BSL

[thomassss 0]

Hi everyone,

 

I am trying to secure my code on my msp430g2553. 

 

I understood I need to blow the JTAG. Apparently I can do that just by supplying 7V on the TEST pin.

 

Then I have two options:

 

Option 1: Disable the BSL. For this I need to write the word 0xAA55 at the address 0xFFDE. But I am not very knowledgeable about  microcontrollers firmware and I have a hard time understanding how to do this. 

 

At http://processors.wiki.ti.com/index.php/Placing_Variables_in_Specific_Memory_Location_-_MSP430#Generating_JTAG_Lock, they suggest a few lines to write at a certain address to set the JTAG lock.

 

If I write:

#include <msp430g2553.h>
 
#pragma RETAIN(BSL_lock)
#pragma location=0xFFDE
const unsigned long int BSL_lock = 0xAA55;

at the beginning of my program in CCS, will this disable the BSL ?

 

Option 2: Set up a password to protect BSL access

 

I used OpenBSL and was able to run their Demo guide https://code.google.com/p/ti-txt-parser/wiki/OpenBSL_Host_Demo_Guide

But here again I have a hard time understanding how to modify this to set up the BSL password.

 

I found that OpenBSL_Config.h has {'M', 'Y', 'P', 'A', 'S', 'S', 'W', 'D'} and apparently I also have to change the address to which this password is sent in the Map file OpenBSL.map:

.const     0    0000feea    00000010     
                0000feea    00000008     OpenBSL_Core.obj (.const:.string:OpenBslPasswd)
                0000fef2    00000008     OpenBSL_Mem.obj (.const:MemInfo)

I have to replace feea by FFDE I think. But I am not sure of this. Can someone confirm if this is right or if there exhist another easy way to set your password for the BSL? And how to check setting the password actually worked?

 

Any help is appreciated

 

Thanks in advance

[jazz 209]

I am trying to secure my code on my msp430g2553. 

 

I understood I need to blow the JTAG. Apparently I can do that just by supplying 7V on the TEST pin.

 

To disable JTAG device access, JTAG fuse must be blown. Just supplying 6V-7V on TEST pin will not blow the fuse. There is JTAG command / preparation sequence that must be executed before connecting 6V-7V on TEST pin. This is explained in slau320 MSP430 Programming Via the JTAG Interface.

[thomassss 0]

Hi Everyone,

 

Thanks Jazz . I thought 7V on the TEST pin would blow the fuse but you are right there is more to do.

 

Using OpenBSL I was able to modify the BSL password:

 

In OpenBSL_Config.h change {'M', 'Y', 'P', 'A', 'S', 'S', 'W', 'D'} to your password and also change the address to which this password is sent in the Map file OpenBSL.map:

.const     0    0000feea    00000010     
                0000feea    00000008     OpenBSL_Core.obj (.const:.string:OpenBslPasswd)
                0000fef2    00000008     OpenBSL_Mem.obj (.const:MemInfo)

Replace feea by FFDE for msp430g2553.

 

If you do this and run the demo code from https://code.google.com/p/ti-txt-parser/wiki/OpenBSL_Host_Demo_Guide you will now have changed the password. Therefore if you try to run the program  openbsl_host_test.bat again it won't work anymore because you changed the password. If you want to access the msp with the BSL again you have to go into Scripts\OpenBSLHost.py and change the password to your new password again.

 

I guess I need to figure out a way to blow this damn JTAG fuse now. I read sla320 and it seems like the spi by wire from the launchpad is not sufficient enough to blow the JTAG fuse. You need the 4 wires connection? What hardware can I use to blow the JTAG fuse? If someone has an easyway to blow this fuse that would be awesome if you could share your method.

 

Thanks in advance for you help.

 

Regards,

Thomas 

[greeeg 460]

The recommend tool is TI's MSP-FET, or the older MSP-FET430UIF.

https://estore.ti.com/msp-fet.aspx

 

I've never had to blow the JTAG fuse, so I don't know the exact procedure.

 

The user manual for the MSP-FET describes the connections required. You still only need 2 pins to your MSP (SBWTCK/SBWTDIO), But you need an extra pin from the MSP-FET.

 

You should be able to use the MSPflasher on the software side.

[jazz 209]

Thanks Jazz . I thought 7V on the TEST pin would blow the fuse but you are right there is more to do.

 

I guess I need to figure out a way to blow this damn JTAG fuse now. I read sla320 and it seems like the spi by wire from the launchpad is not sufficient enough to blow the JTAG fuse. You need the 4 wires connection? What hardware can I use to blow the JTAG fuse? If someone has an easyway to blow this fuse that would be awesome if you could share your method.

 

SBW is able to blow the fuse and slau320 covering this, no need for JTAG and 4 extra wires.

 

Open source TI FET's are able for JTAG fuse blow software update, for example using MSP-FET430UIF source for updating eZ-FET Lite. Function BlowFuseXv2.c from open source MSP430.DLLv3 ...

/**
BlowFuse
Blow JTAG security fuse.
After calling this function JTAG access is not possible anymore.
inData: <tgtHasTest(8)>
outData: -
tgtHasTest: specifies if target device has TEST pin or not (bool)
*/

//! \todo implementation & rename to jtag access protection
#ifdef MSP430_UIF
HAL_FUNCTION(_hal_BlowFuseXv2)
{
decl_out_long
short ret_value = 0;
short bslValue = 0;
StreamSafe stream_tmp;
unsigned char stream_in_tmp[26];
unsigned short i =0;

WriteMemWordXv2(0x182, 0x0003);
ReadMemWordXv2(0x182, bslValue);

if( (bslValue & 0x8000) == 0 )
{
// Coppy incoming stream to forward it to HAL_ExecuteFuncletXv2
for(i=0;i<(sizeof(stream_in_tmp) - 4);i++)
{
STREAM_get_byte(&stream_in_tmp[i]);
}
// add Password to stream
stream_in_tmp[i] = 0xDE;
stream_in_tmp[i+1] = 0xAD;
stream_in_tmp[i+2] = 0xBA;
stream_in_tmp[i+3] = 0xBE;

// Write password into device
STREAM_internal_stream(stream_in_tmp, sizeof(stream_in_tmp), MESSAGE_OUT_TO_DLL, 0, &stream_tmp);
HAL_ExecuteFuncletXv2(MESSAGE_NEW_MSG | MESSAGE_LAST_MSG); // Data from DLL Stream
STREAM_external_stream(&stream_tmp);

// now perform a BOR via JTAG - we loose control of the device then...
test_reg
SetReg_32Bits_(0x00000200);
}
else
{
ret_value = HALERR_UNDEFINED_ERROR;
}
return ret_value;
}
#endif

#ifdef EZ_FET
HAL_FUNCTION(_hal_BlowFuseXv2)
{
// fuseblow is not supported on eZ-FET
return API_CALL_NOT_SUPPORTED;
}
#endif

Blowing non-soft fuse on MSP430x2xx devices need also some hardware update. If 3 / 3.3 V are available on-board, voltage doubler can be used for Vpp (6 - 6.6V). Or external (6 - 7V) Vpp supply. For applying Vpp on device TEST pin can be used combination of digital transistor / P MOSFET, or P MOSFET with integrated GATE logic (for example MIC2514). Also, there are logic chips able for delivering 6.5V / 100mA, for example NC7WZ04.

 

For example, adding fuse blow to custom eZ-FET Lite, that is @@greeeg working on (http://forum.43oh.com/topic/5530-custom-ezfet-lite), and where 3.3 V reg is on-board, is possible with adding voltage doubler (with true out disconnection when doubler is disabled, and connecting doubler output directly to TEST pin) and customizing software, with no much extra parts or need for resizing board.

[thomassss 0]

Hey guys,

 

Thanks for the reply. I looked on slau278r and on page 24 I was able to find the connection I need to make with my board to be able to use the MSP-FET430UIF. I am disappointed that the MSP-FET430UIF doesn't have the BSL connection (RXD, TXD) though. It means I will have to have another connection to make with the launchpad to program the BSL password apparently. Am I right?

 

Jazz,

If I understand well if I use the MSP-FET430UIF I can blow the fuse without hardware update, right?

BUT if I want to use a cheaper eZ-FET Lite to blow the fuse I would need to do a hardware update to double the voltage?

 

Is that what you meant ?

 

Thanks,

Thomas

[jazz 209]

Thanks for the reply. I looked on slau278r and on page 24 I was able to find the connection I need to make with my board to be able to use the MSP-FET430UIF. I am disappointed that the MSP-FET430UIF doesn't have the BSL connection (RXD, TXD) though. It means I will have to have another connection to make with the launchpad to program the BSL password apparently. Am I right?

 

MSP-FET430UIF is SBW / JTAG tool, not BSL. BSL password can be programmed by SBW / JTAG / BSL. If you want to play with BSL there is slaa535 LaunchPad-Based MSP430 UART BSL Interface where MSP430G2 LP can be used as BSL base.

 

Jazz,

If I understand well if I use the MSP-FET430UIF I can blow the fuse without hardware update, right?

BUT if I want to use a cheaper eZ-FET Lite to blow the fuse I would need to do a hardware update to double the voltage?

 

Is that what you meant ?

 

Yes

[thomassss 0]

Thank you jazz for the answer!

 

I was using the LP and OpenBSL to program the BSL password which use the TXD and RXD pins on the launchpad. The MSP-FET430UIF doesn't seems to have the TXD, RXD connections so it doesn't looks like I can use the MSP-FET430UIF and OpenBSL to program the BSL password. I will have to have some other connections and use the launchpad. Do you see any other way of programming the BSL password using the MSP-FET430UIF?

 

Sorry, I am not that familiar with all the different way to access and program a microcontroller. I may need to learn more about this.

 

Also will the code that you gave me work with the MSP-FET430UIF to blow the fuse ? or is this only the code for ez-FET Lite ?

 

Thanks,

Thomas

[jazz 209]

I was using the LP and OpenBSL to program the BSL password which use the TXD and RXD pins on the launchpad. The MSP-FET430UIF doesn't seems to have the TXD, RXD connections so it doesn't looks like I can use the MSP-FET430UIF and OpenBSL to program the BSL password. I will have to have some other connections and use the launchpad. Do you see any other way of programming the BSL password using the MSP-FET430UIF?

 

Sorry, I am not that familiar with all the different way to access and program a microcontroller. I may need to learn more about this.

 

BSL using TEST / RESET / TXD / RXD for target connection. SBW using only TEST / RESET. Both BSL / SBW are writing to target device flash, and BSL password is part (vector table) of target device flash, so any BSL / SBW / JTAG tool can change BSL password of target device.

 

Also will the code that you gave me work with the MSP-FET430UIF to blow the fuse ? or is this only the code for ez-FET Lite ?

 

MSP430.DLL and MSP-FET430UIF / ezFET are open (common / integrated with #ifdef MSP430_UIF / EZ_FET switches) source now (http://processors.wiki.ti.com/index.php/MSPDS_Open_Source_Package), and it is possible to add not existing stuff on ezFET firmware from MSP-FET430UIF.

[thomassss 0]

Hey Jazz,

 

Sorry I had to take care of some other things and I put the Fuse Blow issue on the side for a while. But I am getting back to it now.

I have installed CCS 6.0.1, I have the MSP-FET, the MSP-TS430PW28A board and I can compile code on my msp430g2553.

 

I have looked at the BlowFuseXv2.c code that you gave me. It seems like the code set up the BSL password and Blow the fuse if I am not misunderstood. How do you use this code? Should I just call the BlowFuseXv2.c function in my code and compile it in CCS? I don't understand much what tgtHasTest is?

 

I have seen some softwares in the CD that came with the MSP-FET: FET-Pro, FET-R600, GANG430. Can I use one of these sofwares to set up the BSL password and Blow the fuse?

 

In short, could you give me a list of instructions on how to set up the BSL password and blow the fuse in the MSP430g2553 with the MSP-FET and the MSP-TS430PW28A board?

 

I am sorry I am not familiar with how to program the ROM, I wish I could get some more info somewhere.

 

Thanks in advance for the kind help.

[thomassss 0]

Alright,

 

I found out on slau157 that on CCS you can compile the code and go to Run ? Advanced ? Make Device Secure and it will apparently Blow the JTAG Fuse.

 

I wish there was the same kind of thing to change the BSL password. Does someone know how to set the BSL password with CCS and SBW?

 

Thanks

[KatiePier 73]

@@thomassss

The BSL password is simply the 32-bytes from 0xFFE0 through 0xFFFF (see www.ti.com/lit/pdf/slau319 section 2.4.4.3). Note that this area also contains the interrupt vector table. So if you look at the binary image that your code generates, you'll probably see that at least some of these bytes are already filled in, so by default there is already some of a password (just maybe not a very strong one - most of it might be FFs). You should be able to modify addresses that are not used for pointing to interrupt vectors if you like to have a different password. Safest way to do this would probably just be to make dummy ISRs for each of your unused interrupt vectors and the placement of these is going to fill in the addresses in the vector table and therefore change your password. If you really wanted to get particular about what your password is you could explicitly place the vectors at particular addresses instead of having the linker choose where they go, but that starts to get trickier - just having these will at least give you a longer password even if the linker chooses where to put them.

 

And these addresses can simply be programmed in using JTAG or SBW - indeed, if you have any interrupts in your program (and the reset vector will get filled anyway), then your JTAG/SBW is already programming this area (0xFFE0-FFFF) with something and therefore there is already some password on your BSL. If you are generating a TI-txt or hex file that you're programming in using MSP430Flasher or Elprotronic software or something, then as long as these addresses have something in them in the file then your BSL password is already getting set to something.

 

Regards,

Katie

[thomassss 0]

Thanks, I got it. I just used CCS (see http://processors.wiki.ti.com/index.php/Generating_and_Loading_MSP430_Binary_Files) to generate the  TI-txt and it appear I am actually writing into 0xFFE0-FFFF so I am happy. I can maybe use some dummy ISR to make the password more complicated.