Self Writing Flash with Security in Kill Mode

PrMa_264311

Before I brick any of my devices, does anyone have thoughts on self-writing of flash with security enabled? I don't want anyone to hack my device, but my device must be able to re-write its own flash, whether in bootloader mode or in the user application. I understand that certain security bits remove the ability to debug/program using SWD, but do they remove the ability to self-write? From the TRM (which isn't specific enough in this case):

  • PROTECTED mode: The user may change the mode from OPEN to PROTECTED. This disables all debug access to user code or memory. Only access to user registers is still available; this prevents debug access to reprogram flash. The mode can be set back to OPEN but only after completely erasing the flash.
  • KILL mode: The user may change the mode from OPEN to KILL. This removes all debug access to user code or memory, and the flash cannot be erased. Only access to user registers is still available; this prevents debug access to reprogram flash. The part cannot be taken out of KILL mode; devices in KILL mode may not be returned for failure analysis.

Flash cannot be erased because debug hardware is disabled or Flash cannot ever physically be erased because of something at the flash controller level?

0 Likes
8 Replies
Bob_Marlowe

Different from an EEPROM, PSoCs are not programmed; they always program themselves. A (non-erasable) part in the PSoCs contains some system functions. Have a look into the "System Reference Guide" accessible from the Help menu in Creator 3. The system takes over at power-on and checks for programming requests (commands) and takes over when

A "Killed" PSoC cannot be reprogrammed, erased or debugged.

Bob

0 Likes
PrMa_264311

Yes. The programmer must talk with the SPC, which writes the flash. Similarly, the user application must write to the SPC register to have it write system flash (through an API). But that doesn't answer the question. When the chip is "killed", does that lock out access to the SPC and therefore flash write access?

I was looking for a document similar to AN73854. I didn't find one, but I did find clues to the answer buried at the end of the "Programming Specifications Document" (http://www.cypress.com/?docID=43528). In Appendix A is a table explaining the different modes. This should be in the TRM. Unfortunately the table still does not explain which mode best allows internal write access to the flash while disabling SWD. For example, "Kill" simply says SWD is totally disabled, which does not preclude the use of the application code to program the flash.

States of Chip Level Protection (Appendix A of the Programming Specifications)

Columns: Protection State / Value (hex) in CPUSS_PROTECTION / Value in written Supervisory Row / Restrictions

VIRGIN / 0x00 / 0x01
    In this mode, silicon is in post-fab (untrimmed) state. After trimming, silicon is moved into OPEN mode for customer. This mode is not for custom use. Customers are not physically prohibited from bringing parts back to VIRGIN state, but they are left with parts missing critical trim, wounding, and other settings from Cypress. This essentially makes the part unusable for the customer.

OPEN / 0x01 / 0x00
    In this mode, silicon is shipped to customers. Most applications use this state, in which an external debugger can access all needed resources for full functional debugging of the application. Flash, SRAM, Supervisory flash, and registers are available via DAP (Debug Access Port).

PROTECTED / 0x02 / 0x02
    In this mode, silicon allows limited access via DAP; it is enough to read the silicon ID and move the chip back to OPEN mode. Access to Flash, SRAM, and most registers is disabled, so SWD transactions are NACKed for the master. This is true for Read and Write requests on the SWD bus.

KILL / 0x04 / 0x04
    KILL mode completely locks the SWD pins from an external programmer. Firmware must be 100% operable without bugs because it can no longer be updated. If this mode is needed, then it is recommended to enable it only for production programming of the end application.
0 Likes
PrMa_264311

I should point out that "Protected" mode still allows someone to move the chip back into "OPEN" mode, which is useless if one is trying to prevent someone from reverse engineering the code. So only "KILL" makes sense, but can it self-program?

0 Likes
Bob_Marlowe

A "Protected" chip can be erased, so the protection goes to 0x00 which is "Open". You cannot reset the protection patterns programmatically, only an erase can do that.

A "Killed" chip cannot be erased, so no chance to get out of that mode.

Bob

0 Likes
Bob_Marlowe

... and as I pointed out in my former post, a "Killed" chip cannot be re-programmed, nor can it re-program itself partially.

Bob

0 Likes
HeLi_263931

When you look in the PSoC 4 TRM, chapter 26.5, you see what access is enabled in which mode. OPEN means that debug mode is enabled; PROTECTED and KILL mean it's disabled. But the CPU core always has access to, e.g., writing flash.

0 Likes
PrMa_264311

Thanks Bob and hli. That clears it up.

0 Likes
PrMa_264311

The key is found in section 26.5.5. You can still change the device from PROTECTED to OPEN because the DAP interface is still available, but doing so automatically wipes the chip.

"Changing the protection setting from PROTECTED to OPEN automatically does an erase all operation."

0 Likes
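As an added illustration (not code from this thread or from Cypress), here is a small C model of the access rules the thread converges on: which actor (an external programmer over DAP, or the core itself) may write flash in each protection mode, which mode transitions exist, and the erase-all that accompanies PROTECTED to OPEN. The four-row flash and the ACTOR_* names are constructed for the model, and treating OPEN to PROTECTED/KILL as allowed for either actor is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Protection states with the CPUSS_PROTECTION values from the table above. */
enum prot { VIRGIN = 0x00, OPEN = 0x01, PROTECTED = 0x02, KILL = 0x04 };
/* Who is asking: an external programmer over DAP, or the core itself. */
enum actor { ACTOR_DAP, ACTOR_CPU };
#define ROWS 4                       /* constructed: a tiny four-row flash model */
struct chip { enum prot mode; uint8_t flash[ROWS]; };

/* Flash write permission per mode, as the thread concludes:
 * the CPU core can always write flash; DAP can only do so in OPEN. */
bool can_write_flash(const struct chip *c, enum actor who) {
    return who == ACTOR_CPU || c->mode == OPEN;
}

/* Mode transitions quoted in the thread:
 *  - OPEN -> PROTECTED or KILL (assumed here to be allowed for either actor)
 *  - PROTECTED -> OPEN only over DAP, and it performs an "erase all"
 *  - KILL can never be left; VIRGIN is not a customer state, so no moves.
 * Returns false for any transition the rules do not permit. */
bool set_protection(struct chip *c, enum actor who, enum prot to) {
    if (c->mode == OPEN && (to == PROTECTED || to == KILL)) {
        c->mode = to;
        return true;
    }
    if (c->mode == PROTECTED && to == OPEN && who == ACTOR_DAP) {
        memset(c->flash, 0xFF, ROWS);   /* erase-all side effect of unprotecting */
        c->mode = OPEN;
        return true;
    }
    return false;                       /* includes every attempt to leave KILL */
}

/* Write one row if the actor is allowed to in the current mode. */
bool write_row(struct chip *c, enum actor who, int row, uint8_t value) {
    if (row < 0 || row >= ROWS || !can_write_flash(c, who)) return false;
    c->flash[row] = value;
    return true;
}

/* The original poster's question: a KILLed part still rewrites its own flash
 * from application code, while DAP gets neither writes nor a way back to OPEN. */
bool kill_mode_self_write_scenario(void) {
    struct chip c = { OPEN, {0, 0, 0, 0} };
    if (!set_protection(&c, ACTOR_DAP, KILL)) return false;
    if (write_row(&c, ACTOR_DAP, 0, 0x42)) return false;    /* must be refused */
    if (!write_row(&c, ACTOR_CPU, 0, 0x42)) return false;   /* core still writes */
    if (set_protection(&c, ACTOR_DAP, OPEN)) return false;  /* KILL is permanent */
    return c.mode == KILL && c.flash[0] == 0x42;
}
```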