
winIDEA Help

Version: 9.21.363

Update NXP S32K3xx HSE Firmware

In this topic:

HSE FW operations

Enable HSE FW

Install HSE FW

Update HSE FW

SBAF Update

Activate passive block

Check FW status

Configuration steps

Additional resources

 

 

Introduction

This topic provides step-by-step instructions for updating the Hardware Security Engine Firmware (HSE FW) on NXP S32K3xx devices and enabling security features. It covers key operations such as firmware installation, updates, and status verification. For additional technical details, refer to the NXP documentation listed in the Additional resources.

 

Requirements

winIDEA version 9.21.322 or newer

winIDEA Pro license

HSE Firmware and software package provided by NXP

 

 

HSE FW operations

HSE FW update offers the following operations for the activation of security features:

Enable HSE FW

Install HSE FW

Update HSE FW

SBAF Update

Activate passive block

Check FW status

 


 

 

Enable HSE FW

You can enable HSE FW usage for the application by programming an 8-byte HSE FW feature flag at address 0x1B000000. This UTEST field is one-time programmable. By default, the value is unprogrammed: the HSE FW cannot be installed in the system, and the application does not intend to use HSE FW on the device.

 

If the UTEST is modified:

1. The application informs SBAF that it wants to use HSE FW on the device.

2. The HSE FW update software checks whether the HSE FW feature flag is already programmed in the UTEST; if not, it writes the value 0xAABBCCDDDDCCBBAA at 0x1B000000.

3. HSE FW is enabled and further operations can be performed.

 


 

 

Install HSE FW

The HSE FW installation is a one-time process and once HSE FW is in the system, it can only be updated further. For more information, refer to the HSE Firmware Reference Manual.

If the installed HSE FW is AB SWAP (OTA Enabled), any further update with FULL MEM (OTA Disabled) will not be possible anymore.

HSE FW update supports two ways of HSE FW installation:

HSE FW installation with IVT

HSE FW installation without IVT

 

HSE FW installation with IVT

The Full Mem HSE FW image and AB SWAP HSE FW image should have a header marker value of 0xDA and 0xDB respectively. In the demo application, the script programs:

IVT to address 0x00400000

Full Mem or AB SWAP HSE FW pink image at 0x00422000

Demo app image at 0x00402000

Secure boot app image along with app header at location 0x00451FC0

After programming the mentioned files, the functional reset is issued and SBAF installs the HSE FW.

 

 

HSE FW installation without IVT

In this case, either FULL MEM or AB SWAP HSE FW pink image is flashed at BLOCK 0 of location 0x00400000 and no IVT is present in code flash. The demo application and Secure boot app images are loaded to the same addresses as in installation with IVT.

After programming the files, the functional reset is issued and SBAF will install the HSE FW.

 


 

After installing the firmware, you can check the install status and installed version by selecting the Check FW status operation.

 

 

Update HSE FW

Once you have installed the HSE FW in the device, reinstallation is not allowed. A new HSE FW version can only be applied through the FW update process.

 

You can select between two updating options (Data transfer mode):

One Shot Mechanism - Requires the entire encrypted image of HSE FW delivered by NXP to be programmed in application memory. The firmware update is requested once by the application and the complete firmware update takes place at once.

Streaming Mode Mechanism - Requires only a chunk of the firmware image to be present in application memory. The application passes the chunk size when it requests the firmware update service. Streaming mode runs in 3 stages: init, update and finish. The Init and Finish commands are called only once, while the update can be called repeatedly, depending on the size of the firmware (refer to the demo app code for more information). The firmware update completes only after the finish is requested from the firmware.

 

HSE FW can be updated for 3 different configurations:

FULL MEM (OTA Disabled) to FULL MEM (OTA Disabled)

FULL MEM (OTA Disabled) to AB SWAP (OTA Enabled)

AB SWAP (OTA Enabled) to AB SWAP (OTA Enabled)

 

In the FULL MEM configuration, the entire Flash memory is seen as one continuous memory block.

 

In the AB SWAP configuration the Flash memory splits into two blocks of equal size:

Active block

Passive block

 

When the Flash configuration is set to AB_SWAP, it is not possible to go back to the FULL_MEM configuration. Hence, only an AB_SWAP HSE Firmware image can be used in this configuration.

 

You can distinguish between FULL MEM configuration and AB SWAP configuration firmware from the first byte of HSE Firmware image:

0xDA - FULL MEM HSE Firmware configuration

0xDB - AB SWAP HSE Firmware configuration

 


 

 

You have to select the demo application folder and the correct HSE FW pink file.

 


 

 

Update troubleshooting

If the update fails, check that:

The HSE FW is enabled - the 8 bytes of UTEST must be different from 0xFF.

  - If not enabled, execute the Enable HSE FW operation.

You are not updating from OTA Enabled to OTA Disabled firmware.

SBAF is updated to the correct version.

  - If not, update to the correct version with SBAF Update.
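
The image-marker rule and the first two troubleshooting checks above, as an added offline example (not part of winIDEA, S32K3xx_HSE_FW_Update.py or the NXP demo application). The function names are hypothetical, and the caller is assumed to supply the 8 UTEST bytes read from 0x1B000000, the currently installed configuration and the pink image bytes; the sample images are constructed, not real firmware.

```python
# Added example: offline pre-flight checks before an HSE FW update.
# All names are hypothetical; values come from this help topic.

UTEST_HSE_FLAG_VALUE = bytes.fromhex("AABBCCDDDDCCBBAA")  # written by Enable HSE FW
UTEST_UNPROGRAMMED = b"\xFF" * 8                          # default, not enabled

# First byte of the HSE FW pink image -> flash configuration.
HEADER_MARKERS = {0xDA: "FULL_MEM", 0xDB: "AB_SWAP"}

# Update paths listed in this topic; AB_SWAP -> FULL_MEM is not among them.
ALLOWED_UPDATES = {
    ("FULL_MEM", "FULL_MEM"),
    ("FULL_MEM", "AB_SWAP"),
    ("AB_SWAP", "AB_SWAP"),
}


def image_config(image: bytes) -> str:
    """Return 'FULL_MEM' or 'AB_SWAP' based on the image's first byte."""
    if not image:
        raise ValueError("empty image")
    if image[0] not in HEADER_MARKERS:
        raise ValueError(f"unknown header marker 0x{image[0]:02X}")
    return HEADER_MARKERS[image[0]]


def hse_fw_enabled(utest_flag: bytes) -> bool:
    """Enabled means the 8-byte UTEST flag is no longer all 0xFF."""
    if len(utest_flag) != 8:
        raise ValueError("UTEST HSE FW feature flag must be 8 bytes")
    return utest_flag != UTEST_UNPROGRAMMED


def preflight(installed_config: str, image: bytes, utest_flag: bytes) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if not hse_fw_enabled(utest_flag):
        problems.append("HSE FW not enabled: run Enable HSE FW first")
    try:
        target = image_config(image)
    except ValueError as exc:
        return problems + [str(exc)]
    if (installed_config, target) not in ALLOWED_UPDATES:
        problems.append(f"update {installed_config} -> {target} is not possible")
    return problems


# Constructed sample inputs (marker byte plus zero padding, not real firmware).
SAMPLE_FULL_MEM = bytes([0xDA]) + bytes(15)
SAMPLE_AB_SWAP = bytes([0xDB]) + bytes(15)
```

The SBAF version check from the same list is left out because this topic does not describe the version format.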

 

 

SBAF Update

HSE FW update offers an option to update the Secure-BAF (SBAF) on the device. You need to select the correct SBAF pink image file that you want to program. If you try to update SBAF to the same version, the operation will fail.

 

Note: You can check the SBAF version at address 0x4039c020 or via the Check FW status operation.

 


 

 

Activate passive block

In AB SWAP configuration the Flash memory splits into two blocks of equal size (Active block and Passive block). HSE FW offers the option to activate the passive block. Please refer to the device reference manual for more details.

 


 

 

Check FW status

HSE FW update offers an operation to check the firmware currently installed on the device. Additionally, it checks and prints the SBAF version.

 


 

 

Configuration steps

Follow these steps for HSE FW update to activate security features on NXP S32K3xx devices.

 

1. Open a winIDEA Workspace with S32K3xx device selected.

This will be needed by HSE FW update to connect to the target.

2. Press F6 (or Tools | Run Script) and select S32K3xx_HSE_FW_Update.py.

The script can be found in your C:\ISYSTEM_TEMP\JP30_SFR_<winIDEA version>\ARM folder. This will open the GUI with control over the HSE FW operations.

3. Select the desired operation in the HSE FW update GUI.

The Data transfer mode and Streaming size configurations are needed only with the Update HSE FW operation.

4. Add the path to the demo application folder.

For example, C:/NXP/HSE_DEMOAPP_S32K3XX_0_2_1_0.

5. Select the correct pink file.

Select the HSE FW pink image you want to install (not for SBAF Update operation); for example, C:/NXP/HSE_FW_S32K3XX_0_2_1_0/hse_full_mem/hse/bin/s32k3x4_hse_fw_0.5.0_2.1.0_pb220625.bin.pink.

If the operation is SBAF Update, add the SBAF pink image; for example, C:/NXP/HSE_FW_S32K3XX_0_2_1_0/hse_full_mem/sbaf/bin/s32k3x4_Secure_Baf_0.5.0_0.10.0_pb220428.bin.pink.

6. Click OK to start the operation.

The log window can be used to track operation execution.

 

 

Additional resources

The following documentation can be found in the DEMO_APP and HSE_FW folders provided by NXP:

Demo application readme file in e.g., HSE_S32K3x4\HSE_DEMOAPP_S32K3XX_0_2_1_0

  - HSE_DEMOAPP_S32K3XX_0_2_1_0_ReadMe.pdf

HSE Firmware Release notes in e.g., HSE_S32K3x4

  - HSE_FW_S32K3XX_0_2_1_0_ReleaseNotes.pdf

HSE Service API Reference Manual in e.g., HSE_S32K3x4\HSE_FW_S32K3XX_0_2_1_0\docs

  - S32K3X4_HSE_Service_API_Reference_Manual.pdf

 

 

Copyright © 2025 TASKING