Changes

CW308T-CEC1702

4,468 bytes added, 20:15, 4 April 2018
no edit summary
|Hardware Crypto = AES, SHA, RSA
|Purchase Hardware =
|Supported Applications = [http://wiki.newae.com/SimpleSerial SimpleSerial AES], others possible
|Programmer = Generic SPI Flash Programmer
|Status = In Development
|}
== Hardware Cryptography<sup><ref name=":0" /></sup> ==
==== Multi-purpose AES Cryptographic Engine ====
- Monotonic Counter  
== Programming Process Firmware ==Programming The firmware provided with Chipwhisperer (or its own repo) is designed to work with the target involves writing an image into [http://www.mikroe.com/mikroc/arm MikroC PRO for ARM IDE]. This IDE supports the SPI flash chipmany peripherals of the CEC1702, including the process is detailed belowhardware security features and comes with extensive libraries and example code. The board layout has been designed to be compatible with many of the provided examples, while some others can be easily modified to work with the CW308T-CEC1702. After the binaries have been created, they can either be loaded into SPI Flash or directly into RAM via JTAG.
==== 1) Writing Creating and Modifying Code Examples ====The [httpfollowing notes may prove useful when using mikroC examples or creating your own://www* Any example which uses UART1 needs to be changed to use UART0 by changing the UART1_* functions to UART0_*.mikroe.com/mikroc/arm MikroC PRO * The plain text and encrypted text buffers need to be 16 byte aligned for ARM IDE] supports programming of the CEC1702 and comes with extensive libraries and example code's DMA to function properly. The CW308T-CEC1702 shares If the same SPI configuration as all development boards currently on aes_crypt() call fails or the market so is largely compatible with code developed on encryption never completes, this may be the platformcause. The IDE allows See simpleserial_base.c or mikroC PRO's AES examples for editing code in both C and ASMexamples of this.* All variable declarations need to be done at the beginning of functions, before any variables are modified or functions are called.==== 2) Building * The mikroC compiler may have strange sizes for integer constants, meaning changing 4 8 bit numbers into a Valid SPI Image ====32 bit number via bitshifts may not work as intended. Instead, using memcpy() may prove easier and more reliable.A special image * When using mikroC's "Clean Project Folder", ensure that .mcpar files are not selected, as this will cause the project file must be generated to be compatible deleted.* The port base for use with the CEC1702 Boot sequenceGPIO library is actually GPIO_PORT_xxx_xxx, not _GPIO_PORT_xxx_xxx. The MikroC IDE Additionally, this is capable not a pointer, meaning the address of building this image automatically but some settings must variable needs to be configured before running a buildpassed to the gpio functions* There are no GPIO library functions to write or read from pins. Instead, use GPIO_OUTPUT_xxx_xxx.Bn/GPIO_INPUT_xxx_xxx.Bn for bit n of pin range xxx-xxx.
==== Compilation Settings ====
'''Project > Edit Project'''
Select CEC1702 in the MCU Name dropbox, change the MCU Clock Frequency to 48MHz.
 
If you want to program and run off of the SPI flash, additional configuration is needed:
'''> General Output Settings ...'''
'''Build > Build'''
The messages dialog should indicate a successful build, and the image binary (PROJECTNAME_img.bin) and hex (PROJECTNAME.hex) can now be found in the project output folder. To confirm correct build settings, check the image binary using your SPI flash software or a HEX editor. The image binary should begin with the 8 bytes '''01 00 00 3E 01 00 00 3E''' at offset 000000, and the rest of the program should begin at offset 000100.
==== 3) Erasing, Loading, and Verifying Programming the SPI Flash ==Device ==The [httpCEC1702 supports loading code in two ways://ww1.microchip.com/downloads/en/DeviceDoc/20005262C.pdf SST26VF016B] from external flash chip can be programmed by an SPI programmer attached to the SPI pins of the CW308. Attach a jumper to J8 on the CW308, pulling nRST to GND. Ensure both the target memory into RAM and your SPI programmer are powered. PDIC must be driven high during the programming process to enable communication through the buffer chipdirectly into RAM over JTAG.
==== Programming the SPI Flash ====The [http://ww1.microchip.com/downloads/en/DeviceDoc/20005262C.pdf SST26VF016B] flash chip on the target board can be programmed by an SPI programmer attached to the SPI pins of the CW308. To program the chip, the nRST chip must be pulled to ground by holding the nRST button down or by connecting a jumper to J8 on the CW308. Additionally, the SDIC pin must be driven high during the programming process the enable communication through a buffer chip. The [http://ww1.microchip.com/downloads/en/DeviceDoc/20005262C.pdf SST26VF016B] flash chip uses global block protection that must be disabled before every write operation. This is done by sending the command code '''98''' to the chip before erasing or writing to the device. This can be done by configuring a custom transaction in your flash programming software. Below is a table of useful information for configuring your programming software. The Parameters listed here have been tested with the Total Phase Flash Center software and the Aardvark I<sup>2</sup>C/SPI Host adapter. Additionally, a [https://www.totalphase.com/products/flash-center/ Total Phase Flash Center] script is provided with the firmware for additional reference. See the [http://ww1.microchip.com/downloads/en/DeviceDoc/20005262C.pdf SST26VF016B data sheet] and the manual for your SPI flash program for more details.
{| class="wikitable"
|addressWidth
|3
|-
|eraseInstruction
|0x20
|-
|eraseSize
|4*1024
|-
|eraseTime
|18000
|-
|writeSize
|expectedDeviceId
|\xbf\x26\x41
|-
|readInstruction
|0x03
|-
|eraseAllInstruction
|false
|}
Load the image binary on to the flash chip and verify that the write was performed. If verify fails refer to the data sheet and your programming software manual to make sure the necessary command codes were sent in the appropriate order.
==== 4Programming over JTAG/SWD ====In addition to the SPI flash method, the CEC1702 can be temporarily (until power off) programmed using a JTAG debugger. This has been tested using Ozone V2.56d with a j-Trace Pro from Segger. The mikroC Pro IDE also supports programming and debugging using the Segger. Note that the CEC1702 only supports JTAG when the Debug Select bit (Byte 482 Bit[6]) of EFUSE is 0 and SWD when the Debug Select bit is 1. If one does not work, try the other. Load the image binary on to the flash chip and verify that the write was performed. If verification fails, ensure the nRST pin was held low for the entirety of the erase/write/verify cycle. If verification still fails, refer to the data sheet and your programming software manual to make sure the necessary command codes were sent in the appropriate order.  ==== Running the Program ====Remove If you programmed the reset device via SPI flash, remove the nRST jumper /release the nRST button and disconnect the 3.3V source from J8 PDIC. If you loaded your code from JTAG, hit go on your debugging software. == Performing CPA Attacks ==The CEC1702 has no option to run off on an external clock. To make CPA attacks easier, a 12MHz PWM signal is generated on the CW308 CLKOUT pin. This can be used by putting a jumper on the lower HS1/IN pins on J3 and running the ChipWhisperer off of the ExtClk. == ATE and EFUSE ==The CEC1702 may ship in ATE mode from other suppliers, which prevents booting off of SPI flash and seems to allow mess with the target UART baud rate (57600 baud corresponded to power up32000 baud). Startup The device can take some be changed into normal mode by setting Byte 35 Bit[7] of the EFUSE memory. This can be done via an external SPI flash such as the mikroProg, or by loading a program that modifies the bits via JTAG. For additional information, see the CEC1702 datasheet and errata. Before modifying the EFUSE, keep the following in mind:* EFUSE bits are one time with larger programs programmable (OTP) to 1. This means there's no way to set the bits back to 0 once they are set to 1.* To modify the EFUSE, VREF must be set to between 1.52V and 1.6V.* Make sure that FSOURCE_EN_READ and FSOURCE_EN_PRGM are never set to 1 at the same time, as this will short ground and power.* Note that both the Secure Boot ROM loads EFUSE instructions in the CEC1702 datasheet and mikroC's EFUSE program into RAMrely on VREF being set to ground while FSOURCE_EN_READ and FSOURCE_EN_PRGM are being switched. Instead, to modify the EFUSE, set both to 0, wait for the registers to be set, then set the appropriate bit.* Some additional features of the EFUSE include setting keys for flash decryption and authentication by the bootloader. == Useful Links ==* [http://ww1.microchip.com/downloads/en/DeviceDoc/00002207C.pdf CEC1702 Datasheet]* [http://ww1.microchip.com/downloads/en/DeviceDoc/80000726C.pdf CEC1702 Errata]* [https://www.totalphase.com/products/aardvark-i2cspi/ Aardvark I2C/SPI Programmer]* [http://www.mikroe.com/mikroc/arm mikroC PRO for ARM IDE]* [http://ww1.microchip.com/downloads/en/DeviceDoc/20005262C.pdf SST26VF016B Flash Datasheet]
Approved_users, administrator
366
edits