OK, I've tried a couple of experiments and done RE of the boot loader, and here are my findings:

1. JTAG pins are configured as GPIO inputs during reset; RTCK is sampled by the boot loader itself and the GPIOs are configured accordingly at a later stage.
2. There is something like a CRP latch in the chip; the boot loader writes 0xFFFFFFFF there if CRP is enabled.
3. It is possible to rewrite the boot loader only, even on CRP-protected devices.
4. It is possible to ENABLE the JTAG on CRP-protected devices using 5 asm commands run from RAM; however, FLASH is still inaccessible from JTAG -- it reads 0xFFFFFFFF once the CRP latch is set. Nevertheless, zeroing the CRP latch by means of JTAG enables full access to FLASH, provided you stop the CPU before that (zeroing the CRP latch resets the CPU core. Only the core, not the peripherals).

This was tested on an LPC2129 with the latest bootloader.

Tools: IDA Pro Advanced, Philips on-field boot loader update utility, Olimex LPC2129 board.
Re: Flash Security Clarification --- some sad facts
2005-12-25 by Felix