My group is currently trying to access an MPC5777C device that we've censored. We know for sure that the JTAG password is programmed, as well as the password for PASS Group 0 and possibly Group 1, however it's my understanding that we can gain access with only one password.
The life cycle of the device is set to OEM Production.
We are using the Greenhills MULTI environment. We've successfully been able to reset and halt the device by writing to the jtag_password_hi and jtag_password_lo registers.
We can read flash memory at this point using the "memory view" window. However, when we try to download a program over the debugger, it seems to fail to read memory at all (i.e. the probe thinks a block is erased when it is actually populated).
Additionally, we're having trouble accessing the CIN0-7 registers. We've successfully written to the PASS_CHSEL register and have seen it change to acknowledge a new master, but writing the password to the CIN area has no effect.
Can someone help us better understand how to gain access to the device?
P.S. We figured this out for the most part, turned out it was a matter of having every password group loaded.
The question now, though, is exactly how password words map into CIN0-7. The manual says that CIN0 matches with the MSB of the password. Does this mean, for instance, that for Group 0, CIN0 corresponds to the value at 0x00400160?