C2000 CSM使用方法

在TI C2000系列DSP中,CSM模块用于对给芯片进行加密,以防止未经授权的代码逆向等行为,TI在其文档中对此模块的说明如下:

The code security module (CSM) is a security feature incorporated in 28x devices. It prevents access/visibility to on-chip memory to unauthorized persons—that is, it prevents duplication/reverse engineering of proprietary code.
The word secure means access to on-chip memory is protected. The word unsecure means access to onchip secure memory is not protected — that is, the contents of the memory could be read by any means (through a debugging tool such as Code Composer Studio™, for example).

关于DSP中具体哪些部分受到CSM模块的保护,以及此模块的详细信息可参阅TI的相关文档,此处仅从使用的角度来讨论下如何对DSP芯片进行加密与解密。本文基于CCS 6.0。

密码设定

最简单的方法是直接使用controlSUITE中提供的DSP28***_CSMPasswords.asm文件,将此文件加入工程中,修改其中的密码即可。此文件的内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
.sect "csmpasswds"

.int 0xFFFF ;PWL0 (LSW of 128-bit password)
.int 0xFFFF ;PWL1
.int 0xFFFF ;PWL2
.int 0xFFFF ;PWL3
.int 0xFFFF ;PWL4
.int 0xFFFF ;PWL5
.int 0xFFFF ;PWL6
.int 0xFFFF ;PWL7 (MSW of 128-bit password)

.sect "csm_rsvd"
.loop (3F7FF5h - 3F7F80h + 1)
.int 0x0000
.endloop

对应的CMD文件中地址分配情况:

1
2
3
4
5
6
7
8
9
10
11
MEMORY
{
PAGE 0: /* Program Memory */
CSM_RSVD : origin = 0x3F7F80, length = 0x000076 /* Part of FLASHA. Program with all 0x0000 when CSM is in use. */
CSM_PWL_P0 : origin = 0x3F7FF8, length = 0x000008 /* Part of FLASHA. CSM password locations in FLASHA */
}
SECTIONS
{
csmpasswds : > CSM_PWL_P0 PAGE = 0
csm_rsvd : > CSM_RSVD PAGE = 0
}

设置密码时有一些关键点需要注意:

  1. 将128-bit全部设为1意味着不加密,即所谓的”unsecure”。
  2. 将128-bit全部设为0意味着永久加密,此时芯片不可被解密,即无法再进行编程,也无法读取其中的程序和数据。一般情况下,不要进行此设置。
  3. 如果设置了128-bit中的低64-bit(即不为全1),会触发所谓的ECSL(Emulation Code Security Logic)功能,这时如需使用仿真器下载程序,需要进行些特殊设置,下文会对此进行详细讨论。

加密后使用仿真器下载程序

如果芯片没有被加密,自然可以直接使用仿真器通过JATG正常下载程序;但如果芯片设置了密码被加密了,就需要在仿真器设置中正确填入密码才能下载程序和Debug。具体来看,分为两种情况:没有设置低64位密码与设置了低64位密码。

没有设置低64位密码

此时ECSL功能没有被触发,只要在仿真器设置中正确填入密码即可正常下载程序。以CCS v6.0及XDS100V3仿真器为例,设置界面如图所示:

图中设置的CSM密码为0xAAAABBBBCCCCDDDDFFFFFFFFFFFFFFFF
设置好后,就可以正常Debug了。

设置了低64位密码

此时情况要复杂一些,当设置了低64位密码时,DSP中的ECSL功能会被触发,关于此功能,TI文档中的说明如下:

In addition to the CSM, the emulation code security logic (ECSL) has been implemented to prevent unauthorized users from stepping through secure code. Any code or data access to flash, user OTP, L0 memory while the emulator is connected will trip the ECSL and break the emulation connection.

When initially debugging a device with the password locations in flash programmed (that is, secured), the emulator takes some time to take control of the CPU. During this time, the CPU will start running and may execute an instruction that performs an access to a protected ECSL area. If this happens, the ECSL will trip and cause the emulator connection to be cut.

简而言之,当ECSL功能有效时,会强制切断仿真器与器件间的JTAG连接,导致连接失败。此时,就算是按之前的步骤正确设置了密码也是无法下载程序的。点击Debug按钮后会出现如下错误提示:

C28xx: Error connecting to the target: (Error -1015 @ 0x0) Device is not responding to the request. Device may be locked, or the emulator connection may be unreliable. Unlock the device if possible (e.g. use wait in reset mode, and power-cycle the board). If error persists, confirm configuration and/or try more reliable JTAG settings (e.g. lower TCLK). (Emulation package 5.1.450.0)

此错误提示与密码错误时的提示是不一样的,密码错误时的提示如下:

C28xx: Flash Programmer: Device is locked or not connected. Operation cancelled.
C28xx: Error Writing Flash @ Address 0x003F74C6 of Length 0x00000016 (page 0)
C28xx: GEL: File: D:\Forklift\MS8000V10\Project\Release\MS8000V10.out: Load failed.

同时会有一个对话框提示:

TI的文档中也给出了此问题的解决办法:

  1. The first is to use the Wait-In-Reset emulation mode, which will hold the device in reset until the emulator takes control. The emulator must support this mode for this option.
  2. The second option is to use the “Branch to check boot mode” boot option. This will sit in a loop and continuously poll the boot mode select pins. You can select this boot mode and then exit this mode once the emulator is connected by re-mapping the PC to another address or by changing the boot mode selection pin to the desired boot mode.

简而言之,第一种方法是保持器件处于复位状态直至仿真器接管器件,这需要仿真器与器件的支持;第二种方法是通过BOOT引脚的配置,使得DSP进入一个所谓的”Branch to check boot mode”,然后再连接仿真器。
我使用的XDS100v3仿真器并不支持第一种方法,在仿真器设置中”Halt the target on a connect”一项是不可选的,如图所示:

此时只能采用第二种方法,然而第二种方法中的”Branch to check boot mode”具体指什么文档中并没有很明确的指出来。不过TI的Wiki Page上给出了正确的操作方法:

Q: Why does Code Composer Studio give me an emulator error when I try to connect to my locked device?

On devices with ECSL protection which do not support hardware wait-in-reset mode (such as the Piccolo devices), if the device is locked:
When the device is powered up, the CPU will start running and may execute an instruction that performs an access to an ECSL protected area. If this happens, the ECSL will trip and cause the emulator connection to be cut. To resolve this:

  1. Disconnect your emulator.
  2. Set your boot pins for “WAIT” boot mode. Note: on 2833x/2823x this is documented as the “loop to check” boot mode.
  3. Reset your device.
  4. Reconnect your emulator.
    At this point you should be able to proceed and unlock your device.

简而言之,对于2803x系列单片机来说,需要使DSP先复位进入Wait模式后再连接仿真器就可以顺利下载程序了。至于如何进入Wait模式,在器件参考手册中可以查到,以28031为例,上电时将GPIO34拉低即可(GPIO34默认情况下有内部上拉):

实际测试表明,这样设置后就可以通过仿真器正常下载程序并进行Debug了。

文章目录
  1. 1. 密码设定
  2. 2. 加密后使用仿真器下载程序
    1. 2.1. 没有设置低64位密码
    2. 2.2. 设置了低64位密码