Custom USB BSL with encryption

Other Parts Discussed in Thread: MSP430F5507

Hi all,

I am trying to determine the least difficult approach for implementing firmware decryption. I am using the MSP430F5507 and the USB BSL to download firmware updates from the field. The only problem is that I would like to encrypt the firmware before sending it off to the users. I would rather not write a custom BSL, but rather use the TI supplied USB BSL to download the encrypted firmware and run it through the decryption routine somehow. Would this be possible or am I forced to write a custom BSL with the decryption routine added to it?

If I have to write a custom USB BSL the issue that I am concerned about is the code size of the custom BSL. I successfully ported the TI provided USB BSL to CCS, but I am unable to add anything else to the BSL code without exceeding the BSL memory area. Any suggestions?

Thank you,

  • Hi Cody,

    in the default implementation of USB BSL, I don't see any possibility (at least an easy one) to do decryption.

    However, just a small tip: the USB BSL itself works in two steps. The default USB BSL inside the MSP430 is a small version of the BSL which only supports very few commands (I think only RX_PASSWORD, RX_DATA_BLOCK). What we basically do is first unlock the small USB BSL and then download a full version of the BSL into the RAM. The real work starts after the full BSL is fully downloaded into the RAM and executed from there.

    Here is an example BSL_Scripter script from SLAU319 which shows those steps:

    MODE 5xx USB
    // to erase device, should fail
    RX_PASSWORD erase_pass.txt
    DELAY 1000
    // delay for mass erase
    RX_PASSWORD ff_pass.txt
    RX_DATA_BLOCK_FAST RAM_BSL.00.05.04.34.txt
    SET_PC 0x2504
    DELAY 3000
    //------------------------------------------------------
    // The USB BSL is now in RAM, and is started
    // We must now re-initialize communication
    //------------------------------------------------------
    MODE 5xx USB
    //------------------------------------------------------
    // Now we simply demo the use of the supported functions
    //------------------------------------------------------
    RX_DATA_BLOCK_FAST 5529_LED_BLINK.txt
    TX_DATA_BLOCK 0x8000 0x100 Data_Read_1.txt
    CRC_CHECK 0x8000 0x10 0xCFB8
    ERASE_SEGMENT 0x8000
    TX_DATA_BLOCK 0x8000 0x100 Data_Read_2.txt
    CRC_CHECK 0x8000 0x100 0x5B2F
    TX_BSL_VERSION
    RX_DATA_BLOCK_FAST 5529_LED_BLINK.txt
    SET_PC 0x8000

    I think then it is possible for you to create a custom BSL with this mechanism also.

    Hope this at least will help you a bit.

  • Leo is right. You only need to "customize" the RAM_BSL.

    However, note that your custom RAM_BSL will be stored in the PC and is thus not secure.

    To make it secure, you need to customize the Flash_BSL in your chip. It only needs to be able to: (a) load RAM from PC, (b) decrypt what that (c) run that, and (d) go back to and repeat. The key (pun intended) is to store all your secrets in your chip, not in the PC.

  • OCY,

    So does it sound feasible to just add the decryption key (128-bit) to the custom flash BSL, and modify the RAM BSL to actually contain the routine to decrypt the incoming firmware but have it call the key from the flash BSL memory? Would I even be able to gain access to the key stored in the flash BSL from the RAM BSL? Like I said previously, the custom USB flash BSL that I currently have working consumes the entire 2k of BSL memory, so adding the decrypt routine is not possible without some serious rework of what I currently have (rework in assembly? yikes!).

    Thanks all for the help,

  • The principle of what you said is correct. You only need to keep the key secret. The decryption algorithm or code can be public.

    Make sure no one can read the key without using the key.

  • So one final question. Can the custom RAM BSL access the custom FLASH USB BSL memory to get the KEY for decryption without opening a security hole?

  • Hi Cody,

    I think as long as you can keep the content of the FLASH USB BSL secure, then it should be possible.

    To do this, I might suggest the following things:

    - disable the JTAG key

    - modify the FLASH USB BSL to not be able to do any operation on itself (always check the address for any read/write operation).
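
The address check suggested in the last reply, sketched as an added example (not code from the thread or from TI's BSL sources). It assumes the 2 KB BSL flash sits at 0x1000-0x17FF with 512-byte segments, which should be confirmed against the device datasheet; the command enum and function names are hypothetical. It covers every scripted command that takes an address, including CRC_CHECK, since a CRC over a short range reveals the bytes in it.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed layout: 2 KB BSL flash at 0x1000-0x17FF (verify in the datasheet). */
#define BSL_START    0x1000UL
#define BSL_END      0x17FFUL   /* inclusive */
#define ADDR_MAX     0xFFFFFUL  /* 20-bit MSP430X address space */
#define SEGMENT_SIZE 512UL      /* assumed flash segment size */

/* Hypothetical codes for the BSL commands that carry a target address. */
typedef enum {
    CMD_RX_DATA_BLOCK,   /* write to memory */
    CMD_TX_DATA_BLOCK,   /* read memory back to the host */
    CMD_CRC_CHECK,       /* CRC over a range */
    CMD_ERASE_SEGMENT    /* erase the segment containing the address */
} bsl_cmd_t;

/* True when [addr, addr+len-1] is a valid range that does not touch the BSL. */
bool bsl_range_allowed(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr > ADDR_MAX)
        return false;
    if (len - 1 > ADDR_MAX - addr)      /* range would run past the address space */
        return false;
    uint32_t last = addr + (len - 1);
    /* Overlap test, not a start-address test: a block that begins below
       BSL_START but extends into the region is refused as well. */
    return last < BSL_START || addr > BSL_END;
}

/* Gate to call before executing any command that takes an address. */
bool bsl_command_allowed(bsl_cmd_t cmd, uint32_t addr, uint32_t len)
{
    switch (cmd) {
    case CMD_ERASE_SEGMENT:
        /* Erase affects the whole segment, so check the segment, not the byte. */
        return bsl_range_allowed(addr & ~(SEGMENT_SIZE - 1), SEGMENT_SIZE);
    case CMD_RX_DATA_BLOCK:
    case CMD_TX_DATA_BLOCK:
    case CMD_CRC_CHECK:      /* a 1-byte CRC is effectively a 1-byte read */
        return bsl_range_allowed(addr, len);
    }
    return false;            /* unknown command: refuse */
}
```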