CC3235SF: How to secure firmware in CC3235SF without purchasing certificates.

Part Number: CC3235SF
Other Parts Discussed in Thread: UNIFLASH

Hi Team,

I am using CC3235SF for my project. I have a few questions:
1. Is there any way to secure firmware without purchasing certificates?
2. What is the difference between development mode and production mode while creating a project in Uniflash?
3. To secure the firmware, I should use production mode. Is it right?
4. Is there any alternate way to generate an OTA package without using the Uniflash tool? The output file should be the same as generated by the Uniflash tool.

  • Hi,

    • Is there any way to secure firmware without purchasing certificates?

    [Shlomi] What do you refer to as firmware? The application code? Or the entire image? Anyway, certificates are used to authenticate and not to encrypt. Best would be of course to use certificates so you also have authentication. If you decide to not use certificates and still have encryption, there is an option in Uniflash that is referred to as 'No Signature Test' but I would not recommend it.

    • What is the difference between development mode and production mode while creating a project in Uniflash?

    [Shlomi] Development mode is per device MAC address whereas production mode does not depend on a specific MAC address. Technically, development mode opens some filesystem APIs during boot loader mode so you can for example list the files, the JTAG interface is opened, etc. With production mode you cannot do it. The JTAG interface is locked.

    • To secure the firmware, I should use production mode. Is it right?

    [Shlomi] See my explanation above.

    • Is there any alternate way to generate an OTA package without using the Uniflash tool? The output file should be the same as generated by the Uniflash tool.

    [Shlomi] No, OTA is generated from Uniflash.

    Shlomi

  • Hi Shlomi

    My priority is to secure my application code. So, how can I do that without purchasing a code signing certificate? Please provide me a link/document in which it is briefly explained.
    Currently, I am using dummy certificates which are not secure. If we generate a code signing certificate from OpenSSL then is it secure?
    I want to secure my other files in the file system which is stored on SPI flash m/m. How can I secure them?

  • Hi,

    If you don't want to purchase a code signing certificate, you can use vendor device authentication. For more details see this. But this approach has some limitations:

    • You can use only serial flash MX25R3235FM1IH0. If you are using a MOD device it is not a problem, but for QFN you need to keep this in mind.
    • Your certificate catalogue is stored inside the OTP part of memory. Once you upload this catalogue, you cannot rewrite it again. If you make a mistake, the only way is to exchange the SPI flash physically.
    • The certificate catalogue can be uploaded only using the Uniflash software via UART. With your own certificate catalogue you cannot use gang programming (using UART or an SPI flash programmer). You always need to use Uniflash for production (GUI or CLI).

    The last point means very limited production capabilities. I think it is much easier (with CC3235) to buy a proper code signing certificate. It much simplifies production, and you don't fall down the rabbit hole of exchanging SPI flash during development when you have not properly uploaded the OTP part of the flash.

    If you want to use secured files, just check secured file in Uniflash (see table 6-2 in swru469).

    Jan