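The 28377D is really great to use, but this DCSM is driving me crazy.
I have been working on locking (code security) for several days. The lock is on, but after programming the four registers GRABSECTR, GRABRAMR, EXEONLYSECTR and EXEONLYRAMR all to 0, the program no longer runs; reloading the program and power-cycling do not help either. The OTP cannot be changed either. Once it is locked, even after UNLOCK nothing can be seen over JTAG, and I have no idea why the program stops running after locking. Because of the OTP, I have already ruined 2 chips. The OTP on the 28377D leaves me so helpless. Breaking down T_T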
Eric Ma:
I have not studied DCSM closely yet; it is indeed more complex than the earlier CSM.
Have you read the DCSM description in the technical reference guide carefully?
ERIC
H S57:
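Reply to Eric Ma:
I have read the technical reference guide several times, without skipping a word.
First, if the two registers GRABSECTR and GRABRAMR are not configured, the four CSMKEYs are useless even when LOCKed. Following the manual, these two registers are configured as follows.
Right after configuring them, JTAG could no longer connect to the target board.
The target board's power supply is fine and there are no cold solder joints. The emulator cannot connect, but the program runs normally. The board's power consumption is normal, no different from before locking. I programmed 2 target boards as a test, and both behave the same way.
The console output is as follows: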
C28xx_CPU1: Trouble Halting Target CPU: (Error -1156 @ 0x0) Device may be operating in low-power mode. Do you want to bring it out of this mode? Choose 'Yes' to force the device to wake up and retry the operation. Choose 'No' to retry the operation without waking the device. (Emulation package 6.0.628.1)
C28xx_CPU1: Error: (Error -2134 @ 0x0) Unable to control device execution state. Reset the device, and retry the operation. If error persists, confirm configuration, power-cycle the board, and/or try more reliable JTAG settings (e.g. lower TCLK). (Emulation package 6.0.628.1)
C28xx_CPU1: Error: (Error -1135 @ 0x0) The debug probe reported an error. Confirm debug probe configuration and connections, reset the debug probe, and retry the operation. (Emulation package 6.0.628.1)
C28xx_CPU1: Unable to determine target status after 20 attempts
C28xx_CPU1: Failed to remove the debug state from the target before disconnecting. There may still be breakpoint op-codes embedded in program memory. It is recommended that you reset the emulator before you connect and reload your program before you continue debugging
C28xx_CPU1: GEL: Error while executing OnTargetConnect(): Could not write 0x0005F412@Data: target is not connected at *((int *) 0x5F412)=0x000F [f28377d_cpu1.gel:80] at OnTargetConnect()
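Since programming 0x01 into each field of the GRABSECTR and GRABRAMR registers did not work, I decided to simply program them all to 0x00. I moved on to another board and programmed both registers to 0x00000000. The emulator still could not connect.
Since I could not sort out the GRAB registers, I tested the two registers EXEONLYSECT and EXEONLYRAM. I moved on to another board and programmed both registers to 0x00000000. After programming, the program does not run. The board's power consumption is the same as with no program flashed. I believe that boot did not succeed or that INIT_FLASH did not succeed. Both BOOTMODE pins are pulled up and the registers are at their default configuration. FLASHBOOT is correct.
The manual has some hints.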
2.13.1.3 Execute-Only Protection
To achieve a higher level of security on secure Flash sectors and RAM blocks that store critical user code (instruction opcodes), the Execute-Only protection feature is provided. When the Execute-Only protection is turned on for any secure Flash sector or RAM block, data reads to that Flash sectors are disallowed from any code (even from secure code). Execute-only protection for a Flash sector and RAM block can be turned on by configuring the bit field associated for that particular sector/RAM block in the zone's (which has ownership of that sector/RAM block) EXEONLYSECT and EXEONLYRAM register, respectively

3.27.1 Safe Copy Code Functions (Z1 and Z2)
To allow code copy from a secure, EXEONLY flash sector to a secure, EXEONLY RAM belonging to the same zone, dedicated TI-provided code copy functions, which are programmed in secure ROM, should be used. These functions are denoted as SafeCopyCodeZ1() (for zone1) and SafeCopyCodeZ2() (for zone2) and are supported by hardware to allow users to copy the data from secure, EXEONLY flash sectors, to secure, EXEONLY RAM without compromising security. The application must ensure that the interrupts are disabled before calling the SafeCopyCodeZx() functions. The device will reset if an interrupt or NMI vector is fetched during execution of these functions.
The following is an example of how the copy function is used:
    SETC INTM
    Status = SafeCopyCodeZx(size,(Uint16 *)dest, (Uint16 *)src);
    CLRC INTM
Prototypes:
    Uint16 SafeCopycodeZ1(Uint32 size, Uint16 *dst, Uint16 *src);
    Uint16 SafeCopycodeZ2(Uint32 size, Uint16 *dst, Uint16 *src);
src – Source address in flash which is secure and EXEONLY enabled.
dst – Destination address in RAM which is secure, EXEONLY enabled and in same zone as source flash.
size – Number of words (16bit) to be copied.
The function returns the number of words copied. The application must ensure that the source flash sector and destination RAM block belongs to the same zone, and variables src, src+size should fall within a sector boundary and dst, dst+size should fall within a RAM block boundary. If any one of these conditions fails, function will return zero.
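I added the library and used SafeCopyCodeZ1((size_t)&RamfuncsLoadSize, &RamfuncsRunStart, &RamfuncsLoadStart); both the flash and the RAM involved in the copy have EXEONLY enabled, but no matter how I modify the program and the CMD file, the board's state does not change at all.
After several days of struggling, all 7 prototype boards have been programmed into a half-dead state. I no longer know where to start; I am worn out.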
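Added example, not part of the original post and not TI code: a host-side pre-flight check in C that applies the conditions the manual excerpt above lists for SafeCopyCodeZx() (same zone, EXEONLY on both sides, source inside one flash sector, destination inside one RAM block), so a zero return can be traced to a specific condition. The memory map, region_t, safecopy_precheck and the error codes are hypothetical names and constructed values, not device data.

```c
#include <stddef.h>
#include <stdint.h>

/* Host-side model of one flash sector or RAM block. Every address, zone
 * and flag in demo_map is constructed for illustration, not a device value. */
typedef struct {
    uint32_t start, end;  /* word addresses, end inclusive */
    int zone;             /* 1 or 2 = owning zone, 0 = unsecured */
    int exeonly;          /* 1 = EXEONLY enabled */
    int is_flash;         /* 1 = flash sector, 0 = RAM block */
} region_t;

static const region_t demo_map[] = {
    { 0x080000u, 0x081FFFu, 1, 1, 1 },  /* flash, Z1, EXEONLY */
    { 0x082000u, 0x083FFFu, 1, 1, 1 },  /* flash, Z1, EXEONLY */
    { 0x084000u, 0x085FFFu, 2, 1, 1 },  /* flash, Z2, EXEONLY */
    { 0x008000u, 0x0087FFu, 1, 1, 0 },  /* RAM, Z1, EXEONLY */
    { 0x008800u, 0x008FFFu, 1, 0, 0 },  /* RAM, Z1, not EXEONLY */
};
#define DEMO_N (sizeof demo_map / sizeof demo_map[0])

enum { COPY_OK, ERR_SIZE, ERR_SRC, ERR_DST, ERR_ZONE, ERR_EXEONLY };

static const region_t *find(const region_t *m, size_t n, uint32_t a, int flash)
{
    for (size_t i = 0; i < n; i++)
        if (m[i].is_flash == flash && a >= m[i].start && a <= m[i].end)
            return &m[i];
    return NULL;
}

/* Checks the documented SafeCopyCodeZx conditions before the call is made.
 * Assumption: "within a boundary" means the last copied word is in range. */
int safecopy_precheck(const region_t *m, size_t n, int zone,
                      uint32_t size, uint32_t dst, uint32_t src)
{
    const region_t *s = find(m, n, src, 1), *d = find(m, n, dst, 0);
    if (size == 0) return ERR_SIZE;
    if (!s || size - 1 > s->end - src) return ERR_SRC;  /* leaves the sector */
    if (!d || size - 1 > d->end - dst) return ERR_DST;  /* leaves the block */
    if (s->zone != zone || d->zone != zone) return ERR_ZONE;
    if (!s->exeonly || !d->exeonly) return ERR_EXEONLY;
    return COPY_OK;
}

int main(void)
{
    /* 0x100 words from Z1 flash to Z1 EXEONLY RAM: all conditions hold */
    return safecopy_precheck(demo_map, DEMO_N, 1, 0x100, 0x008000u, 0x080000u);
}
```

To use it for a real project, replace demo_map with the sector and RAM block ranges from the device data sheet and the zone and EXEONLY settings actually programmed into OTP.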
H S57:
Reply to H S57:
2.13.1
There are three types of accesses: data/program reads, JTAG access, and instruction fetches (calls, jumps, code executions, ISRs). Instruction fetches are never blocked. JTAG accesses are always blocked when a memory is secure. Data reads to a secure memory are always blocked unless the program is executing from a memory which belongs to the same zone. Data reads to unsecure memory are always allowed. Table 2-15 shows the levels of security.
0x5F412 is the DxINIT Register in the MEM_CFG_REGS Registers, which initializes the RAMs M0, M1, D0 and D1. Although the GRAB registers block JTAG access to M0, M1, D0 and D1, they do not block access to this DxINIT Register. And the GRAB registers never block instructions. Writing the DxINIT Register should have nothing to do with JTAG, right? But the console reports Could not write 0x0005F412@Data
Could it be that the GRAB registers also block JTAG accesses that reach the RAM through registers other than the RAM itself? If so, JTAG can only connect after unlock, but without a JTAG connection I cannot unlock. That is a contradiction.
H S57:
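Reply to H S57:
A follow-up: later I tried setting the GRAB fields to 0x01 or 0x10, and after UNLOCK the RAM and flash can be viewed. It may be related to a problem at the time JTAG connects, and possibly to BOOTMODE booting; still to be investigated.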
H S57:
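Reply to H S57:
The failure to connect the emulator after programming the GRAB registers has also been solved.
After locking, if the program has already booted and the RAM or flash regions lie inside a DCSM-Zx zone, ECSL blocks JTAG access to the chip, and the two passwords CSMPWD0 and CSMPWD1 have to be entered before the emulator can connect. - -! So BOOTMODE has to be changed: while the emulator is not connected, BOOTMODE is set to WAIT mode so that the chip stays in a waiting state. Then the emulator connects without trouble.
WAIT mode requires TRSTn = 0, GPIO72 = 1, GPIO84 = 0.
The manual also explains that the TRSTn signal differs between emulators, and how to connect the emulator correctly after locking. Please look it up yourself.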
Eric Ma:
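Reply to H S57:
A very pertinent user contribution.
Although DCSM is fairly complex to use, it does after all help improve the security of our code.
Also, not being able to connect the emulator after locking: earlier generations of the chip showed this behaviour too, for exactly the reason you gave. It can be solved by configuring the boot mode or by pressing reset.
In any case, thank you for supporting C2000.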
ERIC
Eruroraito:
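Hello! Thank you very much for sharing. I have also been working on locking for several days and have not even managed to get it locked. May I ask what needs to be modified for locking? Are there any masked-out parts that need to be used? I do not understand the low-level details very well.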
H S57:
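Reply to Eruroraito:
Read the DCSM part of the manual carefully from beginning to end; the security module is indeed fairly complex this time.
To lock Z1, at least the following registers need to be configured. Note that these registers are all OTP: once a bit is written to 0, it cannot be changed back to 1. The same applies to locking Z2.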
PSWDLOCK
Its effect is that, once locked, the CSMPSWD passwords cannot be read over JTAG or from the memory browser.
Z1-CSMPSWD0
Z1-CSMPSWD1
Z1-CSMPSWD2
Z1-CSMPSWD3
These are the passwords.
GRABSECT
GRABRAM
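Configure them as shown in the figure. I did not secure all of GRABRAM: my Z1 CLA is unused, so I did not write 01 or 10 for it. If you use it, change the relevant bits to 01 or 10; see the manual for the register details.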
Eruroraito:
Reply to H S57:
OK, thank you very much.