• State Resolved
  • Locked Locked
  • Replies 2 replies
  • Subscribers 83 subscribers
  • Views 357 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Compiler/TMS320F28376S: DCSM not secure

Eyal Saban1
Intellectual 885 points
Part Number: TMS320F28376S


Tool/software: TI C/C++ Compiler

Dear Sir , 

we are developing product based on 28376S   and want to secure the memory from reverese enginnering (e.g. using JTAG connection)

i have follow the example blinky_with_DCSM  and implemneted as part of the project 

i have created asm file with the follwoing

.....

.cdecls "security.h"

.sect "dcsm_otp_z1_linkpointer"
.long Z1_LINK_POINTER 
.long 0xFFFFFFFF 
.long Z1_LINK_POINTER 
.long 0xFFFFFFFF 
.long Z1_LINK_POINTER 
.long 0xFFFFFFFF 

.sect "dcsm_otp_z1_pswdlock"
.long 0xFFFFFF77 
.long 0xFFFFFFFF 

.sect "dcsm_otp_z1_crclock"
;; .long 0xFFFFFFFF
;; .long 0xFFFFFFFF 

.sect "dcsm_otp_z1_bootctrl"
;; .long 0xFFFFFFFF 
;; .long 0xFFFFFFFF

.sect "dcsm_zsel_z1"

.long 0xFFFFFFFF 
.long 0xFFFFFFFF 

.long 0xDFFFFFFF ;Z1-GRABRAM , CLA - Zone1,LSx and Dx are secure

.long 0xD5555555 ;Z1-GRABSECT , All allocated to Zone1

.long PASSWORD_KEY0 ;Z1-CSMPSWD0 (LSW of 128-bit password)
.long PASSWORD_KEY1 ;Z1-CSMPSWD1
.long PASSWORD_KEY2 ;Z1-CSMPSWD2
.long PASSWORD_KEY3 ;Z1-CSMPSWD3 (MSW of 128-bit password)

where PASSWORD_KEY0 ....PASSWORD_KEY3 (is key i have defined )

and Z1_LINK_POINTER   is definde set to 0x1FFFFFFF  e.g. Zone selct block will be located at 0x78020

in the linker command i have added 

PAGE 0:

....

DCSM_OTP_Z1_LINKPOINTER : origin = 0x78000, length = 0x00000C
/* Z1 OTP. PSWDLOCK/RESERVED */
DCSM_OTP_Z1_PSWDLOCK : origin = 0x78010, length = 0x000004
/* Z1 OTP. CRCLOCK/RESERVED */
DCSM_OTP_Z1_CRCLOCK : origin = 0x78014, length = 0x000004
/* Z1 OTP. RESERVED/BOOTCTRL */
DCSM_OTP_Z1_BOOTCTRL : origin = 0x7801C, length = 0x000004

/* DCSM Z1 Zone Select Contents (!!Movable!!) */
/* Z1 OTP. Z1 password locations / Flash and RAM partitioning */
DCSM_ZSEL_Z1_P0 : origin = 0x78020, length = 0x000010

/* Z2 OTP. LinkPointers */
DCSM_OTP_Z2_LINKPOINTER : origin = 0x78200, length = 0x00000C
/* Z2 OTP. GPREG1/GPREG2 */
DCSM_OTP_Z2_GPREG : origin = 0x7820C, length = 0x000004
/* Z2 OTP. PSWDLOCK/RESERVED */
DCSM_OTP_Z2_PSWDLOCK : origin = 0x78210, length = 0x000004
/* Z2 OTP. CRCLOCK/RESERVED */
DCSM_OTP_Z2_CRCLOCK : origin = 0x78214, length = 0x000004
/* Z2 OTP. GPREG3/BOOTCTRL */
DCSM_OTP_Z2_BOOTCTRL : origin = 0x7821C, length = 0x000004

/* DCSM Z1 Zone Select Contents (!!Movable!!) */
/* Z2 OTP. Z2 password locations / Flash and RAM partitioning */
DCSM_ZSEL_Z2_P0 : origin = 0x78220, length = 0x000010

.......

SECTIONS
{

/*OTP*/
dcsm_otp_z1_linkpointer : > DCSM_OTP_Z1_LINKPOINTER PAGE = 0
dcsm_otp_z1_pswdlock : > DCSM_OTP_Z1_PSWDLOCK PAGE = 0
dcsm_otp_z1_crclock : > DCSM_OTP_Z1_CRCLOCK PAGE = 0, type = DSECT
dcsm_otp_z1_bootctrl : > DCSM_OTP_Z1_BOOTCTRL PAGE = 0, type = DSECT
dcsm_zsel_z1 : > DCSM_ZSEL_Z1_P0 PAGE = 0//

dcsm_otp_z2_linkpointer : > DCSM_OTP_Z2_LINKPOINTER PAGE = 0, type = DSECT
dcsm_otp_z2_pswdlock : > DCSM_OTP_Z2_PSWDLOCK PAGE = 0, type = DSECT
dcsm_otp_z2_crclock : > DCSM_OTP_Z2_CRCLOCK PAGE = 0, type = DSECT
dcsm_otp_z2_bootctrl : > DCSM_OTP_Z2_BOOTCTRL PAGE = 0, type = DSECT
dcsm_zsel_z2 : > DCSM_ZSEL_Z2_P0 PAGE = 0, type = DSECT

}

The software is combied from 

a.custom bootloader   - runs after reset , unsecure the DCSM if neceassry for programing flash   and them resecure 

b.main application

for unsecure procedure (e.g. 4xdummy read and them write 4x key)

void UnsecureMemory()
{
volatile int tmp;
int I;
unsigned long LinkPointer;
unsigned long *Zone1SelBlockPtr;
int bitpos = 28;
int ZeroFound = 0;
// volatile long *CSM = (volatile long int *) 0x5F010; //CSM register file
volatile long *CSMPWL = (volatile long int *) 0x78080; //CSM Password location (assuming


LinkPointer = DcsmZ1Regs.Z1_LINKPOINTER.all;

/*find zone select block by finding '0' MSB in Z1LINKPOINTER*/
while ((ZeroFound == 0) && (bitpos > -1))
{
if ((LinkPointer & 0x80000000) == 0)
{
ZeroFound = 1;
Zone1SelBlockPtr = (unsigned long *) (0x78000 + ((bitpos + 3) * 16));
}
else
{
bitpos--;
LinkPointer = LinkPointer << 1;
}
}
if (ZeroFound == 0)
{
Zone1SelBlockPtr = (unsigned long *)0x78020;
}

/*Password are offset by RECORED (E.G. OFFSET 0x8 from zone select block*/
CSMPWL=Zone1SelBlockPtr+4;

for (I = 0; I < 4; I++)
tmp = *CSMPWL++;

DcsmZ1Regs.Z1_CSMKEY0 = PASSWORD_KEY0;
DcsmZ1Regs.Z1_CSMKEY1 = PASSWORD_KEY1;
DcsmZ1Regs.Z1_CSMKEY2 = PASSWORD_KEY2;
DcsmZ1Regs.Z1_CSMKEY3 = PASSWORD_KEY3;

}

for secure (force bit in Z1_CR)

void SecureMemory()
{
EALLOW;
DcsmZ1Regs.Z1_CR.bit.FORCESEC = 1;
EDIS;
}

for test purpose , i have called UnsecureMemory()  from the application , and then connect with JTAG   and watch Z1_CR

it was all 0 , i expcted to see UNSECURE at 1  , but it wasnt the case , as if the functino doesnt prefrom PMF , please advise

  • 0
    TI__Guru** 115411 points

    Hi,

    for test purpose , i have called UnsecureMemory()  from the application , and then connect with JTAG   and watch Z1_CR

    After executing the UnsecureMemory() function what does application does. Can you check the Z1_CR value from application itself and if UNSECURE bit is set then toggle some GPIO ? Since all the flash sectors are secure and if your application continue to run from flash after calling UnsecureMemory() function then device must be unsecure because you are able to connect to CCS.

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    Intellectual 885 points

    Hi Vivik , 

    i found the answer in another post , it seems that before unsecure first there is need to disable FLASH Cache

    ....

    /*Disable Flash Cach - needed for unlock*/
    Flash0CtrlRegs.FRD_INTF_CTRL.bit.DATA_CACHE_EN = 0;
    Flash0CtrlRegs.FRD_INTF_CTRL.bit.PREFETCH_EN = 0;

    and then unsecure