Flash Security Issue on CFM

CW5_CW6_4 · ‎09-25-2008

I have some problems understanding flash security feature of the coldfire device MCF52233. There is no obvious definition of the flash security in the reference manual. Only information about it is

"Security information that allows the MCU to prevent intrusive access to the flash memory is stored in the
flash configuration field." on page 249

What kind of intrusive accesses? Is there a list about it? After I made some trials I found out that BDM interface is disabled totally when flash security is enabled. It seams to be illogical to me. What is the relation between BDM and flash security. Is this mentioned in the reference manual? Or any other document?

One other question is what is the use of backdoor access? For which purpose can it be used? Code running from the flash have all kind of access to flash in secure mode. Why does running code need such a bypass?
To enable BDM interface? No use, BDM resets the device and it is secured aggain.

If BDM were not disabled, it may run the required sequence to bypass the security if the key was known. Then it may have a meaning.

Is there somebody effectively using the flash security bypass feature?

CW5_CW6_4 · ‎09-26-2008

Actually I am also using the flash security and bootloader. I know that internal code is not actually effected by the security. So internal code does not need to use backdoor access keys to reach the flash. I can already.

I am questioning myself:
what could be the use of the backdoor access keys?

There may be one reason for this: Internal code unsecures the flash temporary, to allow an outside access such as BDM, ezPort, or JTAG. However when these are initialized, they reset the controller and it's secured aggain. So it doesn't work.

Or I am missing something.

Message Edited by CW5_CW6.4 on 2008-09-26 08:37 PM

RichTestardi · ‎09-26-2008

I have found no use of the backdoor access key. I am guessing it must be as you speculate -- there might be some value in unsecuring the device before the next reset. (Unsecuring after the next reset is trivial -- just clear the configuration field and reset...)

RichTestardi · ‎09-26-2008

Hi,

> I found out that BDM interface is disabled totally when flash security is enabled.

Yes, this is because with the BDM, you could debug the MCU and read all of flash.

If you have not prepared for this scenario in advance, you most likely cannot reprogram flash on that MCU, using the BDM, even to erase it. In that case, the only option I found was to use the EzPort to do a bulk-erase, thereby unsecuring the flash.

With that said, when you enable flash security, that does not prevent the MCU itself from being able to read/write/erase the flash (assuming MCF_CFM_CFMPROT is temporarily reset to 0), so if you have a bootloader of some kind in your firmware, you can "update" flash and even clear the flash security bits. For this reason, your "update" process should first clear *all* of flash, before allowing the flash security bits to be changed -- otherwise, someone could again use this to access otherwise secure areas of flash.

We, for example, store AES encryption keys (not to mention the algorithmic code that accesses the keys!) in flash which we don't want anyone to be able to peek at -- whether using JTAG, BDM, or EzPort... So we turn on flash security. The only way out of that mode is either thru a bootloader "update" process, where the MCU clears all of flash first, or thru the EzPort bulk erase operation.

Hopefully that helps explain why folks would use flash security (and how you can fix a "brick" if you turned it on by mistake)?

-- Rich

mjbcswitzerland · ‎09-26-2008

Hi

You may find something here:
http://forums.freescale.com/freescale/board/message?board.id=CFCOMM&message.id=4142

Regards

Mark

www.uTasker.com

Message Edited by mjbcswitzerland on 2008-09-26 01:41 PM

Flash Security Issue on CFM

Flash Security Issue on CFM

General