Yahoo Groups archive

Lpc2000

Index last updated: 2026-04-28 23:31 UTC

Message

Re: [lpc2000] Re: Flash Security Clarification

2005-12-23 by Richard Duits

If I remember correctly the manual also says the pins are sampled a bit 
after the reset, which suggest that this is done by the bootloader code. 
If I would have to implement this myself in hardware, I would enable the 
jtag if the bootcode did not write to PINSEL register within the first 
few instructions executed. This way the JTAG is enabled if the device is 
virgin (no bootcode in the flash) and the device is protected if the 
right bootcode is present. The fact that the bootloader writes to the 
PINSEL register in the first instructions, may suggest that this is also 
what philips implemented. The other possibility is that they blow a fuse 
after programming the bootloader into the virgin device. I don't think 
they would leave a backdoor when they go to all the trouble of 
implementing the CRP.

Erasing the bootsector is also impossible because all ways to execute 
code other than the bootloader or the flashed program are disabled when 
CRP is enabled.

According a past thread, nobody succeeded in starting debugging directly 
after reset. The answer from philips_apps was that this was to implement 
the CRP. I have seen enough evidence to trust philips when they say 
there are no backdoors.

Richard.


Dominic Rath wrote:

> Hello,
>
> On Friday 23 December 2005 15:43, Felix wrote:
> > --- In lpc2000@yahoogroups.com, "jayasooriah" <jayasooriah@y...> wrote:
> > > Thank you for confirming JTAG is enabled upon reset before any code is
> > > executed in a "virgin" device.  This confirms what my client has been
> > > telling me all along.
> >
> > i think you're mixing 2 things --- JTAG after reset and JTAG on
> > "virgin" device.
> >
> > 1) according to user manual '0x00000000' is written into every
> > pinselect register when reset is low, thus switching JTAG/GPIO pins
> > into GPIO mode Inputs.
> The reset state of pinsel2 (the one responsible for jtag) is detailed 
> in table
> 62. Bit 2 is determined by the state of pin1.26/rtck on the rising 
> edge of
> reset. If this pin is driven low when the device comes out of reset, 
> the jtag
> port will start enabled. That's why they're setting it to zero as 
> early as
> possible. The JTAG statemachine is held in reset while the system 
> reset is
> driven low, which is why the lpcs can't be debugged out of reset. 
> Depending
> on when the debug logic is released from reset, a criticial timing issue
> could enable an attacker to force the device into debug mode before the
> bootloader had a chance to disable JTAG. Programming the debug control
> register to force the target into debug state takes 71 TCK cycles, or 
> 24us at
> 3MHz JTAG frequency. Of course, this is pure speculation, as the user 
> manual
> is a bit unclear about the state of the test logic during reset. It is 
> likely
> that because of the restrictions of -S arm cores (synchronize TCK with 
> MCLK)
> this attack isn't possible.
>
> > 2) i assume that "virgin" device behaves different with GPIO, this can
> > be done using simpliest 32 AND gate circuit.
> The virgin device has no bootloader which could disable the JTAG port, 
> so JTAG
> comes up enabled, if RTCK is driven low.
>
> >
> > 3) How ever -- Philips did not comment on my previous statement ---
> > IS THERE a way to reprogram BOOT on CPR enabled devices w/o erasing
> > all sectors? (by using boot update procedure with patched boot)
> >   If there is such possibility -- then i consider this CRP unsecure,
> > and  not effective enough.
> I haven't checked the bootloader updating mechanism yet - maybe the 
> updates
> are digitally signed, and the IAP calls only accept updates with a valid
> signature?
>
> > Dixi.
> >
>
> Regards,
>
> Dominic
>
>
> SPONSORED LINKS
> Microprocessor 
> <http://groups.yahoo.com/gads?t=ms&k=Microprocessor&w1=Microprocessor&w2=Microcontrollers&w3=Pic+microcontrollers&w4=8051+microprocessor&c=4&s=93&.sig=tsVC-J9hJ5qyXg0WPR0l6g> 
> 	Microcontrollers 
> <http://groups.yahoo.com/gads?t=ms&k=Microcontrollers&w1=Microprocessor&w2=Microcontrollers&w3=Pic+microcontrollers&w4=8051+microprocessor&c=4&s=93&.sig=DvJVNqC_pqRTm8Xq01nxwg> 
> 	Pic microcontrollers 
> <http://groups.yahoo.com/gads?t=ms&k=Pic+microcontrollers&w1=Microprocessor&w2=Microcontrollers&w3=Pic+microcontrollers&w4=8051+microprocessor&c=4&s=93&.sig=TpkoX4KofDJ7c6LyBvUqVQ> 
>
> 8051 microprocessor 
> <http://groups.yahoo.com/gads?t=ms&k=8051+microprocessor&w1=Microprocessor&w2=Microcontrollers&w3=Pic+microcontrollers&w4=8051+microprocessor&c=4&s=93&.sig=1Ipf1Fjfbd_HVIlekkDP-A> 
>
>
>
> ------------------------------------------------------------------------
> YAHOO! GROUPS LINKS
>
>     *  Visit your group "lpc2000
>       <http://groups.yahoo.com/group/lpc2000>" on the web.
>        
>     *  To unsubscribe from this group, send an email to:
>        lpc2000-unsubscribe@yahoogroups.com
>       <mailto:lpc2000-unsubscribe@yahoogroups.com?subject=Unsubscribe>
>        
>     *  Your use of Yahoo! Groups is subject to the Yahoo! Terms of
>       Service <http://docs.yahoo.com/info/terms/>.
>
>
> ------------------------------------------------------------------------
>

Attachments

  • No local attachments were found for this message.

Move to quarantaine

This moves the raw source file on disk only. The archive index is not changed automatically, so you still need to run a manual refresh afterward.