FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Unlock flash on S32K144W from firmware

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unlock flash on S32K144W from firmware

‎10-23-2023 06:46 AM
799 Views
kdc
Contributor I

Hello there,

We are using a S32K144W. Every time we do a power cycle and want to connect our j-link we have to unlock and erase it.

JLink.exe -device S32K144W -if SWD -speed auto -IP 192.168.2.XXX
> connect
> unlock Kinetis
> erase
> exit

We would like to avoid this by doing this from the C-code running on the MCU.
We're using S32 SDK for S32K1xx v4.0.2.
I thought this could be done the following way:

static void unlock_flash(void)
{
flash_ssd_config_t flash_ssd_config;
const flash_user_config_t flash_init_config = {
.PFlashBase = 0x0U,
.PFlashSize = 0x80000U,
.DFlashBase = 0x10000000U,
.EERAMBase = 0x14000000U,
.CallBack = NULL_CALLBACK };
DEV_ASSERT(STATUS_SUCCESS == FLASH_DRV_Init(&flash_init_config, &flash_ssd_config));
const uint8_t key[] = {
2, 2, 2, 2, 2, 2, 2, 2,
};
DEV_ASSERT(8 == sizeof(key));
uint32_t ret = FLASH_DRV_SecurityBypass(&flash_ssd_config, key);
DEV_ASSERT(STATUS_SUCCESS == ret);
}


However, the FLASH_DRV_SecurityBypass returns STATUS_ERROR.
I couldn't find any example of how to use this function.
Can someone help me?


Best regards,

K.

0 Kudos
Reply
3 Replies

‎10-24-2023 02:37 AM
764 Views
kdc
Contributor I

Hi,

Yes, I have changed the startup file:
kdc_0-1698139945268.png

I also verified via gdb that this value is correctly loaded:

kdc_1-1698139998097.png

kdc_2-1698140074223.png

Can you confirm that the FLASH_DRV_SecurityBypass function allows me to connect with my debugger and reprogram the MCU?

 
0 Kudos
Reply

‎10-24-2023 04:00 AM
758 Views
danielmartynek
NXP TechSupport
NXP TechSupport

Hi @kdc,

You did not enable the backdoor key function in FSEC.

It should be something like this

.long 0xFFFF7FBF     /* FDPROT:FEPROT:FOPT:FSEC(0xBF = Backdoor key enabled, mass erese enabled, MCU secured)*/

 

The FLASH_DRV_SecurityBypass() then unlocks the MCU on a match.

danielmartynek_0-1698145028955.png

And the MCU stays unlocked until it is reset.

The J-link must not reset the MCU, this would lock the MCU again.

A special J-link script is necessary, which can be found here:

https://wiki.segger.com/S32Kxxx#Attach_to_debug_session


J-Link commander has to be called in the following way:
C:\Programme\SEGGER\JLink\JLink.exe -JLinkScriptFile NXP_Kinetis_S32_Attach.JLinkScript

Then the MCU is not reset and access to all the memory and registers is possible.

Please contact SEGGER support if you need more information.

 

Thank you,

BR, Daniel

 

 

0 Kudos
Reply

‎10-24-2023 12:34 AM
777 Views
danielmartynek
NXP TechSupport
NXP TechSupport

Hi @kdc,

Is the key programed at 0x400?

danielmartynek_0-1698132722833.png

startup_S32K144W.S

danielmartynek_1-1698132792703.png

 

Regards,

Daniel

 

 

 

0 Kudos
Reply