更新历史
- 20220303:
首次编辑并发布,添加在 jlink-commander 可读写寄存器的情况下,接触都保护的方式;- 20220304
添加在 jlinkcommander 中手工无法通信的情况下,解除读保护的操作;
引言
由于产品安全的要求,在产品量产后通常会对固件开启保护功能,如此篇文章 嵌入式 -GD32代码读保护 中提到的一样,读保护就是常见的方式之一;
解除读保护
这里 MCU 以 GD32F303 为例:
可以通信的情况下
现象描述
读保护是开启了防反读的功能,并没有停止调试接口的功能;但是存在一些情况,触发了读保护本身的防护机制并擦除了桩端代码后,读保护功能依然开启,此时发现可通过 JlinkCommander 进行读写寄存器。
jflash 编程闪存会执行先擦除的动作,但是 303 都保护开启后会对前 4kB 的闪存空间开启页擦除保护,所以呈现出来的现象就是,jflash 可成功连接,但是什么也做不了。
点击 回读之后,显示下方提示,会弹出以下提示:
进度条无新增,直到尝试超时:
如果在尝试擦除的时候直接点击“取消”按钮,会提示 :
jlinkCommander
通过 JlinkCommander 是可以读写其寄存器的:
通过 ?字符,可查看支持的命令及其语法:
这里我们主要使用的是:
w4 // 写 32 bit 数据至指定地址内存,语法为 w4 <addr> <data>, 均为 hex 格式
mem // 读取指定内存的制定字节数据,语法为 mem <addr> <numBytes>, 均为 hex 格式
mem32 // 读取指定内存的多组 4Bytes(item) 数据,语法为 mem <addr> <numItems>, 均为 hex 格式
代码为:
// 查看当前 SPC 字节
mem 0x1fffF800 0x10
// 解锁 FMC_Bank0
w4 0x40022004 0x45670123 //FMC_KEY = UNLOCK_KEY0;
W4 0x40022004 0xcdef89ab // FMC_KEY = UNLOCK_KEY1;
// 查看寄存器
mem32 0x40022000 0x10
w4 0x40022008 0x45670123 //FMC_OBKEY = UNLOCK_KEY0;
w4 0x40022008 0xcdef89ab //FMC_OBKEY = UNLOCK_KEY1;
mem32 0x40022000 0x10
// 清楚可能存在的错误标志位
w4 0x4002200C 0x00000034 //fmc_flag_clear(FMC_FLAG_PGERR | FMC_FLAG_WPERR | FMC_FLAG_END);
// OB 字节擦除指令使能
w4 0x40022010 0x0220 // OBER
// 执行擦除
w4 0x40022010 0x0260 //STAR
// 使能 OB 字节编程
w4 0x40022010 0x0270 //OBPG
// 恢复默认值,退回未保护态
w2 0x1ffff800 0x5aa5
// 开启寄存器锁保护
w4 0x40022010 0x80
// 可再次查看 SPC 字节
mem 0x1fffF800 0x10 //
结果
- 通过 JlinkCommander 操作并查看结果
- jflash
jlinkcommander 操作后,通过 jflash 连接后可正常操作:;
无法通信的情况下
其实这个无法通信,是在我们在手工操作下无法和 MCU 通过 SWJ 建立通信,但是清楚 MCU 上电时序到执行用户代码的会知道,上电伊始会先执行厂家固化在 MCU 中的 bootloader,进行一系列的初始化(比如寄存器空间映射)之后会进入到用户代码,先执行用户的代码(启动文件,用户程序)。
而 MCU 在上电后,检测到读保护开启到保护,这段时间我们手动是无法介入的,如果在 MCU 初始化后到保护功能开始生效将 SPC 字节改写并启动,则可以达到破解的目的,当然厂家为了进一步保护固件,在破解安全保护功能后,会主动删除闪存空间内的数据。
核心代码
在这种情况下,我们需要借助脚本执行破解:
log yourLog.log
// 通过 USB 连接 Jlink
usb
// select target device, 选择连接方式
si swd
// 等待 100 ms
speed 100
// 重启目标设备
r
// 刚上电后等待 MCU 寄存器初始化
Sleep 10
usb
// 执行寄存器编程,解锁 + 读保护关闭
mem 0x1fffF800 0x10
mem32 0x40022000 0x10
w4 0x40022004 0x45670123 //FMC_KEY = UNLOCK_KEY0;
W4 0x40022004 0xcdef89ab // FMC_KEY = UNLOCK_KEY1;
mem32 0x40022000 0x10
w4 0x40022008 0x45670123 //FMC_OBKEY = UNLOCK_KEY0;
w4 0x40022008 0xcdef89ab //FMC_OBKEY = UNLOCK_KEY1;
mem32 0x40022000 0x10
w4 0x4002200C 0x00000034 // fmc_flag_clear(FMC_FLAG_PGERR | FMC_FLAG_WPERR | FMC_FLAG_END);
mem32 0x40022000 0x10
w4 0x40022010 0x0220 // OBER
mem32 0x40022000 0x10
w4 0x40022010 0x0260 //STAR
mem32 0x40022000 0x10
w4 0x40022010 0x0270 //OBPG
mem32 0x40022000 0x10
w2 0x1ffff800 0x5aa5 // close read protection
w4 0x40022010 0x80
mem 0x1fffF800 0x10 //
r
Sleep 10
usb
mem 0x1fffF800 0x10
mem32 0x8000000 0x10
// 关闭 Jlink 连接并退出
qc
将上述代码保存为 .jlink, 文件名称自定义。
辅助脚本代码
将输出重定向,输出 log,这里的 log 名称为上述“核心代码”的第一行名称,可以不提前创建;
set PATH=%PATH%;..\ ;..\
JLink.exe -autoconnect 1 -device cortex-m4 -if swd -speed 1000 -commandfile <FileName>.jlink >yourLog.log
上述代码保存为 BAT 脚本。
将脚本文件、jlink 命令行文件放置于 jlink 安装文件夹下:
双击脚本执行命令,执行过后 MCU 固件已经清除。
执行结果
- 查看日志记录:
SEGGER J-Link Commander V7.52d (Compiled Aug 17 2021 17:16:21)
DLL version V7.52d, compiled Aug 17 2021 17:15:01
J-Link Command File read successfully.
Processing script file...
J-Link connection not established yet but required for command.
Connecting to J-Link via USB...O.K.
Firmware: J-Link V9 compiled May 7 2021 16:26:12
Hardware version: V9.20
S/N: 86802686
License(s): GDB, RDI, FlashBP, FlashDL, JFlash
VTref=3.272V
Disconnecting from J-Link...O.K.
Connecting to J-Link via USB...O.K.
Firmware: J-Link V9 compiled May 7 2021 16:26:12
Hardware version: V9.20
S/N: 86802686
License(s): GDB, RDI, FlashBP, FlashDL, JFlash
VTref=3.272V
Selecting SWD as current target interface.
Selecting 100 kHz as target interface speed
Target connection not established yet but required for command.
Device "CORTEX-M4" selected.
Connecting to target via SWD
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[1]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 000BB00C SCS-M7
ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 003BB002 DWT
ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 002BB003 FPB
ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 003BB001 ITM
ROMTbl[0][4]: E0040000, CID: B105900D, PID: 000BB9A1 TPIU
ROMTbl[0][5]: E0041000, CID: 00000000, PID: 00000000 ???
Cortex-M4 identified.
Reset delay: 0 ms
Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.SYSRESETREQ.
Sleep(10)
Disconnecting from J-Link...O.K.
Disconnecting from J-Link...O.K.
Connecting to J-Link via USB...O.K.
Firmware: J-Link V9 compiled May 7 2021 16:26:12
Hardware version: V9.20
S/N: 86802686
License(s): GDB, RDI, FlashBP, FlashDL, JFlash
VTref=3.272V
Device "CORTEX-M4" selected.
Connecting to target via SWD
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[1]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 000BB00C SCS-M7
ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 003BB002 DWT
ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 002BB003 FPB
ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 003BB001 ITM
ROMTbl[0][4]: E0040000, CID: B105900D, PID: 000BB9A1 TPIU
ROMTbl[0][5]: E0041000, CID: 00000000, PID: 00000000 ???
Cortex-M4 identified.
1FFFF800 = BB 44 FF FF FF FF FF FF FF FF FF FF FF FF FF FF .D..............
Writing 45670123 -> 40022004
Writing CDEF89AB -> 40022004
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000000 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 45670123 -> 40022008
Writing CDEF89AB -> 40022008
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000200 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 45670123 -> 40022004
Writing CDEF89AB -> 40022004
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000200 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 45670123 -> 40022008
Writing CDEF89AB -> 40022008
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000200 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 00000034 -> 4002200C
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000200 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 00000220 -> 40022010
40022000 = 00000030 00000000 00000000 00000000
40022010 = 00000220 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 00000260 -> 40022010
40022000 = 00000030 00000000 00000000 00000001
40022010 = 00000260 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 00000270 -> 40022010
40022000 = 00000030 00000000 00000000 00000021
40022010 = 00000270 00000000 00000000 03FFFFFE
40022020 = FFFFFFFF 00000000 00000000 00000000
40022030 = 00000000 00000000 00000000 00000000
Writing 5AA5 -> 1FFFF800
Writing 00000080 -> 40022010
Failed to write memory
Could not read memory.
Reset delay: 0 ms
Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.SYSRESETREQ.
Reset: SYSRESETREQ has confused core.
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
Reset: Using fallback: VECTRESET.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.VECTRESET.
Sleep(10)
Disconnecting from J-Link...O.K.
Disconnecting from J-Link...O.K.
Connecting to J-Link via USB...O.K.
Firmware: J-Link V9 compiled May 7 2021 16:26:12
Hardware version: V9.20
S/N: 86802686
License(s): GDB, RDI, FlashBP, FlashDL, JFlash
VTref=3.270V
Device "CORTEX-M4" selected.
Connecting to target via SWD
Found SW-DP with ID 0x2BA01477
DPIDR: 0x2BA01477
Scanning AP map to find all available APs
AP[1]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
ROMTbl[0][0]: E000E000, CID: B105E00D, PID: 000BB00C SCS-M7
ROMTbl[0][1]: E0001000, CID: B105E00D, PID: 003BB002 DWT
ROMTbl[0][2]: E0002000, CID: B105E00D, PID: 002BB003 FPB
ROMTbl[0][3]: E0000000, CID: B105E00D, PID: 003BB001 ITM
ROMTbl[0][4]: E0040000, CID: B105900D, PID: 000BB9A1 TPIU
ROMTbl[0][5]: E0041000, CID: 00000000, PID: 00000000 ???
Cortex-M4 identified.
1FFFF800 = A5 5A FF FF FF FF FF FF FF FF FF FF FF FF FF FF .Z..............
Could not read memory.
Script processing completed.
- 反读 MCU 固件
此时重新上电,(不上电可能 jflash 还是会无法连接,固件擦除后 MCU 需要更新功能),使用 jflash 反读:
此时已经清除固件。
总结
这个功能虽然只是调用固件库中的函数,进行一系列的寄存器配置,但是涉及到的知识点还是比较多的。包括 MCU 上电顺序,读保护编程后生效条件,调试工具的使用等等, 整个功能做下来还是收获很多的。
后续如有相关其它 MCU 的保护功能调试总结,会对比更新的。