Friday, October 20th 2017, 11:16pm UTC+2

You are not logged in.

  • Login
  • Register

Dear visitor, welcome to SEGGER Forum. If this is your first visit here, please read the Help. It explains how this page works. You must be registered before you can use all the page's features. Please use the registration form, to register here or read more information about the registration process. If you are already registered, please login here.

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

1

Tuesday, May 12th 2015, 10:07am

JLink on unsecure and erase Kinetis FLASH

Dears,

I would like to ask you for advice on your JLink tools. I am
trying to do FLASH erase on my secure Kinetis MKV31F512xxx12 device.

I would like to use J-link for this. Unfortunately I can’t
erase it due to device is secured. I do the following with JLink commander:

J-Link>device MKV31F512xxx12
Info: Device "MKV31F512XXX12" selected (512 KB
flash, 96 KB RAM).
Reconnecting to target...
Info: TotalIRLen = 4, IRPrint = 0x01
Info: TotalIRLen = 4, IRPrint = 0x01
Info: Found Cortex-M4 r0p1, Little endian.
Info: FPUnit: 6 code (BP) slots and 2 literal slots
Info: TPIU fitted.


J-Link>unlock Kinetis
Found SWD-DP with ID 0x2BA01477
Unlocking device…O.K.


J-Link>erase
Erasing device (MKV31F512xxx12)…
****** Error: Failed to erase
sectors 8 @ address 0x00004000 (Algo135: Flash protection violation. Flash is
write-protected.)

Info: J-Link: Flash download: Total
time needed: 1.155s (Prepare: 0.689s, Compare: 0.000s, Erase: 0.067s, Program:
0.000s, Verify: 0.000s, Restore: 0.398s)

ERROR: Erase returned with error
code -5.


Is there a way to unlock secured device and erase it?

Thanks for your advice.

Regards,
Peter

SEGGER - Erik

Super Moderator

Date of registration: Dec 20th 2011

Posts: 387

2

Tuesday, May 12th 2015, 12:16pm

Hi,

The Freescale Kinetis device series has two different protection mechanisms.
a) Flash security byte (FSEC), located at offset 0x40C in the internal flash memory. This byte allows to set flash security, mass erase enable bit, etc...
b) Program Flash Protection (FPROT), located at offset 0x408-0x40B in the internal flash memory. They allow to protect up to 32 regions in flash from erase / write accesses.

The unlock Kinetis command in J-Link Commander handles protection mechanism a). J-Link Commander checks if system security is set and if so, it tries to clear it. In your case, it seems so that the program flash protection is set of the sector, located at 0x00004000 and therefore programming / erasing fails. Clearing the program flash protection bytes should suffice to be able to mass erase the device.

Can you please read back the flash configuration field which includes the FPROT bytes?
This can be done in J-Link Commander as follows:
mem 400 10

- Erik

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

3

Tuesday, May 12th 2015, 12:22pm

J-Link>mem 400 10
00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FE FF FF FF
J-Link>

SEGGER - Erik

Super Moderator

Date of registration: Dec 20th 2011

Posts: 387

4

Tuesday, May 12th 2015, 1:35pm

That's strange. The flash protection violation error is reported if the "Flash Protection Violation Flag" in the FTFA_FSTAT register is set after triggering erase operation. Regarding to the description, this flag is set when a program / erase attempt was made to a protected flash area only. This would confirm my assumption that the flash area at 0x4000 is protected but according to the FPROT bytes (addr 0x408-0x40B ), it is not.

Can you please power-on-reset your target, start J-Link Commander with the command line arguments below, execute the steps and provide a screenshot of the entire output?:

JLink.exe -device MKV31F512xxx12 -speed 4000
r
mem 400 10
erase
mem 400 10

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

5

Tuesday, May 12th 2015, 1:58pm

executed as you suggested, screenshot attached
peter_cz has attached the following image:
  • cmd_segger.png

SEGGER - Erik

Super Moderator

Date of registration: Dec 20th 2011

Posts: 387

6

Tuesday, May 12th 2015, 2:39pm

Can you please check if flash download is working with either of the two images in the attached *.zip?

JLink.exe -device MKV31F512xxx12 -speed 4000
r
loadfile <EXTRACT_DIR>\Full_Flash_ExpectLockRegion1_TestData.mot
r
loadfile <EXTRACT_DIR>\Full_Flash_TestData.mot

Please send a screenshot again. So far it seems to me that the flash is somehow broken. Do you have the opportunity to check functionality on another device?
SEGGER - Erik has attached the following file:
  • TestImages.zip (430.88 kB - 326 times downloaded - Last download: Today, 4:08pm)

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

7

Tuesday, May 12th 2015, 3:02pm

for sure I know there is a protected area somewhere - I would like to get rid of that protected code to be able re-program device... Device is not broken but programmed with some protected area somewhere .... try it to erase all flash
peter_cz has attached the following image:
  • cmd_segger.png

SEGGER - Erik

Super Moderator

Date of registration: Dec 20th 2011

Posts: 387

8

Wednesday, May 13th 2015, 5:51pm

Quoted

for sure I know there is a protected area somewhere - I would like to get rid of that protected code to be able re-program device
As I previously described: The flash program protection is located in the first flash sector at offset 0x0408 - 0x040B. According to the read back data from this memory region, the flash protection is not set for any region. Therefore, it seems to me that the flash region 1 (0x00004000 - 0x00007FFF) is broken. The screenshots, confirms that programming all regions, expect of region 1, works just fine.

Quoted

Device is not broken but programmed with some protected area somewhere
Neither the flash protection, nor the system security is set.

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

9

Wednesday, May 13th 2015, 6:33pm

Erik,

I have other 2 devices which were programmed the same way as the one which seems to be broken. I gonna test them, unsecure them and mass erase them.
Erik, do you have something in mind or what steps you may suggest to take before mass erase to find out if device is OK and protected or broken?

This thread it's great help to me.


Thank you very much for your time.

Best regards,
Peter

SEGGER - Erik

Super Moderator

Date of registration: Dec 20th 2011

Posts: 387

10

Tuesday, May 19th 2015, 6:26pm

Hi Peter,

In general, when the system security is not set (flash can be read out), the program flash protection as well as the system security can be determined by reading out the memory at 0x400 (Flash Configuration Field). This can be done by using J-Link Commander and the "mem 400 10" command. For further information regarding the meaning of the values of the flash configuration field, please refer to the Freescale KV reference manual.

In case, the system security is set and therefore the debugger does not have access to the system bus or any other memory mapped peripherals, the system security can be determined through AP[1] (MDM-AP) bank 0. Using the AP/DP access, the MDMAP_REG_STAT can be read out which contains different system information (e.g. system security, mass erase enable, etc...). For further information regarding this, please refer to the "Debug" -> "JTAG status and control registers" chapter in the Freescale KV RM.


- Erik

peter_cz

Beginner

Date of registration: May 12th 2015

Posts: 8

11

Thursday, May 21st 2015, 9:48am

Erik,

I guess I found issue on my device. The XACC (program once) bits are set. The XACC registers mark the regions as execute-only; it means it is truly program once and cannot be erased even by a mass erase. The execute-only marking cannot be removed by any means.

So question is when using IAR IDE+JLink to program/debug device how to set it to avoid this region?

Now I am just getting an error

The flash loader program reported an error.

an IAR download got frozen when I use OpenSDAv2_1.

Thank you very much for your support.

Best regards,
Peter

SEGGER - Alex

Super Moderator

Date of registration: Dec 18th 2007

Posts: 1,514

12

Friday, May 22nd 2015, 9:46pm

Hi Peter,

Quoted

So question is when using IAR IDE+JLink to program/debug device how to set it to avoid this region?


J-Link does *not* write this region.
If it is written, it is done by your application.
The IFR area that holds the XACC bits is not even memory mapped visible.


Best regards
Alex

Tilak

Beginner

Date of registration: Feb 14th 2017

Posts: 1

13

Tuesday, February 14th 2017, 3:21pm

Protection Byte is set by J-Link

Dear Alex,

In this thread, JLink on unsecure and erase Kinetis FLASH
You mention:
"J-Link does *not* write this region.
If it is written, it is done by your application."

Our production programming team has performed "Erase chip". This has resulted in the kinetics MK64FN1M0VLL12 locking up. We have a a whole bunch of PCBs with this problem.

I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!

It would be great if you can help us how to solve this problem and revive a complete batch of PCBs with this problem.

Thanks,
Tilak
ps: Using J-Flash V6.12a

SEGGER - Alex

Super Moderator

Date of registration: Dec 18th 2007

Posts: 1,514

14

Tuesday, February 14th 2017, 4:07pm

Hi,

Quoted

I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!

Does not make sense...
If you do a chip erase, all bytes in the internal flash will be set to 0xFF.
Please note that the readout protection at 0x40C is defined as: 0xFF == device is read protected. This is a specification that comes from the Kinetis device.
However, J-Link is able to recover a device that has all bytes (including the readout protection) erased (0xFF).
For the Kinetis series it is recommended to not perform a chip erase + reset before programming new data.
It should be:
Reset
Erase
Program
Reset
to avoid any "read protected device detected" messages.


- Alex

sm4thi

Beginner

Date of registration: Feb 15th 2017

Posts: 1

Location: Sweden

Occupation: HW/SW developer

15

Wednesday, February 15th 2017, 2:33pm

locked MCU after chip erase

Hi,

Quoted

I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!


Does not make sense...
If you do a chip erase, all bytes in the internal flash will be set to 0xFF.
Please note that the readout protection at 0x40C is defined as: 0xFF == device is read protected. This is a specification that comes from the Kinetis device.
However, J-Link is able to recover a device that has all bytes (including the readout protection) erased (0xFF).
For the Kinetis series it is recommended to not perform a chip erase + reset before programming new data.
It should be:
Reset
Erase
Program
Reset
to avoid any "read protected device detected" messages.


- Alex
Hi Alex,
I have the same problem as Tilak, after I have done 'erase chip' with JFlash. I'm not able to connect afterwards.
I tried JLink Commander and could not connect when I tried.
-Hans