Secure JTAG in imxrt1060-evk using JLink base

Min1 · ‎07-20-2021

Hello.

I'm using imxrt1060-evk. The board has MIMXRT1062DVL6A processor.

I want to use secure jtag so I followed AN12419 manual.

I did the fuse configuration described in the manual.

here is my board & debugger connection.

I'm using J-Link Base. I connected it to J21.

Power is supplied by DC 5V connection( J2). To use J2, J1 is connected to 1-2.

Here is my JLinkScript.

int InitTarget(void) {
int r;
int v;
int Key0;
int Key1;

JLINK_SYS_Report("***********************************************");
JLINK_SYS_Report("J-Link script: InitTarget() *");
JLINK_SYS_Report(" NXP iMXRT, Enable Secure JTAG *");
JLINK_SYS_Report("***********************************************");

JLINK_SYS_MessageBox("Set pin JTAG_MOD => 1 and press any key to continue...");

// Secure response stored @ 0x600, 0x610 in eFUSE region (OTP memory)
Key0 = 0xa2631407; //I modified it to my eFuse value
Key1 = 0x00e33510; //I modified it to my eFuse value

JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=0;DRPost=0;IRLenDevice=4"); //I modified IRLenDevice to 4
CPU = CORTEX_M7;

JLINK_SYS_Sleep(100);

JLINK_JTAG_WriteIR(0xC); // Output Challenge instruction

// Readback Challenge, Shift 64 dummy bits on TDI, TODO: receive Challenge bits on TDO
JLINK_JTAG_StartDR();
JLINK_SYS_Report("Reading Challenge ID....");

JLINK_JTAG_WriteDRCont(0xffffffff, 32); // 32-bit dummy write on TDI / read 32 bits on TDO
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID0:", v);

JLINK_JTAG_WriteDREnd(0xffffffff, 32);
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID1:", v);

JLINK_JTAG_WriteIR(0xD); // Output Response instruction

JLINK_JTAG_StartDR();
JLINK_JTAG_WriteDRCont(Key0, 32);
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Response key:", v);
JLINK_JTAG_WriteDREnd(Key1, 24);
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Response key:", v);

JLINK_SYS_MessageBox("Change pin JTAG_MOD => 0, press any key to continue...");

return 0;
}

Here is my J-Link result.

I thought Secure JTAG will be unlocked by using jLinkScript above.

However, unlocking failed and J-Link reported the wrong UUID.

J-Link also reported that it failed to power up DAP.

How can I solve it??

kerryzhou · ‎07-20-2021

Hi @Min1

Some points you have missed:

1. JTAG mode modification.

You need to remove R323, R309, R152 as it connect the JTAG pins to the ENET PHY chip.

In fact, before your test the secure JTAG, you need to make the JTAG works at first, but now you already write the SJTAG.

2. From the AN12419, you missed this steps:

Finally, the user must program 0x1 in the eFuse SJC_RESP _LOCK to disable read/write access of the secret
response key. After this operation, the secret response field “SJC_RESP” becomes “invisible” in the fuse map. See
Figure 3 and Figure 4 .

I don't know whey you modify your script :

JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=0;DRPost=0;IRLenDevice=4"); //I modified IRLenDevice to 4

You can use the default:

JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=0;DRPost=0;IRLenDevice=5");

You just need to modify the key0,key1 to your own fuse data.

Not long ago, I help one customer test the RT1050 SJTAG, it works OK:

https://community.nxp.com/t5/i-MX-RT/Secure-JTAG-in-imxrt1050-EVKB/m-p/1293040/page/2

Normally, I test the SJTAG, will let the JTAG work at first, then add the SJTAG.

You can add the above two missed points and test it again.

BTW, SW7 should be:1-off,2-off, 3-off, 4-on serial download mode.

1-OFF, 2-OFF,3-ON, 4-OFF, internal boot mode

Any updated information, just kindly let me know.

Kerry

Min1 · ‎07-21-2021

Hello. @kerryzhou

Thank you for your answer.

I followed your step but failed again.

1. I edited eFuse configuration like the pic below.

2. removed R323, R309, R152

3. modified JLink Script

but the JLink result is failed.

The Challenge UUID & response key is still wrong.

kerryzhou · ‎07-22-2021

Hi @Min1

Do you use your JLINK base to connect the MIMXRT1060-EVK board before you modify the fuse?

I mean, whether you can use your JLINK base to debug the RT1060 or not?

In my memory, JLINK base may have limit to connect the RT1060, I am using the JLINK plus, so if you didn't use it to debug the RT chip previously, you can check with Segger side, just make sure your JLINK base can support the RT at first.

Any updated information, kindly let me know.

Best Regards,

Kerry

Min1 · ‎08-05-2021

Sorry for the late reply @kerryzhou.

I have JLink Plus too, so I tested secure jtag using link plus.

It failed again. However, I discovered another problem.

When I connect JLink to secure JTAG board, JLink discovered only 1 device in JTAG chain!

JLink didn't find other device. It found only ARM CoreSight JTAG which has 4 IRLen.

Is it right for JLink to find only one device when Secure JTAG is activated?

Best Regards,

Min

kerryzhou · ‎08-08-2021

Hi @Min1

If just connect one device to the JTAG , I think find one device is correct.

Now, your UUID still not correct? What about the JTAG_MOD pin, do you connect it to higher or low?

Best Regards,

Kerry

Min1 · ‎08-08-2021

First, It starts with JTAG_MOD= 0.

I connect JTAG_MOD pin manually like the pic below and connected it to DC 3.3 or GND to change pin value.

kerryzhou · ‎08-08-2021

Hi @Min1

Before you run the jlinkscript, set the JTAG_MOD=1, then run the jlinkscript, the jlinkscript will tell you set it to 0, then you change MOD to 0.

Please test it again.

before you add the secure, do you test the JTAG at first, whether that works or not?

Best Regards,

KERRY

Min1 · ‎08-08-2021

Yes, JTAG worked before secure JTAG.

I set JTAG_MOD to 1 and followed script message but failed.

JLink reported error that Too few devices on the JTAG bus. IRPos: 0, TotalIRLen: 4 like the message.

etc. I didn't edit TotalIRLen in script.

Best Regards,

Min1

kerryzhou · ‎08-08-2021

Hi @Min1

https://community.nxp.com/t5/i-MX-RT/Secure-JTAG-in-imxrt1050-EVKB/td-p/1290923/page/2

This post add more details about my secure JTAG testing, it also has the wave.

You also can check the JTAG wave, whether it is correct.

About the JLINKscript, I just modify the key data.

int InitTarget(void) {
int r;
int v;
int Key0;
int Key1;

JLINK_SYS_Report("***********************************************");
JLINK_SYS_Report("J-Link script: InitTarget() *");
JLINK_SYS_Report(" NXP iMXRT, Enable Secure JTAG *");
JLINK_SYS_Report("***********************************************");

JLINK_SYS_MessageBox("Set pin JTAG_MOD => 1 and press any key to continue...");

// Secure response stored @ 0x600, 0x610 in eFUSE region (OTP memory)
// Key0 = 0x87654321;
// Key1 = 0xedcba9;
Key0 = 0x00000000;
Key1 = 0x87654321;

JLINK_CORESIGHT_Configure("IRPre=0;DRPre=0;IRPost=0;DRPost=0;IRLenDevice=5");
CPU = CORTEX_M7;

JLINK_SYS_Sleep(100);

JLINK_JTAG_WriteIR(0xC); // Output Challenge instruction

// Readback Challenge, Shift 64 dummy bits on TDI, TODO: receive Challenge bits on TDO
JLINK_JTAG_StartDR();
JLINK_SYS_Report("Reading Challenge ID....");

JLINK_JTAG_WriteDRCont(0xffffffff, 32); // 32-bit dummy write on TDI / read 32 bits on TDO
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID0:", v);

JLINK_JTAG_WriteDREnd(0xffffffff, 32);
v = JLINK_JTAG_GetU32(0);
JLINK_SYS_Report1("Challenge UUID1:", v);

JLINK_JTAG_WriteIR(0xD); // Output Response instruction

JLINK_JTAG_StartDR();
JLINK_JTAG_WriteDRCont(Key0, 32);
JLINK_JTAG_WriteDREnd(Key1, 24);

JLINK_SYS_MessageBox("Change pin JTAG_MOD => 0, press any key to continue...");

return 0;
}