• State Resolved
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 18 replies
  • Subscribers 101 subscribers
  • Views 670 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM62A7: Question Regarding HS-SE Device Debug Port Unlock Methods

Cesc Yang
Intellectual 251 points
Part Number: AM62A7


Tool/software:

Dear TI Experts,

Throgh TISCI document I understand there are two methods for unlocking the debug port:

  1. Extending the SBL image with debug information.
  2. Using a certificate generated from the UID for unlocking the debug port.

However, I'm unsure of the exact steps required to implement them. Could you please provide guidance on how to generate the SBL image with the extended debug information, and how to generate the certificate for unlocking the debug port based on the UID?

Additionally, I am aware that eFuse can be used to permanently lock the debug port, but I'm unclear on the exact process for this. Could you also provide details or reference material on how to do this as well?

Best regards,
Yang

  • 0
    TI__Genius 9571 points

    Dear customer, 

        Could you please refer the link here ?   Thanks. 

        https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/secure_debug.html?highlight=jtag#secure-debug-user-guide

    Regards,

    Linjun

  • 0 in reply to Linjun Meng
    Intellectual 251 points

    Hi Linjun,

    Thanks for this doc. It answered the question regarding the certificate generating.

    However, there are still 2 questions pending:

    1. How to build SBL images with extended debug information.
    2. How to permanently lock the debug port via eFuse.

    Are there any specific guides on these processes?

    Best Regards,

    Yang

  • +1 in reply to Cesc Yang
    TI__Guru 73361 points

    1. The following patch enables the debug extension in the SBL certificate:

    diff --git a/examples/drivers/boot/sbl_ospi_nand_multistage/sbl_ospi_nand_stage1/am62ax-sk/r5fss0-0_nortos/ti-arm-clang/makefile b/examples/drivers/boot/sbl_ospi_nand_multistage/sbl_ospi_nand_stage1/am62ax-sk/r5fss0-0_nortos/ti-arm-clang/makefile
index 8966f3a..5b1b36a 100644
--- a/examples/drivers/boot/sbl_ospi_nand_multistage/sbl_ospi_nand_stage1/am62ax-sk/r5fss0-0_nortos/ti-arm-clang/makefile
+++ b/examples/drivers/boot/sbl_ospi_nand_multistage/sbl_ospi_nand_stage1/am62ax-sk/r5fss0-0_nortos/ti-arm-clang/makefile
@@ -272,9 +272,9 @@ $(BOOTIMAGE_NAME): $(BOOTIMAGE_BIN_NAME)
 	@echo  Boot image: am62ax:r5fss0-0:nortos:ti-arm-clang $(BOOTIMAGE_PATH)/$@ ...
 ifeq ($(DEVICE_TYPE),HS)
 ifeq ($(ENC_SBL_ENABLED),yes)
-	$(BOOTIMAGE_CERT_GEN_CMD) --swrv 1 --sbl-enc --enc-key $(APP_ENCRYPTION_KEY) --sbl-bin $(BOOTIMAGE_PATH)/$(BOOTIMAGE_BIN_NAME) --sysfw-bin $(SYSFW_PATH)/sysfw-hs-enc.bin --sysfw-inner-cert $(SYSFW_PATH)/sysfw-hs-enc-cert.bin --boardcfg-blob $(BOARDCFG_BLOB) --boardcfg-sbldata-blob $(BOARDCFG_SBLDATA_BLOB) --sbl-loadaddr $(SBL_RUN_ADDRESS) --sysfw-loadaddr $(SYSFW_LOAD_ADDR) --bcfg-loadaddr $(BOARDCFG_LOAD_ADDR) --bcfg-sbldata-loadaddr $(BOARDCFG_SBLDATA_LOAD_ADDR) --key $(BOOTIMAGE_CERT_KEY) --rom-image $(BOOTIMAGE_PATH)/$(BOOTIMAGE_NAME) --enable-sbldata $(ENABLE_SBLDATA)
+	$(BOOTIMAGE_CERT_GEN_CMD) --swrv 1 --sbl-enc --enc-key $(APP_ENCRYPTION_KEY) --sbl-bin $(BOOTIMAGE_PATH)/$(BOOTIMAGE_BIN_NAME) --sysfw-bin $(SYSFW_PATH)/sysfw-hs-enc.bin --sysfw-inner-cert $(SYSFW_PATH)/sysfw-hs-enc-cert.bin --boardcfg-blob $(BOARDCFG_BLOB) --boardcfg-sbldata-blob $(BOARDCFG_SBLDATA_BLOB) --sbl-loadaddr $(SBL_RUN_ADDRESS) --sysfw-loadaddr $(SYSFW_LOAD_ADDR) --bcfg-loadaddr $(BOARDCFG_LOAD_ADDR) --bcfg-sbldata-loadaddr $(BOARDCFG_SBLDATA_LOAD_ADDR) --key $(BOOTIMAGE_CERT_KEY) --debug DBG_FULL_ENABLE --rom-image $(BOOTIMAGE_PATH)/$(BOOTIMAGE_NAME) --enable-sbldata $(ENABLE_SBLDATA)
 else
-	$(BOOTIMAGE_CERT_GEN_CMD) --swrv 1 --sbl-bin $(BOOTIMAGE_PATH)/$(BOOTIMAGE_BIN_NAME) --sysfw-bin $(SYSFW_PATH)/sysfw-hs-enc.bin --sysfw-inner-cert $(SYSFW_PATH)/sysfw-hs-enc-cert.bin --boardcfg-blob $(BOARDCFG_BLOB) --boardcfg-sbldata-blob $(BOARDCFG_SBLDATA_BLOB) --sbl-loadaddr $(SBL_RUN_ADDRESS) --sysfw-loadaddr $(SYSFW_LOAD_ADDR) --bcfg-loadaddr $(BOARDCFG_LOAD_ADDR) --bcfg-sbldata-loadaddr $(BOARDCFG_SBLDATA_LOAD_ADDR) --key $(BOOTIMAGE_CERT_KEY) --rom-image $(BOOTIMAGE_PATH)/$(BOOTIMAGE_NAME) --enable-sbldata $(ENABLE_SBLDATA)
+	$(BOOTIMAGE_CERT_GEN_CMD) --swrv 1 --sbl-bin $(BOOTIMAGE_PATH)/$(BOOTIMAGE_BIN_NAME) --sysfw-bin $(SYSFW_PATH)/sysfw-hs-enc.bin --sysfw-inner-cert $(SYSFW_PATH)/sysfw-hs-enc-cert.bin --boardcfg-blob $(BOARDCFG_BLOB) --boardcfg-sbldata-blob $(BOARDCFG_SBLDATA_BLOB) --sbl-loadaddr $(SBL_RUN_ADDRESS) --sysfw-loadaddr $(SYSFW_LOAD_ADDR) --bcfg-loadaddr $(BOARDCFG_LOAD_ADDR) --bcfg-sbldata-loadaddr $(BOARDCFG_SBLDATA_LOAD_ADDR) --key $(BOOTIMAGE_CERT_KEY) --debug DBG_FULL_ENABLE --rom-image $(BOOTIMAGE_PATH)/$(BOOTIMAGE_NAME) --enable-sbldata $(ENABLE_SBLDATA)
 endif
 	$(COPY) $(BOOTIMAGE_NAME_HS) $(BOOTIMAGE_PATH)/tiboot3.bin
 else

    2. Programming the JTAG_DISABLE field is currently not supported by the TIFS. It is expected to be supported by SDK v11.0

  • 0 in reply to Cesc Yang
    TI__Genius 9571 points

    Even if  programming the eFuse debug port is supported, The CRP  (customer return process )  can't support for failure chips. Please note!

  • 0 in reply to Linjun Meng
    TI__Guru 73361 points

    Hello,

    For unlocking the HSM core, the previous method of enabling the debug extension cannot be used.

    Instead, the JTAG unlocking of all the cores including HSM must be done through the following TISCI API described in the following section:

    https://software-dl.ti.com/tisci/esd/latest/6_topic_user_guides/secure_debug.html?highlight=jtag#using-tisci-api

    The latest MCU+ SDK has an example for this:

    https://software-dl.ti.com/mcu-plus-sdk/esd/AM62AX/10_01_00_33/exports/docs/api_guide_am62ax/EXAMPLES_RUNTIME_DEBUG_UNLOCK.html

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    I've tried this method using V9.2 SDK. I've changed the board config to allow a53 core to unlock JTAG, rebuilt boardcfg , libs and sbl. Then I flash and reboot the device and got this respond message from a53 core:

    I connected the a53 core and found that the code got stuck here:

    Something worth noticing is that when I rebuilt the boardcfg, It doesnt work for DEVICE_TYPE=HS. It only successfully generates files for DEVICE_TYPE=GP. Below is the error generated when building boardcfg if I changed the DEVICE_TYPE in the devconfig.mak from GP to HS.

    What I have done then is that I first build boardcfg with DEVICE_TYPE set as GP, then I build boardcfg again with DEVICE_TYPE set as HS. This generates the sciclient_defaultBoardcfg_hexhs.bin.hs.signed file as shown below.

    Then I repeated the rebuilt of libs and sbl. I re-flash the sbl stage 1 into the device and rebooted. However the phenomenon remains the same.

    Please help to resolve this issue.

    Regards,

    Yang

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    I've tried the same method using V10.1 SDK. The A53 core printed the following:

    However I still can't connect the HSM core.

    Referring to the this documentation here,

    the debug_unlock_x509_cert_gen has been modified as follows:
    .
    The HSM should be able to be connected. How is it still not open to JTAG?

    Can you prioritize this issue as enabling the HSM debug can help with all the other blocks we are encountering and this is a matter of urgent.

    Regards,

    Yang

  • 0 in reply to Cesc Yang
    TI__Genius 9571 points

    Hi yang,

       Could you please modify the sciclient_defaultBoardcfg_security.c as below to try?

      .jtag_unlock_hosts = {TISCI_HOST_ID_A53_0, 0, 0, 0},

      

    Linjun

  • 0 in reply to Linjun Meng
    Intellectual 251 points

    Hi,

    This method doesn't work either. Current phenomenon is that no matter how I change the sec_dbg string,  the only cores I can connect to are the A530-0 and DM-R5. Also, after I connected to the DM-R5, if I connect any of the other blocked cores, the DM-R5 automatically disconnects, and after this the DM-R5 couldn't be connected to either.

    Also I noticed in the TISCI 10.01.08 document it says:

    Does this apply to AM62Ax?

    TI experts, please help with this issue.

    Regards,

    Yang

  • 0 in reply to Cesc Yang
    TI__Guru 73361 points

    Hello,

    Cesc Yang said:
    Does this apply to AM62Ax?

    That statement is for the TIFS core not the HSM core. The HSM core can be unlocked on the HSSE device.

    Cesc Yang said:
    However I still can't connect the HSM core.

    Please share the error reported by debugger on connecting to the HSM core.

    Thanks!

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    Please refer to the image below:
    This is how I modify the cert_gen.py:
    ;
    These 2 cores are the ones that can actually be connected to:
    ;

    This is the error shown if I try to connect to the HSM:

    ;

    Additionally, if I try to connect to the MCU-R5 core, this would happen(The DM-R5 also gets blocked after about 2 seconds.):

    Thank you very much for you support.

    Regards,

    Yang

  • 0 in reply to Cesc Yang
    TI__Guru 73361 points

    Hi,

    It seems like the MCU R5F core is not booted. Could you please share the full boot logs?

    For testing purpose, could you please boot the default HSM appimage and see if you are able to connect to HSM core then?

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    This is the flashing script I'm using. The HSM image is generated from the default HSM_min_sample.
    ;

    This is the sbl and A53 print log(Uart No.1):

    This is the DM print log(Uart No.3):

    Uart No.2(Normally used by HSM trace) and Uart No.4(Normally used by MCU-R5) didnt print anything.

    What does this mean?

    Regards,

    Yang

  • 0 in reply to Cesc Yang
    Intellectual 251 points

    Hi,

    After I switch these ipc example projects to helloworld projects, the cores can boot successfulIy, and as a result I can successfully connect to HSM and MCU-R5.

    I'm going to try the same using SDK version the client's development is based on, which is SDK V9.2. If there's any issue I will update them here.

    Thanks for pointing out the reason being MCU not getting booted here Prashant.

    Regards,

    Yang

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    This method works, but only if I replace the makefile under mcu_plus_sdk\tools\sysfw\boardcfg from V9.2 into the one in SDK V10.1.

    Regards,

    Yang

  • +1 in reply to Cesc Yang
    TI__Guru 73361 points

    Hello,

    The board configuration build failure is a known issue and is already fixed from SDK v10.0.

    https://github.com/TexasInstruments/mcupsdk-core-k3/commit/2403d2eeb

    Regards,

    Prashant

  • 0 in reply to Prashant Shivhare
    Intellectual 251 points

    Hi Prashant,

    Understood. Is there any known issue on the functionality of the ipc example in the SDK since the problem was the MCU core did not get booted correctly running the ipc example?

    Regards,

    Yang

  • 0 in reply to Cesc Yang
    TI__Guru 73361 points

    Hello,

    There is no known issue related to IPC example.

    I was able to successfully connect to the MCU core with the default IPC_RPMSG_ECHO examples.

    Regards,

    Prashant