8 Replies Latest reply on Oct 28, 2013 4:32 PM by user_71310180

    Self Writing Flash with Security in Kill Mode

    user_71310180

   Before I brick any of my devices, does anyone have thoughts on self writing of flash with security enabled? I don't want anyone to hack my device, but my device must be able to re-write its own flash, whether in bootloader mode or in the user application. I understand that certain security bits remove the ability to debug/program using SWD, but do they remove the ability to self write? From the TRM (which isn't specific enough in this case):


      • PROTECTED mode: The user may change the mode from OPEN to PROTECTED. This disables all debug access to user code or memory. Only access to user registers is still available; this prevents debug access to reprogram flash. The mode can be set back to OPEN but only after completely erasing the flash.
      • KILL mode: The user may change the mode from OPEN to KILL. This removes all debug access to user code or memory, and the flash cannot be erased. Only access to user registers is still available; this prevents debug access to reprogram flash. The part cannot be taken out of KILL mode; devices in KILL mode may not be returned for failure analysis.

      Flash cannot be erased because debug hardware is disabled or Flash cannot ever physically be erased because of something at the flash controller level?

        • 1. Re: Self Writing Flash with Security in Kill Mode
          user_1377889

          Different from an EEPROM, PSoCs are not programmed; they always program themselves. A (non-erasable) part in the PSoCs contains some system functions. Have a look into the "System Reference Guide" accessible from the Help menu in Creator 3. The system takes over at power-on and checks for programming requests (commands) and takes over when

          A "Killed" PSoC cannot be reprogrammed, erased or debugged.
          Bob

          • 2. Re: Self Writing Flash with Security in Kill Mode
            user_71310180

            Yes. The programmer must talk with the SPC, which writes the flash. Similarly, the user application must write to the SPC register to have it write system flash (through an API). But that doesn't answer the question. When the chip is "killed", does that lock out access to the SPC and therefore flash write access?


            I was looking for a document similar to AN73854. I didn't find one, but I did find clues to the answer buried at the end of the "Programming Specifications Document" (http://www.cypress.com/?docID=43528). In appendix A is a table explaining the different modes. This should be in the TRM. Unfortunately the table still does not explain which mode best allows internal write access to the flash while disabling SWD. For example, "Kill" simply says SWD is totally disabled, which does not preclude the use of the application code to program the flash.

            States of Chip Level Protection

            VIRGIN (CPUSS_PROTECTION 0x00; value in written supervisory row 0x01): In this mode, silicon is in post-fab (untrimmed) state. After trimming, silicon is moved into OPEN mode for the customer. This mode is not for customer use. Customers are not physically prohibited from bringing parts back to the VIRGIN state, but they are left with parts missing critical trim, wounding, and other settings from Cypress. This essentially makes the part unusable for the customer.

            OPEN (CPUSS_PROTECTION 0x01; supervisory row 0x00): In this mode, silicon is shipped to customers. Most applications use this state, in which an external debugger can access all needed resources for full functional debugging of the application. Flash, SRAM, supervisory flash, and registers are available via the DAP (Debug Access Port).

            PROTECTED (CPUSS_PROTECTION 0x02; supervisory row 0x02): In this mode, silicon allows limited access via the DAP; it is enough to read the silicon ID and move the chip back to OPEN mode. Access to Flash, SRAM, and most registers is disabled, so SWD transactions are NACKed for the master. This is true for read and write requests on the SWD bus.

            KILL (CPUSS_PROTECTION 0x04; supervisory row 0x04): KILL mode completely locks the SWD pins from an external programmer. Firmware must be 100% operable without bugs because it can no longer be updated. If this mode is needed, then it is recommended to enable it only for production programming of the end application.

            • 3. Re: Self Writing Flash with Security in Kill Mode
              user_71310180

               I should point out that "Protected" mode still allows someone to move the chip back into "OPEN" mode...which is useless if one is trying to prevent someone from reverse engineering the code. So only "KILL" makes sense...but can it self program?

              • 4. Re: Self Writing Flash with Security in Kill Mode
                user_1377889

                A "Protected" chip can be erased, so the protection goes to 0x00 which is "Open". You cannot reset the protection patterns programmatically, only an erase can do that.


                A "Killed" chip cannot be erased, so no chance to get out of that mode.


                Bob

                • 5. Re: Self Writing Flash with Security in Kill Mode
                  user_1377889

                  ... and as I pointed out in my former post, a "Killed" chip cannot be re-programmed, nor can it re-program itself partially.


                  Bob

                  • 6. Re: Self Writing Flash with Security in Kill Mode
                    user_78878863

                    When you look in the PSoC4 TRM, chapter 26.5, you see what access is enabled in which mode. OPEN means that debug mode is enabled; PROTECTED and KILL mean it's disabled. But the CPU core always has access to e.g. writing flash.

                    • 7. Re: Self Writing Flash with Security in Kill Mode
                      user_71310180

                       Thanks Bob and hli. That clears it up.

                      • 8. Re: Self Writing Flash with Security in Kill Mode
                        user_71310180

                         The key is found in section 26.5.5. You can still change the device from PROTECTED to OPEN because the DAP interface is still available, but doing so automatically wipes the chip.


                        "Changing the protection setting from PROTECTED to OPEN automatically does an erase all operation."
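The thread's conclusion, as an added worked example that is not from the original posts nor from Cypress: a small host-side C model of the PSoC 4 chip-level protection states, capturing who may write flash in each state and which transitions are possible. The register name CPUSS_PROTECTION and the hex values come from the table quoted in reply 2; the rule that the CPU core can always write its own flash is from reply 6; the erase-all on PROTECTED to OPEN is from the TRM quote in reply 8. The toy flash array, the requester types and every function name are constructed for this illustration and do not correspond to any Cypress API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Values of CPUSS_PROTECTION exactly as listed in the table quoted in reply 2. */
enum prot_state {
    PROT_VIRGIN    = 0x00,
    PROT_OPEN      = 0x01,
    PROT_PROTECTED = 0x02,
    PROT_KILL      = 0x04
};

/* Who is requesting the operation: the CPU core running the application or
 * bootloader, or an external programmer/debugger on the DAP (SWD). Constructed. */
enum requester { REQ_CPU, REQ_DAP };

#define FLASH_ROWS 4   /* constructed toy flash: 4 rows of 8 bytes */
#define ROW_BYTES  8

struct chip {
    enum prot_state prot;
    uint8_t flash[FLASH_ROWS][ROW_BYTES];
};

static void erase_all(struct chip *c)
{
    memset(c->flash, 0xFF, sizeof c->flash);   /* erased flash reads as 0xFF */
}

/* Parts ship in OPEN (per the quoted table); start with erased flash. */
void chip_init(struct chip *c)
{
    c->prot = PROT_OPEN;
    erase_all(c);
}

/* Access rule from reply 6: the CPU core can always write its own flash; a DAP
 * master only gets flash access in OPEN (PROTECTED NACKs it, KILL has no SWD). */
bool flash_write_allowed(const struct chip *c, enum requester r)
{
    if (r == REQ_CPU)
        return true;
    return c->prot == PROT_OPEN;
}

/* Write one row and read it back, the way a self-programming routine should
 * verify its own update. Returns false if refused or if verification fails. */
bool flash_write_row(struct chip *c, enum requester r, unsigned row, const uint8_t *data)
{
    if (row >= FLASH_ROWS || !flash_write_allowed(c, r))
        return false;
    memcpy(c->flash[row], data, ROW_BYTES);
    return memcmp(c->flash[row], data, ROW_BYTES) == 0;
}

/* Protection transitions as the thread describes them:
 *  - OPEN -> PROTECTED or KILL: anyone who can write flash (the setting lives
 *    in a supervisory row).
 *  - PROTECTED -> OPEN: only over the DAP, and it performs an erase-all first
 *    (TRM 26.5.5 quote in reply 8); firmware cannot lower protection (reply 4).
 *  - KILL -> anything: impossible. VIRGIN is not a customer state. */
bool set_protection(struct chip *c, enum requester r, enum prot_state next)
{
    if (c->prot == PROT_KILL || next == PROT_VIRGIN || next == c->prot)
        return false;
    if (c->prot == PROT_OPEN && (next == PROT_PROTECTED || next == PROT_KILL)) {
        if (!flash_write_allowed(c, r))
            return false;
        c->prot = next;
        return true;
    }
    if (c->prot == PROT_PROTECTED && next == PROT_OPEN && r == REQ_DAP) {
        erase_all(c);
        c->prot = PROT_OPEN;
        return true;
    }
    return false;
}

/* True when every row reads as erased. */
bool flash_is_erased(const struct chip *c)
{
    for (unsigned i = 0; i < FLASH_ROWS; i++)
        for (unsigned j = 0; j < ROW_BYTES; j++)
            if (c->flash[i][j] != 0xFF)
                return false;
    return true;
}

/* Walk the scenario the original poster asked about: a KILLed part that must
 * still update its own flash. Returns how many of the 5 checks held. */
int kill_mode_scenario(void)
{
    struct chip c;
    const uint8_t update[ROW_BYTES] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed row */
    int ok = 0;
    chip_init(&c);
    ok += set_protection(&c, REQ_CPU, PROT_KILL);     /* firmware kills the part   */
    ok += !flash_write_row(&c, REQ_DAP, 0, update);   /* programmer is locked out  */
    ok += flash_write_row(&c, REQ_CPU, 0, update);    /* application self-writes   */
    ok += !set_protection(&c, REQ_DAP, PROT_OPEN);    /* no way back out of KILL   */
    ok += !flash_is_erased(&c);                       /* the written data survived */
    return ok;
}
```

The model makes the practical consequence visible: a KILLed device keeps its self-programming path, so a bootloader can still take updates from its own application channel, but a defect in that path can never be repaired over SWD, which is why the quoted table asks for firmware that is fully verified before KILL is set in production programming.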