Bricked MPC5676R Setting Password and Censorship

Hello, I’m using the MPC5676R target board and wanted to set the flash password and censorship value. I couldn’t find any code in the GitHub repo that illustrated this, and the PEMicro debugging software only offers an uncensor option, but not a set password or censor option. Additionally, the MPC5676 doesn’t have an application note on how to implement this, so I reluctantly used the application note for the MPC563x series (AN3787). I used the exact code, reprogramming the default values for the password and censorship mode. The only difference was that I set the SLOCK/SSLOCK bits manually as opposed to the 0x800FFFFF value they listed.

This unfortunately bricked my chip. It is stuck in censored mode and the password is corrupted. I cannot attach with the PEMicro even with the default, zero’d, and FF’d out values as the password.

How were you able to set the password and censorship mode on the chip? Was there some sort of application that you used, or did you write it into the application code? And if you did implement it in code could you provide it?

Also, in your BAM BAM whitepaper, is it correct to assume that all of your successful attempts were done with a custom password and censorship mode enabled? Thanks

Hello,

The censorship is configured in the ‘shadow address’ on those chips. It’s been a while so details aren’t as clear, sorry… but I think I just used PEMicro to erase/program that row, as I had that software for other uses (along with the JTAG programmer). You can make a hex file that you can load in PEMicro to do so, and you just specify a specific range to erase/program:

The problem here is both the censorship control word + the password itself. You need the MPC5676R Microcontroller Reference Manual.

Ah - so the problem is they also have some “validity” check:

IIRC it’s the same on JTAG, although I never used JTAG on this beyond usage in PEMicro so I could be remembering this wrong.

But for that reason you always had to be careful doing a shadow row erase, as if you left it erased (e.g., power cycled or reset chip before reprogramming) you’d brick the chip!

Yup. From memory it’s possible the invalid password was done with another (hardware) mechanism instead of just a firmware check. I don’t think I was successful with an invalid password, unfortunately.

Thanks,

-Colin