2FP%3E%3CP%3EHere%20are%20the%20test%20conditions%3A%3C%2FP%3E%3CP%3E1.HSE%20AB%20Swap%20is%20installed%3C%2FP%3E%3CP%3E2.ADKP%20is%20enabled%3C%2FP%3E%3CP%3E3.LifeCycle%20is%20set%20to%20OEM_PROD%3C%2FP%3E%3CP%3E4.Using%20Basic%20Secure%20Boot%2C%20with%20an%20intentionally%20incorrect%20GMAC%20TAG%3C%2FP%3E%3CP%3E5.IVT_AUTH%20is%20disabled%3C%2FP%3E%3CP%3E6.Before%20programming%2C%20ADKP%20was%20successfully%20unlocked%20using%20the%20official%20Python%20script%3C%2FP%3E%3CP%3ECould%20you%20please%20advise%20whether%20these%20settings%20would%20prevent%20JTAG%20programming%20in%20Recovery%20Mode%2C%20and%20if%20there%20are%20any%20recommended%20steps%20to%20resolve%20this%20issue%3F%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20support.%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2169462%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2169462%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EYes%2C%20in%20my%20opinion%20you%20have%20it%20is%20bricked%20state.%20Without%20recovery%20you%20cannot%20connect%20by%20JTAG.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2168983%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2168983%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%3CSPAN%3EIn%20my%20current%20state%2C%20is%20it%20still%20possible%20to%20program%20normally%20using%20JTAG%2C%20or%20is%20this%20already%20considered%20a%20bricked%20state%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2168852%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2168852%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EYes%2C%20correct.%3C%2FP%3E%0A%3CP%3ERecovery%20mode%20can%20be%20disabled%20in%20configuration%2C%20so%20in%20this%20case%20it%20is%20not%20invoked.%3C%2FP%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2168688%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2168688%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EI%20am%20currently%20using%20HSE%20firmware%20version%20V2.55.%20Based%20on%20my%20current%20configuration%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3EIVT%20BCW%20%3D%200x09%20%E2%86%92%20the%20RESET_RECOVERY_MODE%20bit%20is%200%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EDCMRWP1%20was%20not%20modified%20%E2%86%92%20so%20it%20should%20also%20be%200%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EAccording%20to%20the%20%3CEM%3EEntry%20into%20Recovery%20Mode%20behavior%3C%2FEM%3E%20table%20in%20the%20HSE%20Reference%20Manual%2C%20if%20both%20of%20these%20control%20bits%20are%20set%20to%200%2C%20it%20means%20that%20Recovery%20Mode%20is%20disabled.%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3ETherefore%2C%20when%20I%20attempt%20to%20enter%20Recovery%20Mode%2C%20the%20device%20actually%20does%20not%20enter%20it%2C%20which%20explains%20why%20I%20cannot%20use%20JTAG%20with%20the%20IDE%20for%20programming%20under%20this%20condition.%3C%2FP%3E%3CP%3EMy%20understanding%20is%20that%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3EIf%20I%20want%20to%20be%20able%20to%20program%2Fdebug%20through%20Recovery%20Mode%20using%20JTAG%2C%20I%20would%20need%20to%20configure%20RESET_RECOVERY_MODE%20to%201%20in%20either%20IVT%20or%20DCMRWP1.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EIn%20addition%2C%20since%20the%20device%20LifeCycle%20is%20already%20set%20to%20OEM_PROD%2C%20this%20may%20further%20restrict%20certain%20debug%20and%20recovery%20options.%20I%20believe%20this%20could%20also%20be%20related%20to%20why%20the%20JTAG%20functionality%20is%20blocked%20under%20the%20current%20Secure%20Boot%20setup.%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3ECould%20you%20please%20confirm%20if%20my%20interpretation%20is%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2167872%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32K3%20Secure%20Boot%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2167872%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%3CSPAN%3EIf%20the%20device%20is%20in%20OEM_PROD%20mode%2C%20there%20is%20only%20a%20limited%20time%20window%20(with%20a%2030-second%20timeout)%20during%20which%20the%20recovery%20counter%20must%20be%20between%208%20and%2016.%20Within%20this%20range%2C%20the%20debugger%20must%20establish%20a%20connection%20and%20likely%20also%20perform%20debug%20authorization%2C%20since%20the%20MCU%20has%20been%20reset.%20If%20the%20counter%20exceeds%2016%2C%20the%20device%20remains%20in%20reset.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E