• State
  • Locked Locked
  • Replies 6 replies
  • Subscribers 83 subscribers
  • Views 1428 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TMS320F28062 unlock CSM

Timothy Starr
Expert 2445 points
Other Parts Discussed in Thread: TMS320F28062

Hello-

We have a question about this note in the technical reference for the TMS320F28062 on page 63 that reads:

"NOTE: Any read of the CSM password would yield 0x0000 until the device is unlocked. These reads are labeled "dummy read" or a "fake read." The application reads the password locations, but will always get 0's no matter what the actual value is. What is important is the actual value of the password. If the actual value is all 0xFFFF, then doing this "dummy read" will unlock the device. If the actual value is all 0x0000, then no matter what the application code does, one will never be able to unlock the device. If the actual value is something other than all 0xFFFF or 0x0000, then when the dummy read is performed, the actual value must match the password the user provided."

But our _unlock_CSM function just reads the password from the CSMKEY location, which is not correct, and writes it to the key and that seems to work.  At least for the flash functions and Device_cal, but not for allowing JTAG connection. How is that possible? 

Thanks and Best Regards, Tim Starr on behalf of DS@PM

  • 0
    TI__Guru 55700 points

    Timothy,

    I believe you are talking about unlock_csm function available in F2806x.gel file. In that case, if the user has a custom password they can enter them in KEY register as highlighted below to unlock the device using gel functions. The dummy reads of the password location unlock only when the password is all 0xFFFF's. When you receive the parts from TI factory, the device is unlock state and the password locations are all 0xFFFF's.

    hotmenu Unlock_CSM()

    {
    /* Perform dummy reads of the password locations */
    XAR0 = *0x3F7FF8;
    XAR0 = *0x3F7FF9;
    XAR0 = *0x3F7FFA;
    XAR0 = *0x3F7FFB;
    XAR0 = *0x3F7FFC;
    XAR0 = *0x3F7FFD;
    XAR0 = *0x3F7FFE;
    XAR0 = *0x3F7FFF;

    /* Write passwords to the KEY registers. 0xFFFF's are dummy passwords.
    User should replace them with the correct password for their DSP */
    *0xAE0 = 0xFFFF;
    *0xAE1 = 0xFFFF;
    *0xAE2 = 0xFFFF;
    *0xAE3 = 0xFFFF;
    *0xAE4 = 0xFFFF;
    *0xAE5 = 0xFFFF;
    *0xAE6 = 0xFFFF;
    *0xAE7 = 0xFFFF;
    }

    Regards,

    Manoj

  • 0
    TI__Guru 61235 points

    Greetings Tim,

    Are the passwords actually programmed, or have they been left as 0xFFFF?  If 0xFFFF, then the bootload in the boot ROM will unlock the device after reset.  Perhaps this is what you are observing.  The device is already unlocked.

    If the passwords are actually programmed (to non-0xFFFF or non-0x0000) and the device is reset, reading from the CSMKEY registers and writing what's been read back to the CSMKEY registers does nothing (actually, it never does anything).

    Regards,

    David

  • 0 in reply to David M. Alter
    TI__Guru** 109155 points

    Just to add what Manoj and David mentioned, the statement in TRM "Any read of the CSM password would yield 0x0000 until the device is unlocked." is for PASSWORD locations in Flash and not for CSMKEY register. If user has written the passwords in CSMKEY register and not cleared them, then subsequent reads to these registers will return the value written.

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    Expert 2445 points

    First, a correction to what I told you. The device is correctly reading from the CSL_PWL location not the CSMKEY as was stated earlier. Other pertinent facts:

    1. The passwords are programmed. The unlock_csm function we were referring to was our own that reads the password from the password locations and then writes these values to the KEY registers to unlock the device rather than writing hardcoded values to the KEY registers.

    2. The snippet that we sent is executing from flash (starting at 0x3E8000) and the stack is in L0-L2 DPSARAM (0x8000)

    F28062.cmd file snippet:

       DRAML0      : origin = 0x008180, length = 0x000E80     /* on-chip RAM block L0 */

    ...

       .stack              : > DRAML0 (HIGH) PAGE = 1

    We also tested the snippet with the password at all F's and "force locked" the device right before the call to Device_cal and it does the same thing, as expected. We mentioned that it locks up but we think it may be stuck in a reset loop.

    To summarize our two outstanding questions:

    1. Why is an unlock required to perform a Device_cal?

    2. Performing a "dummy read" on the password locations returns the password and not 0x0000 as stated in the manual?

    Thanks for all your help on this, and Best Regards,

    Tim Starr on behalf of DS@PM

  • 0 in reply to Timothy Starr
    TI__Guru** 109155 points

    Hi Timothy,

    2. Performing a "dummy read" on the password locations returns the password and not 0x0000 as stated in the manual?

    If you are running the unlock_csm() function from secure memory (which means it's secure code) then it'll be able to read the passwords value from CSM_PWL location correctly.

    The statement in manual is wrt device security initialization which is done from non-secure memory (e.g. BootROM code). But I agree that it should have been mentioned explicitly to avoid confusion. We'll look on how this can be updated in future release of document.

    We'll have someone else to answer your question on "Device_cal()".

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    TI__Guru** 109155 points

    Hi,

    On below question -

    1. Why is an unlock required to perform a Device_cal?

    Please check if the stack is located in secure memory which could cause such issue.

    Regards,

    Vivek Singh