newaetech / chipwhisperer-target-mpc5748g

CW308T-MPC5748G Example Firmware

Re-flash MPC5748G after enabling password groups #1

Open cwerling opened 1 year ago

cwerling commented 1 year ago

Hi Colin, Hi Alex,

Thank you for providing these exemplary usages of the MPC's password locking mechanism. After flashing your simpleserial firmware, I am having issues with re-flashing the MPC's firmware after unlocking all password groups. This should be possible though, right?


I have programmed the password group configurations as provided by you, entered the lifecycle 'OEM production' and I'm entering the passwords via TeraTerm as follows:

for each x in {0,1,2,3}

  1. w0x to select password group x
  2. q{pass} to enter the respective word-reversed password
    • correct password returns r0x 601fffff
    • wrong password returns r0x e01fffff
    • not entirely sure how to interpret the PASS_LOCK_3_PGn register, but this seems to indicate various 'unlockings' (Password Group Lock, Debug Interface Lock, Master only, etc.)
  3. when checking the lock status with l, I seemingly get a locked status again: r00 e01fffff

Assuming I have correctly unlocked the password groups in the runtime (skipping 3.), I still fail to flash new firmware through the PEMicro GDB server. I am providing the JTAG password via command line and am able to attach via GDB, debug, etc. However, when I load the new ELF, I get a flash error.

My best guess is, this is due to the PEMicro software resetting the board before doing anything else, as this should 're-lock' the password groups.

I would really appreciate your thoughts on this: Have you been able to re-flash the chip in this stage? If so, how? If not, do you think it should be possible (e.g. by programming without a reset)?

I couldn't find anything related to password group-related flashing on the PEMicro forums and thought I'd consult you guys first.

Thanks in advance for any hints! Christian


Down below you find the PEMicro output when trying to flash. (I assume the writings are just not possible and thus the CRC checksums fail).

CMD>CM E:\NXP\S32DS_Power_v2.1\eclipse\plugins\com.pemicro.debug.gdbjtag.ppc_1.8.7.201906071634\win32\gdi\P&E\nxp_mpc5748g_1x32x1520k_cflash.pcp

Initializing.

Device IDCODE is $00000082
Device ID revision is $00000000
MPC574xC Device detected.
Initialized.

;version 1.05, 06/26/2017, Copyright P&E Microcomputer Systems, www.pemicro.com [5748G_6080k]

;device NXP, MPC5748G, 1x32x1520k, desc=CFlash

;begin_cs device=$00F90000, length=$005F0000, ram=$40000000

Loading programming algorithm ...
Done.
Programming sequency is : erase, blank check, program, and verify {default}
CMD>VC
Verifying object file CRC-16 to device ranges ...
   block 00FA0000-00FA0007 ...
Ok.
   block 00FA0010-00FA0017 ...
Ok.
   block 01000000-01000269 ...
Calculated CRC-16 does not match block. (File = $2BCC, Device = $D1B1)
Current content of flash does not match application to be programmed

CMD>EM

Erasing.
Module has been erased.
CMD>PM

Programming.
Processing Object File Data ...

Error during programming.
Error Programming flash of device
Error occured during Flash programming.

Device IDCODE is $00000082
Device ID revision is $00000000

Device IDCODE is $00000082
Device ID revision is $00000000

Starting reset script (E:\NXP\S32DS_Power_v2.1\eclipse\plugins\com.pemicro.debug.gdbjtag.ppc_1.8.7.201906071634\win32\gdi\P&E\s32e200_mpc574xg.mac) ...
REM This script is compatible with MPC574xG devices.                                                                                        
REM Clean GPRs to remove residual data after using algorithm                                                                                
REM Initialize all of the Main SRAM - 768KB                                                                                                 
Initializing RAM from $40000000 to $400BFFFF.

Reset script (E:\NXP\S32DS_Power_v2.1\eclipse\plugins\com.pemicro.debug.gdbjtag.ppc_1.8.7.201906071634\win32\gdi\P&E\s32e200_mpc574xg.mac) completed.

MPC574xG Device detected.
PE-ERROR: Error downloading to the device.

colinoflynn commented 1 year ago

Hi Christian,

I don't remember if I've tested this with the flash lock enabled. When I used the password feature I set up the DCF records to disable all the flash locks (set the bit to '0'), although it's been a while I admit so looking back at notes. The unlock did work however as far as being reflected in the registers, which seems to be the case for you too.

> when checking the lock status with l, I seemingly get a locked status again: r00 e01fffff

Just to confirm - this is expected, as the l command just relocks it (and prints to show it took effect) as in here.

You could (I think) modify the PEMicro PCP file to write the passwords, there is various setup you can see in the files from memory (I'm away from my computer with PEMicro installed so forget exactly what is in there). This may be the easiest way, especially if just hard-coding.

From memory you could attach w/o reset first, but there were some caveats to that. But it might still do some sort of reset even then.

The other solution is to use the RAM upload feature to load a bootloader. We had the RAM upload for this reason (the 'monitor' function), but never actually ported or had a working bootloader. There are some NXP provided bootloaders that might work, but it was never pushed far enough to actually get that far.

The PEMicro forum was helpful in the past for me, as was the NXP forum (https://community.nxp.com/t5/MPC5xxx/bd-p/mpc5xxx).

See this app-note as well on the locking features, in case you didn't come across it: https://www.nxp.com/docs/en/application-note/AN12092.pdf

The features have a lot of interplay IMO, so getting it all working wasn't always easy!

cwerling commented 1 year ago

Hi Colin,

Thanks for your quick & thorough reply!

Since I only used your prog tools, but didn't implement your advice from the password docs about creating a DCF record to render the locks harmless, I assume my flash is locked until I provide all four valid passwords.

> When the device is initially delivered to the customer, no DCF records that initialize lock registers exist in UTEST flash. In this situation, if no DCF records to initialize PASS_LOCKx_PGn registers are found, all blocks of flash default to locked (blocked against reprogramming).

(from AN12092)

Loading code via the monitor mode would be an option, too, although that would complicate my attack setup. Thanks anyways for the firmware, it's a very handy one for being stuck with after all :)

I will ping the PEMicro forums and ask for any advice on the PCP password group unlocking.

Best, Christian