• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 83 subscribers
  • Views 596 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CCS/TMS320F280049C: Using CCS or Uniflah to modify overwrite FLASH content for a secure device

Pierfrancesco Annese
Prodigy 180 points

Part Number: TMS320F280049C
Other Parts Discussed in Thread: C2000WARE, UNIFLASH

Tool/software: Code Composer Studio

Hi All,

I've a customer board with a TMS320F280049C device, developed for our customer.

I'm using DCSM feature to protect our SW, and, starting from examples found on c2000ware library and from TI forum, I've configured DCSM directly in my .out file.

So I would like to connect CCS or Uniflash to this device to debug or eventually overwrite the protected memory.

We implemented the standard boot configuration i.e.  BOOT1=BOOT0=1, so booting from flash.

So, as suggested in 3.13.1.2 of TRM,  I've modified the BOOT1 pin to 0 to set the boot of the devcie in wait mode and to allow the debugger to work properly.

After this modification I'm able to connect to the device using CCS and XDS jtag debugger and implementing in the gel file the PMF sequence I can read the protected flash content.

I'm attaching the OTP bank1 dump (I've intentionally removed the registers CSMPSWDx content), and the DCSM regs. content after PMF.

The main problem is that even if I'm able to unsecure the device just after the connection, at the execution of any program command it seems that the Boot rom makes the device secure again and the operation fail.

So in this scenario i don't know how to allow CCS or uniflash to unsecure and program the device again.

Thank you.

/cfs-file/__key/communityserver-discussions-components-files/171/USER_5F00_OTP_5F00_Bank1.dat

/cfs-file/__key/communityserver-discussions-components-files/171/dcsm_5F00_reg_5F00_dump.dat

  • 0
    TI__Guru* 87155 points

    Hi,

    I assigned this to our DCSM expert. Please expect the reply in a day or two.

    Thanks and regards,
    Vamsi

  • 0
    TI__Guru** 116731 points

    Hi,

    If you are using the CCS, then you need to provide the password values in CCS flash plug-in GUI. You can open the GUI in CCS by clicking on Tools -> "On-Chip Flash" and then provide the password values in password fields.

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    Prodigy 180 points

    Hi Vivek,

    thank you very much for your suggestion.

    I was able to update and run a new SW version on that device.

    Anyway I've still a problem.

    I've implemented a "user" SW boot , allocated on the first 8 sectors of FLASH bank 0, that can receive via can an update version of an application SW that is stored on FLASH device starting fron 9th sector of bank 0.

    For flash operations (erase and program) I'm using FLASH api lib (F021 Flash API v1.56), and all this library is copied and executed from RAM (RAML3 and 4).

    The entire RAMLS and FLASH bank0 and bank 1 is assigned to DCSM zone 1 and I'm not using at all the "exe only" feature (see attached dump of DCSM memory)

    If I run my boot sw via CCS, so with memory unprotected, the update procedure is executed without any problem.

    If I run my boot SW from FLASH with protection enabled at the first erase command executed for sector 9 of bank0 I get a failure from the library as the FSM is found set to 0x410. 

    Since the boot SW belongs to the same zone, the update procedure is executed without unprotecting the memory, is it correct ?

    (from section 3.13.3 of TRM: "...or execute the Flash programming code from secure
    memory which belongs to the same zone")

    So I've modifed my boot SW to unlock the memory (executing the PMF sequence) before executing the update, and the procedure succeeded also executing from FLASH.

    So what is wrong in my understanding of DCSM feature ?

    Thank you very muxh

    /cfs-file/__key/communityserver-discussions-components-files/171/dcsm_5F00_reg_5F00_dump_5F00_1.dat

  • 0 in reply to Pierfrancesco Annese
    TI__Guru** 116731 points

    Can you check if before doing the flash operation you are changing the slash semaphore (FLSEM) to 'b01. You can find the detail of this in "Table 3-135. FLSEM Register Field Descriptions" in device TRM. This change need to be done from secure memory of same zone only.

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    TI__Guru** 116731 points

    Hi,

    Is this issue resolved?

    Vivek Singh

  • 0 in reply to Vivek Singh
    Prodigy 180 points

    Hi Viviek,

    Sorry, I've forgotten to update the status.

    I've found out the root cause of the issue.

    I was using the FLASH library linked in ROM. Once I've used the library on RAM, the problem desappeared and my applciation boot is now able the update the flash with DCSM feature active.

    So I think we can close the issue.

    I've obly one further question to ask you:

    since all the LSRAM and both flash BANKS are secured and assigned to the same zone, can I leave the CSM pwd unlocked ?

    Thank you

  • 0 in reply to Pierfrancesco Annese
    TI__Guru** 116731 points

    Hi,

    since all the LSRAM and both flash BANKS are secured and assigned to the same zone, can I leave the CSM pwd unlocked ?

    Sorry, I did not understand your question. If you need security on the device, why would you want to have CSM password unlocked?

    Regards,

    Vivek Singh