Mark Butcher

Unsecuring FLASH using backdoor keys - M5223X

Discussion created by Mark Butcher on Mar 17, 2008
Latest reply on Mar 21, 2008 by Mark Butcher
Hi All

We have been using the security function to block access to the internal program in FLASH - this stops any BDM access and thus also subsequent debugging and is perfect for the protection requirement.

It is possible for us to upload new encrypted code via the Internet (HTTP post) to the device - the CPU can delete and program the new code after decryption so there is generally no need to be able to access the FLASH at a later time.

If it is necessary to be able to debug on a board we can delete the complete code via EzPort, which opens up BDM access again, and then work normally.

What we are missing is the ability to unlock a board by entering the backdoor keys (eg. when EzPort is not an option). This is implemented on a web page in the device, allowing the (secret) 16-byte backdoor keys to be entered, and the idea is to temporarily unlock the FLASH (security is deactivated until the next reset) and then clear the configuration FLASH in this state (write block 0x400 to 0x418 to zero).

Presently the last step is proving to be a difficulty. We have tried various interpretations of the guidelines for doing this in the user's manual but haven't been successful yet. What is sure is that the FLASH is secured and that the backdoor access is indeed enabled. Has anyone achieved this?

Here are more details:

The security setting:
.long 0x11223344    // backdoor key set to 0x1122334455667788
.long 0x55667788
.long 0x00000000
.long 0x00000000
.long 0x00000000
.long 0x80004AC8    // security enabled with backdoor access allowed

This is a variant of the code being used to try to unlock this (the backdoor keys are passed as two long words):

// CFMSEC, SECSTAT, KEYEN, CFMMCR, KEYACC and BACKDOOR_FLASH are the CFM register
// and bit definitions from the M5223X device header
int fnEnableBackdoor(unsigned long key[2])
{
    unsigned long *ulKeyLocation = (unsigned long *)0x400;           // backdoor key field in the configuration FLASH
    if (CFMSEC & SECSTAT) {                                          // device secured
        if (CFMSEC & KEYEN) {                                        // is backdoor key access enabled?
            CFMMCR |= KEYACC;                                        // enable backdoor key access
            *(unsigned long *)(BACKDOOR_FLASH + ulKeyLocation++) = key[0]; // write backdoor access keys
            *(unsigned long *)(BACKDOOR_FLASH + ulKeyLocation) = key[1];
            CFMMCR &= ~KEYACC;                                       // normal flash access
            if (!(CFMSEC & SECSTAT)) {                               // check whether the device could be unsecured
                return 1;
            }
            else {
                return 0;
            }
        }
        else {
            return 0;
        }
    }
    return 1;
}

It is not absolutely clear whether the writes to the backdoor keys need to be via the backdoor or direct - we have tried all combinations. Some cause exceptions when tried, some don't, but no attempt has yet been successful in actually unsecuring a device.

Any ideas?


Mark Butcher