Use of back door access

gonmk
Contributor I

Hello, I'm working with the MCF52233. I had secured the flash (4ac8 in position 0x414) and then I tried to write data without temporarily unsecuring the flash. I was surprised when I realised the flash was written successfully. I read all the info about the Back door access in the data sheet but I still don't understand what the back door access is used for.

Does anybody know what the back door access is used for?

Thanks in advance.

Gonzalo

 

gonmk
Contributor I

Tom,
I want to protect the flash against copying. So I wrote 4ac8 at offset 0x414. Also I want the program to save user data in the last block of the flash. I achieved this as you said: the "Back Door" which is always enabled and is described as "backdoor flash address of IPSBAR plus an offset of 0x0400_0000".

At the beginning, I thought it was necessary to temporarily unsecure the flash in order to write it. Then I realised that I can write the flash without unsecuring. So I think: "the backdoor access key must have a function". I don't understand what this function is. Surely this function is security related, so I want to learn when a user should temporarily unsecure the flash. That's all.

Thanks again

Gonzalo

TomE
Specialist II

Again, the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key".

The "User Code" is INSIDE the "security boundary". It can be trusted to do whatever it wants, including writing new data to the end of the FLASH.

The whole point of the Security system is to prevent anything OUTSIDE the chip from being able to read the code in the FLASH unless they have the 8-byte secret key. Or you can be really paranoid and disable the "security back door" completely. The only way into the system in that case requires you to completely erase the entire FLASH first.

Security is complicated. It can't be explained simply.


Read this section again, and all the other security-related features it refers to:

17.4.3 Flash Security Operation

Keep reading until you understand it. If you can't understand it, find someone there (not here) who can.

Tom


gonmk
Contributor I

Hi Tom,

I really appreciate the time you take to answer. I would like to make a few statements:

1) I know the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key". I agree security is complicated, but the info in the data sheet isn't enough.

2) Why can't I use the forum to find someone who understands a little more than me? This is the Freescale ColdFire forum!!

3) Some uCs can use hot-plug debuggers. I looked for a hot-plug debugger for the ColdFire and I didn't find one.

4) EzPort, JTAG, and BDM must reset the ColdFire in order to start the operation.

5) The backdoor key unsecures the flash until the next reset.

If we put 3, 4 and 5 together: why would a user want to use the backdoor key in order to temporarily unsecure the CFM?

Could you please answer the last question??

Thanks in advance

Gonzalo

TomE
Specialist II

> Why can't I use the forum to find someone who understands a little more than me?

You can, but any complete explanation would be as long as the reference manual.

> Could you please answer the last question??

I don't understand your question as phrased, but reading through the previous times you've asked it, you can't see a use for it.

Let's see if I can try again. Note I'm reading the Reference Manual, I don't know any more than that.

Assume you don't want your code pirated. You SECURE the chip. That disables the BDM, so you can't get to it with the debugger any more. If you have secured it and disabled the backdoor (KEYEN bit in CFMSEC), then the only access to the chip starts with erasing the entire FLASH and then performing the blank-check. That unsecures it and lets you write new (or the same) code back to the chip. You can also write it back with security turned off.

If you have enabled back door access, then you can use that to remove the security, and then are able to read the code and debug the chip. But only people who know the 8-byte security code.

Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read logged data that isn't available any other way. There may be some part of your production process that requires programming, testing and then reprogramming with a different version of code.

Does that help explain what it is for?

> I had secured the flash ( 4ac8 in position 0x414 ) and then i tried to write ...

If you were able to get full access to the chip after "securing" it, then maybe you didn't secure it properly, or the operation didn't work or you didn't reset/power-cycle the chip after doing that. After resetting you should be able to read the "secured state" from CFMSEC[SECSTAT]. Write some code that reads that register and prints out the result somehow (or flashes a LED differently for the different states of that bit). You may find the chip isn't really secured.

Tom

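One way to do the check Tom suggests, as an added example that is not code from this thread or from Freescale: it decodes a raw CFMSEC value into the three states the discussion describes (unsecured, secured with the backdoor key enabled, secured with the backdoor disabled) and previews the state a configuration word would give once programmed. The offset 0x414 and the value 0x4AC8 come from the thread; the IPSBAR base, the CFMSEC offset and the bit positions of KEYEN, SECSTAT and SEC are assumptions to be checked against chapter 17 of the MCF5223x Reference Manual.

```c
#include <stdint.h>
#include <stdbool.h>

/* From the thread: 0x4AC8 programmed at flash offset 0x414 secures the part.
 * ASSUMPTIONS to verify in chapter 17 of the MCF5223x RM: IPSBAR at
 * 0x4000_0000, CFMSEC at IPSBAR + 0x1D_0008, KEYEN bit 31, SECSTAT bit 30,
 * SEC in bits 15:0. */
#define CFM_SEC_SECURED  0x4AC8u
#define IPSBAR_BASE      0x40000000u
#define CFMSEC_ADDR      (IPSBAR_BASE + 0x001D0008u)
#define CFMSEC_KEYEN     (1u << 31)
#define CFMSEC_SECSTAT   (1u << 30)
#define CFMSEC_SEC_MASK  0x0000FFFFu

enum cfm_state {
    CFM_UNSECURED = 0,        /* BDM, JTAG and EzPort fully usable          */
    CFM_SECURED_BACKDOOR = 1, /* locked; the 8-byte key can unlock it       */
    CFM_SECURED_LOCKED = 2    /* locked; only a mass erase gets access back */
};

/* Pure decode of a raw CFMSEC value, so it can be checked on a host. */
enum cfm_state cfm_decode(uint32_t cfmsec)
{
    if ((cfmsec & CFMSEC_SECSTAT) == 0)
        return CFM_UNSECURED;
    return (cfmsec & CFMSEC_KEYEN) ? CFM_SECURED_BACKDOOR : CFM_SECURED_LOCKED;
}

/* State a configuration word would put the part in once it is programmed
 * at 0x414 and the chip is reset: useful before committing it to flash. */
enum cfm_state cfm_state_for_config_word(uint32_t word)
{
    if ((word & CFMSEC_SEC_MASK) != CFM_SEC_SECURED)
        return CFM_UNSECURED;
    return (word & CFMSEC_KEYEN) ? CFM_SECURED_BACKDOOR : CFM_SECURED_LOCKED;
}

/* Tom's LED idea: blink once, twice or three times for the three states. */
unsigned cfm_blink_count(enum cfm_state s)
{
    return 1u + (unsigned)s;
}

int main(void)
{
    /* A real register read on the target; meaningless on a host. */
    uint32_t raw = *(volatile uint32_t *)CFMSEC_ADDR;
    return (int)cfm_blink_count(cfm_decode(raw)); /* feed to your LED code */
}
```

Run the decode after a reset or power cycle, since the security state is only loaded from the flash configuration field at that point.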
gonmk
Contributor I

> Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read logged data that isn't available any other way. There may be some part of your production process that requires programming, testing and then reprogramming with a different version of code.

> Does that help explain what it is for?

Yes, I read and understood the same as you explain. But all debuggers reset the CFM, and so the CFM is secured again! I didn't find a hot-plug debugger for ColdFire. Do you know one?

By the way, I was able to get full access to the chip after "securing" it, but from the inside. I read CFMSEC[SECSTAT] and the CFM is secured. Also the BDM can't be connected, which means that the CFM is unsecured.

Thanks again!!!!

TomE
Specialist II

> I was able to get full access to the chip after "securing" it, but from the inside


That's inside the "security perimeter". You can do what you like there. "Security" is only for external threats (in most countries, most of the time :-). The Flash sector protection bits are there to protect against "accidents" from inside.


Tom



gonmk
Contributor I

Thanks again.

What about the other question...

> But all debuggers reset the CFM, and so the CFM is secured again! I didn't find a hot-plug debugger for ColdFire. Do you know one?



Gonzalo

TomE
Specialist II

> Do you know one?


No. Why do you want one?


> But all debuggers reset the CFM, and so th CFM is secured again!.


I assume you want to connect to a secured part and then conduct a debugging session. I would guess that the first time you connect (and temporarily unsecure the part) you're meant to write to the FLASH to force it to be unsecured. Then you work on it unsecured. Then if you want it secure again you reflash it to be secured.


Tom


gonmk
Contributor I

No, I don't need one. I just want to know the purpose of the BackDoor Key Access. In my opinion, if Freescale designs something, it must be useful.

The key access sequence is done from outside the flash. So, which is the tool that can do it?

TomE
Specialist II

> In my opinion, if Freescale designs something, it must be useful.

To be young and innocent again... I would never expect that. These parts are a "pick and mix" of previously designed and used modules. They don't always fit together as well as you might hope.

> The key access sequence is done from outside the flash.

Obviously outside the Flash, but not necessarily from outside the CHIP. The smart way would be to write some code that unlocks the chip after interacting with the user to get authentication, like entering the 8-byte code on a keypad, serial port, magstripe, RFID, USB or whatever is appropriate. In some instances using an external device might be the most appropriate.

> which is the tool that can do it?

Anything that supports "17.4.3.3 JTAG Lockout Recovery" or "17.4.3.4 EzPort Lockout Recovery". If Freescale's web site wasn't down I'd expect to be able to find a list of devices that can do this on the product page. That's a simple search you should do yourself.

Tom

gonmk
Contributor I

Hi Tom, thanks again.

If the chip "talks" with a user, then the key could be as big as the designer wants, and not a fixed 8 bytes.

About JTAG and EzPort, if the flash is secured, they can only erase all the flash; they do not enter debug mode. I thought there was a tool to "talk" with the flash (not through the program). That's all the confusion. It seems to be like you said: "These parts are a "pick and mix" of previously designed and used modules".

Thanks a lot again

TomE
Specialist II

The Reference Manual is confusing as they describe a "Back Door" (also "Backdoor") and also a "Backdoor Key". They're different things. The non-key one isn't a "security beating back door". It is a secondary port for accessing the RAM or FLASH. The RAM and FLASH have optimised interfaces so the CPU can read them very quickly. The DMA devices can't get to the RAM and FLASH this way. They need a second port (the "back door") that supports normal, simple read and write accesses.

When programming the FLASH, the CPU has to access the FLASH chip via this same "back door" that the peripherals use so it can perform the simple reads and writes that the Flash controller understands. These two access paths are distinguished by having the Flash appear at two different address ranges.

1.4.4.2 Flash

"The CFM interfaces to the ColdFire core through an optimized read-only memory controller which supports interleaved accesses from the 2-cycle flash arrays. A backdoor mapping of the flash memory is used for all program, erase, and verify operations, as well as providing a read datapath for the DMA."

Read:

Table 13-3. RAMBAR Field Description

Read:

13.6 Internal Bus Arbitration

Search the Reference Manual for "Back Door" (3 hits) and "backdoor" (25 hits).

Search this forum for "backdoor" and "back door" as well.


Tom

gonmk
Contributor I

Hi Tom,

Thanks for your answer. I agree the words are a little confusing.

I was talking about the backdoor access sequence. I don't find a use for it. As I said, I secured the flash, and then I wrote to the flash via the backdoor access, so I don't understand the uses of unsecuring the flash.

Why would a user want to unsecure the flash via the backdoor access sequence with the comparison key? Is it to enable the DMA to have write access to flash??

Thanks again

Gonzalo

TomE
Specialist II

> I don't find a use for it.

So?

> I wrote to the flash via the backdoor access

That's because you had a copy of the "Backdoor Key" that was used to secure the device. If you didn't have that key you wouldn't be able to access the chip, steal the code and flood eBay with millions of pirated clones of whatever hardware that chip is in.

> Is it to enable the DMA to have write access to flash?

No, read through the manual again. The "Backdoor Key" described in the CFM module is all about security and locking down the chip against copying.

The SRAM has a "back door" controlled by the BDE bit in RAMBAR.

The Flash has a "Back Door" which is always enabled and is described as "backdoor flash address of IPSBAR plus an offset of 0x0400_0000". It can be used for DMA access, but MUST be used for writing programming commands to the FLASH.

They're different things with similar names that can be told apart by context.

If I've answered your question, please mark it "Answered".

Tom
