Use removed MK20 part from freedom board

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Use removed MK20 part from freedom board

Jump to solution
3,613 Views
mjg8t
Contributor IV

Hello,

I have been working with some MK20DX128VFM5 samples that I received from freescale.  I now have a designed PCB that I would like to build, but do not have any more parts.  I thought I could order a couple of freedom boards, pull of the mk20 and use them on my board, but they seemed to be lock and or secured. 

I have tried to connect to them with my J-link and through codewarrior.  I have used J-link commander to try and get a direct conection, but the chips are not responding. 

Does anyone know what state these chips may be in?  Is there anything that I can do to make them usable?  I sure wish we get some of these parts from mouser digikey, hopefully soon.

Thanks.

0 Kudos
1 Solution
2,005 Views
BlackNight
NXP Employee
NXP Employee

If the device has security plus mass erase disabled, it means game over:

How (not) to Secure my Microcontroller | MCU on Eclipse

Unless you know the back door mechanism which has been implemented by the OpenSDA producer?

See as well the KL25Z Reference manual (KL25P80M48SF0RM.pdf), search for MEEN

page 153, chapter 9.3.1:

When mass erase is disabled (via MEEN and SEC settings), the erase

request does not occur and the Flash Mass Erase in Progress bit

continues to assert until the next system reset.

page 428, FTFA_FSEC:

Mass Erase Enable Bits

Enables and disables mass erase capability of the flash memory module. The state of the MEEN bits is

only relevant when the SEC bits are set to secure outside of NVM Normal Mode. When the SEC field is

set to unsecure, the MEEN setting does not matter.

Chapter 8:Security, page 149

In the unsecured state all flash commands are available on the programming interfaces

either from the debug port (SWD) or user code execution. When the flash is secured

(FSEC[SEC] = 00, 01, or 11), the programmer interfaces are only allowed to launch mass

erase operations. Additionally, in this mode, the debug port has no access to memory

locations.


Hope this helps,
Erich

View solution in original post

0 Kudos
11 Replies
2,005 Views
prtronicsyslda
Contributor I

Hello everyone,

I have a FRDM KL25Z  board but could not flash the MK20 (with segger SWD) because to be protected, I bought the IC MK20DX128VFM5 and replace on the board. The objective is to again take again the functional board, then build a robot with debugger on board. (simulate frdm kl25z)

My question is: Where can I get the Bootloader MSD to unload with segger? I already used the segger "12_OpenSDA_FRDM-KL25Z" by https://www.segger.com/downloads/jlink but the MK20 does not work after scheduled. Ie the PC should recognize right?

My circuit hi level is:  PC    ->   Segger ->   J8 (SWD)  FRDMKL25Z 

Please help me.

Thank you Pedro Santos

0 Kudos
2,005 Views
apanecatl
Senior Contributor II

That is correct the K20's mcu's are secured and the mass erase disabled feature is on, as you suggest is for security reasons, the only way to erase them is using a J-link programmer + J link commander (sw tool).

You can find the J link commander in the following link:

http://www.segger.com/jlink-software.html

I attached a video of how do the mass erase, it takes just a couple of seconds; however, we don;t recommend you remove the mcu's from the freedom board since you will render the board unusable and might damage the microcontroller in the removal process.

0 Kudos
2,005 Views
qiaoy
Contributor I

I knew how to unsecure the kinetis with jlink..

But the issue for me is that I can't access the k20 on freedom board via JTAG/SWD.

0 Kudos
2,005 Views
pgo
Senior Contributor V

Hi Yu,

Not directly related to the un-securing the device but I noticed that accessing the K20 on the FRDM-KL25 board using the SWD connector may have problems unrelated to the security.

I found it necessary to supply power to the board independently through the USB connector to access the chip at all.  Supplying power via the SWD wasn't sufficient.

I then connected to the device while reset was asserted which ensures that the software on the device did not disable the SWD function on the chip pins etc.

The above may be the reason for the difficulty in connecting at all.

I then read the MDM-AP.Status register which contains 0x00000016.  This confirmed that it was secured with mass erase and backdoor access disabled.

bye

0 Kudos
2,005 Views
mjg8t
Contributor IV

So, can someone give evidence that the device can or cannot be accessed after being "secured and the mass erase disabled".  I don't think that by someone stating that it can or can't without being able to refer to some documentation stating the case is considered an answer. 

So what where lies the answer?

I am having the same problem as Yu Qiao in that the device will not respond.

0 Kudos
2,006 Views
BlackNight
NXP Employee
NXP Employee

If the device has security plus mass erase disabled, it means game over:

How (not) to Secure my Microcontroller | MCU on Eclipse

Unless you know the back door mechanism which has been implemented by the OpenSDA producer?

See as well the KL25Z Reference manual (KL25P80M48SF0RM.pdf), search for MEEN

page 153, chapter 9.3.1:

When mass erase is disabled (via MEEN and SEC settings), the erase

request does not occur and the Flash Mass Erase in Progress bit

continues to assert until the next system reset.

page 428, FTFA_FSEC:

Mass Erase Enable Bits

Enables and disables mass erase capability of the flash memory module. The state of the MEEN bits is

only relevant when the SEC bits are set to secure outside of NVM Normal Mode. When the SEC field is

set to unsecure, the MEEN setting does not matter.

Chapter 8:Security, page 149

In the unsecured state all flash commands are available on the programming interfaces

either from the debug port (SWD) or user code execution. When the flash is secured

(FSEC[SEC] = 00, 01, or 11), the programmer interfaces are only allowed to launch mass

erase operations. Additionally, in this mode, the debug port has no access to memory

locations.


Hope this helps,
Erich

0 Kudos
2,005 Views
mjg8t
Contributor IV

Hi Erich,

Thanks for the comprehensive information!   Off to patiently waiting for the smaller parts to trickle into the distributors.

Thanks.

0 Kudos
2,005 Views
rogerzhong
Contributor III

Agree with pgo. The device can never be accessed from any external sources, including the J-link, if the device is both secured and the mass erase disabled through FSEC.

0 Kudos
2,005 Views
oliverzhang
Contributor I

Hi Roger, Boss is calling you.

0 Kudos
2,005 Views
pgo
Senior Contributor V

Hi Pedro,

Can you explain how the JLINK is able to erase the device?  I had though that it was impossible to do this if the device is both secured and mass erase disabled.  I am interested in a reference to some documentation that explains the method.  Not just JLINK commands to use but the underlying method available on the chip.

bye

0 Kudos
2,005 Views
pgo
Senior Contributor V

Hi,

I had a look at the MK20s on the Freedom boards I have.  They are secured and have the mass erase disabled.

This means they cannot be re-programmed except by the on-chip software.

I'm unsure why they would need to be in such a state except for security reasons.

bye

0 Kudos