[SOLVED] What does "unlock Kinetis" actually do?

This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.

  • [SOLVED] What does "unlock Kinetis" actually do?

    I have Kinetis K10s that need to be unsecured by a flasher. Our firmware image secures the chip but leaves the mass erase option available. The factory programming equipment does not have a data connection to the Flasher, just a button hooked up to the trigger input. I need the Flasher to unsecure, then mass erase every time it programs parts.

    Other posts in this forum says the Flasher should automatically unsecure, but it doesn't. I've tried setting AutoPerformsUnsecure in the .jflash project but that doesn't unsecure the parts, either. The Freescale docs just say to set the Mass Erase bit in the MDM-AP control register. I can do this via wjc and wjd commands in the J-Link Commander, but that alone doesn't do the job. The only method that seems to unlock the K10 is to execute 'unlock kinetis' three times in the J-Link Commander. (DLL 4.70A, J-Trace HW 3.10, FW 6/27/13)

    It looks like I need to duplicate what "unlock kinetis' does as a series of init steps (e.g, WriteIR, WriteDR) that I can put into the .jflash project, so I'm down to grabbing USB commands to the JLink while it executes "unlock kinetis" to suss out how this command unlocks the K10. If that doesn't work, I'm down to logic analyzer traces on the JTAG lines.

    Ideally, if Segger has an unsecure kinetis .jflashscript, or can publish what "unsecure Kinetis" actually sends, that would get me a lot further down the road.
  • Hi,

    unsecuring Kinetis devices is currently supported only when programming in J-Link mode (via DLL/J-Flash PC software).
    Implementing this for the Flasher ARM stand-alone mode is on the ToDo list, but usually you should not have secured devices you are programming in production...

    But so far, I am not sure if we understand each other correctly.
    First you are talking about "Flasher", then posting a J-Link Commander output which refers to a J-Trace Cortex-M...

    Could you please clarify?


    Best regards
    Alex
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/

    Or you can contact us via e-mail.
  • Agreed, normally the factory works with blank parts. However, the factory occasionally has to rework or reprogram a device that has already been programmed, especially during line bringup. However if they put a programmed device back on the line and attempt to flash it again (say, with newer FW or diagnostic FW), the Flasher does not or cannot unsecure it to erase it.

    Therefore I am looking for a way to modify the Flasher project to explicitly attempt to unsecure every chip prior to programming it. My current approach is to write a .jflashscript file to replace InitTarget() with a script that will unsecure the device before programming. The question is what to put in that script.

    Freescale has sent me a set of .jflash steps that perform a series of SWD-mode commands to unsecure the device. Unfortunately, the jflashscript API apparently doesn't support SWD mode writes, so I need to duplicate those steps using JTAG IR and DR writes.

    As to the Commander reference, I am using a J-Trace for ARM Coretex-M to investigate how the Commander's "Unlock Kinetis" command works, and turn these into IR and DR command sequences that can be sent to the device. I've since discovered that the first thing that "Unlock Kinetis" does is put the device in SWD mode and then unlocks it with SWD writes. Either way, it looks like I have to convert SWD jflash steps into JTAG IR/DR writes that can be used in the Flasher.
  • OK so I almost have this working using Init Steps, but I cannot find a way to hold the nRST pin during connect in stand-alone mode. These init steps work fine in connected mode:

    Reset (3,0) // Reset hold during connection
    Delay (10)
    Write JTAG IR (0x0A) // DPACC
    Delay (10)
    Write JTAG DR (0x04, 3) // Set SELECT, Write
    Write JTAG DR (0x01000000, 32) // Set MDM-AP, Bank 0
    Delay (100)
    Write JTAG IR (0x0B) // APACC
    Delay (10)
    Write JTAG DR (0x02, 3) // Write MDM-AP Control
    Write JTAG DR (0x01, 32) // Mass Erase
    Delay (1000)
    Write JTAG IR (0x0A) // DPACC
    Delay (10)
    Write JTAG DR (0x04, 3) // Set SELECT, Write
    Write JTAG DR (0x00, 32) // Set AHB-AP, Bank 0
    Delay (1000)
    Reset (2,0) // Normal reset
    Delay (10)


    In stand-alone mode, the nRST line is released before connecting, but in connected mode nRST is held as it should be on a reset type 3.

    Is there a way to script nRST control?
  • I know this is an old post, but it was one of the very few pages I found when I had exactly the same issue in April of 2016. I thought I would post the solution to help out anyone else with the same issue, especially since the manual does not mention it.

    This now works automatically when transferring the data and config directly to a Flasher from J-Flash. However, I tried to use the Flasher Portable with multiple configurations, transferring the files in MSD mode as described in the manual, and then it does not work.

    Segger support told me that you need an additional directory and file - per configuration. You can grab the extra file from the Flasher in MSD mode, after you have used the transfer function in J-Flash. Many thanks to Erik from Segger for fast support. I verified the solution using J-Link software version 5.12c.

    Solution from Segger below:

    For locked Kinetis devices, a special unlock sequence is required which is included in a *.PEX file.

    The *.PEX file will be automatically downloaded to the Flasher when clicking "File" -> "Download config & data file to Flasher...".

    The Flasher expects the *.PEX files in a subfolder named like the *.CFG file. As the default config / data file names
    are FLASHER.CFG and FLASHER.DAT, the *.PEX file will be stored in the subfolder FLASHER\CONNECT.PEX.



    Please find below an example file structure of the Flasher for multiple configurations:


    FLASHER.INI
    FLASHER0.CFG
    FLASHER0.DAT
    FLASHER0\CONNECT.PEX
    FLASHER1.CFG
    FLASHER1.DAT
    FLASHER1\CONNECT.PEX



    Content of FLASHER.INI:


    [FILES]
    DataFile = "FLASHER0.DAT"
    ConfigFile = "FLASHER0.CFG"
    DataFile1 = "FLASHER1.DAT"
    ConfigFile1 = "FLASHER1.CFG"
  • Thank you for sharing these information.
    Meanwhile, we have added a section describing the *.PEX files in the Flasher user manual.
    Further information regarding this can be found in chapter 2.4.1 Preparing for stand-alone mode operation manually in the Flasher UM (UM08022).


    Best regards
    Erik
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/

    Or you can contact us via e-mail.
  • Flasher Portable Plus "unlock Kinetis"

    Hello,
    We are in the process of replacing our Cyclone max programmers with Segger Flasher portable plus.
    Cyclone max fails to unlock kinetis in stand alone programmer mode.
    Can someone confirm that Flasher portable plus can unlock a locked kinetis device using Flasher portable plus without the need of a computer connected to it?
    (basically we want to unlock,erase,program in stand alone mode)
    best regards
    DCS