Hello, I'm working with the MCF52233. I had secured the flash (4ac8 in position 0x414) and then I tried to write data without temporarily unsecuring the flash. I was surprised when I realised the flash was written successfully. I read all the info about the back door access in the data sheet but I still don't understand what the back door access is used for.
Does anybody know what the back door access is used for?
Thanks in advance.
Gonzalo
Tom,
I want to protect the flash against copying. So I wrote 4ac8 at offset 0x414. I also want the program to save user data in the last block of the flash. I achieve this as you said: "Back Door" which is always enabled and is described as "backdoor flash address of IPSBAR plus an offset of 0x0400_0000".
At the beginning, I thought it was necessary to temporarily unsecure the flash in order to write it. Then I realised that I can write the flash without unsecuring. So I think: "the backdoor access key must have a function". I don't understand what this function is. Surely this function is security related, so I want to learn when a user should temporarily unsecure the flash. That's all.
Thanks again
Gonzalo
Again, the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key".
The "User Code" is INSIDE the "security boundary". It can be trusted to do whatever it wants, including writing new data to the end of the FLASH.
The whole point of the Security system is to prevent anything OUTSIDE the chip from being able to read the code in the FLASH unless they have the 8-byte secret key. Or you can be really paranoid and disable the "security back door" completely. The only way into the system in that case requires you to completely erase the entire FLASH first.
Security is complicated. It can't be explained simply.
Read this section again, and all the other security-related features it refers to:
17.4.3 Flash Security Operation
Keep reading until you understand it. If you can't understand it, find someone there (not here) who can.
Tom
Hi Tom,
I really appreciate the time you take to answer. I would like to make a few statements:
1) I know the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key". I agree security is complicated, but the info in the data sheet isn't enough.
2) Why can't I use the forum to find someone who understands a little more than me? This is the Freescale ColdFire forum!!
3) Some uC can use hot-plug debuggers. I looked for a hot-plug debugger for the ColdFire and I didn't find one.
4) EzPort, JTAG, and BDM must reset the ColdFire in order to start the operation.
5) The backdoor key unsecures the flash until the next reset.
If we put 3, 4 and 5 together: why would a user want to use the backdoor key to temporarily unsecure the CFM?
Could you please answer the last question??
Thanks in advance
Gonzalo
> Why can't I use the forum to find someone who understands a little more than me?
You can, but any complete explanation would be as long as the reference manual.
> Could you please answer the last question??
I don't understand your question as phrased, but reading through the previous times you've asked it, you can't see a use for it.
Let's see if I can try again. Note I'm reading the Reference Manual, I don't know any more than that.
Assume you don't want your code pirated. You SECURE the chip. That disables the BDM, so you can't get to it with the debugger any more. If you have secured it and disabled the backdoor (KEYEN bit in CFMSEC), then the only access to the chip starts with erasing the entire FLASH and then performing the blank-check. That unsecures it and lets you write new (or the same) code back to the chip. You can also write it back with security turned off.
If you have enabled back door access, then you can use that to remove the security, and then are able to read the code and debug the chip. But only people who know the 8-byte security code.
Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read logged data that isn't available any other way. There may be some part of your production process that requires programming, testing and then reprogramming with a different version of code.
Does that help explain what it is for?
> I had secured the flash (4ac8 in position 0x414) and then I tried to write ...
If you were able to get full access to the chip after "securing" it, then maybe you didn't secure it properly, or the operation didn't work or you didn't reset/power-cycle the chip after doing that. After resetting you should be able to read the "secured state" from CFMSEC[SECSTAT]. Write some code that reads that register and prints out the result somehow (or flashes a LED differently for the different states of that bit). You may find the chip isn't really secured.
Tom
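The check suggested in the post above, as an added example (not code from the thread or from Freescale): it classifies the live CFMSEC value against the word programmed at flash offset 0x414. The KEYEN (bit 31), SECSTAT (bit 30) and SEC (bits 15-0) positions and the sample words are assumptions to confirm against section 17 of the reference manual; on the target, the two inputs would be read from the register and the flash instead of being passed in as constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed CFMSEC layout; confirm against the reference manual. */
#define CFMSEC_KEYEN    (1u << 31)  /* backdoor key mechanism enabled   */
#define CFMSEC_SECSTAT  (1u << 30)  /* security currently in effect     */
#define CFMSEC_SEC_MASK 0xFFFFu
#define SEC_SECURED     0x4AC8u     /* value quoted in the thread       */

enum cfm_state {
    CFM_UNSECURED,          /* debugger/BDM access allowed              */
    CFM_PENDING_RESET,      /* 0x4AC8 programmed, not yet in effect     */
    CFM_SECURED_KEY,        /* secured; 8-byte backdoor key can unlock  */
    CFM_SECURED_ERASE_ONLY  /* secured; only mass erase + blank check   */
};

/* live_reg:   value read from the CFMSEC register
 * flash_word: configuration word read from flash offset 0x414 */
enum cfm_state cfm_classify(uint32_t live_reg, uint32_t flash_word)
{
    if (live_reg & CFMSEC_SECSTAT)
        return (live_reg & CFMSEC_KEYEN) ? CFM_SECURED_KEY
                                         : CFM_SECURED_ERASE_ONLY;
    /* SECSTAT clear: is the flash programmed to secure at next reset? */
    if ((flash_word & CFMSEC_SEC_MASK) == SEC_SECURED)
        return CFM_PENDING_RESET;
    return CFM_UNSECURED;
}

const char *cfm_describe(enum cfm_state s)
{
    switch (s) {
    case CFM_UNSECURED:     return "unsecured";
    case CFM_PENDING_RESET: return "secure value programmed, reset needed";
    case CFM_SECURED_KEY:   return "secured, backdoor key enabled";
    default:                return "secured, erase-only recovery";
    }
}

int main(void)
{
    /* Constructed sample pairs {live register, flash word}. */
    uint32_t s[][2] = { {0x8000FFFFu, 0xFFFFFFFFu}, {0x8000FFFFu, 0x80004AC8u},
                        {0xC0004AC8u, 0x80004AC8u}, {0x40004AC8u, 0x00004AC8u} };
    for (unsigned i = 0; i < 4; i++)
        printf("reg=%08lX flash=%08lX -> %s\n", (unsigned long)s[i][0],
               (unsigned long)s[i][1], cfm_describe(cfm_classify(s[i][0], s[i][1])));
    return 0;
}
```
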
> Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read logged data that isn't available any other way. There may be some part of your production process that requires programming, testing and then reprogramming with a different version of code.
> Does that help explain what it is for?
Yes, I read and understood the same as you explain. But all debuggers reset the CFM, and so the CFM is secured again! I didn't find a hot-plug debugger for ColdFire. Do you know one?
By the way, I was able to get full access to the chip after "securing" it, but from the inside. I read CFMSEC[SECSTAT] and the CFM is secured. Also the BDM can't be connected, which means that the CFM is unsecured.
Thanks again!!!!
> I was able to get full access to the chip after "securing" it, but from the inside
That's inside the "security perimeter". You can do what you like there. "Security" is only for external threats (in most countries, most of the time :-). The Flash sector protection bits are there to protect against "accidents" from inside.
Tom
Thanks again.
What about the other question...
> But all debuggers reset the CFM, and so the CFM is secured again! I didn't find a hot-plug debugger for ColdFire. Do you know one?
Gonzalo
> Do you know one?
No. Why do you want one?
> But all debuggers reset the CFM, and so the CFM is secured again!
I assume you want to connect to a secured part and then conduct a debugging session. I would guess that the first time you connect (and temporarily unsecure the part) you're meant to write to the FLASH to force it to be unsecured. Then you work on it unsecured. Then if you want it secure again you reflash it to be secured.
Tom
No, I don't need one. I just want to know the purpose of the Backdoor Key Access. In my opinion, if Freescale designs something, it must be useful.
The key access sequence is done from the outside of the flash. So, which is the tool that can do it?
> In my opinion, if Freescale designs something, it must be useful.
To be young and innocent again... I would never expect that. These parts are a "pick and mix" of previously designed and used modules. They don't always fit together as well as you might hope.
> The key access sequence is done from the outside of the flash.
Obviously outside the Flash, but not necessarily from outside the CHIP. The smart way would be to write some code that unlocks the chip after interacting with the user to get authentication, like entering the 8-byte code on a keypad, serial port, magstripe, RFID, USB or whatever is appropriate. In some instances using an external device might be the most appropriate.
> which is the tool that can do it?
Anything that supports "17.4.3.3 JTAG Lockout Recovery" or "17.4.3.4 EzPort Lockout Recovery". If Freescale's web site wasn't down I'd expect to be able to find a list of devices that can do this on the product page. That's a simple search you should do yourself.
Tom
Hi Tom, thanks again.
If the chip "talks" with a user, then the key could be as big as the designer wants, and not fixed at 8 bytes.
About JTAG and EzPort, if the flash is secured, they can only erase all the flash. They do not enter debug mode. I thought there was a tool to "talk" with the flash (not through the program). That's all the confusion. It seems to be like you said: >>These parts are a "pick and mix" of previously designed and used modules<<
Thanks a lot again
The Reference Manual is confusing as they describe a "Back Door" (also "Backdoor") and also a "Backdoor Key". They're different things. The non-key one isn't a "security beating back door". It is a secondary port for accessing the RAM or FLASH. The RAM and FLASH have optimised interfaces so the CPU can read them very quickly. The DMA devices can't get to the RAM and FLASH this way. They need a second port (the "back door") that supports normal, simple read and write accesses.
When programming the FLASH, the CPU has to access the FLASH chip via this same "back door" that the peripherals use so it can perform the simple reads and writes that the Flash controller understands. These two access paths are distinguished by having the Flash appear at two different address ranges.
1.4.4.2 Flash
"The CFM interfaces to the ColdFire core through an optimized read-only memory
controller which supports interleaved accesses from the 2-cycle flash arrays. A backdoor mapping of the
flash memory is used for all program, erase, and verify operations, as well as providing a read datapath for
the DMA."
Read:
Table 13-3. RAMBAR Field Description
Read:
13.6 Internal Bus Arbitration
Search the Reference Manual for "Back Door" (3 hits) and "backdoor" (25 hits).
Search this forum for "backdoor" and "back door" as well.
Tom
Hi Tom,
Thanks for your answer. I agree the words are a little confusing.
I was talking about the backdoor access sequence. I don't find a use for it. As I said, I secured the flash, and then I wrote to the flash via the backdoor access, so I don't understand the use of unsecuring the flash.
Why would a user want to unsecure the flash via the backdoor access sequence with the comparison key? Is it to enable the DMA to have write access to flash??
Thanks again
Gonzalo
> I don't find a use for it.
So?
> I wrote to the flash via the backdoor access
That's because you had a copy of the "Backdoor Key" that was used to secure the device. If you didn't have that key you wouldn't be able to access the chip, steal the code and flood eBay with millions of pirated clones of whatever hardware that chip is in.
> Is it to enable the DMA to have write access to flash?
No, read through the manual again. The "Backdoor Key" described in the CFM module is all about security and locking down the chip against copying.
The SRAM has a "back door" controlled by the BDE bit in RAMBAR.
The Flash has a "Back Door" which is always enabled and is described as "backdoor flash address of IPSBAR plus an offset of 0x0400_0000". It can be used for DMA access, but MUST be used for writing programming commands to the FLASH.
They're different things with similar names that can be told apart by context.
If I've answered your question, please mark it "Answered".
Tom