Electronic – Reprogramming LPC3154 at LPCxpresso

lpcxpresso

I wonder, if that's possible to load lpc3154 at LPCExpresso board with custom firmware?

I see that chip supports secure boot, so if AES key was programmed, it is impossible without knowing the key? Or are there any options to boot lpc3154 without knowing the key? (SD, flash, USB, JTAG… Anything?)

Does anyone know if key was indeed loaded?

Just buying new lpc3154 is not an option – they are not in stock here anywhere, and wait times are 4 weeks+ (and a price tag > than a price of this board)…

Best Answer

From what i gather the AES key is loaded into the chip. And also there may be a CR232 check on the firmware as well or OTP fuses set

source

Supports un-secure boot from UART and USB (DFU class) interfaces during development. Once the AES key is programmed in the OTP, only secure boot is allowed through UART and USB.

This doesn't mean it cant be hacked, if you put the time into it. I would check to see if the JTAG pins have been disabled and start from there.

some interesting statements from the user guide

7.1 Production line use case At the NXP production line the OTP will be tested and programmed using JTAG. In test mode, the fuse block itself will be accessed directly. During programming the VPP will need a higher voltage than in the application use case. Written data is checked afterwards by reading out the fuses (using a low voltage on VPP) The customer will also program the OTP only at the production line, here DFU programming will be used. An image for programming customer-selected bits can be loaded into the device via USB.

7.2 Application use case nitially it is important to make sure that the data_15 register is updated early during the initialization (by boot-code) this will set the security level. Four levels of security are implemented in the design:

• Level 0: nothing is protected.

• Level 1: password protected. In this level, JTAG can be enabled by software after password sequence (depends on customer application) by setting the sticky bit 'JTAG_EN' in OTP_con register.

• Level 2: In this level, JTAG access can be enabled using special test equipment. Used by NXP for Returned Material Analysis only.

• Level 3: JTAG is completely disabled and hence the chip is virtually locked.

The customer can program the security level of the chip. For level 1, fuse-bit 509 should be set. For level 2, fuse-bits 509 and 510 are set. For level 3, fuse-bits 509, 510 and 511 are programmed. A special case will be for the customer to disable writing to the fuses, but since in application a low voltage (for reading) will be connected to the VPP, writing will not be possible anyway. During normal application, the fuses will already have been programmed on the production line. So three options remain: copying the fuse data into the data registers, reading this data, and setting the read protection. The boot code will copy the fuse data into the data registers because this is needed for security and DRM. After this, the data can be read from the data registers via the APB0 bus (according to the read protection settings).

Edit: If the key is truly loaded, you will only be able to load custom firmware if you have the key.

Best Answer

Related Solutions

Electronic – Running a CAN sample project on LPCXpresso LPC11C24

Two MinIMU-9 v2 with LPCxpresso, or Arduino Uno/Mega

Related Topic