Re: Flash Security Clarification
2005-12-23 by jayasooriah

Thank you for confirming JTAG is enabled upon reset before any code is executed in a "virgin" device. This confirms what my client has been telling me all along. This means that unless boot loader code is executed after power on reset, *and* the CEP byte is enabled by writing the magic word in the specific location in user flash, the code in on-chip flash can be compromised by JTAG debugging.

To know how this can be done, you need to look at what the boot loader does on starting up. For the 2148 part (see code snippet below with my annotation, thanks to Joel for providing me the memory dump), the first thing the bootloader does is to "hastily" disable the JTAG debug port. I say "hastily" because as quickly as possible, it clears the PINSEL2 register, which disables the JTAG debug port. Then, after clearing what appears to be a SPECIAL undocumented register 40 bytes away from PINSEL2, it restores PINSEL2 with what was originally there, but with bits 0-3 cleared.

Bits 0 and 1 of PINSEL2 are not documented in the user manual. But setting Bit 2 to a 1 will enable the JTAG debug port. According to Table 62 on page 80 of the 214X user manual, upon reset, Bit 2 is 0. If this is the case, why is it necessary for the boot loader to clear this bit?

Jaya

>       @ r0 = PINSEL2
>       @ PINSEL2 = 0
>       ldr r2, =0xe002c014     @d004
>       mov r3, #0x0            @d004
>       swp r0, r3, [r2]        @d008
>
>       @ r1 = SPECIAL
>       @ SPECIAL = 0
>       add r2, r2, #40         @d00c
>       swp r1, r3, [r2]        @d010
>
>       @ PINSEL2 = r0 & ~7
>       bic r3, r0, #7          @d014
>       str r3, [r2, #-40]      @d018
>
>       @ continue with reset
>       ldr pc, 0x7fffd020      @d01c

--- In lpc2000@yahoogroups.com, "philips_apps" <philips_apps@y...>
> 3) How is Bootloader programmed for the first time?
>
> Via JTAG on a tester. JTAG is accessible in virgin devices. Once
> bootloader is programmed and CRP is enabled the tester can't access
> the JTAG.
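The thread's point is that on-chip flash is only protected once the bootloader runs and finds the read-protection word in user flash. The following is an added example, not code from the thread or from Philips: a pre-release check a developer can run over a raw 2148 firmware image to confirm that the CRP word is present (so the bootloader will lock out JTAG) and that the vector-table checksum the bootloader tests before jumping to user code is valid. The CRP offset 0x1FC, the magic value 0x87654321 and the checksum rule are taken from the LPC214x user manual and are assumptions here, as none of them appear in the post.

```python
import struct

# Assumed from the LPC214x user manual (not stated in the thread):
# the CRP word lives at flash offset 0x1FC and must hold 0x87654321.
CRP_OFFSET = 0x1FC
CRP_MAGIC = 0x87654321
# The bootloader only transfers control to user code if the eight exception
# vectors at 0x00-0x1C sum to zero; the reserved slot at 0x14 holds the
# 2's complement of the other seven (also from the manual, assumed here).
VECTOR_WORDS = 8
CHECKSUM_SLOT = 5  # word index of address 0x14


def vector_words(image: bytes) -> list:
    return list(struct.unpack_from("<%dI" % VECTOR_WORDS, image, 0))


def valid_user_code(image: bytes) -> bool:
    """True if the vector checksum the bootloader verifies comes out zero."""
    if len(image) < VECTOR_WORDS * 4:
        return False
    return (sum(vector_words(image)) & 0xFFFFFFFF) == 0


def crp_enabled(image: bytes) -> bool:
    """True if the image carries the CRP magic word (JTAG locked after boot)."""
    if len(image) < CRP_OFFSET + 4:
        return False
    return struct.unpack_from("<I", image, CRP_OFFSET)[0] == CRP_MAGIC


def build_image(crp: bool) -> bytes:
    """Constructed sample image: eight 'b .' vectors (0xEAFFFFFE), a fixed-up
    checksum slot, 0xFF padding to 0x200 bytes, and optionally the CRP word."""
    vectors = [0xEAFFFFFE] * VECTOR_WORDS
    vectors[CHECKSUM_SLOT] = 0
    vectors[CHECKSUM_SLOT] = (-sum(vectors)) & 0xFFFFFFFF
    image = bytearray(struct.pack("<8I", *vectors))
    image += b"\xff" * (0x200 - len(image))
    if crp:
        struct.pack_into("<I", image, CRP_OFFSET, CRP_MAGIC)
    return bytes(image)


def audit(image: bytes) -> dict:
    """Summary a release checklist can fail on: code must be bootable AND CRP set."""
    return {"valid_user_code": valid_user_code(image), "crp_enabled": crp_enabled(image)}


if __name__ == "__main__":
    for flag in (False, True):
        print("CRP requested:", flag, "->", audit(build_image(flag)))
```

An image that reports `crp_enabled: False` is exactly the case the post describes: the bootloader runs, but with no CRP word it leaves the part open to JTAG after reset.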