• State Resolved
  • Locked Locked
  • Replies 9 replies
  • Subscribers 83 subscribers
  • Views 2827 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

F28M35H52C: How can I unlock my flash memory ?

Ril Dank
Intellectual 455 points
Part Number: F28M35H52C
Other Parts Discussed in Thread: UNIFLASH, CONTROLSUITE

Hello,

I probably did something stupid writing in some wrong place in the M3 flash memory.

Now it looks like it is locked and I don't know how to unlock it.

When I try to erase any sector, I get the following error message :

From CCS 6.2 :

"Cortex_M3_0: Flash Programmer: Error erasing Sector N. Operation Cancelled.
Cortex_M3_0: File Loader: Memory write failed: Unknown error"

From Uniflash 4.2:

"[9/25/2017, 3:36:39 PM] [ERROR] Cortex_M3_0: Flash Programmer: Error erasing Sector N. Operation Cancelled.

[9/25/2017, 3:36:39 PM] [ERROR] Cortex_M3_0: Flash Programmer: Error erasing flash. Please check if the device is locked."

Here it shows sector N but I have the same error with other sectors.

I've read that this could be caused by witting new values in CSM PSWDs/KEYs registers. When I read the values using uniflash at 0x200000, 0x200004, 0x200008 and 0x20000C, I read 0x00000000.  Same for PSWDs/KEYs at 0x27FFF0, 0x27FFF4, 0x27FFF8 and 0x27FFFC.

 Could anyone tell me how I can unlock my device? Maybe I wrote passwords without knowing it but now I don't know how to recover them.

Please tell me I have not broken my device!

Thanks for the help.

Ril

EDIT:

I've just read in the technical reference manual :

"""

If the password locations of a zone have all 128 bits as ones, the zone is labeled unsecure. Since new
flash devices have erased flash (all ones), only a read of the password locations is required to bring any
zone into unsecure mode. If the password locations of a zone have all 128 bits as zeros, the zone is
secure, regardless of the contents of the CSMKEY registers. The user should not use all zeros as a
password or reset the device during an erase of the flash. Resetting the device during an erase routine
can result in either an all zero or unknown password. If a device is reset when the password locations are
all zeros, the device cannot be unlocked by the password match flow described in Section 1.10.3.2. Using
a password of all zeros will seriously limit user’s ability to debug secure code or re-program the flash.

NOTE:If a device is reset while the password locations of a zone are all zeros or an unknown value,
that zone will be permanently locked unless a method to run the flash erase routine from
secure SARAM is embedded into the flash or OTP. Care must be taken when implementing
this procedure to avoid introducing a security hole.
"""

This almost made my heart stop :/  Please tell me there is a way to recover my device and that it is not that easy to mess up a device!!!

EDIT 2:

A few more questions...

1. Actually, I'm not even sure I wrote all zeroes as CSM password. Earlier, I said that I read the value of 0x200000 to 0x20000C and it showed zeros in uniflash. Is that supposed to be the password? It shouldnt be possible to read the password value just like that right ?

2. What is the difference between

- 0x200000 to 0x20000C area

- 0x27FFF0 to 0x27FFFC area

?

3. Is there anyway to know the actual value of the CSM passwords ? Like at least be sure that it is permanently locked...

4. When you know the password, what is the proper way of unlocking the device ? Using uniflash ?

Thanks again.

  • 0
    TI__Guru* 87155 points
    Ril,

    If you see all zeros in the Flash password locations, then the device can not be unlocked anymore.
    Please refer to this post for more details: e2e.ti.com/.../2117181

    Answers for your questions:
    1) Yes, they are password locations. Note that until you program PSWDLOCK field in M3 OTPSECLOCK location in OTP, you will be able to see the passwords programmed in the Flash in the debugger window. Check the password locations and GRABSECT locations of both zone1 and zone2.

    2) There are two security zones. Addresses that you mentioned are password locations for each zone.

    3) As mentioned in #1, you can open CCS memory window to the password locations and check the values that are programmed in there. If it is all zeros, it is permanently locked. If it is some other value, you will be able to unlock it.

    4) You can use the CCS Flash Plugin or UniFlash GUI fields to unlock if you know the non-zero password. You can enter the password values that you see in the memory window in to the password fields in GUI and click on Unlock button.

    Thanks and regards,
    Vamsi
  • 0 in reply to Vamsi Gudivada
    Intellectual 455 points
    Thanks for your answer Vamsi.

    Although I did a mistake, I think it is a shame that it is that easy to permanently lock the device!

    Oh well, I hope I don't get fired :p
  • 0 in reply to Vamsi Gudivada
    Intellectual 455 points

    One more question, what are the addresses covered by zone1 and zone2 exaclty ? More generally, where can I find a detailed description of the memory map for my device (F28M35H52C1)? I'm having trouble finding it even in the technical reference manual.

    Thanks.

    Ril 

  • 0 in reply to Ril Dank
    TI__Guru* 87155 points
    Ril,

    I can understand the pain. To address this issue, the password locations are moved to OTP instead of Flash in our latest devices like F28004x, F2837xD, F2837xS and F2807x devices.

    We highlighted the consequence of an all zero password in our documentation. Also, our examples and the linker command files provided in ControlSuite make sure to define the password zones separately with dedicated sections mapped to them. These things help a lot to eliminate this issue. However, users have to pay attention when programming those locations using Flash GUI or API.

    Thanks and regards,
    Vamsi
  • 0 in reply to Vamsi Gudivada
    TI__Guru* 87155 points
    Ril,

    Regarding memory map: Check section 6.1 Memory Maps in data manual at www.ti.com/.../f28m35h52c.pdf.

    Regarding memory addresses for Zone1 vs Zone2: For dual zone security on the master subsystem, different secure memories (RAMs and flash sectors) can be assigned to different security zones by configuring the GRABRAM and GRABSECT registers associated with each zone. However, note that Flash sector N and Flash sector A are dedicated to Zone1 and Zone2 respectively. These sectors cannot be allocated to any other zone by configuring these registers. Please read section 1.10 Code Security Module (CSM) from TRM at www.ti.com/.../spruh22h.pdf.

    Thanks and regards,
    Vamsi
  • 0 in reply to Vamsi Gudivada
    Intellectual 455 points
    Thanks again for your help Vamsi.
  • 0 in reply to Vamsi Gudivada
    Intellectual 455 points

    Hello Vamsi, sorry, got a couple more question for you!

    So in CCS 6.2 memory browser, I read only zeros from sector A to N, even though I know I didn't wrote only zeros. Does that happen when the device is locked ?
    Also, I can confirm that OTPSECLOCK is still 0xFFFFFFFF.

    Also, I know for a fact that I didn't touch 0x200000 to 0x20000C (zone1). Is it possible to be completely locked if I only wrote zeros in 0x27FFF0 to 0x27FFFC (zone2)?


    Thanks
    Ril

  • 0 in reply to Ril Dank
    TI__Guru* 87155 points

    Ril,

    Yes, if the device is locked, you will get all zeros.  If the passwords are zeros, device is permanently locked irrespective of OTPSECLOCK.

    If you write zeros to all the Zone2 CSM locations (including GRABSECT locations - read GRABSECT field description for a value 0), then it can lock all the sectors except Sector N (Sector N is dedicated to Zone 1 as I mentioned earlier).  If you see zeros in Sector N Zone1 password locations as well, then it means that they are programmed as zeros.  

    Thanks and regards,

    Vamsi

  • 0 in reply to Ril Dank
    TI__Guru** 115881 points

    Hi Ril,

    As Vamsi mentioned, if CCS memory watch window is showing all the values in password location for Zone1 and Zone2  as zeros and OTPSECLOCK is 0xFFFF_FFFF then yes, these values have been programmed (or corrupted) as zero and device can not be recovered. You need to replace the device.

    You can also read the Z1_CSMCR and Z2_CSMCR register in CCS memory watch window and check the status of bit 5 (CSM-ALLZERO) which should be set to '1' in this case.

    Regards,

    Vivek Singh