
winIDEA Help

Version: 9.21.244

NXP S32: Unlocking secure debug on S32G2/3xx and S32R45x

In this topic:

Introduction

Requirements

Unlock password protected devices

Unlock Challenge/Response protected devices

 

 

Introduction

This topic describes how to perform secure debugging with Password and Challenge/Response authentication methods on NXP S32G2/3xx and S32R45x devices in winIDEA.

 

Password authentication and Challenge/Response authentication are secure debug modes which prevent unauthorized debug access to the SoC by requiring the correct credentials to authenticate the debugger at the start of the debug session. Once successfully authenticated, the SoC remains unsecured until a power-on-reset or a similarly destructive reset occurs.

 

SoCs that are secured by Password authentication require the BlueBox to provide a password to the SoC to unlock any further debug access. winIDEA provides an EVE script that automatically performs the necessary authentication on the start of every debug session.

 

If your SoC is secured by Challenge/Response authentication, you must first register your SoC using its UID (unique identifier) together with an Application Debug Key/Password (ADKP). NXP provides a software tool (Volkano) through which you can register your SoC; it also performs the key wrapping that allows the device registration to be stored securely on either a PC or an NXP smartcard without revealing the original ADKP. Unlike with Password authentication, the ADKP is not provided directly to the SoC. Instead, the SoC provides a random Challenge value, to which the debugger responds with a Response value that Volkano calculates from the UID, the ADKP and the Challenge value.

 

Once the SoC and ADKP are registered, authentication at the start of every debug session can be automatically performed in winIDEA using an EVE script.
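
The exchange described above, modelled from both sides as an added example (not winIDEA, EVE or Volkano code). The response derivation is a stand-in, HMAC-SHA256 keyed with the ADKP, because this topic does not describe the real computation; the class and function names are hypothetical, and the UID and ADKP are the example values shown in this topic.

```python
import hashlib
import hmac
import secrets

def compute_response(uid: bytes, adkp: bytes, challenge: bytes) -> bytes:
    # Stand-in derivation (assumption): HMAC-SHA256 keyed with the ADKP.
    # The real NXP/Volkano computation is not described in this topic.
    return hmac.new(adkp, uid + challenge, hashlib.sha256).digest()

class SoC:
    """Device side: knows its UID and ADKP, issues single-use challenges."""
    def __init__(self, uid: bytes, adkp: bytes):
        self.uid, self._adkp = uid, adkp
        self._pending, self.debug_unlocked = None, False

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)   # fresh random value each time
        return self._pending

    def verify(self, response: bytes) -> bool:
        ok = self._pending is not None and hmac.compare_digest(
            compute_response(self.uid, self._adkp, self._pending), response)
        self._pending = None                      # a challenge is never accepted twice
        self.debug_unlocked = self.debug_unlocked or ok
        return ok

    def power_on_reset(self) -> None:
        self._pending, self.debug_unlocked = None, False   # device locks again

class Authenticator:
    """Debugger side: holds UID -> ADKP registrations (Volkano's role here)."""
    def __init__(self, registrations: dict):
        self._registry = dict(registrations)

    def respond(self, uid: bytes, challenge: bytes) -> bytes:
        if uid not in self._registry:
            raise KeyError("UID is not registered")
        return compute_response(uid, self._registry[uid], challenge)

def run_session():
    uid = bytes.fromhex("8AAA63550B301511")                    # UID example from this topic
    adkp = bytes.fromhex("50617373776F72642D30322D32303230")   # ADKP example from this topic
    soc, auth = SoC(uid, adkp), Authenticator({uid: adkp})
    captured = auth.respond(uid, soc.new_challenge())
    accepted = soc.verify(captured)      # True: response matches the live challenge
    soc.power_on_reset()
    soc.new_challenge()
    replayed = soc.verify(captured)      # False: old response against a new challenge
    return accepted, replayed, soc.debug_unlocked
```

Only the challenge and the response cross the debug port, so a response recorded in one session does not unlock the device after the next reset.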

 

 

Requirements

winIDEA 9.21.48 or newer

BlueBox iC5700, iC5000

ARM HSSTP II Active Probe or CoreSight Debug Adapter

 

 

Unlock password protected devices

When the secure debug of your SoC is configured as password protected, the BlueBox must authenticate itself with a password before it can proceed with the debug session. Perform the following steps to configure winIDEA for automatic password authentication. Note that this example is based on the S32Gxx device.

 

1. Add a custom script in Hardware / CPU Options / Reset / Initialization before Programming.

2. Set Parameters for S32G2xx_ConnectToSecuredSoC.cpp.

Make sure that the Protection value is set to Password and specify the password (a 16 byte hex string) that is provided by NXP. Make sure a space separates each byte value.

3. Enable Same as Programming in Initialization before Debug session - Connect.

4. Perform Download.

The EVE script will handle the password authentication in the background on every new debug session.

 

 

Unlock Challenge/Response protected devices

When the secure debug of your SoC is configured as Challenge/Response, debug access to your SoC is locked until a valid Response value is received in reply to the SoC’s Challenge value.

Volkano is a software package provided by NXP for computing this secure debug Response value. To do so, your SoC must be registered to Volkano with its UID (unique ID) and ADKP key. The SoC registrations can be securely stored either on your PC or on an NXP smartcard (S32 Debug Entry Authenticator).

 

To use Challenge/Response in winIDEA the following steps need to be performed:

1. Obtain SoC UID (unique ID)

2. Volkano configuration

3. winIDEA configuration

 

 

Obtain SoC UID (unique ID)

Before the SoC can be registered to Volkano you need to obtain its UID (Unique ID). In winIDEA perform the following steps to read the UID from your SoC:

1. Select Debug / Prepare to Attach.

The target device/SoC should be connected and powered.

2. Navigate to Help / Support / Log and enable (27) EVE logging.

3. Select Hardware / Scripts / Read UID.

After execution of this script, the UID of the SoC is displayed in the Progress window.

 

I 01B : ----------------------------------
I 01B : NXP S32G2xx Read UID started.
I 01B : Releasing reset signals
I 01B : Reading UID
I 01B : UID      : 8AAA63550B301511
I 01B : NXP S32G2xx Read UID completed.
I 01B : ----------------------------------

 

 

Volkano configuration

The following steps guide you through the procedure to initialize Volkano and to register your SoC.

 

1. Run the command prompt and navigate to the Volkano folder.

Volkano is located in the folder NXP/SDAF_1.0.0 within your winIDEA installation folder.

Note: If you are using an authentication smartcard, make sure that your card reader is recognized by Windows and that the smartcard is properly inserted.

2. Generate the wrapping keys by entering the following command.

volkano -cmd generate_wrapkey

3. (optional) Provide a user password.

If you are using an authenticator smartcard, you are now required to provide a user password. Skip this step if you are not using the authentication smartcard.

volkano -cmd update_pwd <your_password>

Note: The password can only be set when using the authenticator smartcard. Once set, you will need to authenticate yourself with this password for every other command in the volkano.exe API using the -pw option.

For example: volkano -cmd discover -pw <your_password>.

4. Export the public part of the wrapping key to a binary file.

volkano -cmd export_wrapkey

5. Now wrap the ADKP value.

Wrap the ADKP value (Application Debug Key/Password) belonging to your SoC with the public key that you generated in the previous steps. The ADKP value (a 16 byte hex string) for your SoC is provided by NXP.

Example: “50617373776F72642D30322D32303230”

volkano_utils -cmd wrap_adkp -adkp <ADKP value> -keybin wrap_key.bin

6. Register the UID.

Now that the wrapped key is generated, you can register the UID. Enter the UID value of the SoC you want to debug and provide the key that was generated in the previous step. UID string example: “8AAA63550B301511”

volkano -cmd register_adkp -uid <UID value> -key <ADKP wrapped with the wrapping key>

You can now easily register more UIDs by changing only the UID value in the same command.

7. To make sure that your SoC is successfully registered, you can type the following command.

volkano -cmd discover
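
The values handled in this topic come in two notations: the Password parameter of the EVE script expects a space between byte values, while the ADKP example passed to wrap_adkp is written contiguously, and the UID has to be copied out of the Read UID log. The helper below is an added example (not part of winIDEA or Volkano) that extracts the UID from the log and checks and converts a 16 byte key before it is typed in. All function names are hypothetical, and the 16 hex digit UID length is an assumption taken from the UID example in this topic.

```python
import re

UID_LINE = re.compile(r"\bUID\s*:\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)

def extract_uid(log_text: str) -> str:
    """Pull the UID out of Read UID log output; refuse ambiguous logs."""
    found = UID_LINE.findall(log_text)
    if len(found) != 1:
        raise ValueError(f"expected one UID line, found {len(found)}")
    uid = found[0].upper()
    if len(uid) != 16:      # assumption: 16 hex digits, as in this topic's example
        raise ValueError("UID is not 16 hex digits")
    return uid

def parse_key16(text: str) -> bytes:
    """Accept a 16 byte key as '50 61 ...' or '5061...'; never echo it in errors."""
    tokens = text.split()
    if len(tokens) > 1 and any(len(t) != 2 for t in tokens):
        raise ValueError("spaced form must use exactly two hex digits per byte")
    compact = "".join(tokens)
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", compact):
        raise ValueError("key must be exactly 16 bytes (32 hex digits)")
    return bytes.fromhex(compact)

def winidea_password(key: bytes) -> str:
    """Form for the script's Password parameter: a space between byte values."""
    return " ".join(f"{b:02X}" for b in key)

def volkano_adkp(key: bytes) -> str:
    """Contiguous form, as in the ADKP example passed to wrap_adkp."""
    return key.hex().upper()

# Read UID output as shown in the Progress window in this topic.
SAMPLE_LOG = """\
I 01B : NXP S32G2xx Read UID started.
I 01B : Reading UID
I 01B : UID      : 8AAA63550B301511
I 01B : NXP S32G2xx Read UID completed.
"""

if __name__ == "__main__":
    key = parse_key16("50617373776F72642D30322D32303230")   # ADKP example from this topic
    print(extract_uid(SAMPLE_LOG), winidea_password(key), sep="\n")
```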

 

 

winIDEA configuration

To use the EVE script, which automatically performs the authentication on every debug session, follow the steps below. The example is based on the S32Gxx device.

1. Follow steps 1 - 4 from the previous configuration (Unlock password protected devices) and change the Protection value to Challenge_Response.

2. (optional) If the device registrations are stored on an authentication smartcard, also enter the Password value. Otherwise leave the value as the default \0.

3. In Hardware / CPU Options, make sure that Same as Programming in Initialization before Debug session is enabled.

4. Perform Download.

The EVE script will handle the Challenge/Response authentication in the background on every new debug session. In the Progress window you can observe the authentication procedure. Note that the output of the authentication procedure is only shown if EVE logging was previously enabled.

Copyright © 2024 TASKING Germany GmbH