[SOLVED] write a secured FW on Kinetis usinj J-Link

This site uses cookies. By continuing to browse this site, you are agreeing to our Cookie Policy.

  • [SOLVED] write a secured FW on Kinetis usinj J-Link

    I need to write a secured FW on Kinetis.

    J-Link write this:

    Source Code

    1. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...Comparing flash [050%]
    3. *** Warning ***
    4. Your application image would set the system security of the device.
    5. This is not supported in the current configuration.
    6. Application data has been changed accordingly.
    7. *** Warning ***
    9. 100%] Done.


    So it writes an unprotected FW, infact when I verify the FW:

    Source Code

    1. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    2. Reading 140440 bytes data from target memory @ 0x00000000.
    3. Verify failed @ address 0x0000040C.
    4. Expected FC read FE


    Is it possible to write a protected FW? How?

    best regards
    Max

  • Hi Max,


    you need to add " (allow security)" to the device name you select in J-Link Commander.
    For example "MK65FN2M0xxx18 (allow security)" instead of "MK65FN2M0xxx18".

    Best regards,
    Niklas
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/
    Or you can contact us via e-mail.

  • With "MK64FN1M0XXX12 (allow security)", I can Program and Verify. And I wonder how, since the FW should be unreadable from debug port.
    the script wr-fw.jlink is:

    Source Code

    1. unlock Kinetis
    2. r
    3. sleep 100
    4. erase
    5. loadbin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    6. r
    7. sleep 100
    8. verifybin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    9. exit

    and I run:

    Source Code

    1. /opt/SEGGER/JLink/JLinkExe -device "MK64FN1M0XXX12 (allow security)" -if SWD -speed 4000 -JTAGConf -1,-1 -CommanderScript ./wr-fw.jlink


    the output is:

    Source Code

    1. SEGGER J-Link Commander V5.10i (Compiled Jan 28 2016 09:41:48)
    2. DLL version V5.10i, compiled Jan 28 2016 09:41:43
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Apr 22 2016 11:48:35
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. Emulator has Trace capability
    15. VTref = 3.416V
    16. Found SWD-DP with ID 0x2BA01477
    17. Unlocking device...O.K.
    19. Target connection not established yet but required for command.
    20. Device "MK64FN1M0XXX12 (ALLOW SECURITY)" selected.
    23. Found SWD-DP with ID 0x2BA01477
    24. Found SWD-DP with ID 0x2BA01477
    25. Found Cortex-M4 r0p1, Little endian.
    26. FPUnit: 6 code (BP) slots and 2 literal slots
    27. CoreSight components:
    28. ROMTbl 0 @ E00FF000
    29. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    30. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    31. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    32. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    33. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    34. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    35. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    36. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    37. Cortex-M4 identified.
    38. Reset delay: 0 ms
    39. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    41. Sleep(100)
    43. Erasing device (MK64FN1M0xxx12 (allow security))...
    44. Comparing flash [100%] Done.
    45. Erasing flash [100%] Done.
    46. Verifying flash [100%] Done.
    47. J-Link: Flash download: Total time needed: 1.071s (Prepare: 0.048s, Compare: 0.000s, Erase: 1.020s, Program: 0.000s, Verify: 0.000s, Restore: 0.002s)
    48. Erasing done.
    50. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...Comparing flash [100%] Done.
    51. Erasing flash [100%] Done.
    52. Programming flash [100%] Done.
    53. Verifying flash [100%] Done.
    54. J-Link: Flash download: Flash programming performed for 1 range (143360 bytes)
    55. J-Link: Flash download: Total time needed: 1.711s (Prepare: 0.068s, Compare: 0.016s, Erase: 0.000s, Program: 1.590s, Verify: 0.009s, Restore: 0.026s)
    56. O.K.
    58. Reset delay: 0 ms
    59. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    60. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    61. Found SWD-DP with ID 0x2BA01477
    63. **************************
    64. WARNING: Failed to reset CPU. VECTRESET has confused core.
    65. **************************
    68. **************************
    69. WARNING: CPU did not halt after reset.
    70. **************************
    73. **************************
    74. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    75. **************************
    78. **************************
    79. WARNING: Could not set S_RESET_ST
    80. **************************
    82. Found SWD-DP with ID 0x2BA01477
    84. **************************
    85. WARNING: Could not set S_RESET_ST
    86. **************************
    89. **************************
    90. WARNING: CPU did not halt after reset.
    91. **************************
    94. **************************
    95. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    96. **************************
    99. **************************
    100. WARNING: Could not set S_RESET_ST
    101. **************************
    103. Kinetis (setup): CPU did not halt after disabling watchdog.
    105. **************************
    106. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    107. **************************
    110. ****** Error: DAP error while reading AIRCR / CPUID register
    112. Sleep(100)
    114. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    115. Reading 140440 bytes data from target memory @ 0x00000000.
    116. Verify successful.
    119. Script processing completed.
    122. ****** Error: Could not start CPU core. (ErrorCode: -1)
    Display All


    So how the verify step can be successful if the FW is unreadable?

    best regards
    Max

  • Hi Max,


    is the memory protection active or is it only active after a power-cycle?
    Can be tested by slightly adjusting the script:

    C Source Code

    1. unlock Kinetis
    2. r
    3. sleep 100
    4. erase
    5. loadbin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    6. mem32 0 10
    7. r
    8. sleep 100
    9. verifybin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    10. mem32 0 10
    11. exit
    Display All


    If the flash memory is not readable, this is probably just a wrong output from J-Link Commander.
    Could you please give to most recent version of the J-Link software & documentation pack a try?

    Best regards,
    Niklas
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/
    Or you can contact us via e-mail.

  • tryed your script and new version of Jlink

    Source Code

    1. SEGGER J-Link Commander V6.14b (Compiled Mar 9 2017 08:48:28)
    2. DLL version V6.14b, compiled Mar 9 2017 08:48:20
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Feb 21 2017 14:10:22
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. VTref = 3.414V
    15. Found SWD-DP with ID 0x2BA01477
    16. Unlocking device...O.K.
    18. Target connection not established yet but required for command.
    19. Device "MK64FN1M0XXX12 (ALLOW SECURITY)" selected.
    22. Found SWD-DP with ID 0x2BA01477
    23. Found SWD-DP with ID 0x2BA01477
    24. AP-IDR: 0x24770011, Type: AHB-AP
    25. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    26. Found Cortex-M4 r0p1, Little endian.
    27. FPUnit: 6 code (BP) slots and 2 literal slots
    28. CoreSight components:
    29. ROMTbl 0 @ E00FF000
    30. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    31. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    32. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    33. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    34. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    35. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    36. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    37. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    38. Cortex-M4 identified.
    39. Reset delay: 0 ms
    40. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    42. Sleep(100)
    44. Erasing device (MK64FN1M0xxx12 (allow security))...
    45. Comparing flash [100%] Done.
    46. Erasing flash [100%] Done.
    47. Verifying flash [100%] Done.
    48. J-Link: Flash download: Total time needed: 1.039s (Prepare: 0.015s, Compare: 0.000s, Erase: 1.022s, Program: 0.000s, Verify: 0.000s, Restore: 0.001s)
    49. Erasing done.
    51. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...
    52. Comparing flash [100%] Done.
    53. Erasing flash [100%] Done.
    54. Programming flash [100%] Done.
    55. Verifying flash [100%] Done.
    56. J-Link: Flash download: Flash programming performed for 1 range (143360 bytes)
    57. J-Link: Flash download: Total time needed: 1.673s (Prepare: 0.033s, Compare: 0.015s, Erase: 0.000s, Program: 1.593s, Verify: 0.008s, Restore: 0.022s)
    58. O.K.
    60. 00000000 = 20030000 000004D9 000004E9 000004E9
    61. 00000010 = 000004E9 000004E9 000004E9 00000000
    62. 00000020 = 00000000 00000000 00000000 00015EF9
    63. 00000030 = 000004E9 00000000 00015F15 00015FCD
    65. Reset delay: 0 ms
    66. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    67. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    68. Found SWD-DP with ID 0x2BA01477
    69. AP-IDR: 0x24770011, Type: AHB-AP
    70. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    72. **************************
    73. WARNING: Failed to reset CPU. VECTRESET has confused core.
    74. **************************
    77. **************************
    78. WARNING: CPU did not halt after reset.
    79. **************************
    82. **************************
    83. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    84. **************************
    87. **************************
    88. WARNING: Could not set S_RESET_ST
    89. **************************
    91. Found SWD-DP with ID 0x2BA01477
    92. AP-IDR: 0x24770011, Type: AHB-AP
    93. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    94. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    95. Found SWD-DP with ID 0x2BA01477
    96. AP-IDR: 0x24770011, Type: AHB-AP
    97. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    99. **************************
    100. WARNING: Failed to reset CPU. VECTRESET has confused core.
    101. **************************
    104. **************************
    105. WARNING: CPU did not halt after reset.
    106. **************************
    109. **************************
    110. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    111. **************************
    114. **************************
    115. WARNING: Could not set S_RESET_ST
    116. **************************
    118. Found SWD-DP with ID 0x2BA01477
    119. Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    120. For debugger connection the device needs to be unsecured.
    121. Note: Unsecuring will trigger a mass erase of the internal flash.
    122. Device will be unsecured now.
    124. ****** Error: DAP error while reading AIRCR / CPUID register
    126. Sleep(100)
    128. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    129. Reading 140440 bytes data from target memory @ 0x00000000.
    130. Verify successful.
    132. 00000000 = 20030000 000004D9 000004E9 000004E9
    133. 00000010 = 000004E9 000004E9 000004E9 00000000
    134. 00000020 = 00000000 00000000 00000000 00015EF9
    135. 00000030 = 000004E9 00000000 00015F15 00015FCD
    138. Script processing completed.
    Display All


    tomorrow I will do other test

    best regards

    max

  • if I do a power cycle, and execute only the verify with this script:

    Source Code

    1. r
    2. sleep 100
    3. verifybin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    4. mem32 0 10
    5. exit


    the verify fails, as expected:

    Source Code

    1. SEGGER J-Link Commander V6.14b (Compiled Mar 9 2017 08:48:28)
    2. DLL version V6.14b, compiled Mar 9 2017 08:48:20
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Feb 21 2017 14:10:22
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. VTref = 3.412V
    15. Target connection not established yet but required for command.
    16. Device "MK64FN1M0XXX12 (ALLOW SECURITY)" selected.
    19. Found SWD-DP with ID 0x2BA01477
    20. Found SWD-DP with ID 0x2BA01477
    21. AP-IDR: 0x24770011, Type: AHB-AP
    22. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    23. Found Cortex-M4 r0p1, Little endian.
    24. FPUnit: 6 code (BP) slots and 2 literal slots
    25. CoreSight components:
    26. ROMTbl 0 @ E00FF000
    27. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    28. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    29. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    30. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    31. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    32. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    33. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    34. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    35. Cortex-M4 identified.
    36. Reset delay: 0 ms
    37. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    39. Sleep(100)
    41. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    42. Reading 140440 bytes data from target memory @ 0x00000000.
    43. Verify failed @ address 0x00000000.
    44. Expected 00 read FF
    45. 00000000 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    46. 00000010 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    47. 00000020 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    48. 00000030 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    51. Script processing completed.
    Display All


    best regards
    Max

  • When I write FW using "MK64FN1M0XXX12 (allow security)", the verify stage is successful, but FW doesn't work, it seems that it doesn't run.
    Instead if I write FW using "MK64FN1M0XXX12", the verify stage will fail. FW is not protected from further reads through JTAG/SWD, but it runs and works correctly.

    There is something else I need to know?

    best regards
    Max

  • Hi Max,


    You cannot verify the image after you activated the security (well that is the point of the security, nobody should be able to read it back).
    Therefore, when connecting while the security is set, the device will be unlocked and therefore mass-erased by the J-Link, as it is said by J-Link Commander:
    Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    For debugger connection the device needs to be unsecured.
    Note: Unsecuring will trigger a mass erase of the internal flash.
    Device will be unsecured now.


    Best regards,
    Niklas
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/
    Or you can contact us via e-mail.

  • SEGGER - Niklas wrote:

    You cannot verify the image after you activated the security (well that is the point of the security, nobody should be able to read it back).
    Therefore, when connecting while the security is set, the device will be unlocked and therefore mass-erased by the J-Link, as it is said by J-Link Commander:
    That's true after a power cycle (you suggested it).
    If I run the script:

    Source Code

    1. unlock Kinetis
    2. r
    3. sleep 100
    4. erase
    5. loadfile ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    6. mem32 0, 10
    7. mem8 400, 10
    8. r
    9. sleep 100
    10. verifybin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    11. mem32 0, 10
    12. mem8 400, 10
    13. rnh
    14. exit
    Display All


    the result is:

    Source Code

    1. SEGGER J-Link Commander V6.14b (Compiled Mar 9 2017 08:48:28)
    2. DLL version V6.14b, compiled Mar 9 2017 08:48:20
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Feb 21 2017 14:10:22
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. VTref = 3.412V
    15. Found SWD-DP with ID 0x2BA01477
    16. Unlocking device...O.K.
    18. Target connection not established yet but required for command.
    19. Device "MK64FN1M0XXX12 (ALLOW SECURITY)" selected.
    22. Found SWD-DP with ID 0x2BA01477
    23. Found SWD-DP with ID 0x2BA01477
    24. AP-IDR: 0x24770011, Type: AHB-AP
    25. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    26. Found Cortex-M4 r0p1, Little endian.
    27. FPUnit: 6 code (BP) slots and 2 literal slots
    28. CoreSight components:
    29. ROMTbl 0 @ E00FF000
    30. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    31. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    32. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    33. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    34. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    35. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    36. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    37. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    38. Cortex-M4 identified.
    39. Reset delay: 0 ms
    40. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    42. Sleep(100)
    44. Erasing device (MK64FN1M0xxx12 (allow security))...
    45. Comparing flash [100%] Done.
    46. Erasing flash [100%] Done.
    47. Verifying flash [100%] Done.
    48. J-Link: Flash download: Total time needed: 1.040s (Prepare: 0.015s, Compare: 0.000s, Erase: 1.023s, Program: 0.000s, Verify: 0.000s, Restore: 0.002s)
    49. Erasing done.
    51. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...
    52. Comparing flash [100%] Done.
    53. Erasing flash [100%] Done.
    54. Programming flash [100%] Done.
    55. Verifying flash [100%] Done.
    56. J-Link: Flash download: Flash programming performed for 1 range (143360 bytes)
    57. J-Link: Flash download: Total time needed: 1.672s (Prepare: 0.033s, Compare: 0.015s, Erase: 0.000s, Program: 1.591s, Verify: 0.009s, Restore: 0.022s)
    58. O.K.
    60. 00000000 = 20030000 000004D9 000004E9 000004E9
    61. 00000010 = 000004E9 000004E9 000004E9 00000000
    62. 00000020 = 00000000 00000000 00000000 00015EF9
    63. 00000030 = 000004E9 00000000 00015F15 00015FCD
    65. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FC FF FF FF
    67. Reset delay: 0 ms
    68. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    69. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    70. Found SWD-DP with ID 0x2BA01477
    71. AP-IDR: 0x24770011, Type: AHB-AP
    72. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    74. **************************
    75. WARNING: Failed to reset CPU. VECTRESET has confused core.
    76. **************************
    79. **************************
    80. WARNING: CPU did not halt after reset.
    81. **************************
    84. **************************
    85. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    86. **************************
    89. **************************
    90. WARNING: Could not set S_RESET_ST
    91. **************************
    93. Found SWD-DP with ID 0x2BA01477
    94. AP-IDR: 0x24770011, Type: AHB-AP
    95. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    96. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    97. Found SWD-DP with ID 0x2BA01477
    98. AP-IDR: 0x24770011, Type: AHB-AP
    99. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    101. **************************
    102. WARNING: Failed to reset CPU. VECTRESET has confused core.
    103. **************************
    106. **************************
    107. WARNING: CPU did not halt after reset.
    108. **************************
    111. **************************
    112. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    113. **************************
    116. **************************
    117. WARNING: Could not set S_RESET_ST
    118. **************************
    120. Found SWD-DP with ID 0x2BA01477
    121. Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    122. For debugger connection the device needs to be unsecured.
    123. Note: Unsecuring will trigger a mass erase of the internal flash.
    124. Device will be unsecured now.
    126. ****** Error: DAP error while reading AIRCR / CPUID register
    128. Sleep(100)
    130. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    131. Reading 140440 bytes data from target memory @ 0x00000000.
    132. Verify successful.
    134. 00000000 = 20030000 000004D9 000004E9 000004E9
    135. 00000010 = 000004E9 000004E9 000004E9 00000000
    136. 00000020 = 00000000 00000000 00000000 00015EF9
    137. 00000030 = 000004E9 00000000 00015F15 00015FCD
    139. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FC FF FF FF
    141. Script processing completed.
    Display All


    You can see that I can read the flash, and the FSEC bit are set to 00 (byte @0x40C is 0xFC), this mean thet FW should be protected. But (it seems to be) only after power cycle. unfortunately writing in this way FW doesn't run.

    Instead if I use "MK64FN1M0XXX12" device (no "(allow security)") the result is:

    Source Code

    1. SEGGER J-Link Commander V6.14b (Compiled Mar 9 2017 08:48:28)
    2. DLL version V6.14b, compiled Mar 9 2017 08:48:20
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Feb 21 2017 14:10:22
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. VTref = 3.407V
    15. Found SWD-DP with ID 0x2BA01477
    16. Unlocking device...O.K.
    18. Target connection not established yet but required for command.
    19. Device "MK64FN1M0XXX12" selected.
    22. Found SWD-DP with ID 0x2BA01477
    23. Found SWD-DP with ID 0x2BA01477
    24. AP-IDR: 0x24770011, Type: AHB-AP
    25. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    26. Found Cortex-M4 r0p1, Little endian.
    27. FPUnit: 6 code (BP) slots and 2 literal slots
    28. CoreSight components:
    29. ROMTbl 0 @ E00FF000
    30. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    31. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    32. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    33. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    34. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    35. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    36. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    37. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    38. Cortex-M4 identified.
    39. Reset delay: 0 ms
    40. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    42. Sleep(100)
    44. Erasing device (MK64FN1M0xxx12)...
    45. Comparing flash [100%] Done.
    46. Erasing flash [100%] Done.
    47. Verifying flash [100%] Done.
    48. J-Link: Flash download: Total time needed: 1.036s (Prepare: 0.014s, Compare: 0.000s, Erase: 1.019s, Program: 0.000s, Verify: 0.000s, Restore: 0.002s)
    49. Erasing done.
    51. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...
    52. Comparing flash [100%] Done.
    53. Erasing flash [100%] Done.
    54. Programming flash [100%] Done.
    55. Verifying flash [100%] Done.
    56. J-Link: Flash download: Flash programming performed for 1 range (143360 bytes)
    57. J-Link: Flash download: Total time needed: 1.667s (Prepare: 0.033s, Compare: 0.014s, Erase: 0.000s, Program: 1.586s, Verify: 0.009s, Restore: 0.022s)
    58. O.K.
    60. 00000000 = 20030000 000004D9 000004E9 000004E9
    61. 00000010 = 000004E9 000004E9 000004E9 00000000
    62. 00000020 = 00000000 00000000 00000000 00015EF9
    63. 00000030 = 000004E9 00000000 00015F15 00015FCD
    65. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
    67. Reset delay: 0 ms
    68. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    70. Sleep(100)
    72. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    73. Reading 140440 bytes data from target memory @ 0x00000000.
    74. Verify failed @ address 0x0000040C.
    75. Expected FC read FE
    76. 00000000 = 20030000 000004D9 000004E9 000004E9
    77. 00000010 = 000004E9 000004E9 000004E9 00000000
    78. 00000020 = 00000000 00000000 00000000 00015EF9
    79. 00000030 = 000004E9 00000000 00015F15 00015FCD
    81. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
    83. Script processing completed.
    Display All


    you can see that now the FSEC bits are 10 (@0x40C => 0xFE) and the FW is unprotected, but runs correctly

    please note that my binary has FSEC bits set to 00

    Brainfuck Source Code

    1. $ xxd -g1 -s1024 -l16 4chMpu_Ver1.2.4.0.protected.bin
    2. 00000400: ff ff ff ff ff ff ff ff ff ff ff ff fc ff ff ff ................


    best regards
    Max

  • Hi Max,


    C Source Code

    1. Found SWD-DP with ID 0x2BA01477
    2. Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    3. For debugger connection the device needs to be unsecured.
    4. Note: Unsecuring will trigger a mass erase of the internal flash.
    5. Device will be unsecured now.

    An this point, the flash is definitely mass-erased.

    C Source Code

    1. ****** Error: DAP error while reading AIRCR / CPUID register
    3. Sleep(100)
    5. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    6. Reading 140440 bytes data from target memory @ 0x00000000.
    7. Verify successful.
    9. 00000000 = 20030000 000004D9 000004E9 000004E9
    10. 00000010 = 000004E9 000004E9 000004E9 00000000
    11. 00000020 = 00000000 00000000 00000000 00015EF9
    12. 00000030 = 000004E9 00000000 00015F15 00015FCD
    14. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FC FF FF FF
    16. Script processing completed.
    Display All


    My guess is that this a cache error on J-Link side.
    Lets adjust the script once more:

    C Source Code

    1. unlock Kinetis
    2. r
    3. exec ExcludeFlashCacheRange 0x00000000 - 0x00100000
    4. sleep 100
    5. erase
    6. loadfile ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    7. mem32 0, 10
    8. mem8 400, 10
    9. r
    10. sleep 100
    11. verifybin ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    12. mem32 0, 10
    13. mem8 400, 10
    14. rnh
    15. exit
    Display All



    Best regards,
    Niklas
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/
    Or you can contact us via e-mail.

  • running modified script as you suggest:

    Source Code

    1. SEGGER J-Link Commander V6.14b (Compiled Mar 9 2017 08:48:28)
    2. DLL version V6.14b, compiled Mar 9 2017 08:48:20
    5. Script file read successfully.
    6. Processing script file...
    8. J-Link connection not established yet but required for command.
    9. Connecting to J-Link via USB...O.K.
    10. Firmware: J-Link Ultra V4 compiled Feb 21 2017 14:10:22
    11. Hardware version: V4.00
    12. S/N: 504400379
    13. License(s): RDI, FlashBP, FlashDL, JFlash, GDB
    14. VTref = 3.407V
    15. Found SWD-DP with ID 0x2BA01477
    16. Unlocking device...O.K.
    18. Target connection not established yet but required for command.
    19. Device "MK64FN1M0XXX12 (ALLOW SECURITY)" selected.
    22. Found SWD-DP with ID 0x2BA01477
    23. Found SWD-DP with ID 0x2BA01477
    24. AP-IDR: 0x24770011, Type: AHB-AP
    25. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    26. Found Cortex-M4 r0p1, Little endian.
    27. FPUnit: 6 code (BP) slots and 2 literal slots
    28. CoreSight components:
    29. ROMTbl 0 @ E00FF000
    30. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    31. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    32. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    33. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    34. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    35. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    36. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    37. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    38. Cortex-M4 identified.
    39. Reset delay: 0 ms
    40. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    43. Sleep(100)
    45. Erasing device (MK64FN1M0xxx12 (allow security))...
    46. Comparing flash [100%] Done.
    47. Erasing flash [100%] Done.
    48. Verifying flash [100%] Done.
    49. J-Link: Flash download: Total time needed: 1.038s (Prepare: 0.015s, Compare: 0.000s, Erase: 1.021s, Program: 0.000s, Verify: 0.000s, Restore: 0.001s)
    50. Erasing done.
    52. Downloading file [./4chMpu_Ver1.2.4.0.protected.bin]...
    53. Comparing flash [100%] Done.
    54. Erasing flash [100%] Done.
    55. Programming flash [100%] Done.
    56. Verifying flash [100%] Done.
    57. J-Link: Flash download: Flash programming performed for 1 range (143360 bytes)
    58. J-Link: Flash download: Total time needed: 1.668s (Prepare: 0.033s, Compare: 0.014s, Erase: 0.000s, Program: 1.587s, Verify: 0.009s, Restore: 0.022s)
    59. O.K.
    61. 00000000 = 20030000 000004D9 000004E9 000004E9
    62. 00000010 = 000004E9 000004E9 000004E9 00000000
    63. 00000020 = 00000000 00000000 00000000 00015EF9
    64. 00000030 = 000004E9 00000000 00015F15 00015FCD
    66. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FC FF FF FF
    68. Reset delay: 0 ms
    69. Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
    70. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    71. Found SWD-DP with ID 0x2BA01477
    72. AP-IDR: 0x24770011, Type: AHB-AP
    73. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    75. **************************
    76. WARNING: Failed to reset CPU. VECTRESET has confused core.
    77. **************************
    80. **************************
    81. WARNING: CPU did not halt after reset.
    82. **************************
    85. **************************
    86. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    87. **************************
    90. **************************
    91. WARNING: Could not set S_RESET_ST
    92. **************************
    94. Found SWD-DP with ID 0x2BA01477
    95. AP-IDR: 0x24770011, Type: AHB-AP
    96. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    97. SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
    98. Found SWD-DP with ID 0x2BA01477
    99. AP-IDR: 0x24770011, Type: AHB-AP
    100. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    102. **************************
    103. WARNING: Failed to reset CPU. VECTRESET has confused core.
    104. **************************
    107. **************************
    108. WARNING: CPU did not halt after reset.
    109. **************************
    112. **************************
    113. WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
    114. **************************
    117. **************************
    118. WARNING: Could not set S_RESET_ST
    119. **************************
    121. Found SWD-DP with ID 0x2BA01477
    122. Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    123. For debugger connection the device needs to be unsecured.
    124. Note: Unsecuring will trigger a mass erase of the internal flash.
    125. Device will be unsecured now.
    127. ****** Error: DAP error while reading AIRCR / CPUID register
    129. Sleep(100)
    131. Loading binary file ./4chMpu_Ver1.2.4.0.protected.bin
    132. Reading 140440 bytes data from target memory @ 0x00000000.
    133. Verify failed @ address 0x00000000.
    134. Expected 00 read FF
    135. 00000000 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    136. 00000010 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    137. 00000020 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    138. 00000030 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    140. 00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
    142. Found SWD-DP with ID 0x2BA01477
    143. Found SWD-DP with ID 0x2BA01477
    144. AP-IDR: 0x24770011, Type: AHB-AP
    145. AHB-AP ROM: 0xE00FF000 (Base addr. of first ROM table)
    146. Found Cortex-M4 r0p1, Little endian.
    147. FPUnit: 6 code (BP) slots and 2 literal slots
    148. CoreSight components:
    149. ROMTbl 0 @ E00FF000
    150. ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
    151. ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
    152. ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
    153. ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
    154. ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
    155. ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
    156. ROMTbl 0 [6]: FFF43000, CID: B105900D, PID: 003BB907 ETB
    157. ROMTbl 0 [7]: FFF44000, CID: B105900D, PID: 001BB908 CSTF
    160. Script processing completed.
    Display All


    first time the ram is read (after loadfile) it is read correctly.

    then the verifybin command fails.

    FW still doesn't run

    best regards
    Max

  • Hi Max,

    FW still doesn't run

    This is the expected result. At the end of this script file, the flash is erased, as mentioned in the ouput of J-Link Commander:

    Found SWD-DP with ID 0x2BA01477
    Protection bytes in flash at addr. 0x400 - 0x40F indicate that readout protection is set.
    For debugger connection the device needs to be unsecured.
    Note: Unsecuring will trigger a mass erase of the internal flash.
    Device will be unsecured now.


    I just wanted to show that the reason why the verify seemed to work in the first place was the Flash cache of J-Link.
    The firmware will work with this script:

    C Source Code

    1. unlock Kinetis
    2. r
    3. sleep 100
    4. erase
    5. loadfile ./4chMpu_Ver1.2.4.0.protected.bin,0x0
    6. r0
    7. r1
    8. exit



    Best regards,
    Niklas
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/
    Or you can contact us via e-mail.