RT106X secure JTAG test and IDE debug
1 Introduction
Regarding the usage of RT10XX Secure JTAG, the nxp.com has already released a very good application note AN12419 Secure JTAG for i.MXRT10xx:
https://www.nxp.com/docs/en/application-note/AN12419.pdf
This application note talks about the principle of Secure JTAG, how to modify the fuse to implement the Secure JTAG function, and the content of the related JLINKscript file, and then gives the use of JLINK commander to realize the identification of the ARM core. Usually, if the ARM core can be identified, it indicates that Secure JTAG connection has been passed. But in practical usage, I found many customers encounter the different issues, for example, the Secure JTAG could not find the ARM core directly, or the core identify is not stable, and some customers asked how to use common IDEs, such as MCUXPresso, IAR , MDK to add this Secure JTAG function to realize Secure JTAG debugging.
For the test of secure JTAG, it also needs the cost, because the fuse needs to be modified. If the position of the fuse is accidentally modified, it may cause irreversible problems. Due to the different situations of customers, I also done more tests, borrowing boards with chip socket which can replace the different RT chip, I have tested RT1050, RT1060, RT1064, but in practical usage, there are still some customers mentioned that it will be reproduced on the EVK, so I also tested the secure JTAG function on the RT1060 and RT1064 EVK
This article will share all the previous relevant experience, so that latecomers can have a reference when encountering similar problems, and avoid unnecessary minefields.
This document used the platform:
MIMXRT1064-EVK revA: RT1060-EVK, RT1050-EVKB is similar
SDK_2_13_0_EVK-MIMXRT1064
MCUXpresso IDE v11.7.1_9221
MDK V5.36: higher reversion is the same
IAR 9.30.1: higher reversion is the same
Segger JLINK plus
JLINK driver version:V788D
NXP-MCUBootUtility-5.1.0
2 RT1064 secure JTAG modification
Under normal circumstances, it is not recommended for customers to burn all the related fuses directly and then test it directly. I usually proceeds step by step, hardware layout, to ensure that it can support JTAG, and then save the original read of the fuse, burn JTAG, test JTAG, and finally Burn and test other fuses for secure JTAG.
2.1 MIMXRT1064-EVK Hardware modification
For RT10XX EVK, the board default situation is the same as the chip situation, which supports SWD. The JTAG pin is connected to other hardware modules from the hardware, so it will affect JTAG function. When it is determined to use JTAG function, the circuit needs to be modified, just like MIMXRT105060HDUG has said:
(1). Burn fuse DAP_SJC_SWD_SEL from ‘0’ to ‘1’ to choose JTAG.
(2). DNP R323,R309,R152 to isolate JTAG multiplexed signals.
(3). Keep off J47 to J50 to isolate board level debugger.
So, to the MIMXRT1064-EVK board, just need to remove R323, R309, R152, disconnect J47,J48,J49,J50, which is used to disconnect the on board debugger, then use the external Segger JLINK JTAG interface to connect the MIMXRT1064-EVK on board J21.
2.2 Original fuse map read
First, the MIMXRT1064-EVK board enters the serial download mode, SW7: 1-OFF, 2-OFF, 3-OFF, 4-ON. Use MCUBootUtility tool to connect EVK, and read the initial fuse map, the situation is as follows:
Fig 1
2.3 JTAG Modification and test
Modify fuse to realize SWD to JTAG: 0X460[19] DAP_SJC_SWD_SEL=1
Fig 2
Use the JLINK commander, JTAG method to connect the board, to find the ARM CM7 core:
Fig 3
If the ARM CM7 core can’t be identified, it means the hardware still have issues, or the fuse modified bit is not correct, just do the double check, make sure the ARM core can be found, then go to the next steps.
2.4 Secure JTAG Modification
Modify fuse bit to realize Secure JTAG:
0X460[23:22]:JTAG_SMODE =1
0X460[26]: KTE_FUSE=1
0X610,0X600 burn key: 0xedcba987654321, user also can burn with other custom keys, but need to record it, as the JLINKScript needs to use it.
Fig 4
In the above picture, the secure JTAG fuse and key fuse is finished, at last, to burn fuse 0X400[6]: SJC_RESP_LOCK=1, which is used to close the write and read to secret response key:
Fig 5
Here, we can see, the 0X600,0X610 key area is shadow.
Now, record the UUID0, UUID1, it will use the script to read out to check the UUID correction or not.
2.5 Secure JTAG JLINK commander test
Because during the secure JTAG connection process, the JTAG_MOD pin needs to be pulled low and high, so a wire needs to be connected to pull JTAG_MOD low and high. MIMXRT1064-EVK can use J25_4, which is 3.3V, and JTAG_MOD signal point can use TP11 test point. By default, JTAG_MOD is pulled low. When it needs to be pulled high, it can be connected to J25_4.
During the test, it will need to use the JLINKScript, the content is as follows, also can check
the attached NXP_RT1064_SecureJTAG.JlinkScript file:
int InitTarget(void) {
int r;
int v;
int Key0;
int Key1;
JLINK_SYS_Report("***********************************************");
JLINK_SYS_Report("J-Link script: InitTarget() *");
JLINK_SYS_Report("NXP iMXRT, Enable Secure JTAG *");
JLINK_SYS_Report("***********************************************");
JLINK_SYS_MessageBox("Set pin JTAG_MOD => 1 and press any key to continue...");
// Secure response stored @ 0x600, 0x610 in eFUSE region (OTP memory)
Key0 = 0x87654321;
Key1 = 0xedcba9;
JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=0;DRPost=0;IRLenDevice=5");
CPU = CORTEX_M7;
JLINK_SYS_Sleep(100);
JLINK_JTAG_WriteIR(0xC); // Output Challenge instruction
// Readback Challenge, Shift 64 dummy bits on TDI, TODO: receive Challenge bits on TDO
JLINK_JTAG_StartDR();
JLINK_SYS_Report("Reading Challenge ID....");
JLINK_JTAG_WriteDRCont(0xffffffff, 32); // 32-bit dummy write on TDI / read 32 bits on TDO
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID0:", v);
JLINK_JTAG_WriteDREnd(0xffffffff, 32);
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID1:", v);
JLINK_JTAG_WriteIR(0xD); // Output Response instruction
JLINK_JTAG_StartDR();
JLINK_JTAG_WriteDRCont(Key0, 32);
JLINK_JTAG_WriteDREnd(Key1, 24);
JLINK_SYS_MessageBox("Change pin JTAG_MOD => 0, press any key to continue...");
return 0;
}
SecJtag.bat file content is:
jlink.exe -JLinkScriptFile NXP_RT1064_SecureJTAG.JlinkScript -device MIMXRT1064XXX6A -if JTAG -speed 4000 -autoconnect 1 -JTAGConf -1,-1
This command is mainly used the JLINK commander and JLINKScript to realize the Secure JTAG connection.
When test it, put the SecJtag.bat, JLink.exe, and NXP_RT1064_SecureJTAG.JlinkScript 3 files in the same folder.
For testing, can change the board mode to the internal boot mode, SW7:1-OFF,2-OFF, 3-ON, 4-OFF.
Run SecJtag.bat, the test situation is:
It indicates to connect JTAG_MOD to higher level
Fig 6
Here, use the wire to connect the J25_4 and TP11, which is connect the JTAG_MOD=1, then click OK, go to the next step:
Fig 7
It can be seen here that the correct UUID has been recognized, which is consistent with the UUID read by MCUBootutility above. Many customers cannot read the correct UUID here, indicating that there is a problem with hardware modification, or fuse modification, or another. Or in the case, the JTAG pin in the app is not enabled, which will be described in detail later.
Here disconnect the connection between TP11 and J25_4, the default is JTAG_MOD=0, click OK to continue
Fig 8
Here, we can see, the ARM CM7 core is found, it means this hardware platform already realize the Secure JTAG connection. Now, can use the IDEs to do the debugging.
3. Secure JTAG debug function in 3 IDEs
This chapter aims at how to use secure JTAG function in RT10XX three commonly used IDEs: MCUXpresso, IAR, MDK, to implement secure JTAG code debug operation.
3.1 Software code prepare
This article selects the SDK hello_world project as the test demo:
SDK_2_13_0_EVK-MIMXRT1064\boards\evkmimxrt1064\demo_apps\hello_world
Two points should be noted here:
- Do not use led_blinky directly, because the led control pin GPIO_AD_B0_09 used by the code is JTAG_TDI, which will cause the Secure JTAG connection to fail after downloading this code, because the pin function of JTAG has been changed.
- Add the pin configuration for JTAG in app code pinmux.c, otherwise there will be a phenomenon due to the lack of JTAG pin configuration, to the empty RT1064, which the chip that has not burned the code can use Secure JTAG connection, but once the code is burned, the connection will be failed.
Add the following code to Pinmux.c:
IOMUXC_SetPinMux(IOMUXC_GPIO_AD_B0_11_JTAG_TRSTB, 0U);
IOMUXC_SetPinMux(IOMUXC_GPIO_AD_B0_06_JTAG_TMS, 0U);
IOMUXC_SetPinMux(IOMUXC_GPIO_AD_B0_07_JTAG_TCK, 0U);
IOMUXC_SetPinMux(IOMUXC_GPIO_AD_B0_09_JTAG_TDI, 0U);
IOMUXC_SetPinMux(IOMUXC_GPIO_AD_B0_10_JTAG_TDO, 0U);
3.2 MCUXpresso Secure JTAG debug
Use MCUXpresso IDE to import the SDK hello world demo, modify the pinmux.c, which add the JTAG pin function configuration.
Configure MCUXPresso ID’s debugger JLinkGDBServerCL.exe version as your used JLINK driver version, Window->preferences
Fig 9
Run->Debug configurations, configure to JTAG, choose device as MIMXRT1064xxx6A, add the JLINKscriptfile
Fig10
Fig 11
Connect JTAG_MOD=1, which is connect TP11 to J25_4, connect OK.
Fig 12
We can see, it already gets the correct UUID, it also requires connect JTAG_MOD=0, here just leave the TP11 floating, then connect OK:
Fig 13
It can be seen that at this time, it has successfully entered the debug mode and can do debugging. For details, you can check the MCUXpresso11_7_1_MIMXRT1064_SJTAG.mp4 file in the attachment.
The test experience here is that MCUXpresso V11.7.1 is found to be a bit unstable and needs to be tried a few more times, but the download of the higher version V11.8.0 version is very stable. If you can get a version higher than V11.7.1, it is recommended to use a higher version of MCUXpresso IDE .
3.3 IAR Secure JTAG debug
Some customers need to use the IAR IDE to debug Secure JTAG function, you can use the hello world in the SDK demo, modify pinmux.c to add the JTAG pin configuration code.
The difference is:
(1) Run JLINK driver:JLinkDLLUpdater.exe
Fig 14
Just to refresh the JLINK driver to the IAR,MDK IDE.
(2) Modify the file name of JLINKscript to be consistent with the name of the demo, and put it under the settings folder of the project folder. For example, the routine here is hello_world_flexspi_nor_debug, and the file name of JlinkScript is required: hello_world_flexspi_nor_debug.JlinkScript, so that IAR will automatically call the corresponding JlinkScript file
Fig15
(3) Configure IAR debugger as JLINK JTAG
Fig 16
Fig 17
Click debug button to enter debug mode:
Fig 18
It needs to set JTAG_MOD=1, just to connect TP11 to J25_4.
Fig 19
It needs to set JTAG_MOD=0, just leave the TP11 floating, click OK to continue.
Fig 20
We can see, the IAR already can do the secure JTAG debugging.
3.4 MDK Secure JTAG debug
For the MDK secure JTAG configuration, the basic requirement is:
(1) Modify pinmux.c code to enable the JTAG pin function
(2) Run JLINK driver, JLinkDLLUpdater.exe,refresh the driver to MDK
(3) JlinkScript file name changed to JLinkSettings.JlinkScript, copy it to the folder in the mdk project, then the MDK will call the JLINKscript file automatically
Fig 21
(4) Modify debugger to JLINK, then modify the interface to JTAG
Fig 22
Fig 23
So far, the Secure JTAG related configuration of MDK has been completed. From theory, it can be directly debugged to run. But I found some problems after many tests. For the code of RAM (hello_world debug), it is no problem to be able to perform secure JTAG debug, but for the code of flash (hello_world_flexspi_nor_debug), there is no problem through secure jtag download, but the debug will run the program abnormal, check the memory data in the flash, also get the wrong data
Fig 24
We can see, UUID also correct, normally, this issue is related to the flashloader during downloading, however, the flashloader of JLINK has not been directly accessed, so I tried to use RT-UFL as the flashloader, and the debugger was successful. If customers encounter similar problems when want to use the MDK to do the secure JTAG debugging, they can use RT-UFL as the flashloader.
The reference document is:
https://www.cnblogs.com/henjay724/p/13951686.html
https://www.cnblogs.com/henjay724/p/15465655.html
To summarize it here, copy the iMXRT_UFL file to the JLINK driver folder:
C:\Program Files\SEGGER\JLINK\Devices\NXP
Copy JLinkDevices.xml to folder:
C:\Program Files\SEGGER\JLINK
The Jlinkscript file add is the same as the Figure 21.
Modify the JlinkSettings.ini file, device is MIMXRT1064_UFL, override =1.
Fig 25
Delete the program algorithm, will use the RT-UFL algorithm
Fig 26
Uncheck update target before Debugging
Fig 27
Enter debug mode:
Fig 28
Configure JTAG_MOD=1, connect TP11 to J25_4, click OK to continue:
Fig 29
Leave the TP11 as floating, click OK to enter the debug mode, the result is:
Fig 30
We can see, after changing the flashloader to the RT-UFL, MDK project Secure JTAG debug also works OK, the attachment also share the RT-UFL related files.
4. Summary
For Secure JTAG, you need to modify the hardware to support JTAG function, modify the fuse to support secure JTAG, and modify the code pins to enable the JTAG function. For the IDE debug, you need to configure the relevant interface as JTAG and add the correct JlinkScriptfile, so that the secure JTAG function can be successfully run , and perform IDE code debugging.
Attachments:
evkmimxrt1064_hello_world_SJTAG.zip:MCUXpresso project
EVK-MIMXRT1064-hello_world_iar.7z:IAR project
EVK-MIMXRT1064-hello_world_mdk.7z:MDK project
File\ NXP_RT1064_SecureJTAG.JlinkScript, JLINK script
File\ SecJtag.bat, associate with JLink.exe and NXP_RT1064_SecureJTAG.JlinkScript to realize JLINK Commander connection, which will find the ARM core.
File\ RT-UFL: RT ultra flashloader algorithm, source:https://github.com/JayHeng/RT-UFL
Here, really thanks so much for our expert @juying_zhong 's help with the Secure JTAG patient guide during my testing road!
