MSP430F6779A: Need simple steps to disable and reenable JTAG interface using BSL commands

Part Number: MSP430F6779A
Other Parts Discussed in Thread: UNIFLASH

Hi,

Our product uses the MSP430F6779A processor. We want to know the easiest process possible by which we can blow the reversible "electronic fuse" in this device, so that the JTAG connector is secured in the field and no one can steal the device and extract our code using JTAG. In the event of unit failure in the field, we would then want to reverse the "electronic fuse" back in-house should the unit need to be returned from the field for analysis. There are many different TI tools (Flasher.exe, Uniflash, BSL Scripter, CCS interface) that went through different revisions which included (and still do include) this functionality of disabling the JTAG. Series F5xx and F6xx mention an "electronic fuse", which is what we think we want. Some documents say this can be done "only once"; others don't say at all. The addresses of the password and length of password are different for different devices.

We see a note saying the 8-byte password is at 0x17F8 - 0x17FF, and anything other than 0000 | 0000 or FFFF | FFFF written to this address range will lock the JTAG.  But it's not clear how to actually accomplish this with the tools.

To be clear, we DON'T NEED general conversation.  We need a specific set of steps for F6779A to allow us to disable JTAG, and then at a later time reenable JTAG, in a way that will prevent extraction of source code from Flash memory. 

We have spent several days experimenting with this and have succeeded in killing one F6779A CPU by using flasher.exe with option -f, so now we are asking for help. We need to stop guessing how the security system with JTAG works and get a clear understanding.

Sincerely,

Kip Leitner

  • AFAIK, the JTAG password for the flash 5xx/6xx family is fixed, the same for all devices. The fuse value (factory default 0FFh) is stored at the end of the last BSL segment (flash memory). This (your target) is simple, because for you it is enough to unlock (in the office) a locked device from the field.

    From my point of view the least complicated method is to implement this function in the device itself, so it can unlock when some "special" command is sent to the device through your application's existing interface (without the need for special software/hardware tools).

    The fuse value is stored in flash memory that can be written by standard flash write functions (like any other flash location). The default value is (erased) 0FFh (8 bytes). When you lock JTAG, it should write 055h values per the book (it is reported that TI tools write DEAD BEAF, or something similar, anyway it is relevant). Any value other than 0FFh or 000h means a JTAG-locked device. So when your device is back in the office you should just write 000h to the JTAG fuse location, and JTAG will be open again. This can be done only once, because to rewrite the fuse again (to a value different from 000h) the flash memory must be erased first, and the BSL restored.

    This can also be done by BSL if you have / know the BSL password for your JTAG-locked device. Here is my example (software / hardware tools are irrelevant) for this...

    forum.43oh.com/.../
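The lock, unlock and "only once" behaviour described in the reply above, as a host-side model (an added example, not code from either poster or from TI). It assumes the 8-byte signature quoted in the question and the open/locked rule as stated in the thread; the function names are hypothetical and nothing here touches a real device.

```c
#include <stdint.h>
#include <string.h>

#define SIG_LEN 8   /* 8 bytes at 0x17F8-0x17FF, as quoted in the question */
typedef enum { JTAG_OPEN = 0, JTAG_LOCKED = 1 } jtag_state_t;

/* Rule as stated in the thread: all 0xFF (erased) or all 0x00 means open,
   any other content means locked. */
jtag_state_t jtag_state(const uint8_t sig[SIG_LEN])
{
    int all_ff = 1, all_00 = 1;
    for (int i = 0; i < SIG_LEN; i++) {
        if (sig[i] != 0xFF) all_ff = 0;
        if (sig[i] != 0x00) all_00 = 0;
    }
    return (all_ff || all_00) ? JTAG_OPEN : JTAG_LOCKED;
}

/* Flash programming can only clear bits (1 -> 0); setting a bit again needs
   an erase. Returns 0 on success, -1 if the requested value needs an erase. */
int flash_program(uint8_t sig[SIG_LEN], const uint8_t want[SIG_LEN])
{
    for (int i = 0; i < SIG_LEN; i++)
        if ((sig[i] & want[i]) != want[i])
            return -1;               /* would have to turn a 0 back into 1 */
    for (int i = 0; i < SIG_LEN; i++)
        sig[i] &= want[i];
    return 0;
}

/* Erase returns every byte to 0xFF; per the reply, BSL must then be restored. */
void flash_erase(uint8_t sig[SIG_LEN]) { memset(sig, 0xFF, SIG_LEN); }

/* Walk the lifecycle from the reply; one result bit per step (0x0F = all ok). */
int lifecycle_demo(void)
{
    uint8_t sig[SIG_LEN], lock[SIG_LEN], zero[SIG_LEN] = {0};
    memset(lock, 0x55, SIG_LEN);     /* 055h lock value from the reply */
    flash_erase(sig);                /* factory default */
    int r = 0;
    r |= (jtag_state(sig) == JTAG_OPEN) << 0;
    r |= (flash_program(sig, lock) == 0 && jtag_state(sig) == JTAG_LOCKED) << 1;
    r |= (flash_program(sig, zero) == 0 && jtag_state(sig) == JTAG_OPEN) << 2;
    r |= (flash_program(sig, lock) == -1) << 3;   /* relock needs an erase */
    return r;
}

int main(void) { return lifecycle_demo() == 0x0F ? 0 : 1; }
```

Under the thread's rule, a signature that is only partly written (some bytes 0x00, others still 0xFF) counts as locked, so an interrupted unlock write leaves the part locked rather than open.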
