RT1064, flash reading protection.

luishs
Senior Contributor I

 

Hi.

I am migrating commercial projects from Kinetis MK66 to RT1064, and I need to ensure that the programs, once loaded into the microcontroller, cannot be read and extracted.

In the Kinetis MK66 we did it by creating the project with Segger's J-Link, but for the RT1064 I don't see anything similar.

How can the flash be protected, so that the program cannot be read and extracted in the RT1064?
I read about the encryption options, but I understand that encryption is necessary when the flash is external. In the RT1064 and RT1024 the flash is internal, so it would not be necessary to do the entire encryption process; it would be enough to activate a fuse that prevents reading and extraction of the flash.

Regards

1 Solution
kerryzhou
NXP TechSupport

Hi @luishs,

RT1064 and Kinetis are totally different chips.

Kinetis uses internal flash. RT1064 also uses "internal flash", but this chip is packaged with a Winbond W25Q32JV flash memory. RT1064 communicates with the Winbond flash chip over the FlexSPI interface.

So, the protection for Kinetis and for the RT1064 is totally not the same.

For the RT1064, you can secure the JTAG interface:

https://www.nxp.com/docs/en/application-note/AN12419.pdf

Another option is encryption: HAB signed, HAB encrypted, BEE.

https://www.nxp.com/webapp/sps/download/mod_download.jsp?colCode=AN12681&location=null&appType=moder...

You can also use our SPT tool:

https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-s...

Wish it helps you!

Best Regards,

Kerry

   


luishs
Senior Contributor I

 

Thanks.
I can't download AN12681 from your second link. It asks me for a provider name and email; I entered Mouser's, but it's not accepted.

How can I download AN12681? My usual supplier is Mouser.

Regarding the JTAG protection solution: does that also work to prevent access via JTAG and SWD? In this way, could I prevent my firmware, once loaded, from being accessed via JTAG or SWD to read it, delete it, or load new firmware?

Regards

kerryzhou
NXP TechSupport

Hi @luishs,

The AN12681 application note needs special approval; you can see the note when you download it:

kerryzhou_0-1653960814844.png

Just entering the distributor is not enough; it needs approval from the NXP salesperson or the FAE. So you need to contact your distributor first, and they will help you contact the relevant NXP person. I also don't have the approval authority.

As for secure JTAG: after it is secured, you can only use JTAG, not SWD anymore.

About BEE/HAB, you can also use our SPT tool directly:

https://www.nxp.com/design/software/development-software/mcuxpresso-software-and-tools-/mcuxpresso-s...

It will help you secure the memory.

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1015-APP-BEE-encryption-operation-method/ta-p/...

https://community.nxp.com/t5/i-MX-RT-Knowledge-Base/RT1050-HAB-Encrypted-Image-Generation-and-Analys...

But please note that securing the flash requires burning the fuse, so you must be very careful, and it can't be undone. I suggest you learn the related knowledge first, then do the operation.

Best Regards,

kerry

 

luishs
Senior Contributor I

A question about preventing access to modify or read the flash. You tell me that following your instructions the access by SWD would be denied, but the access by JTAG would be active.

So the question is whether it is possible to prevent all types of access, both by JTAG and by SWD: to leave the chip in a state where, after loading my firmware, no one can access the chip either by JTAG or SWD, so it could not be read, modified or deleted.

If this is not possible, then I would have to look at the options to encrypt my firmware, to protect it from reading, since it is a commercial product.

kerryzhou
NXP TechSupport

Hi @luishs,

Yes, you can even disable the debugger interface:

kerryzhou_0-1654134084283.png

Then the external side can't access the flash through the JTAG/SWD interface.

But if your boot mode can still be set, then the RT1064 can still be accessed through the serial download mode, so you can also change the boot mode to the fuse boot mode. For more details, check the RT1064 RM, chapter 9.3.3 Boot From Fuses mode (BOOT_MODE[1:0] = 00b).

Best Regards,

Kerry

luishs
Senior Contributor I

 

Thanks.
