• State Resolved
  • Locked Locked
  • Replies 1 reply
  • Subscribers 100 subscribers
  • Views 307 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] J721S2XSOMXEVM: How to unlock the JTAG using TISCI API ?

Diwakar Dhyani
Mastermind 35990 points
Part Number: J721S2XSOMXEVM

How we can unlock the JTAG on HS-SE devices using TISCI api mentioned in the secure debug document ?

  • +1
    TI__Mastermind 35990 points

    Please follow the below steps to unlock the JTAG using TISCI_MSG_OPEN_DEBUG_FWLS tisci API.

    1. Make the corresponding changes in the secure board config (sciclient_defaultBoardcfg_security.c)
      cd <RTOS_SDK>/<pdk>/packages/ti/drv/sciclient/soc/V*/
       
      Note: We are keeping host id as 128 to allow all host to send this TISCI msg, customer can modify it according to there host.
    2. Create a debug certificate, below is the example for the certificate template.
      [ req ]                                                                         
distinguished_name     = req_distinguished_name                                 
x509_extensions        = v3_ca                                                  
prompt                 = no                                                     
                                                                                
dirstring_type = nobmp                                                          
                                                                                
[ req_distinguished_name ]                                                      
C                      = US                                                     
ST                     = SC                                                     
L                      = Dallas                                                 
O                      = Texas Instruments., Inc.                               
OU                     = PBU                                                    
CN                     = Albert                                                 
emailAddress           = Albert@ti.com                                          
                                                                                
[ v3_ca ]                                                                       
basicConstraints = CA:true                                                      
1.3.6.1.4.1.294.1.3=ASN1:SEQUENCE:swrv                                          
1.3.6.1.4.1.294.1.8=ASN1:SEQUENCE:debug                                         
                                                                                
[ swrv ]                                                                        
swrv         =  INTEGER:0                                                       
                                                                                
[ debug ]                                                                       
debugUID     =  FORMAT:HEX,OCT:0000                                             
debugType    =  INTEGER:5                                                       
coreDbgEn    =  INTEGER:0x010206070809                                          
coreDbgSecEn =  INTEGER:0x202180
    3. Sign the above certificate with the active root trust keys (SMPK/BMPK)
      Eg:  openssl req -new -x509 -key <RTOS_SDK>/<pdk>/packages/ti/build/makerules/k3_dev_mpk.pem -nodes -outform der -out debug_unlock_cert.der -config  debug_cert.txt -sha512
    4. With the above command you get the signed certificate, now we will generate the header file containing the debug cert.
      In Linux you can run xxd tool to generate .h file Eg: xxd -i debug_unlock_cert.der debug_cert.h

    5. Create a wrapper API  inside the PDK.
      Ex:We can add the below wrapper api in <RTOS_SDK>/<pdk>/packages/ti/drv/sciclient/src/sciclient/sciclient_firewall.c file
        138 int32_t Sciclient_firewallDebugOpen(
  139     const struct tisci_msg_open_debug_fwls_req *req,
  140     struct tisci_msg_open_debug_fwls_resp *resp,
  141     uint32_t timeout)
  142 {   
  143     int32_t r;
  144     Sciclient_ReqPrm_t sciReq = {0};
  145     sciReq.messageType    = TISCI_MSG_OPEN_DEBUG_FWLS;
  146     sciReq.flags          = TISCI_MSG_FLAG_AOP;
  147     sciReq.pReqPayload    = (const uint8_t *) req;
  148     sciReq.reqPayloadSize = (uint32_t) sizeof(*req);
  149     sciReq.timeout        = timeout;
  150     
  151     Sciclient_RespPrm_t sciResp = {0};
  152     sciResp.flags           = 0;
  153     sciResp.pRespPayload    = (uint8_t *) resp;
  154     sciResp.respPayloadSize = (uint32_t) sizeof(*resp);
  155 
  156     
  157     r = Sciclient_service(&sciReq, &sciResp);
  158     if ((r != CSL_PASS) ||
  159         ((sciResp.flags & TISCI_MSG_FLAG_ACK) != TISCI_MSG_FLAG_ACK)) {
  160         r = CSL_EFAIL;
  161     }
  162     
  163     return r;
  164 }
  165
    6. Include the debug certificate header file generated in the STEP 4, add the call to pass the debug certificate to TIFS.
    7. After doing all the changes , run the below commands.
      cd <RTOS_SDK>/<pdk>/packages/ti/build
make sciclient_boardcfg_hs BOARD=j721s2_evm CORE=mcu1_0
make pdk_libs BOARD=j721s2_evm CORE=mcu1_0
make sbl_mmcsd_img_hs BOARD=j721s2_evm CORE=mcu1_0
    8. Copy sbl_mmcsd_img_mcu1_0_release.tiimage as tiboot3.bin and tifs.bin corresponding to HS-SE device to the SD card boot partition.