TM4C129: permanently locking JTAG

Other Parts Discussed in Thread: TM4C129ENCZAD

Tiva team,

The TM4C129ENCZAD datasheet dated June 18, 2014, section 8.2.3.7 says that if you disable the JTAG interface using the BOOTCFG register, it is permanent and cannot be reversed.

But doesn't performing the unlock sequence described in section 4.3.4.3 restore the BOOTCFG register to the factory default settings, and therefore reverse the JTAG lockout (albeit the flash is also mass erased during the unlock procedure)?

For reference: https://e2e.ti.com/support/microcontrollers/tiva_arm/f/908/t/343078

The above post seems to suggest grounding the JTAG pins as a way to stop a hacker from invoking the JTAG unlock sequence.  Am I understanding this correctly?  That seems like a difficult approach, since JTAG is generally needed during development, initial flash programming, etc.  Also, grounding the JTAG pins is not necessarily irreversible for a determined hacker.

Regards,

David

  • David M. Alter said:
    But doesn't performing the unlock sequence described in section 4.3.4.3 restore the BOOTCFG register to the factory default settings, and therefore reverses the JTAG lockout (albeit the flash is also mass erased during the unlock procedure)?

    Pretty much. And for good reason: people get annoyed when they brick the board.

    David M. Alter said:
    That seems like a difficult approach, since JTAG is generally needed during development, initial flash programming, etc.  Also, grounding the JTAG pins is not necessarily irreversible for a determined hacker.

    There is no method of stopping someone who is determined; even secure micros (which the TM4C series most definitely is not) are breakable. It's all a question of:

    • providing evidence that you asserted your right (sort of a no trespassing sign). The question in that case is whether a simple label may be more cost effective.
    • increasing the cost to break. All these techniques cost the developer/manufacturer as well. So is this cost (repeated over N units) less than the cost to you of someone breaking the protection?

    Robert 

    Side note: I'd be surprised if there wasn't an inexpensive way to read the flash contents even with the JTAG disabled.

  • Hello David

    Yes, the unlocking sequence mass erases the device while unlocking the device, thereby "sort-of" securing the code. The tougher the access to JTAG pins, the more effort goes in for ??? value. Changing the JTAG pins to GPIO inputs also makes it a bit tougher even if the access to the pins is achieved.
  • Amit, Robert,

    Thanks for your responses. It seems that section 8.2.3.7 of the datasheet is misleading then when it says disabling the JTAG pins is permanent and irreversible. The JTAG unlock procedure will reverse it (and also mass erase the device). The documentation should be amended.

    Regards,
    David
  • Hello David

    It could be a datasheet note as the JTAG unlock process mentions that all User Committed registers are reset to the factory default state.