
[Revisited] S32K144: updating the app with Lauterbach or JLINK after a backdoor key unlock

  • 1. Document overview
  • 2. Preparing the backdoor-key secured code
  • 3. Test results for the secured demo
    • 3.1 Lauterbach test result
    • 3.2 JLINK test result
  • 4. Updating a new app with the debugger tools
    • 4.1 Updating the app with Lauterbach
    • 4.2 Updating the app with JLINK
      • 4.2.1 Create a NXP_Kinetis_S32_Attach.JLinkScript file
      • 4.2.2 Create a S32K144_backdoorkeyJLINK.bat file
      • 4.2.3 Put the files in one folder
      • 4.2.4 Test result
  • 5. Points to check if the backdoor key does not work

1. Document overview

This article describes how to secure the debug interface on the S32K14x series with a backdoor key and then use that key to unlock it again. Once unlocked, a new app can be downloaded with Lauterbach or JLINK without the IDE, so the app can be updated in the field. The article covers how to build a secured flash configuration that carries a backdoor key, so that the chip is secured but can still be opened with the key; the app can then, on an external signal or under a specific operating condition, feed the backdoor key into the flash controller to temporarily unlock the debug port, which lets a debugger connect, program, and so on. The device must not be reset while this is done: as soon as it is reset, the chip is secured again.

2. Preparing the backdoor-key secured code

SW: RTM4.0.3
IDE: S32DS3.4
Debugger: Lauterbach and Segger JLINK plus
Board: S32K144EVB-Q100
Code preparation. Target behaviour: the project configures the backdoor key in the 0x400 region at startup and secures the debug interface. After reset the on-board red LED blinks for about 30 s, then the backdoor key verify command is issued to unlock the debug port; when that is done the red LED is turned off and the on-board green LED is lit.
Import the RTM4.0.3 example project flash_partitioning_s32k144 and change the following:
(1) Project_Settings->Startup_Code->startup_S32K144.S

/* Flash Configuration */
.section .FlashConfig, "a"
.long 0xbe5f8529     /* 8 bytes backdoor comparison key           */
.long 0x8a8c0403     /*                                           */
.long 0xFFFFFFFF     /* 4 bytes program flash protection bytes    */
.long 0xFFFF7FBF     /* FDPROT:FEPROT:FOPT:FSEC(0xFE = unsecured) */ //FE
.text
.thumb

Here you can see the key that is set: flash addresses 0x400 to 0x407 hold, in hex, 29855FBE03048C8A (the .long words are stored little-endian, so 0xbe5f8529 becomes the bytes 29 85 5F BE).
The configuration enables the backdoor key (KEYEN), enables mass erase (MEEN) and secures the debug interface (SEC), so the FSEC byte at 0x40C is 0xBF.

(2) Modify main.c as follows
The code that issues the flash command must run from RAM; for convenience the whole backdoor_key_verify() function is placed in RAM here.

#include "sdk_project_config.h"
#include "interrupt_manager.h"

#define PCC_CLOCK PCC_PORTD_CLOCK
#define LED0_PORT PTD
#define LED0_PIN  15
#define LED1_PORT PTD
#define LED1_PIN  16

void delay(volatile int cycles)
{
    while(cycles--);
}

volatile int exit_code = 0;
flash_ssd_config_t flashSSDConfig;

/* Data source for program operation */
#define BUFFER_SIZE         0x100u          /* Size of data source */
uint8_t sourceBuffer[BUFFER_SIZE];

/* Function declarations */
void CCIF_Handler(void);   /* Flash Command Complete ISR of the flash_partitioning example */
/* If target is flash, insert this macro to locate callback function into RAM */
START_FUNCTION_DECLARATION_RAMSECTION
void CCIF_Callback(void)
END_FUNCTION_DECLARATION_RAMSECTION

enum err
{
    OK,
    ERROR
};

//const uint8_t key[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE};
/* Must match the bytes at 0x400..0x407 of the .FlashConfig section byte for byte */
const uint8_t key[8] = {0x29, 0x85, 0x5f, 0xbe, 0x03, 0x04, 0x8c, 0x8a};

__attribute__ ((section(".code_ram")))   // place the function below into .code_ram section
uint8_t backdoor_key_verify(const uint8_t *key);

uint8_t backdoor_key_verify(const uint8_t *key)
{
    while((FTFC->FSTAT & FTFC_FSTAT_CCIF_MASK) == 0);               // wait if operation in progress
    FTFC->FSTAT = FTFC_FSTAT_ACCERR_MASK | FTFC_FSTAT_FPVIOL_MASK;  // clear flags
    FTFC->FCCOB[0x3] =  0x45;   // Backdoor Key Verify command (0x45)
    FTFC->FCCOB[0x7] =  key[3];
    FTFC->FCCOB[0x6] =  key[2];
    FTFC->FCCOB[0x5] =  key[1];
    FTFC->FCCOB[0x4] =  key[0];
    FTFC->FCCOB[0xB] =  key[7];
    FTFC->FCCOB[0xA] =  key[6];
    FTFC->FCCOB[0x9] =  key[5];
    FTFC->FCCOB[0x8] =  key[4];
    FTFC->FSTAT = FTFC_FSTAT_CCIF_MASK;                 // launch command
    while((FTFC->FSTAT & FTFC_FSTAT_CCIF_MASK) == 0);   // wait until complete
    if(FTFC->FSTAT & FTFC_FSTAT_ACCERR_MASK)
    {
        return ERROR;   // command rejected: wrong key, KEYEN disabled or device not secured
    }
    else
    {
        return OK;
    }
}

int main(void)
{
    /* Write your local variable definition here */
    status_t ret;        /* Store the driver APIs return code */
    uint32_t address;
    uint32_t size;
    uint32_t failAddr;
    uint32_t i;
    flash_callback_t pCallBack;
    status_t error;

    CLOCK_SYS_Init(g_clockManConfigsArr, CLOCK_MANAGER_CONFIG_CNT,
                   g_clockManCallbacksArr, CLOCK_MANAGER_CALLBACK_CNT);
    CLOCK_SYS_UpdateConfiguration(0U, CLOCK_MANAGER_POLICY_AGREEMENT);

    /* Init source data */
    for (i = 0u; i < BUFFER_SIZE; i++)
    {
        sourceBuffer[i] = i;
    }

    /* Set pins as GPIO */
    error = PINS_DRV_Init(NUM_OF_CONFIGURED_PINS0, g_pin_mux_InitConfigArr0);
    DEV_ASSERT(error == STATUS_SUCCESS);

    /* Set Output value LED0 & LED1 */
    PINS_DRV_SetPins(LED0_PORT, 1 << LED0_PIN);
    PINS_DRV_SetPins(LED1_PORT, 1 << LED1_PIN);

    /* Blink the red LED for roughly 30 s; the debug port is still secured here */
    for (i = 0u; i < 40; i++)
    {
        delay(720000);
        /* Toggle output value LED0 */
        PINS_DRV_TogglePins(LED0_PORT, 1 << LED0_PIN);
        delay(720000);
        PINS_DRV_TogglePins(LED0_PORT, 1 << LED0_PIN);
    }

    /* Disable cache so that flash operations take effect immediately (device dependent) */
    MSCM->OCMDR[0u] |= MSCM_OCMDR_OCM1(0x3u);
    MSCM->OCMDR[1u] |= MSCM_OCMDR_OCM1(0x3u);

    /* Install interrupt for Flash Command Complete event */
    INT_SYS_InstallHandler(FTFC_IRQn, CCIF_Handler, (isr_t*) 0);
    INT_SYS_EnableIRQ(FTFC_IRQn);
    /* Enable global interrupt */
    INT_SYS_EnableIRQGlobal();

    /* Always initialize the driver before calling other functions */
    ret = FLASH_DRV_Init(&Flash_InitConfig0, &flashSSDConfig);
    DEV_ASSERT(STATUS_SUCCESS == ret);

    delay(720000);
    /* Feed the backdoor key to the flash controller: the debug port stays unlocked until the next reset */
    error = backdoor_key_verify(key);

    /* Toggle output value LED1 (green LED on) */
    // PINS_DRV_TogglePins(LED0_PORT, 1 << LED0_PIN);
    PINS_DRV_TogglePins(LED1_PORT, 1 << LED1_PIN);

    while(1){};
}

Build the code and download it to the S32K144EVB. Note that the download must use a mode that supports security: select the device as S32K144 (ALLOW SECURITY).
After reset the on-board red LED first blinks for about 30 s and then the green LED stays on.

3. Test results for the secured demo

3.1 Lauterbach test result

Open TRACE32 for Arm, go to CPU->System Settings and select S32K144 as the CPU.
Clicking Attach during the red-LED blinking phase gives the result below; Up cannot be used, since it resets the device automatically:
The window shows that the core is locked.

[Figure 1: TRACE32 Attach during the red-LED (secured) phase]

Clicking Attach during the green-LED steady phase gives the following:
The connection succeeds, which shows that the chip's debugger interface has been unlocked.

[Figure 2: TRACE32 Attach during the green-LED (unlocked) phase]

3.2 JLINK test result

Open the Segger JLINK driver installation directory:
C:\Program Files\SEGGER\JLink_V796o\JLink.exe
Connect twice: once during the red-LED blinking (secured) phase after a board reset, and once during the green-LED steady (unlocked) phase.
(1) Connection result during the red-LED blinking (secured) phase
Log below:
Connecting as S32K144 (ALLOW SECURITY), the core cannot be found, which shows that the chip really is locked.

SEGGER J-Link Commander V7.96o (Compiled Jun 26 2024 16:18:16)
DLL version V7.96o, compiled Jun 26 2024 16:17:29
Connecting to J-Link via USB...O.K.
Firmware: J-Link V13 compiled Dec  4 2024 17:54:04
Hardware version: V13.00
J-Link uptime (since boot): 0d 06h 30m 10s
S/N: 603001935
License(s): RDI, FlashBP, FlashDL, JFlash, GDB
USB speed mode: High speed (480 MBit/s)
VTref=4.586V
Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: S32K144 (ALLOW SECURITY)
Type '?' for selection dialog
Device>
Please specify target interface:
  J) JTAG (Default)
  S) SWD
  T) cJTAG
TIF>s
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>
Device "S32K144 (ALLOW SECURITY)" selected.
Connecting to target via SWD
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 8us
InitTarget() start
SWD selected. Executing JTAG -> SWD switching sequence.
Skipping unsecure.
InitTarget() end - Took 1.94s
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Could not find core in Coresight setup
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 7us
InitTarget() start
SWD selected. Executing JTAG -> SWD switching sequence.
Skipping unsecure.
InitTarget() end - Took 808ms
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Could not find core in Coresight setup
Error occurred: Could not connect to the target device.
For troubleshooting steps visit: https://wiki.segger.com/J-Link_Troubleshooting
J-Link>

(2) Connection result during the green-LED steady (unlocked) phase
Log below:
Connecting as S32K144 (ALLOW SECURITY), the core is found at first, which shows that the debug port has been unlocked; but the JLINK connect sequence then resets the device by itself, so the chip is effectively locked again.

J-Link>connect
Device "S32K144 (ALLOW SECURITY)" selected.
Connecting to target via SWD
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 7us
InitTarget() start
SWD selected. Executing JTAG -> SWD switching sequence.
InitTarget() end - Took 52.0ms
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
AP[1]: JTAG-AP (IDR: 0x001C0000)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
[0][0]: E000E000 CID B105E00D PID 000BB00C SCS-M7
[0][1]: E0001000 CID B105E00D PID 003BB002 DWT
[0][2]: E0002000 CID B105E00D PID 002BB003 FPB
[0][3]: E0000000 CID B105E00D PID 003BB001 ITM
[0][4]: E0040000 CID B105900D PID 000BB9A1 TPIU
Initializing 61440 bytes work RAM @ 0x1FFF8000
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.SYSRESETREQ.
Reset: SYSRESETREQ has confused core.
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[0]: Skipped. Could not read CPUID register
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[0]: Skipped. Could not read CPUID register
Could not find core in Coresight setup
Reset: Using fallback: VECTRESET.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.VECTRESET.
Reset: VECTRESET has confused core.
Reset: Using fallback: Reset pin.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via reset pin
Reset: VC_CORERESET did not halt CPU. (Debug logic also reset by reset pin?).
Reset: Reconnecting and manually halting CPU.
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[0]: Skipped. Could not read CPUID register
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[0]: Skipped. Could not read CPUID register
Could not find core in Coresight setup
T-bit of XPSR is 0 but should be 1. Changed to 1.
Error occurred: Could not connect to the target device.
For troubleshooting steps visit: https://wiki.segger.com/J-Link_Troubleshooting

4. Updating a new app with the debugger tools

4.1 Updating the app with Lauterbach

Open the script C:\T32\demo\arm\flash\s32k.cmm in TRACE32.
One thing to note: by default the script does not allow the 0x400-0x40F region to be modified. To change that region, use FLASH.AUTO 0x400--0x40f /CENSORSHIP together with a Data.Set of the values for that region.
Unsecured data:

Data.Set 0x400--0x40f %Byte 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFE 0x7F 0xFF 0xFF;

Secured data with the key:

Data.Set 0x400--0x40f %Byte 0X29 0x85 0x5F 0xBE 0x03 0x04 0x8C 0x8A 0xFF 0xFF 0xFF 0xFF 0xBF 0x7F 0xFF 0xFF;
; ------------------------------------------------------------------------------
; Flash programming example

DIALOG.YESNO "Program flash memory?"
LOCAL &progflash
ENTRY &progflash
IF &progflash
(
  FLASH.ReProgram.ALL /Erase
  Data.LOAD.auto *
  FLASH.ReProgram.off
  FLASH.AUTO 0x400--0x40f /CENSORSHIP ;kerry remove ;
  ;Data.Set 0x400--0x40f %Byte 0X29 0x85 0x5F 0xBE 0x03 0x04 0x8C 0x8A 0xFF 0xFF 0xFF 0xFF 0xBF 0x7F 0xFF 0xFF;kerry add secure
  Data.Set 0x400--0x40f %Byte 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFE 0x7F 0xFF 0xFF;kerry add unsecure
  FLASH.AUTO OFF
  ; Reset device
  SYStem.Down
  SYStem.Up
)
ENDDO

The above uses the default script C:\T32\demo\arm\flash\s32k.cmm directly, but the default script performs a mass erase.
You can also write your own script: create a file s32k144 secured unlock.cmm with the following content:

RESet
SYStem.RESet
SYStem.CPU S32K144
SYStem.CONFIG.DEBUGPORTTYPE SWD
SYStem.Option DUALPORT ON
SYStem.MemAccess DAP
SYStem.JtagClock CTCK 10MHz
Trace.DISable
SYStem.Mode Attach
Break
Data.Set AD:0x1FFFFC00--0x200037FF %Long 0X0
Do ~~/demo/arm/flash/s32k CPU=S32K144 PREPAREONLY
FLASH.ReProgram All
Data.LOAD.auto "C:/KerryPC/customer/Valeo/K144/backdoorKey/kerry/hello_world_s32k144.elf";no secured code
;Data.LOAD.auto "C:/KerryPC/customer/Valeo/K144/backdoorKey/kerry/flash_partitioning_s32k144.elf";backdoor secured code
FLASH.AUTO 0x400--0x40f /CENSORSHIP ;kerry remove ;
;Data.Set 0x400--0x40f %Byte 0X29 0x85 0x5F 0xBE 0x03 0x04 0x8C 0x8A 0xFF 0xFF 0xFF 0xFF 0xBF 0x7F 0xFF 0xFF;kerry add secure
Data.Set 0x400--0x40f %Byte 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFE 0x7F 0xFF 0xFF;kerry add unsecure
FLASH.AUTO OFF
FLASH.ReProgram off

To download the backdoor-key secured file, use this group of lines in the script:

Data.LOAD.auto "C:/KerryPC/customer/Valeo/K144/backdoorKey/kerry/flash_partitioning_s32k144.elf";backdoor secured code
FLASH.AUTO 0x400--0x40f /CENSORSHIP ;kerry remove ;
Data.Set 0x400--0x40f %Byte 0X29 0x85 0x5F 0xBE 0x03 0x04 0x8C 0x8A 0xFF 0xFF 0xFF 0xFF 0xBF 0x7F 0xFF 0xFF;kerry add secure

To download a new unsecured file, use this group of lines:

Data.LOAD.auto "C:/KerryPC/customer/Valeo/K144/backdoorKey/kerry/hello_world_s32k144.elf";no secured code
FLASH.AUTO 0x400--0x40f /CENSORSHIP ;kerry remove ;
Data.Set 0x400--0x40f %Byte 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFE 0x7F 0xFF 0xFF;kerry add unsecure

Testing shows that downloading the backdoor-key secured file leaves the code secured.
If the debug port can be connected and unsecured code is downloaded, the port is no longer secured afterwards.
This shows that the script downloads code successfully without a reset.

4.2 Updating the app with JLINK

The test results above show that running connect directly in JLINK Commander includes a reset, and a reset locks the chip again. So after the chip has been unlocked with the backdoor key, the debugger connection must not reset the device. This is done with a JLinkScript that redefines the ResetTarget() interface; without it, the default ResetTarget implementation in JLinkARM.dll is used, which resets the device again.
The meaning of the relevant script functions:

• InitTarget(): replaces the J-Link DLL's automatic detection of the target CPU. Useful for target CPUs that are not accessible by default and need special steps before the regular debug connection sequence can succeed.
• SetupTarget(): called after InitTarget() and after the regular J-Link debug connection sequence; normally used for higher-level CPU debug setup such as writing certain memory locations, initialising the PLL to speed up downloads, etc.
• ResetTarget(): replaces the DLL's reset strategy. Whatever reset type is selected in the DLL, if this function exists it is called instead of the DLL-internal reset.
• AfterResetTarget(): called after ResetTarget(). Used after a reset to initialise required peripherals (for example the watchdog). In addition, some core types need special handling after reset so that the device works correctly afterwards.

The following explains how to do this with a JLinkScript.

4.2.1 Create a NXP_Kinetis_S32_Attach.JLinkScript file

Content as follows; save the file:

int InitTarget(void) {
  return 0;
}

int ResetTarget(void) {
  return 0;
}

4.2.2 Create a S32K144_backdoorkeyJLINK.bat file

Content as follows; save the file:

jlink.exe -JLinkScriptFile NXP_Kinetis_S32_Attach.JLinkScript

4.2.3 Put the files in one folder

Put NXP_Kinetis_S32_Attach.JLinkScript, S32K144_backdoorkeyJLINK.bat, JLink.exe, app_backdoorsecure.elf and app_unsecure.elf together in one folder.

4.2.4 Test result

The log below is what you get after double-clicking S32K144_backdoorkeyJLINK.bat:
(1) While the chip is locked, the connection fails. At this point use the chosen trigger to make the app feed in the backdoor key; once that succeeds, continue.
(2) On the next connect the core is found.
J-Link>mem32 0x400 0x20
00000400 = BE5F8529 8A8C0403 FFFFFFFF FFFF7FBF
At this point 0x400 still holds the backdoor key, and the configuration values still say the chip is locked.
(3) loadfile downloads the new code directly.
00000400 = FFFFFFFF FFFFFFFF FFFFFFFF FFFF7FFE
The values have been changed.

C:\KerryPC\customer\Valeo\K144\backdoorKey\kerry>jlink.exe -JLinkScriptFile NXP_Kinetis_S32_Attach.JLinkScript
SEGGER J-Link Commander V7.96o (Compiled Jun 26 2024 16:18:16)
DLL version V8.12a, compiled Jan  9 2025 14:38:21
Connecting to J-Link via USB...O.K.
Firmware: J-Link V13 compiled Dec  4 2024 17:54:04
Hardware version: V13.00
J-Link uptime (since boot): 0d 02h 44m 14s
S/N: 603001935
License(s): RDI, FlashBP, FlashDL, JFlash, GDB
USB speed mode: High speed (480 MBit/s)
VTref=4.563V
Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: S32K144 (ALLOW SECURITY)
Type '?' for selection dialog
Device>
Please specify target interface:
  J) JTAG (Default)
  S) SWD
  T) cJTAG
TIF>s
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>
Device "S32K144 (ALLOW SECURITY)" selected.
Connecting to target via SWD
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 4us
InitTarget() start
InitTarget() end - Took 0us
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011, ADDR: 0x00000000)
AP[1]: JTAG-AP (IDR: 0x001C0000, ADDR: 0x01000000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011, ADDR: 0x00000000)
AP[1]: JTAG-AP (IDR: 0x001C0000, ADDR: 0x01000000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Could not find core in Coresight setup
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 6us
InitTarget() start
InitTarget() end - Took 0us
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011, ADDR: 0x00000000)
AP[1]: JTAG-AP (IDR: 0x001C0000, ADDR: 0x01000000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Attach to CPU failed. Executing connect under reset.
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011, ADDR: 0x00000000)
AP[1]: JTAG-AP (IDR: 0x001C0000, ADDR: 0x01000000)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Not an AHB-AP
Could not find core in Coresight setup
Error occurred: Could not connect to the target device.
For troubleshooting steps visit: https://wiki.segger.com/J-Link_Troubleshooting
J-Link>connect
Device "S32K144 (ALLOW SECURITY)" selected.
Connecting to target via SWD
ConfigTargetSettings() start
ConfigTargetSettings() end - Took 4us
InitTarget() start
InitTarget() end - Took 1us
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
CoreSight SoC-400 or earlier
Scanning AP map to find all available APs
AP[2]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011, ADDR: 0x00000000)
AP[1]: JTAG-AP (IDR: 0x001C0000, ADDR: 0x01000000)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
[0][0]: E000E000 CID B105E00D PID 000BB00C SCS-M7
[0][1]: E0001000 CID B105E00D PID 003BB002 DWT
[0][2]: E0002000 CID B105E00D PID 002BB003 FPB
[0][3]: E0000000 CID B105E00D PID 003BB001 ITM
[0][4]: E0040000 CID B105900D PID 000BB9A1 TPIU
Memory zones:
  Zone: "Default" Description: Default access mode
Cortex-M4 identified.
J-Link>mem32 0x400 0x20
00000400 = BE5F8529 8A8C0403 FFFFFFFF FFFF7FBF
00000410 = F04FB672 F04F0100 F04F0200 F04F0300
00000420 = F04F0400 F04F0500 F04F0600 46B80700
00000430 = 46BA46B9 46BC46BB 4A0B490A 3A011A52
00000440 = 2000DD05 60082304 3A044419 4807DAFB
00000450 = 48074685 48074780 B6624780 F966F001
00000460 = 0000E7FE 1FFF8000 20007000 20007000
00000470 = 0000047D 0000049D BFFEF7FF 4A064B05
J-Link>loadfile hello_world_s32k144.elf 0x00
'loadfile': Performing implicit reset & halt of MCU.
ResetTarget() start
ResetTarget() end - Took 2us
Device specific reset executed.
Downloading file [hello_world_s32k144.elf]...
J-Link: Flash download: Bank 0 @ 0x00000000: 1 range affected (8192 bytes)
J-Link: Flash download: Total: 0.205s (Prepare: 0.030s, Compare: 0.065s, Erase: 0.022s, Program & Verify: 0.072s, Restore: 0.014s)
J-Link: Flash download: Program & Verify speed: 110 KB/s
O.K.
J-Link>mem32 0x400 0x20
00000400 = FFFFFFFF FFFFFFFF FFFFFFFF FFFF7FFE
00000410 = F04FB672 F04F0100 F04F0200 F04F0300
00000420 = F04F0400 F04F0500 F04F0600 46B80700
00000430 = 46BA46B9 46BC46BB 4A0B490A 3A011A52
00000440 = 2000DD05 60082304 3A044419 4807DAFB
00000450 = 48074685 48074780 B6624780 F816F001
00000460 = 0000E7FE 1FFF8000 20007000 20007000
00000470 = 0000047D 000004B9 BFFEF7FF 23E0F04F

The test results show that with the JLinkScript approach the connection process involves no reset, so a new app can be downloaded after the backdoor unlock.
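The difference between sections 3.2 and 4.2.4 is visible only in the J-Link Commander log: whether the core was found, whether the DLL reset strategy or a connect-under-reset ran, and what the FSEC byte in the mem32 dump of 0x400 says. The following C program is an added example (not part of the original article or of Segger's software) that checks a log for exactly those lines, so a host-side script can tell whether a connect preserved the backdoor unlock. The sample logs are constructed excerpts of the logs shown on this page; the function and structure names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Summary of one J-Link Commander session, derived only from its log text. */
typedef struct {
    bool core_found;          /* "AP[0]: Core found"                                 */
    bool connect_failed;      /* "Could not connect to the target device"             */
    int  connect_under_reset; /* "Executing connect under reset" occurrences          */
    int  dll_resets;          /* "Reset: Reset device via ..." (DLL reset strategy)   */
    bool script_reset;        /* "ResetTarget() start" (JLinkScript override ran)     */
    int  fsec_first;          /* FSEC byte from the first "00000400 = ..." dump, -1 if none */
    int  fsec_last;           /* FSEC byte from the last such dump, -1 if none        */
} jlink_session_t;

static bool starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* "00000400 = W0 W1 W2 W3": FSEC lives at 0x40C, the low byte of the fourth
   little-endian word, so 0xFFFF7FBF -> 0xBF and 0xFFFF7FFE -> 0xFE. */
int fsec_from_mem32_line(const char *line)
{
    unsigned w0, w1, w2, w3;
    if (sscanf(line, "00000400 = %x %x %x %x", &w0, &w1, &w2, &w3) != 4) return -1;
    return (int)(w3 & 0xFFu);
}

/* SEC bits 1:0 of FSEC: 0b10 means unsecured, every other value means secured. */
bool sec_field_is_secure(int fsec) { return fsec >= 0 && (fsec & 3) != 2; }

jlink_session_t analyze_jlink_log(const char *log)
{
    jlink_session_t s = { false, false, 0, 0, false, -1, -1 };
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 255 ? full : 255;
        char line[256];
        memcpy(line, p, len);
        line[len] = '\0';

        if (strstr(line, "AP[0]: Core found"))               s.core_found = true;
        if (strstr(line, "Could not connect to the target")) s.connect_failed = true;
        if (strstr(line, "Executing connect under reset"))   s.connect_under_reset++;
        if (starts_with(line, "Reset: Reset device via"))    s.dll_resets++;
        if (starts_with(line, "ResetTarget() start"))        s.script_reset = true;
        if (starts_with(line, "00000400 = ")) {
            int f = fsec_from_mem32_line(line);
            if (f >= 0) { if (s.fsec_first < 0) s.fsec_first = f; s.fsec_last = f; }
        }
        p = nl ? nl + 1 : p + full;
    }
    return s;
}

/* The property section 4.2 is after: the core was reached and nothing reset the
   device on the way, so a backdoor unlock done by the app is still in effect. */
bool session_preserves_unlock(const jlink_session_t *s)
{
    return s->core_found && !s->connect_failed && s->connect_under_reset == 0 && s->dll_resets == 0;
}

/* Constructed excerpts of the three logs on this page. */
static const char LOG_LOCKED[] =               /* secured chip, any connect */
    "AP[0]: Skipped. Could not read CPUID register\n"
    "Attach to CPU failed. Executing connect under reset.\n"
    "Could not find core in Coresight setup\n"
    "Error occurred: Could not connect to the target device.\n";
static const char LOG_DEFAULT_CONNECT[] =      /* unlocked chip, no JLinkScript */
    "AP[0]: Core found\n"
    "Reset: Reset device via AIRCR.SYSRESETREQ.\n"
    "Reset: SYSRESETREQ has confused core.\n"
    "Reset: Reset device via AIRCR.VECTRESET.\n"
    "Reset: Reset device via reset pin\n"
    "Error occurred: Could not connect to the target device.\n";
static const char LOG_SCRIPT_CONNECT[] =       /* unlocked chip, ResetTarget() overridden */
    "AP[0]: Core found\n"
    "J-Link>mem32 0x400 0x20\n"
    "00000400 = BE5F8529 8A8C0403 FFFFFFFF FFFF7FBF\n"
    "J-Link>loadfile hello_world_s32k144.elf 0x00\n"
    "ResetTarget() start\n"
    "ResetTarget() end - Took 2us\n"
    "00000400 = FFFFFFFF FFFFFFFF FFFFFFFF FFFF7FFE\n";

int main(void)
{
    const char *names[] = { "locked", "default connect", "script connect" };
    const char *logs[]  = { LOG_LOCKED, LOG_DEFAULT_CONNECT, LOG_SCRIPT_CONNECT };
    for (int i = 0; i < 3; i++) {
        jlink_session_t s = analyze_jlink_log(logs[i]);
        printf("%-16s core=%d dll_resets=%d under_reset=%d script_reset=%d FSEC %02X->%02X unlock kept=%d\n",
               names[i], s.core_found, s.dll_resets, s.connect_under_reset, s.script_reset,
               s.fsec_first & 0xFF, s.fsec_last & 0xFF, session_preserves_unlock(&s));
    }
    return 0;
}
```

For the script-connect log the FSEC byte goes from 0xBF (secured, key present) to 0xFE (unsecured) across the loadfile, which is the same observation the article makes from the two mem32 dumps; the "ResetTarget() start" line shows the script's empty reset ran in place of the DLL strategy.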

5. Points to check if the backdoor key does not work

(1) The byte order (endianness) of the backdoor key must match the .s file
(2) The unlock only works if KEYEN is enabled and the chip is secured
(3) The function that issues the FLASH command must be placed in RAM
(4) The FLASH clock must not exceed 28 MHz in HSRUN mode and 26.67 MHz in RUN mode.

http://www.xdnf.cn/news/598015.html
