Yahoo Groups archive

Lpc2000


Re: [lpc2000] Re: Flash Security Clarification --- some sad facts

2005-12-25 by Dominic Rath

On Sunday 25 December 2005 02:35, Felix wrote:
> ok, i've tried couple experiments and done RE of the boot loader, and
> here are my findings:
>
> 1. JTAG pins are configured as GPIO inputs during reset, RTCK is
> sampled by the boot loader itself and GPIO are configured accordingly
> at a later stage
The manual says that PINSEL2 bit 2 is determined by the state of RTCK, and the 
bootloader behaves as if this is correct. It clears bits 0 to 2 very early, 
but saves PINSEL2's initial value. If 0x1fc isn't set to 0x87654321, the 
value of PINSEL2 is restored. I can't see where the bootloader samples RTCK, 
but even if it does, JTAG is reenabled before.

> 2. There is something, like CRP latch in the chip, the boot loader
> writes 0xFFFFFFFF there, if CRP is enabled
Where is that? It is written to the undocumented location 0x3fff8024 whether 
or not CRP is enabled.

> 3. it is possible to rewrite the boot loader only, even on CRP
> protected devices.
I don't see how that's possible. The bootloader-updater is first written to 
RAM, then rewrites Flash from there. You can't write to RAM using the ISP 
routines when CRP is enabled, nor can you use JTAG.

> 4. it is possible to ENABLE the JTAG on CRP protected devices, using
> 5 asm commands run from ram, however FLASH is still inaccessible from
> JTAG -- it's reading 0xFFFFFFFF once CRP latch is set. Nevertheless,
> zeroing the CRP latch by means of JTAG enables full access to FLASH,
> provided you stop the CPU before that (zeroing the CRP latch resets the cpu
> core. Only the core, not peripherals)
How do you put these 5 asm commands into ram when CRP is enabled?
If flash is inaccessible "from JTAG" it is inaccessible from any code running. 
I guess you misinterpreted some things. What debugger did you use for your 
tests?

>
> This was tested on LPC2129, with latest bootloader.
> tools :
> IDA Pro Advanced,
> philips on-field boot loader update utility
> Olimex LPC2129 board.

Maybe you could provide more details? At what location is that "CRP latch"? I 
don't think that CRP is implemented in hardware. The manual says that CRP is 
available since bootloader version 1.61, which suggests that it was added 
after the silicon was finished. CRP seems to be implemented only in software 
(with the exception of non-standard JTAG handling, where nRESET keeps the 
test logic in reset, too, preventing debug out of reset).

Regards,

Dominic
