• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Subscribers 79 subscribers
  • Views 4169 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

MSP430 Flasher and JTAG Password

Martin Held
Intellectual 300 points
Other Parts Discussed in Thread: MSP430F5527

Hi All,


I've got a program (.txt) that has a last line of

@17fc

de ad be ef

q

When I use msp430 flasher, with the -b option to unlock the BSL, it properly locks the JTAG functionality after a power on reset and is properly programmed (yay!)


However, if I want to repogram the device for debugging, even knowing the JTAG password (DEADBEEF), I can't seem to get the -p option in msp430 flasher to work right.  -l 2 just causes it to hang on 'processing triggers...', and specifying -p 0xDEADBEEF or -p 0xDEAD 0xBEEF or -p 0xDEAD 0xBEEF 0xBEEF never changes anything, always the wrong jtag password.  Am I doing something wildly wrong?  I have found exactly zero examples of -p in use for msp430 flasher.

This is an MSP430F5527 in case it matters.

  • 0
    TI__Prodigy 575 points

    Hi Martin,

    You're mixing up two things here. You're writing a BSL password but what the -p option expects is a JTAG password. This is a user defined signature located at 0xFF88 which locks access to the JTAG interface (see SLAU272 - MSP430FR57xx Family User's Guide chapter 1.13.2 for details) The JTAG password functionality is only available on MSP devices with FRAM!

    MSP430 Flasher is using the JTAG interface only. You can use it to read or write the BSL memory but you won't be able to actually use the BSL to program the target device with this tool.

    I'll be sure to enhance the documentation to avoid confusion about this in the future.

    Best Regards,

    Robert

  • 0 in reply to Robert_L
    Intellectual 300 points

    Hi Robert,


    Unfortunately, I'm even more confused.  First, I'm using a 5527, not a 57xx series part.  Also, I'm looking at slau208m, page 71,

    "The JTAG security lock key resides at the end of the bootstrap loader (BSL) memory at addresses 17FCh through 17FFh.  Anything other than 0h or FFFFFFFFh programmed to these addresses locks the JTAG interface."

    Now, if what I think you're getting at is still correct, does this mean that I am correctly locking the JTAG, but also that once locked, JTAG isn't accessible by any password at all, period, but instead the BSL is locked with the password 0xdeadbeef?

    If this specifies also the BSL password, and JTAG is permanently locked until a BSL complete wipe, that's perfectly fine. 

    However, assuming the above, with msp430 flasher, is there an elegant way to poke at 17fc-17ff without erasing the entire BSL?  The stock BSL is perfectly fine with us.  Using -b unlocks the BSL, and the default action is to then erase the entire chip, and then program it.  So I'm fairly certain I have 3 parts with BSL passwords set, but no BSL and are effectively locked permanently into one set of code (They're old prototype boards, so I'm not worried, acceptable learning casualties).  Otherwise I think I'm going to have to get my hands on the BSL code, specify -b, and then when the entire device gets wiped, program the BSL, the bsl password, and then the main program.

    Or should I just be using the 'blow jtag fuse' option in msp430flasher? (Which I thought was only for F1xxx/F2xxx/F4xxx series parts that actually have a 'fuse' and require a higher voltage on VTEST or something like that)

    (In the case of the first that I need to get a BSL programming file to append to my TI-TXT programming file, what's the best route of getting the stock BSL code?)


    Thanks,

    Martin

  • 0 in reply to Martin Held
    TI__Prodigy 575 points

    Hi Martin,

    Sorry about the confusion, I checked SLAU208 and you’re absolutely right about the JTAG interface being lockable via the signature located at 0x17FC in the BSL memory. In fact, this is exactly what happens when you use the “blow JTAG fuse” option (-f) on 5xx/6xx devices (I can see how the wording can be misleading here - I'll be sure to fix this)

    This “JTAG security lock key” however has nothing to do with the JTAG password which is only available on FRAM devices (hence my reference to the FR57xx user’s guide). The difference is that the JTAG security lock key cannot be “entered” like a password somewhere to re-enable JTAG access – especially not using the –p option of MSP430 Flasher. The only way to reset it to 0x00000000 or 0xFFFFFFFF is by using the BSL interface to overwrite it. Unfortunately this is also the only way you’d be able to recover your 3 parts where the JTAG lock key is set.

    Moving forward, the only thing you need to do if you want to lock the JTAG interface after programming your target device is call MSP430 Flasher with the following command:

    MSP430Flasher –n MSP430F5527 –w “yourcode.txt” –v –f

    This connects to your target device, erases the MAIN and INFO memory (default), programs your target code into the device, verifies the transfer and then sets the JTAG lock key to disable JTAG access.

    I hope this makes more sense now.

    Best Regards,

    Robert

  • 0 in reply to Robert_L
    Intellectual 300 points

    Hi Robert,


    Okay, that makes much more sense now.  The confusion really is generated by 'blow jtag fuse' and the documents stating 'there is no jtag fuse, use address <foo> to disable jtag'.  I would suggest maybe something for the msp430 flasher and other teams to instead of saying 'blow jtag fuse' to 'disable jtag permanently'.


    One last clarification:  If the jtag fuse is 'blown' by writing to 0x17fc-f, that is also the BSL security passkey as I understand it, though most likely incorrectly... will the BSL still be usable, and if so, with what password?  Or is that the separate area of flash at 0xFFFF?


    (The elprotronic software that the contract manufacturer uses as I understand it has a separate option to write the 16-byte BSL passkey).

    Thanks,

    Martin

  • 0 in reply to Martin Held
    TI__Prodigy 575 points

    Hi Martin,

    The BSL is definitely usable after writing a JTAG lock key to 0x17FC - 0x17FF.

    The BSL passkey is something different again. It's located at 0xFFE0 and 0xFFFF (as described in SLAU319h - chapter 3.5.2).

    Best Regards,

    Robert

  • 0 in reply to Robert_L
    Intellectual 300 points

    Excellent, thank you for all your help!  Now just to figure out how to get the BSL working on this board...

  • 0 in reply to Martin Held
    Guru 33653 points

    Martin Held said:

    Excellent, thank you for all your help!  Now just to figure out how to get the BSL working on this board...

    Unblowing soft fuse on MSP430F5xx...

**Attention** This is a public forum