
Flash security on TMS570LS3

Other Parts Discussed in Thread: TMS570LS3137

Hello,

I am working with a TMS570LS3137 and I want to secure the flash. I found some information on the AJSM (Advanced Jtag Security Module) module in document SPNS162 but it is only superficial. Can someone tell me where I can find detailed information on how to lock the device, where to write the key (specific address) and how to unlock the JTAG port after the device is locked.

Regards,

Martin

  • Hi Martin,

    I have forwarded your query to the concerned team, we will get back to you as soon as possible.

    Best Regards
    Prathap

  • Hello Martin,

    The AJSM on the parts shipped from TI is in the unlocked state. This is done by the virtue of programming the correct "visible unlock code" in the customer OTP sector of flash bank 0. This is a 128-bit code located at word addresses 0xF0000000 and 0xF0000004.

    A user can lock the part by programming one or more bits from among these 128 bits. Note that you can only change 1's to 0 (program). An erase operation is not allowed in this sector (OTP = One-Time-Programmable). Once any bit of this 128-bit password is changed, the part then powers up as locked. In this condition, the only test access port (TAP) that is visible to any JTAG emulator is the AJSM TAP. The AJSM TAP is made to look like the JTAG TAP: it has a 4-bit IR register, but a different value in its IDCODE register in order to distinguish it from the JTAG TAP.

    In order to unlock the part, the user must scan the correct 128 bits through the "unlock-by-scan" register of the AJSM. This register is accessible on the AJSM tap at IR value of 0xB. The value to be scanned must be such that when it is XOR'ed with the changed 128-bit value in the OTP, it results in the original correct visible unlock code.

    The utility to scan through the unlock-by-scan register needs to be provided by the emulator vendor you have chosen. We have verified the process using a Signum JTAGjet emulator as well as the XDS510 USB emulator from Spectrum Digital.

    Regards, Sunil

  • Hello Sunil,

    Thanks for the clarifications. I still need information because I want to be sure I understand correctly before I start messing with the AJSM module.

    First, I am using a TMS570LS3137 on a custom board with CCS V5.1 and a Spectrum Digital XDS510USB emulator.

    What I plan to do to lock my device, is to map four 32bit constants containing my key at address 0xF0000000, 0xF0000004, 0xF0000008 and 0xF000000C in the OTP. I assume that when I program my software using the JTAG emulator CCS will program my application in the FLASH and the key in the OTP automatically. Is that assumption correct?

    Then I don’t understand your explanation on how to temporarily unlock the device with the JTAG emulator to be able to debug or reflash another application. Do I need to write a special function in the GEL file to write my unlock key? Is the unlock key the same as the one programmed in the OTP? Can you give me an example of what I need to do to unlock the device using CCSV5.1 or do I need to use another program?

    Regards,

    Martin

  • Hello Sunil,

    I rejected your suggested answer to this issue, because I think it is not clear enough and I don't understand the JTAG part. Sorry!

    Could you have a look at my January 18 post. I am under pressure to implement the AJSM in a software we must deliver soon.

    Thanks

    Martin.

  • Martin,

    See my comments in the sections below.

    What I plan to do to lock my device, is to map four 32bit constants containing my key at address 0xF0000000, 0xF0000004, 0xF0000008 and 0xF000000C in the OTP. I assume that when I program my software using the JTAG emulator CCS will program my application in the FLASH and the key in the OTP automatically. Is that assumption correct?

    >> Yes, you can make CCS program the OTP as well. There is a check-box that enables programming the OTP. However, I would recommend that you lock the part using a separate dedicated OTP programming step, just to avoid accidentally locking up the part.

    Then I don’t understand your explanation on how to temporarily unlock the device with the JTAG emulator to be able to debug or reflash another application. Do I need to write a special function in the GEL file to write my unlock key? Is the unlock key the same as the one programmed in the OTP? Can you give me an example of what I need to do to unlock the device using CCSV5.1 or do I need to use another program?

    >> Once you lock the part the only TAP (Test Access Port) visible to the external tool will be the AJSM TAP. The CPU scan chain is no longer accessible.

    The AJSM scan chain has a register called "Unlock-by-scan". An external tool is required that is specific to the emulator that you are using. This tool needs to allow you to scan the required 128-bit password through the unlock-by-scan register in order to unlock the part. The "unlock-by-scan" register is at IR value of 0b1011.

    Suppose the original visible unlock code is 0xFFFF0000 0xFF00FF00 0xF0F0F0F0 0xFFFF0000. (This is only an example. The actual code has fewer zeros.)

    In order to lock the part, you program (change a 1 to 0) 4 bits so that the flash OTP at this location now contains:

    0xF0FF0000 0xFF00FF00 0xF0F0F0F0 0xFFFF0000

    Now the unlock tool will need to scan a value of 0x0F000000 0x00000000 0x00000000 0x00000000 through the "unlock-by-scan" register. The idea is that the XOR result of the value scanned and the value currently in the flash OTP must result in the original visible unlock code. 

    We do not currently have handy tools available for any of the commonly used emulators. The JTAGjet emulators from Signum allow you to perform low-level operations (no abstraction or "handy" tool) and this can be used to implement the above unlock procedure.

    Regards, Sunil
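The lock/unlock arithmetic Sunil describes above (program 1's to 0's in the OTP; scan a value whose XOR with the OTP contents restores the original visible unlock code) is small enough to model exactly. The Python below is an added example, not code from the thread, from TI, or from any emulator vendor. It assumes the 128-bit code is handled as four 32-bit words in address order 0xF0000000, 0xF0000004, 0xF0000008, 0xF000000C (as Martin laid them out), and it does not model the bit order in which a given emulator tool shifts the value through the unlock-by-scan register; that is the tool's concern. It also refuses two patterns a practitioner should never program by accident: one that would need a 0-to-1 change (impossible in OTP) and the all-zero pattern that the datasheet quote later in this thread says permanently secures the device.

```python
"""Worked example of the AJSM lock/unlock arithmetic described in this thread.

Assumptions (labelled here, not stated by the thread as a whole):
  * the 128-bit visible unlock code is handled as four 32-bit words in
    address order 0xF0000000, 0xF0000004, 0xF0000008, 0xF000000C;
  * the bit order in which an emulator tool shifts the value through the
    unlock-by-scan register (IR = 0b1011) is not modelled.
"""
from typing import List, Sequence

WORD_MASK = 0xFFFFFFFF
OTP_BASE = 0xF0000000  # customer OTP word addresses used in the thread


def _check_words(words: Sequence[int]) -> None:
    """Reject anything that is not exactly four 32-bit words."""
    if len(words) != 4:
        raise ValueError("the unlock code is 128 bits: exactly four 32-bit words")
    for w in words:
        if not 0 <= w <= WORD_MASK:
            raise ValueError(f"0x{w:X} is not a 32-bit word")


def bits_cleared(original: Sequence[int], programmed: Sequence[int]) -> int:
    """Validate a proposed OTP lock pattern and return how many bits it clears.

    OTP cells can only be programmed from 1 to 0 (no erase), so every bit that
    is 1 in `programmed` must already be 1 in `original`.  An all-zero pattern
    is rejected because, per the datasheet quote in this thread, it permanently
    secures the device.
    """
    _check_words(original)
    _check_words(programmed)
    if all(w == 0 for w in programmed):
        raise ValueError("all 128 bits zero would permanently secure the device")
    cleared = 0
    for idx, (o, p) in enumerate(zip(original, programmed)):
        if p & ~o & WORD_MASK:
            raise ValueError(
                f"word at 0x{OTP_BASE + 4 * idx:08X} needs a 0->1 change; "
                "OTP cannot be erased, only programmed 1->0"
            )
        cleared += bin(o & ~p & WORD_MASK).count("1")
    return cleared


def unlock_scan_value(original: Sequence[int], programmed: Sequence[int]) -> List[int]:
    """Value to shift through the AJSM unlock-by-scan register.

    The AJSM XORs the scanned value with the current OTP contents and compares
    the result with the original visible unlock code, so the value needed is
    original XOR programmed: it has a 1 exactly where a bit was cleared.
    """
    bits_cleared(original, programmed)  # refuse impossible or permanent patterns
    return [(o ^ p) & WORD_MASK for o, p in zip(original, programmed)]


def unlock_accepted(scanned: Sequence[int], programmed: Sequence[int],
                    original: Sequence[int]) -> bool:
    """Model of the AJSM check: scanned XOR OTP must equal the visible unlock code."""
    _check_words(scanned)
    _check_words(programmed)
    _check_words(original)
    return all(((s ^ p) & WORD_MASK) == o
               for s, p, o in zip(scanned, programmed, original))


if __name__ == "__main__":
    # Constructed sample values copied from Sunil's worked example above; the
    # real visible unlock code on shipped parts is different.
    original = [0xFFFF0000, 0xFF00FF00, 0xF0F0F0F0, 0xFFFF0000]
    locked = [0xF0FF0000, 0xFF00FF00, 0xF0F0F0F0, 0xFFFF0000]
    scan = unlock_scan_value(original, locked)
    print("bits cleared:", bits_cleared(original, locked))
    print("unlock-by-scan value:", " ".join(f"0x{w:08X}" for w in scan))
    print("AJSM would accept it:", unlock_accepted(scan, locked, original))
```

Run it as a script and it reproduces Sunil's numbers: four bits cleared and an unlock-by-scan value of 0x0F000000 0x00000000 0x00000000 0x00000000. The useful part for a lock procedure is `bits_cleared`: run it on the exact image you intend to program into the OTP before the dedicated programming step Sunil recommends, since a single stray zero in the wrong place is not recoverable.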


  • Sunil,


    I'm currently at the stage of choosing microcontroller and tms570 is on a par with few other chips, but from your explanation it seems that code stored in this chip would not be safe and work on eventually "locked" chip would be a nightmare due to lack of support in tools ?

    Why I think that this way of securing flash is not good at all:

    from your explanation in theory I can grab most simple mcu on planet -> create a simple bit banged JTAG interface that will -> store value (starting from zero to max) in "Unlock-by-scan" register -> try to write value in far segment of flash -> read it back -> if match occurs = got password. Considering that this is direct & high speed JTAG connection and fact that I would have to make 4 x 32 bit value attack - this is not acceptable as security measure.

    Please clarify.

    I'm sorry for sounding a bit harsh, but competition this day is hard, some countries don't care (or care “not to care”), and the scarcity of information from TI on the security subject is a bit depressing.


    Regards and thanks in advance, Tom

    Update:

    there is at least a light in the tunnel (from datasheet):

    " ...

    Also, changing all the 128 bits to zeros is not a valid condition and will permanently secure the device.

    ..."

    so in theory, one can make a bootloader that will allow only: erase (whole flash) / write / crc whole flash.

  • Hello Sunil,


    Sorry for the long delay, it took a long time to get an answer from Spectrum Digital. Currently they don’t have a tool to allow me to unlock the device. They told me I can use the SDJTAG library that they provide with their emulator to make my own tool but since I don’t know how JTAG works I was not able to do it.


    Anyway, I made a program that allows me to write in the OTP and I was successful in writing the security key. After that the JTAG port was disabled and I could not connect with CCS5.1 anymore.


    I’ve seen in another post that you are working on a tool to unlock the DSP. I would be interested to try it as soon as possible. Even if the procedure I have done works ok, if something goes wrong having this tool will be a life saver.


    Thanks for your support!

  • @Tomasz,

    The AJSM password is 128 bits long, and you can choose to change any number of 1's to 0's. There are 2^123 unique combinations possible with the current visible unlock code (based on default OTP contents). Even if you could try 1 million keys per second, it could take you 10^24 years to solve the password.

    @Martin,

    We are currently evaluating a tool that works with the TI XDS560 emulator. Testing for other emulators will also commence once this is verified. I will update this post when this tool is tested and ready.

    Regards, Sunil

  • Dear Sunil,


    My assumption was that;

    - this is parallel programming port, running @ higher frequencies - therefore a lot more attempts could be made.

    - you've mentioned that OTP does contain some '0' already which decreases combination count

    - you can cool chip down to be able to spin it a lot harder – getting more attempts / second.

    - competition can simply acquire more units for brute force attempt (few more units vs. a lot of money dropped into development - make sense for some people)


    Also password can be simply given away by one of employees and from then on competition would have all software + any future updates. I was honestly counting on some sort of "fuse" that can be set to disable FLASH access, and can be zeroed out only via full chip erase. (yes I know, nasty employee can send software to competition either way, but not future updates if he/she gets sacked).

    Anyway, as I've updated my previous post - condition when "setting all bits to zero will completely lock down device" is absolutely all right with me – I can deal with all requirements on bootloader level.

    ps. My apologies for hijacking original thread.

  • Hi Sunil,

    Any development on that tool to unlock JSM???

    Thanks.

    David...

  • Support for Hercules AJSM unlock in CCS 6.1 with TI Emulators versions 6.0.394.0 and greater.

    Here is a link to the app note SPNA232, hosted in the SafeTI forum.

    Go to www.ti.com/safetyanalysis to get access to the private SafeTI E2E forum.

    Regards,

    Forum Support