TWR-K65F180M board unintentionally secured

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TWR-K65F180M board unintentionally secured

8,083 Views
petec20
Contributor III

I've been using IAR Embedded workbench v7.30 to program a tower system for a few months and everything has been okay.

Target is TWR-K65F180M. JTAG probe is Segger and using the JTAG interface. The Segger software is up to date.

I powered down the system to change a wire connection, powered it back up again, went to reload the MCU flash, and got an IAR message saying that it had detected a 'secure Kinetis device' and that it needed to unsecure the device. I clicked okay and it said 'timeout while unsecuring device. Erase never starts'.

I'm wondering how this can happen when the memory range 0x400-0x40F is initialised to disable the MCU security. I checked this in the binary and it confirmed it.

JFlash_0x400-0x40F_from_BIN.jpg

I've also tried the 'unlock kinetis' function in Jlink commander. That also said that the unlock feature had timed out.

Then I tried the technique mentioned here: https://community.freescale.com/thread/300407

Which gave the following output:

SEGGER J-Link Commander V4.94c ('?' for help)

Compiled Oct 31 2014 20:00:06

Script file read successfully.

DLL version V4.94c, compiled Oct 31 2014 19:59:57

Firmware: J-Link V9 compiled Apr 21 2015 18:10:40

Hardware: V9.30

S/N: 269302xxx

OEM: SEGGER-EDU

Feature(s): FlashBP, GDB

VTarget = 3.267V

Info: TotalIRLen = 4, IRPrint = 0x01

****** Error: Error while identifying Cortex-M device. Wrong AHB ID. Expected 0x04770001, found 0x00000000

Info: TotalIRLen = 4, IRPrint = 0x01

No devices found on JTAG chain. Trying to find device on SWD.

Info: Found SWD-DP with ID 0x2BA01477

****** Error: Error while identifying Cortex-M core.

Info: Found SWD-DP with ID 0x2BA01477

No device found on SWD.

Trying to find device on FINE interface.

No device found on FINE interface.

Did not find any core.

Failed to identify target. Trying again with slow (4 kHz) speed.

No devices found on JTAG chain. Trying to find device on SWD.

Info: Found SWD-DP with ID 0x2BA01477

****** Error: Error while identifying Cortex-M core.

Info: Found SWD-DP with ID 0x2BA01477

No device found on SWD.

Trying to find device on FINE interface.

No device found on FINE interface.

Did not find any core.

No device found at all. Selecting JTAG as default target interface.

Processing script file...

Target interface speed: 1000 kHz

Sleep(10)

Info: TotalIRLen = 4, IRPrint = 0x01

****** Error: Error while identifying Cortex-M device. Wrong AHB ID. Expected 0x04770001, found 0x00000000

Reset type UNKNOWN: ???

Info: TotalIRLen = 4, IRPrint = 0x01

****** Error: Error while identifying Cortex-M device. Wrong AHB ID. Expected 0x04770001, found 0x00000000

Reset delay: 0 ms

Reset type UNKNOWN: ???

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

****** Error: Error while identifying Cortex-M device. Wrong AHB ID. Expected 0x04770001, found 0x00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

PC: (R15) = 00000000, CPSR = 00000000 (Unknown mode, ARM)

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

R0 = 00000000, R1 = 00000000, R2 = 00000000, R3 = 00000000

R4 = 00000000, R5 = 00000000, R6 = 00000000, R7 = 00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

USR: R8 =00000000, R9 =00000000, R10=00000000, R11 =00000000, R12 =00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

     R13=00000000, R14=00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

FIQ: R8 =00000000, R9 =00000000, R10=00000000, R11 =00000000, R12 =00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

     R13=00000000, R14=00000000, SPSR=00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

SVC: R13=00000000, R14=00000000, SPSR=00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

ABT: R13=00000000, R14=00000000, SPSR=00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

IRQ: R13=00000000, R14=00000000, SPSR=00000000

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

Info: TotalIRLen = 4, IRPrint = 0x01

UND: R13=00000000, R14=00000000, SPSR=00000000

Sleep(1000)

Selecting SWD as current target interface.

Setting target interface speed to 1MHz. Use "Speed" to change.

Sleep(10)

Select SWD by sending SWD switching sequence.

Found SWD-DP with ID 0x2BA01477

Sleep(10)

Write DP register 2 = 0x01000000

Sleep(10)

Read AP register 0 = 0xE00FF003

Sleep(10)

Read AP register 0 = 0x00000036

Sleep(10)

Read AP register 1 = 0x00000036

Sleep(10)

Read AP register 1 = 0x00000000

Sleep(10)

Read AP register 0 = 0x00000000

Sleep(10)

Read AP register 0 = 0x00000036

Sleep(10)

Write AP register 1 = 0x00000001

Sleep(1000)

Read AP register 0 = 0x00000036

Sleep(10)

Read AP register 0 = 0x00000036

Sleep(10)

Read AP register 1 = 0x00000036

Sleep(10)

Read AP register 1 = 0x00000001

Sleep(100)

Write DP register 2 = 0x00000000

Sleep(1000)

Selecting JTAG as current target interface.

Setting target interface speed to 1MHz. Use "Speed" to change.

Sleep(100)

Info: TotalIRLen = 4, IRPrint = 0x01

****** Error: Error while identifying Cortex-M device. Wrong AHB ID. Expected 0x04770001, found 0x00000000

Reset delay: 0 ms

Reset type UNKNOWN: ???

Info: TotalIRLen = 4, IRPrint = 0x01

Script processing completed.

When I look at the reset line with no JTAG probe attached the MCU resets every 2.2mS I assume this is due to the watchdog and the 100nF capacitor on the reset line, as a soon as it resets it ramps again and the cycle repeats. In the code the first thing it does is disables the watchdog in the correct sequence. The code then runs a short setup sequence and ends in an endless loop. So even if I can't get into the part I'm wondering why it watchdogs.

QUESTIONS

1) Are there any other techniques to try to unlock the part?

2) From above can anybody tell me if the part is recoverable?

3) How did the MCU become secured in the first place, when the memory range 0x400-0x40F is being initialised as above to prevent this?

4) As the internal code disables the watchdog why does it appear to be active?

Labels (1)
0 Kudos
Reply
15 Replies

3,528 Views
petec20
Contributor III

Jorge, is it possible to obtain the binary to reprogram the K20 as I'm not convinced it works correctly. Also I appear to have a similar problem to this thread:

OpenSDA on TWR-K65F180M

0 Kudos
Reply

3,527 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

It seems that your K20 doesn't work correctly. You can find the binary file to reprogram the k20 bootloader in the link: OpenSDA Serial and Debug Adapter|NXP​ or in the attached CMSIS-DAP-BOOTLOADER.zip file. I have done some tests, reprogrammed my MK20DX128 with "k20dx128_bootloader_0x8000.axf" and JTAG interface, then I put my board in BOOTLOADER mode by holding the reset button and plugging the usb cable and I load the default firmware of OpenSDA (attached file), It works fine. I only get the BOOTLOADER if I hold the reset button down while plugging in the USB and I don't see activity on LED 02.

Please try this and tell me if you have any question.

Best Regards

Jorge Alcala

0 Kudos
Reply

3,527 Views
petec20
Contributor III

Thankyou for the K20 files Jorge. Re-flashing the K20 MCU has made a difference and it now behaves as expected in OpenSDA mode. The TWR-K65F180M board will now connect in both MSD & COM port modes as expected. So using MSD mode I dragged and dropped the '27_OpenSDA_TWR-K65F180M.bin' file to it, to install it. IAR IDE can now see it and use it on its OpenSDA connection. :smileyhappy:

However, the following error appears, and this looks the same as was seen through the JTAG connection previously.

"Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set

For debugger connection the device needs to be unsecured.

Do you want to unsecure the device?

Note: Unsecuring will trigger a mass erase of the internal flash.

If 'Do not show this message again' is selected, mass erase will be performed automatically in the future."

Clicking 'Yes' produces the further message:

"Kinetis(connect): Timeout while unsecuring device. Erase never starts......."

So, now that the OpenSDA connection works, I tried Jlink commander, as follows:

J-Link>unlock kinetis

Found SWD-DP with ID 0x2BA01477

Unlocking device...Timeout while unlocking device.

And I also tried using the technique described on this thread again as it seems very successful: https://community.nxp.com/thread/300407

and the correct device type, the device is now always found, but it always timesout whilst trying to unlock it.

Jorge, does the 'timeout' error suggest that something else is wrong, or is it a fatal error?

0 Kudos
Reply

3,527 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

Sorry for the late response, I actually was looking for the source of you problem. According with the information that you gave us, you Board it's secured, and since you can execute an "unlock kinetis" with jlink commander, neither with your IDE, everything indicate that your MCU have disable the mass erase bit too, This is unfortunate. Now, you can buy another TWR-K65F or you can order some samples and replace the component.

Hope this could help you!!!


Have a great day,
Jorge Alcala

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply

3,527 Views
petec20
Contributor III

Hello Jorge,

Thankyou for looking at this and staying with it. The worrying thing for me is how it managed to happen in the first place. As factory access should still be enabled, is it possible to RMA the board for it to be unlocked?

If the part was anything but a BGA part I'd order a new one and replace it, it would be the simple option. But with BGA that's not as easy.

Kind regards

Pete

0 Kudos
Reply

3,527 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

Yes, It doesn't look logical since the project that you share doesn't have anything dangerous in the security register. You could apply For Tool Warranty Replacement in the following link: Returns and Warranty Information|NXP

Hope you could resolve your issue with this information.


Best Regards
Jorge Alcala

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply

3,527 Views
petec20
Contributor III

Hello Jorge,

Thankyou for your assistance Jorge, and also the RMA link. I have initiated a return.

0 Kudos
Reply

3,527 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

According with the binary you target has security disabled. This could be related with a low power mode, Are you using any low power mode?. This could be also a JTAG connection problem. Please look at you connections, tell me about the operation mode and let me know if the problem continue.

Best regards

Jorge Alcala

0 Kudos
Reply

3,527 Views
petec20
Contributor III

Hello Jorge,

Thankyou for the reply. A low power mode isn't configured on boot (FOPT=0xF9), nor is it switched to low power as part of the code. I've had a careful look at the JTAG connection. With the power off I tested the resistance of all the JTAG wires. The only thing I came across was the possibility that TDI on the TWR board (TWR-K65F180M J18 pin 8) may of had an intermittent connection inside the connector. However after seeing it once I can't provoke it again by moving it.

I then plugged the JTAG lead into a K60 based Tower board and it was OK with this, using the same setup upto address 0x410.

What I did notice was that once it also saw the K60 board as 'secured' and after me clicking to say 'yes' IAR EW unsecured it. I'm wondering how this can happen and that this might indicate the source of the problem with the TWR-K65F180M. The code setup has always been the following:

Vector table in flash starting at 0x0. Vector table ends at 0x3FF. Flash config starts at 0x400, and ends at 0x40F. The flash config can't move as it's anchored to that address in the linker file. The code starts at 0x410. The 16 bytes of flash config has always been:

/* Backdoor comparison key 8bytes */

          DCD    0xFFFFFFFF

          DCD    0xFFFFFFFF

/* Flash protection bytes FPROT3 */

          DC8    0xFF

/* Flash protection bytes FPROT2 */

        DC8 0xFF

/* Flash protection bytes FPROT1 */

        DC8 0xFF

/* Flash protection bytes FPROT0 */

        DC8 0xFF

/* Flash security byte FTFE_FSEC ( = 0xFE for unsecured MCU, Factory access granted. Backdoor disabled. ) */

        DC8 0xFE

/* Flash non-volatile option byte FTFE_FOPT

        DC8 0xF9  ; 0xF9 = normal power boot, NMI disabled, EZ ignored.

/* FlexNVM devices - EEPROM protection byte FTFE_FEPROT */

        DC8 0xFF

/* FlexNVM devices - data flash protection byte FTFE_FDPROT */

        DC8 0xFF

Jorge, in my first post the Jlink tool screen shot shows the MDM-AP register being read at various times as:

Read AP register 0 = 0xE00FF003

Read AP register 0 = 0x00000036

Read AP register 1 = 0x00000000

Read AP register 1 = 0x00000001

So sometimes bit 2 of the AP register is set and sometimes not. Apparently the MCU boots in secure mode and then becomes unsecure if the flash config determines this. Is that why the AP register initially shows 0x00000036 ?

I've had a good read of AN4507 'Using the Kinetis Security and Flash Protection Features' but I'm still struggling to work out what's wrong as as far as I can tell the code seems to comply with this.

Can you see any deficiencies in the security setup and why the TWR-K65F180M still reports locked?

0 Kudos
Reply

3,527 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

Could be possible that you share your project?, I want to try to replicate your issue. I actually make a project with TWR-K65F and configure it like yours and it works, I also read MDM-AP register and I could read it in once and it doesn't change. Have you tried to use on board OpenSDA interface??? there could be a problem with you JTAG interface.

Best regards

Jorge Alcala

0 Kudos
Reply

3,526 Views
petec20
Contributor III

Hello Jorge,

I have created a very reduced project with exactly the same start up and attached it below. This is identical to the original except the main program has been replaced by an endless loop. When I try to download this to the TWR-K65F180M it fails with exactly the same error.

I have tried using OpenSDA. I got the TWR-K65F180 firmware from here SEGGER - The Embedded Experts - Downloads - J-Link OpenSDA

The TWR-K65F180M always appears in Windows explorer as drive I. When I copy the .bin file to it, it immediately goes offline and reappears as drive Z (which is very strange behaviour as that drive is a SATA CDROM drive). I don't usually have a problem with USB devices or drives on this machine. When I power cycle the TWR-K65F180M I do get the 1Hz flashing LED and then it re-appears in explorer but not as a virtual COM port or anything that IAR or Jlink can see. I installed Jlink v 5.12f software to try to gain the Virtual COM port, it installed OK but the port never appears (it never gave me the option to install one, like I've seen in their setup guide).

Jumpers J33 & J34 on the TWR-K65F180M were repositioned to enabled OpenSDA.

So I have to have another attempt at getting OpenSDA to work.

0 Kudos
Reply

3,526 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

I tried the project that you send, I didn’t get a IAR message of "kinetis secured", I retry it and it was the same, then I used another project and it gave me not error, it works fine, so I think that the issue is with your JTAG interface.

Are you using the drag and drop functionality? Have you tried to flash your target with IAR and the on-board openSDA interface? You just have to configure the debugger options to select j-link and debug.

Please have a try with this an tell me if you have any questions please.

Best regards

Jorge Alcala

0 Kudos
Reply

3,526 Views
petec20
Contributor III

Hello Jorge,

When trying to use OpenSDA with my TWR-K65F180M board, the following happens:

When the TWR-K65F180M is plugged into the PC using just a USB lead into J7, and configuring the power to run off the USB, I get a USB mass storage device labelled 'BOOTLOADER' in windows explorer. So, going by this page:

https://community.nxp.com/docs/DOC-100720 therefore it would seem I have a working 'OpenSDAv2 Bootloader' in mass storage mode. This appears regardless of whether I press the reset button SW1 on power-up, or not. I think it appears regardless because I see a continuously active reset signal on pin 21 of U2 the K20 serial interface MCU and the reset LED D2 is continuously lit. It looks like is being pulled low and released every 150uS, and it varies between 0.25v and about 1.7v. Is this correct? It doesn't look right. Or is it part of how it polls the pin?

As the TWR-K65F180M appears to only like mass storage mode I tried copying a .S19, a .srec and a .bin file (of the same project I posted) to it hoping it would program the target with it. It doesn't appear to do anything with them as trying to use the board with JTAG again produces the same timeout on erase error. When I copy a file to the TWR-K65F180M in bootloader mode it immediately drops off the USB bus and only comes back when I cycle the power - in bootloader mode again, not debug.

SideNote: If I connect a FRDM-K66F board to the PC using a USB lead and J26, I get the following appearing:

1) In Device manager>Ports(COM&LPT), I get 'Jlink CDC UART Port (COM8)'

2) In Device manager>Universal Serial Bus Controllers, I get 'Jlink driver'

The FRDM-K66F becomes available on Jlink and IAR can use it. This is what I was expecting from the TWR-K65F180M board OpenSDA connection after changing the mass storage to a debug connection. For some reason the TWR-K65F180M only ever appears as a mass storage device.

SideNote2: As noted by Erich Styger there is a difference between copy & pasting a file and drag & drop. Drag & drop seems to work better. Mentioned here: https://mcuoneclipse.com/2013/10/07/frdm-boards-not-responding-check-your-virus-scanner/

I've also read this page: https://community.nxp.com/thread/358952 and tried that with the attached file but it made no difference. The JLink_OpenSDA_V2.bin file on that page is different to the JLink_OpenSDA_V2.bin downloaded from Segger. I have tried both.

0 Kudos
Reply

3,526 Views
jorge_a_vazquez
NXP Employee
NXP Employee

Hi petec20

The bootloader mode it's used to load the OpenSDA firmware to the K20, not to load the .bin of your project.

What version of OpenSDA firmware are you using? according to the User's Guide you should load V2.0.
So when you copy the jLink_OpenSDA_V2.bin (attached file) to the TWR-K65F180M in bootloader mode it immediately drops off the USB as you said, then you have to disconnect and reconnect the USB cable, your board should be powered and you should be capable of see it in Device Manager as 'Jlink CDC UART Port' and then you could debug your target with your IDE (IAR). If this doesn't work, please make sure that your the jumper connections are set it up as default, you can find the default jumper configuration in the User's Guide.

Best Regards

Jorge Alcala

0 Kudos
Reply

3,526 Views
petec20
Contributor III

Hello Jorge,

"The bootloader mode it's used to load the OpenSDA firmware to the K20, not to load the .bin of your project."

I realise this but as the board appears to be stuck in MSD mode I thought I might be able to use this to download code to it, to solve the problem.

"What version of OpenSDA firmware are you using? according to the User's Guide you should load V2.0."

There's some confusion over which version of OpenSDA to use:

Here: https://community.nxp.com/docs/DOC-100720

it says Use either v2.0 or v2.1 depending on how you read it. Apparently either should work as the only difference is the address it expects the application at. As the board never even gets as far as enumerating as anything except a Mass Storage Device this would seem irrelevant at this point.

However here:https://www.segger.com/opensda.html

In the table it says to use OpenSDA bootloader V1.0 for TWR-K65F180M

I have tried all 3. Four actually if you count the 2 different versions of v2.0 I have come across as the version being linked by NXP staff on the forum is different to the v2.0 found else where. The latest attempt I used the file you have just sent in case it was different.

Currently the board has OpenSDA firmware v2.0

"So when you copy the jLink_OpenSDA_V2.bin (attached file) to the TWR-K65F180M in bootloader mode it immediately drops off the USB as you said, then you have to disconnect and reconnect the USB cable,"

It does and I unplug and replug the USB cable.

"your board should be powered and you should be capable of see it in Device Manager as 'Jlink CDC UART Port' and then you could debug your target with your IDE (IAR)."

The board re-connects as a Mass storage device, not 'Jlink CDC UART Port'.

"If this doesn't work, please make sure that your the jumper connections are set it up as default, you can find the default jumper configuration in the User's Guide."

All the jumpers are placed as the default settings in the TWR-K65F180M user guide. I can only find one version of this document which is 'Rev. 0,05/2015'.

Jorge, on your TWR-K65F180M when you've unplugged the USB cable, and reconnected it (so the TWR-K65F180M should come back as 'Jlink CDC UART Port') is the Red reset LED D2 permanently on? On my board while the OpenSDA circuit has power, this is never off.

0 Kudos
Reply