Flash Secure/protect help needed

Started by adlai15 March 8, 2006
Hi,

I'm using an NE64 derivative. I would like to secure/protect my 
firmware in flash during or after the download of the firmware. I've 
seen a command FLASH PROTECT for the linker command file(.prm), but 
the mcu03ea.fpp file, for the NE64, that came with CodeWarrior has 
just a few lines in it. So I have a couple of questions:

1) What's the best way to secure the flash?
2) Does anyone have a complete FPP file (mcu03ea.fpp) for the NE64? If 
not, how is a file like that created?

I'm using CodeWarrior 3.1 with a P&E BDM.

Regards,
Adlai Shawareb
Hansen Medical
	
Hi Adlai.

CW12V31 does not provide the security word programming (address $FF0E-FF0F).
You will have to write your own sequence to program these bytes and secure 
the device, if this is what you want to do.

The latest CodeWarrior (CW12V45) provides a flash programming library, that 
is NOT selected by default, but that can be enabled (editing the .FPP file) 
to support the security word programming.

Indeed, this requires in real time the last sector of the flash 
($FC00|FE00-FFFF) to be fully backed up, erased then programmed with the 
desired security word.

Do you want to program the security word?

Regards,
Gilles

Gilles,

Thanks. Yes, I want to program the security word. What I ended up 
doing was adding the following code to the Postload command file, 
and it seems to work fine. Is there a better way to handle it?

// Program Security byte to Secure state
wb 0x100 CLKDIV  // set FCLKDIV clock divider
wb 0x103 0       // FCNFG select block 0
wb 0x104 0xFF    // FPROT all protection disabled
wb 0x105 0x30    // clear PVIOL and ACCERR in FSTAT register
ww 0xFF0E 0xFFFC // write security byte to "Unsecured" state
wb 0x106 0x20    // write MEMORY PROGRAM command in FCMD register
wb 0x105 0x80    // clear CBEIF in FSTAT register to execute the command
wait 20          // wait for command to complete
	
Hi Adlai.

Even if this seems to work, there is an important issue behind it. Indeed, 
if you could launch this script, it probably means that the chip is in 
"unsecured" state => security byte programmed to 0xFE.

When you run your script, the security byte is then over programmed with a 
new value. Even if you can read the new value (as you just set one more bit 
to 0), this programming violates flash specifications and should never be 
performed.
To summarize, you should never program the same word cell twice without 
erasing it.

I have posted a new flash driver library (only valid for ICD12 v6.1.11 and 
later revisions).

http://f6.grp.yahoofs.com/v1/ACMgRFD_6IwA6isqdF2ATh0PMhKX_gPPCIkVb8x3an3jAdTQMlpda78tvhQ8NijeLo31Ig8XxMAErT18AGJSDJ26iGo/fpp%27s%20for%20%20CW12V31%20and%20ICD12%20v6.1.11%20and%20later%20releases.zip

Installation:

1-debugger closed.
2-in CodeWarrior installation, "prog" folder, rename the "fpp" folder.
3-create a new "fpp" folder and unzip all posted files in this folder.
4-edit the NE64 fpp file with a text editor: The file is called "Mcu03ea.fpp".

It contains:

NVMIF2  MC9S12NE64_V11  0x3EA "hcs12_common.fpp"
WORKSPACE 0x0400 0x1C00 3 2
DATABUFFER 0x500 0x1FFF
MODULEIMPORT MC9S12_FLASH_4000
MODULEIMPORT MC9S12_FLASH_C000
MODULEIMPORT MC9S12_FLASH_FTS64K
MODULEIMPORT MC9S12_FLASH_MIRROR_8000_PPAGE3C_FTS64K

change the line:

MODULEIMPORT MC9S12_FLASH_C000

to:

MODULEIMPORT MC9S12_FLASH_C000_SW

then save the file.

5-end

Programming of the security word is then safe, as the sector is backed up in 
RAM and patched with the security word, erased then programmed again.

How to?

e.g. from your .C source file:

const unsigned short securityWord @0xFF0E = 0x1234;

In the .prm:

ENTRIES /* keep the following unreferenced variables */
    securityWord
END

Regards,
Gilles
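
The difference between over-programming the security word in place and the backup/patch/erase/program sequence described in the reply above, as an added C model that is not part of the original thread or of the CodeWarrior flash library. The 512-byte sector at 0xFE00, the reset-vector value and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not vendor code. Sector size is an assumption: the
 * thread gives the last sector as starting at $FC00 or $FE00. */
#define SECTOR_BASE   0xFE00u
#define SECTOR_WORDS  256u
#define SEC_WORD_ADDR 0xFF0Eu
#define IDX(addr)     (((addr) - SECTOR_BASE) / 2u)

typedef struct {
    uint16_t cell[SECTOR_WORDS];
    unsigned spec_violations;   /* programs issued to a non-erased word */
} flash_sector;

static void sector_erase(flash_sector *f) {
    memset(f->cell, 0xFF, sizeof f->cell);   /* erased flash reads 0xFFFF */
}

/* Programming can only clear bits (1 -> 0). A second program on a non-erased
 * word still reads back "correctly" when it only clears more bits, which is
 * why the shortcut seems to work; the model records it as a violation. */
static void word_program(flash_sector *f, uint16_t addr, uint16_t value) {
    uint16_t *c = &f->cell[IDX(addr)];
    if (*c != 0xFFFFu) f->spec_violations++;
    *c &= value;
}

/* Shortcut: program the security word on top of its current value. */
static uint16_t secure_in_place(flash_sector *f, uint16_t value) {
    word_program(f, SEC_WORD_ADDR, value);
    return f->cell[IDX(SEC_WORD_ADDR)];
}

/* Safe sequence: back up the sector in RAM, patch, erase, program again. */
static uint16_t secure_with_backup(flash_sector *f, uint16_t value) {
    uint16_t ram[SECTOR_WORDS];
    memcpy(ram, f->cell, sizeof ram);
    ram[IDX(SEC_WORD_ADDR)] = value;
    sector_erase(f);
    for (unsigned i = 0; i < SECTOR_WORDS; i++)
        if (ram[i] != 0xFFFFu)               /* erased words need no cycle */
            word_program(f, (uint16_t)(SECTOR_BASE + 2u * i), ram[i]);
    return f->cell[IDX(SEC_WORD_ADDR)];
}

/* Constructed starting image: security word 0xFFFE (unsecured part) and a
 * hypothetical reset vector 0xC006 in the same sector. */
static void sector_init(flash_sector *f) {
    sector_erase(f);
    f->spec_violations = 0;
    word_program(f, SEC_WORD_ADDR, 0xFFFEu);
    word_program(f, 0xFFFEu, 0xC006u);
}

int main(void) {
    flash_sector a, b;
    sector_init(&a);
    sector_init(&b);
    printf("in place:    word=%04X violations=%u\n",
           (unsigned)secure_in_place(&a, 0xFFFCu), a.spec_violations);
    printf("with backup: word=%04X violations=%u vector=%04X\n",
           (unsigned)secure_with_backup(&b, 0xFFFCu), b.spec_violations,
           (unsigned)b.cell[IDX(0xFFFEu)]);
    return 0;
}
```

Both paths read back the same security word, but only the in-place path programs a cell that was never erased; the backup path also has to restore the vectors that share the sector.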
Thanks Gilles for posting the new library. How can I find out which 
version of ICD12 I have? I'm using the version of CW31 that came 
with the Freescale demo board.

I made the changes you suggested, but when I try to download I get a 
dialog saying "Error while writing to DA00..DC00.". Then it displays 
another dialog saying it can't load my ABS file.

I don't know if my prm file is part of the problem, but here is my 
segments section just in case. Do you see anything that might cause 
the problems I'm seeing?

SEGMENTS
  // Three POST variables are placed at 0x2000 - 0x2005 in Startup.c, so begin at
  // 0x2006. Before changing INTERNAL_RAM, be sure to understand why we are
  // beginning RAM at 0x2006.
  INTERNAL_RAM = READ_WRITE 0x2006 TO 0x3EFE;
  MY_STACK = READ_WRITE 0x3EFF TO 0x3FFF;

  // unbanked FLASH EEPROM
  NON_BANKED_ROM_4000 = READ_ONLY  0x4000 TO 0x7FFF FILL 0xFF;  /* 16K */

  // Start at 0xC006 because the 3 2-byte CRC's are at 0xC000, 0xC002, and 0xC004.
  NON_BANKED_ROM_C006 = READ_ONLY 0xC006 TO 0xFEFF FILL 0xFF; /* *FOR BDM* upper bank of 16K FLASH */

  // 0xFF00 to 0xFF0F is the Flash Protection Area which we don't want to write code to.

  // unbanked FLASH EEPROM
  NON_BANKED_ROM_FF1F = READ_ONLY 0xFF1F TO 0xFF7F FILL 0xFF;

  // banked FLASH EEPROM
//    PAGE_3C  = READ_ONLY  0x3C8000 TO 0x3CBFFF;
//    PAGE_3D  = READ_ONLY  0x3D8000 TO 0x3DBFFF;
END

Regards,
Adlai

Hi Adlai.

Please type the "VER" command in a Command window in the debugger.

You should get something like this:

in>VER
HI-WAVE 6.1.42 Build 3249
HI-WAVE Engine 6.1.68 Build 4047
Source 6.1.27 Build 3249
Assembly 6.1.20 Build 3249
Procedure 6.1.13 Build 3249
Register 6.1.20 Build 3249
Memory 6.1.30 Build 3249
Data 6.1.37 Build 3249
Data 6.1.37 Build 3249
Command Line 6.1.24 Build 3249
ICD-12 Target 6.1.12 Build 5023
68HC12 Interface Libraries Version 2.62 (http://www.pemicro.com)

Apparently, the library is NOT compatible with your ICD-12 release.

Regards,
Gilles