• State TI Thinks Resolved
  • Locked Locked
  • Replies 21 replies
  • Answers 5 answers
  • Subscribers 32 subscribers
  • Views 6269 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TMS570LC4357: How to lock JTAG with OTP and temporally unlock using AJSM

Mr Tian
Intellectual 700 points
Part Number: TMS570LC4357
Other Parts Discussed in Thread: UNIFLASH, HALCOGEN,

I've been loading related thread on forum for a while and following are the key points of the process. Need your help to verify before mess up with the pricey chip.

1. Read first 4 32-bit out of OTP start from address 0xF0000000. The number reads is known as 'original visible unlock code'. Let's say we have a reads of all '1s', 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF 0xFFFFFFFF. The pattern is unique on each individual chip

2. Program few bits in those 128-bits from '1' into '0'. For instance, Program 0xFFFFFFFF 0x00000000 0xFFFFFFFF 0xFFFFFFFF into that area. It will result OTP reads  0xFFFFFFFF 0x00000000 0xFFFFFFFF 0xFFFFFFFF.

3. After procedure 2, the JTAG port is locked and there is no way back to permanent unlock JTAG. The only approach to temporally unlock JTAG is by using AJSM. By saying temporally, it means valid till next power cycle.

4. The idea to unlock using AJSM is to use a register called "unlock-by-scan", once the register's 128-bit value XOR OTP first 128-bit value equals to the 'original visible unlock code', user shall gain temporally access to JTAG port.

5. Operation 4 take places right after Target connect and before Reset finish.

6. Once program OTP first 128-bit into all 0s, JTAG will permanently lock and AJSM mechanism will disabled.

Then the second parts need help is about the tools available for this procedure.

By uniflash, the 'original visible unlock code' is able to read out. OTP can be programmed by either CCS or uniflash. The question is, is there anything else can perform procedure 1-3? If any, what's their pros and cons? What is the tools available for procedure 4-6?

Please kindly help me confirm point by point. I need to get this procedure 99% sure before hands on.

  • 0
    Intellectual 700 points
    Still no response? Help please.
  • 0
    Intellectual 700 points

    Dear TI, I wrote you, but you still ain't callin'
    I left my cell, my email and my home phone at the profile
    I sent two post back in last-week
    You must not've got 'em
    There probably was a problem at the post system or somethin'

  • 0 in reply to Mr Tian
    TI__Guru**** 197036 points

    Hello YiRan,

    Sorry for my late response.

    1. You can use HALCoGen to generate lock key and unlock key and its ECC for locking the AJSM

    2. You can use a standalone tool (dbgauth.exe in CCSV7  folder) or CCS7 (or uniflash) to unlock the AJSM

    dbgauth -c testBoard.dat -s ajsm -t cortexr4 -k unlocking key -m 1

    3. please login private E2E to download one app note: SPNA232A

     

     

  • 0 in reply to QJ Wang
    Intellectual 700 points
    Hello QJ Wang,

    Haven't try 1-2 steps yet, but seems the private E2E forum require invitation. Link you provide reads ‘Invitation is Missing or Invalid’
  • 0 in reply to Mr Tian
    TI__Guru 59540 points
    Yiran,

    The private E2E requires that you request access and provide information within the request form. Once you have provided the information, we will draft a special unilateral SafeTI NDA to cover sharing of the NDA materials contained within the Private forum. You will need to have the SafeTI NDA signed by somone within your company authorized to sign on behalf of you company and enter into the legal agreement of the NDA. Once the SafeTI NDA is executed, a formal invitation to join the community will be sent to you.

    To request access, please use this link: tideals.wufoo.com/.../

    If you are working as a third party supporting creation of materials to support the Hercules devices and not as a direct customer to TI, then please let me know and we can discuss the best way to handle the exchange of this NDA material without access to the private forum. In this case, you may already have an NDA on file with TI so we could potentially work within the guidelines of that agreement without direct access to the private forum. Feel free to private message me within this E2E and we can discuss more directly about your project and company information.
  • 0 in reply to QJ Wang
    Intellectual 700 points
    Hello QJ Wang,

    I found the visible key configuration in Halcogen programme. Where does the Visible Key comes from? Through flash reads over 0xF000000 address? Does each device has an unique Visible Key? Or they all share one single key?

    Awaiting for your response. Thx.
  • 0 in reply to Chuck Davenport
    Intellectual 700 points
    Hello Chuck,

    My colleague already have NDA with TI and they insist to contact with you over their channel. Request already sent to my colleague for the SPNA232A document. Thanks for your kind reply.

    Regards,
  • 0 in reply to Mr Tian
    TI__Guru**** 197036 points

    Hello Yiran,

    The original visible unlock code is same for all the devices of LC4357. The original visible unlock code is defined by TI at chip design stage. The locked LC4357 AJSM can be temporarily unlocked by scanning an unlock key into the "Unlock By Scan" register of the AJSM module. The XOR of the OTP contents and the unlock key (in Unlock-By-Scan register) results in the original visible unlock code. For example:

    1. The original visible unlock code for LC43x at 0xF000_0000: FFEFFFF_FFFDFFFE_FFFFFFFF_EFFDFFFF

    2. The new key written to 0xF000_0000 is: DA69B4D2_72E8E5D4_83030605_AB85570A  (generated through HALCoGen)

    3. The unlock key will be: 25864b2d8d151a2a7cfcf9fa4478a8f5  (Generated through HALCoGen)

    XOR of the values in step 2 and step 3 generates the original visible unlock code in step 1.

  • 0 in reply to QJ Wang
    Intellectual 700 points
    Hello QJ Wang,

    Thanks for your clear reply.

    With the help of Halcogen, I've already generate a key and flash to OTP -- Chip is locked now. However, I can not get the chip connected through SPNA232A approach. (Tried multiple method but none of them work).

    As SPNA232A is a NDA documents I assume I can't provide more specified detail here. Can you help me over this issue? How can I provide you more detail? Thx.

    Regards,
  • 0 in reply to Mr Tian
    TI__Guru**** 197036 points

    Hello Yiran,

    Let me introduce the first method:

    1. Find the unlock scan pattern or unlock key from your ajsm.asm generated through HALCoGen

        AJSM0~AISM3 are the key you programmed to the OTP. The unlock key is:

       dbgauth key : b2a365677ae8f5d23288651127786ef1

    2. In CCS, double click your target configuration file (for example TMS570LC4357.ccxml ), and click "Test Connection", the testBoard.dat file will be generated and is located in c:\Users\...\AppData\Local\Texas Instruments\CCS\ti\x\y\BrdData   (x,y are numbers)

    3. The dbgauth.exe is located in c:\ti\ccsv7\common\uscif\dbgauth.exe

    4. open you cmd windows, type following command to unlock (replace the folder name and unlock key with yours)

    c:\ti\ccsv7\common\uscif\dbgauth.exe -c C:\Users\...\AppData\Local\TEXASI~1\CCS\ti\1\0\BrdDat\testBoard.dat -s ajsm -t cortexr4 -k b2a365677ae8f5d23288651127786ef1 -m 1

  • 0 in reply to QJ Wang
    TI__Intellectual 1835 points

    Hi QJ,

    Recently, I'm helping to do the AJSM Lock&Unlock on TMS570LC4357 platform. When I do the test on TMS570LS31x USB Stick Development Kit, it works well. But when I test AJSM Unlock on TMS570LC43x LAUNCHPAD, it shows failed.

    1. The HL_ajsm.asm of TMS570LC4357 is as below.

        .sect ".ajsm"
    .arm

AJSM0 .word  0xC9E9B3D2U
AJSM1 .word  0xBE8B7D16U
AJSM2 .word  0x27A44F4CU
AJSM3 .word  0x53A0A760U


    .sect ".ajsmecc"
    .arm

AJSMECC0 .byte  0x4CU
AJSMECC1 .byte  0xC8U

	
;/****************************************************************************/
;   
; For the above visible key selected, for unlocking scan pattern below 
; 
; dbgauth key : ac4f589fd859b0b2417482e926144c2d 
; CCS: 
; 		unlock key bits 31:00  = 0x26144c2d
; 		unlock key bits 63:32  = 0x417482e9
; 		unlock key bits 95:64  = 0xd859b0b2
; 		unlock key bits 127:96 = 0xac4f589f
;
;/****************************************************************************/

    2. I can lock the JTAG successfully, but when I use cmd command line to unlock JTAG, it shows the target device is still locked. Could you help to check the result on your TMS570LC43x Launchpad? Thanks a lot.

      

  • 0 in reply to David Bai
    TI__Guru**** 197036 points
    Hi David,

    I need to check the code with LC43x device.
  • 0 in reply to QJ Wang
    TI__Intellectual 1835 points

    Hi QJ,

    OK, I think my operation steps are correct. Maybe there are some subtle differences between LC43x and LSxx need your verification. Thanks a lot. 

  • 0 in reply to David Bai
    TI__Guru**** 197036 points
    Hi David,

    Can you please cortexr4 instead of cortexr5 in dbgauth command line? I didn't find a spare LC4357 board for testing AJSM.
  • 0 in reply to QJ Wang
    TI__Intellectual 1835 points

    Hi QJ,

    I tried cortexr4 instead before, it shows error occurred as below. So I think the cortex should be cortexr5.

  • 0 in reply to David Bai
    TI__Guru**** 197036 points
    Thanks David, good job.
  • 0 in reply to QJ Wang
    TI__Intellectual 1835 points
    Hi QJ,
    How about the case? Any updates? Thanks a lot.
  • 0 in reply to David Bai
    TI__Guru**** 197036 points
    Hi David,

    I haven't figured it out.
  • 0 in reply to QJ Wang
    TI__Guru**** 197036 points

    Hi David,

    There is a difference between the R5 based TMS570LC4357 and the R4 based TMS570S3137 Hercules products. On the TMS570LC4357 the flash is natively BE8 instead of BE32. The flash loaders switch the bytes when programming the device so to the user it still appears as BE32. The HALCoGen AJSM key generation tool doesn't take that into account.

    The workaround is to do byte swap of unlock key generated by HALCoGen

    ; unlock key bits 31:00  = 0x26144c2d    -->0x2d4c1426

    ; unlock key bits 63:32  = 0x417482e9    -->0xe9827441

    ; unlock key bits 95:64  = 0xd859b0b2   -->0xb2b059d8

    ; unlock key bits 127:96 = 0xac4f589f    -->0x9f584fac

    So the unlock key is: 9f584facb2b059d8e98274412d4c1426

    the command is:

    C:\\ti\\ccsv7\\ccs_base\\common\\uscif\\dbgauth.exe -c  C:\\Users\\...\\AppData\\Local\\TEXASI~1\\CCS\\ti\\1\\0\\BrdDat\\testBoard.dat -s ajsm -t cortexr5 -k 9f584facb2b059d8e98274412d4c1426 -m 1

    I tested on my board, it works 

  • 0 in reply to QJ Wang
    TI__Guru**** 197036 points

    Hi David,

    I created a new gel file and xml file for TMS570LC4357. They are useful if you want to unlock the device using CCS:

    1. Gel file: change the key in line #67

    Please place this gel file to: C:\ti\ccsv7\ccs_base\emulation\gel

    3554.tms570lc43xx_ajsm_unlock.gel

    2. xml file: please place to: C:\ti\ccsv7\ccs_base\common\targetdb\devices

    1362.tms570lc43xx_secure.xml

  • 0 in reply to QJ Wang
    TI__Intellectual 1835 points
    Hi QJ,
    Thanks a lot. You are right, I tested on my board, it works well too.