• State Resolved
  • Locked Locked
  • Replies 13 replies
  • Answers 3 answers
  • Subscribers 79 subscribers
  • Views 441 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

Original question:

MSP430FR2355: Boot and Code Security Options on MSP430FR2xxx devices - Force mass erase/Prevent extracting firmware?

MSP430FR2475: JTAG e-fuse programming lock key, verifying that lock key was successfully programmed and e-fuse was blown

Samyukta Ramnath1
Intellectual 770 points
Part Number: MSP430FR2475
Other Parts Discussed in Thread: UNIFLASH, MSP-FET

Hello,

I've been able to follow instructions to disable JTAG on the MSP430FR2xxx device family by writing a value of 0x5555 to JTAG signature 1 and JTAG signature 2. I've also been able to disable the BSL by writing similar signature to 0x5555 and 0x5555. Following this post , since there is a password to enable the BSL but this would be a fixed password, to avoid the risk of the device being able to be unlocked in the field, I understand that I must blow the e-fuse to disable the JTAG, as well as disable the BSL by following the steps mentioned above. I understand that the lock down will only be applied after a reset after this command is applied. When I try to reprogram the tool thereafter, I get an error that 'the device has been secured' and it is unable to be recognised by softwares such as Uniflash.

I was able to recover and unlock the device by performing a mass-erase using the TI Uniflash tool and was able to subsequently have the device recogised by Uniflash and re-program the device.

Since I wish to perform these lockdown steps this in my final customer firmware, I want to have the reset functionality also be a part of the firmware itself to reduce the number of extra manufacturing steps required. 

However, that means that I need a way to verify that the lock down has already occurred. If it has already occurred once, there is no need to write the memory again and reset the device again (as this would cause a boot loop). 

a. How would I apply a device reset from within the MSP430FR2xxx firmware? I'm not aware of a 'reset' command that resets the MCU itself.

b. Looking at documentation, I'm seeing some functions such as 'isLockKeyProgrammed' or 'isFuseBlown'. However these seem to be functions that another device would send the main MCU via the JTAG interface, not something that the main MCU can check within itself. Is the only solution to just read out the two JTAG and BSL signatures and confirm that they are equal to 0x5555 as expected if the device is locked down? 

Please let me know. 

Warm regards,

Samyukta

  • 0
    Guru 34033 points

    a. Device firmware reset can be done by watchdog

    b. Yes, firmware can read JTAG / BSL signatures stored in FRAM.

  • 0
    TI__Mastermind 28070 points

    Hi Samyukta,

    In addition to zrno's suggestion of resetting the device by watchdog. You can also set the PMMSWPOR/BOR bits to trigger a POR or BOR respectively. Please see this snippet from the MSP430FR4xx and MSP430FR2xx family user's guide (SLAU445).

    Best Regards,
    Brandon Fisher

  • 0 in reply to zrno soli
    Intellectual 770 points

    Hi, thanks for your answer. I was able to write the signatures in FRAM, and can see them in the memory viewer in Uniflash; This leads to JTAG being secured and I can no longer detect the device in Uniflash. However, in code I tried something like this:

    #define JTAG_LOCK_SIGNATURE_START 0xFF80
unsigned long * FRAM_write_ptr;

bool isLockKeyProgrammed(void){
    FRAM_write_ptr = (unsigned long *)JTAG_LOCK_SIGNATURE_START;
    return (*FRAM_write_ptr == 0x55555555);
}

    This function evaluates to false though I can see the address 0xff80 and 0xff82 set to 0x5555 each in the memory browser.

    Moreover, when I try to disable the BSL by setting 0x5555 to the BSL signatures at 0xFF84 and 0xFF86, I can't see the memory being set in the memory browser; how can I confirm that the BSL is in fact disabled?

    Any ideas? What am I doing wrong? 

  • 0 in reply to Brandon Fisher94
    Intellectual 770 points

    Just to confirm, this is the line of code, right? 

    PMMCTL0 |= PMMSWBOR_1;

  • 0 in reply to Samyukta Ramnath1
    TI__Mastermind 28070 points

    Hi Samyukta,

    Samyukta Ramnath1 said:

    Hi, thanks for your answer. I was able to write the signatures in FRAM, and can see them in the memory viewer in Uniflash; This leads to JTAG being secured and I can no longer detect the device in Uniflash. However, in code I tried something like this:

    Fullscreen
    1
    2
    3
    4
    5
    6
    7
    #define JTAG_LOCK_SIGNATURE_START 0xFF80
    unsigned long * FRAM_write_ptr;
    bool isLockKeyProgrammed(void){
    FRAM_write_ptr = (unsigned long *)JTAG_LOCK_SIGNATURE_START;
    return (*FRAM_write_ptr == 0x55555555);
    }
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    This function evaluates to false though I can see the address 0xff80 and 0xff82 set to 0x5555 each in the memory browser.

    This looks like it should work. I'm not certain why it wouldn't return true if you have actually loaded the JTAG signature with those values. You could perhaps trying reading it back in Int sized segments rather than long, but your method should work to my knowledge.

    Samyukta Ramnath1 said:

    Just to confirm, this is the line of code, right? 

    PMMCTL0 |= PMMSWBOR_1;

    Yes that is correct. 

    Best Regards,
    Brandon Fisher

  • 0 in reply to Brandon Fisher94
    Intellectual 770 points

    Hi Brandon,

    Thanks for the confirmation. I think that the issue was due to me trying to read flash before a system init had been done. It seems to work reliably now.

    The issue I'm facing now is that, after I've determined that the JTAG signatures are not written, and I have written the JTAG and BSL signatures that lock up JTAG and disable the BSL, I initiate a BOR by running the line PMMCTL0 |= PMMSWBOR_1. This works and I can see the device reset, and once it starts up again it sees that the JTAG signatures have been written. However, I can still detect the device using Uniflash, and I can still program it. If I manually remove power from the device and give it back again, after that I'm unable to detect the device using Uniflash or program it (it will give the 'device has been secured' error). I've tried initiating a POR as well, with the same result. Any idea what I may be doing wrong? I also tried causing a watchdog reset by writing a 'while 1' loop and letting the watchdog reset the device; with the same result. I'm unable to replicate the effect of removing power from the device and then when I reconnect I am seeing the memory written properly and the device secured as I expect. 

    Another question - I'm using an MSP-FET to program my device. I'm writing 0x55555555 to the address 0xFF80 and also to 0xFF84 to disable the BSL. Now reading through forums and the datasheet, the idea is that we can lock the JTAG but if we leave the BSL enabled with a password, a BSL mass erase command unlocks the device, or if we enter the password, the JTAG will be unlocked correctly. However, if I disable the BSL by writing 0x55555555 to 0xFF84, this should make my device one time programmable, lock it forever and I would be completely unable to reprogram it ever, since I would not be able to send a mass erase command. I can see 0x5555 in 0xFF80, 0xFF82, 0xFF84 and 0xFF86, and although I cannot reprogram the device using uniflash or read out FRAM, I can still manually send out a mass erase command that actually erases the device. Thereafter, I can program the device. Can you explain a bit about how the mass erase command through uniflash works? 

     I was referencing your responses to this post: e2e.ti.com/.../msp430fr2355-boot-and-code-security-options-on-msp430fr2xxx-devices---force-mass-erase-prevent-extracting-firmware

  • 0 in reply to Samyukta Ramnath1
    Intellectual 770 points

    Another question : I saw another way to load the signatures onto the FRAM: 

    #pragma RETAIN(jtagSignature)
#pragma DATA_SECTION(jtagSignature, ".jtagsignature")
const uint32_t jtagSignature = JTAG_LOCK_CONFIG_SIGNATURE;

#pragma RETAIN(bslLockSignature)
#pragma DATA_SECTION(bslLockSignature, ".bslsignature")
const uint32_t bslLockSignature = BSL_LOCK

    However, if I do this, how would I ensure that a device BOR occurs that would enable the JTAG lock? In the previous code example, if the JTAG lock key is not programmed, I would program it and initiate a BOR and that in theory should lock up the JTAG (although I don't see this working as I expected yet), but in this case if I were to perform the reset in code it would go in a loop. Any ideas?   

  • 0 in reply to Samyukta Ramnath1
    TI__Mastermind 28070 points

    Hi Samyukta,

    Samyukta Ramnath1 said:
    The issue I'm facing now is that, after I've determined that the JTAG signatures are not written, and I have written the JTAG and BSL signatures that lock up JTAG and disable the BSL, I initiate a BOR by running the line PMMCTL0 |= PMMSWBOR_1. This works and I can see the device reset, and once it starts up again it sees that the JTAG signatures have been written. However, I can still detect the device using Uniflash, and I can still program it. If I manually remove power from the device and give it back again, after that I'm unable to detect the device using Uniflash or program it (it will give the 'device has been secured' error). I've tried initiating a POR as well, with the same result. Any idea what I may be doing wrong? I also tried causing a watchdog reset by writing a 'while 1' loop and letting the watchdog reset the device; with the same result. I'm unable to replicate the effect of removing power from the device and then when I reconnect I am seeing the memory written properly and the device secured as I expect. 

    Are you unlocking the PMM register prior to reset? Can you try the following line for your BOR instead? 

    PMMCTL0 |= PMMPW | PMMSWBOR_1;

    All of your updated settings should take effect after BOR, so if this bit is being reset properly I expect JTAG to come back up locked. If this register wasn't unlocked I wouldn't be expecting you to see a reset, but its worth a try.

    Samyukta Ramnath1 said:

    Another question - I'm using an MSP-FET to program my device. I'm writing 0x55555555 to the address 0xFF80 and also to 0xFF84 to disable the BSL. Now reading through forums and the datasheet, the idea is that we can lock the JTAG but if we leave the BSL enabled with a password, a BSL mass erase command unlocks the device, or if we enter the password, the JTAG will be unlocked correctly. However, if I disable the BSL by writing 0x55555555 to 0xFF84, this should make my device one time programmable, lock it forever and I would be completely unable to reprogram it ever, since I would not be able to send a mass erase command. I can see 0x5555 in 0xFF80, 0xFF82, 0xFF84 and 0xFF86, and although I cannot reprogram the device using uniflash or read out FRAM, I can still manually send out a mass erase command that actually erases the device. Thereafter, I can program the device. Can you explain a bit about how the mass erase command through uniflash works? 

    See section 2.4.4.2 of the Programming With the JTAG Interface Guide (SLAU320) for more info on the command being used: 

    Best Regards,
    Brandon Fisher

  • 0 in reply to Brandon Fisher94
    Intellectual 770 points

    Hi  ,  I tried your line of code and am still seeing the device reset, but I still do not see the JTAG locked after the reset, I still need to run a manual unplug-replug of the device to manually remove and apply power before I see the JTAG lock take effect.

    In this post : https://e2e.ti.com/support/microcontrollers/msp-low-power-microcontrollers-group/msp430/f/msp-low-power-microcontroller-forum/999593/msp430fr5969-sp-what-location-bit-to-write-to-perform-a-software-reset I see a 'SOFT_RESET' macro that actually does work. However it seems like this is unlocking the PMM register, applying a SW BOR, and resetting all other bits of the PMMCTL0 register except for the PMMSWBOR 0x0001 bit which according to the TRM means: 

    PMMCTL0 0x0001 and 0x0002 bit is reserved and always read as 0

    PMMCTL0 = PMMPW | PMMSWBOR 

    SVSHE = 0 (0b = High-side SVS (SVSH) is disabled in LPM2, LPM3, LPM4, LPM3.5, and LPM4.5. SVSH is enabled in active mode, LPM0, and LPM1.)

    PMMREGOFF = 0 (0b = Regulator remains on when going into LPM3 or LPM4

    PMMSWPOR = 0 (No power on reset) 

    When I set this as a soft reset, after writing the memory, I am able to see JTAG locked up and unable to detect the device after running this firmware.

  • 0 in reply to Brandon Fisher94
    Intellectual 770 points

    Hi , the piece that I'm not understanding or the piece I would like to confirm, is that Uniflash is sending this JTAG User_Code_Erase command that must be applied through the JTAG mailbox. Could you point me to some documentation that confirms this? 

  • 0 in reply to Samyukta Ramnath1
    TI__Mastermind 28070 points

    Hi Samyukta,

    If you hover over this option in uniflash, the tooltip confirms this is the command being used. 

    As far as I know, the Programming with JTAG Interface guide is the only detailed documentation we would have on that command. The UniFlash documentation doesn't explicitly call it out, but your experience with this command working when the JTAG interface is disabled also says to me that this is the command being used. 

    Best Regards,
    Brandon Fisher

  • +1 in reply to Samyukta Ramnath1
    Guru 34033 points
    Samyukta Ramnath1 said:
    Hi , the piece that I'm not understanding or the piece I would like to confirm, is that Uniflash is sending this JTAG User_Code_Erase command that must be applied through the JTAG mailbox. Could you point me to some documentation that confirms this? 

    All TI GUI / CLI PC side software tools are using the same msp430.dll, and all are using the same user_code_erase command over dll. Both, msp430.dll and FET firmware are open source, and you can find this inside MSP debug stack.

    If you want to go deep and see in details what is going on (like I did), you can use 5529 LP with dual 5528/9 debugger for debugging debugger.

  • 0 in reply to zrno soli
    Intellectual 770 points

    Thanks a lot! I think I've found the piece of code that proves this in the msp430 dll source code: https://github.com/BuLogics/libMSP430/blob/d949a8159e86dfaf0e1457682555b9278e0e48d2/DLL430_v3/src/TI/DLL430/FramMemoryAccessBase.cpp#L81 
    Here it sends out a 0x1A1A command (User_Code_Erase) and if Uniflash is using this MSP430.dll with this source code, it would make sense that I am able to recover my device.

    the revisions.txt also confirms that Erase now uses JTAG Mailbox : https://github.com/BuLogics/libMSP430/blob/d949a8159e86dfaf0e1457682555b9278e0e48d2/revisions.txt#L69  

**Attention** This is a public forum