All the hardware you need for BSL is a USB (or RS232 if you have one) to TTL serial adapter. The software is available in the mspgcc release (msp430-bsl). Say your adapter is enumerated as COM8:
msp430-bsl --comport=7 --invert-reset -epr foo.elf

You may also need --invert-test depending on whether your device has a TEST pin. See TI doc "slaa089d.pdf" for more info. The software may complain that it doesn't recognize the device code, however it usually works anyway.

David

> -----Original Message-----
> From: [email protected] [mailto:mspgcc-users-[email protected]] On Behalf Of TonyB
> Sent: Thursday, June 26, 2008 9:35 PM
> To: GCC for MSP430 - http://mspgcc.sf.net
> Subject: Re: [Mspgcc-users] JTAG Security Fuse
>
> Thank you all for your responses... you've saved me a lot of time. I'm a
> week from getting production boards and I had thought that the JTAG fuse was
> 'un-blowable' (probably from studying a different processor).
>
> Can I get some recommendations on good BSL adapters and/or software. I can
> do the interface hardware, but I don't want to spend my time on software if
> I can get it elsewhere. In fact, if there's good commercially available
> hardware I'd probably just rather get that.
>
> TonyB
>
> ----- Original Message -----
> From: "Gunther Lemm" <[email protected]>
> To: "GCC for MSP430 - http://mspgcc.sf.net" <[email protected]>
> Sent: Thursday, June 26, 2008 5:47 PM
> Subject: Re: [Mspgcc-users] JTAG Security Fuse
>
>
> Hi Travis,
>
> thanks for the detailed info on the BSL key. For all the other guys here
> who didn't follow your link to SLAA089:
>
> "The password itself consists of the 16 interrupt vectors located at
> addresses FFE0h to FFFFh (256 bits), starting with the first byte at
> address FFE0h. After mass erase and with unprogrammed devices, all
> password bits are logical high (1)."
>
> The note in the MSP430F248 datasheet (below the interrupt vector table
> assignment) is somewhat misleading:
>
> "The address 0xFFDE is used as bootstrap loader security key (BSLSKEY).
> A 0xAA55 at this location disables the BSL completely.
> A zero disables the erasure of the flash if an invalid password is
> supplied."
>
> This seems to be the register that's not always located at the same
> address. MSP430FG461x devices have their DMA interrupt vector at 0xFFDE.
>
> Do you know anything about that flash erasure on invalid passwords? I
> guess not, cause otherwise you would've seen it while disassembling the
> BSL code. So what does TI mean with that note?
>
> Gunther
>
> Travis Goodspeed wrote:
> > Howdy y'all,
> >
> > I've been doing a bit of work with the BSL, mostly Version 2.12 which I
> > dumped from an MSP430FG4618, disassembled, and annotated.
> >
> > --The BSL password isn't beneath the IVT, it *is* the IVT.
> >
> > --There is an unprotected command, Mass Erase, which erases all of
> > memory. The idea is that you should be able to replace the firmware,
> > but not to extract the firmware, as you could always replace the whole
> > chip on any board. Once memory is erased, every bit of the IVT--and
> > thus the password--becomes 1.
> >
> > --In very recent versions of the BSL, you can set a flag in flash to
> > password-protect the Mass Erase command.
> >
> > --Versions 1.60 and 1.61 are the best candidates for brute-forcing, as
> > they have an unprotected command, Change Baud Rate, for writing directly
> > to the clock registers. Earlier versions have no such command, while
> > later versions require the password to be sent before the baud rate is
> > changed. Supposing only 40 bits of the password are random and you are
> > attacking a chip which is clocked to 16 MHz, it will still take 32 years
> > to guarantee a break. It can be made a bit faster, but not so much as
> > to make brute forcing practical.
> >
> > Gotchas:
> > --Version 2.12 is vulnerable to a side-channel timing attack. 2.01 and
> > earlier are not.
> > --If you are blowing JTAG and expect the BSL to protect cryptographic
> > keys, realize that the key is not part of the IVT and therefore it is
> > not part of the password.
> >
> > --rand_int.pl, attached, will randomize the interrupts by making them
> > point to branch instructions that direct back to the real address.
> >
> > For more details on BSL brute forcing, see
> > http://travisgoodspeed.blogspot.com/2008/06/msp430-bsl-passwords-brute-force.html
> > For the official docco,
> > http://www.google.com/search?q=slaa089
> >
> > Cheers,
> > --Travis Goodspeed
> >
> > Gunther Lemm wrote:
> >> There was a discussion about the security fuses and some enhancements of
> >> the BSL password protection on the MSP430 day 2008 in Berlin. I only
> >> remember some basic infos:
> >>
> >> - you can only blow the JTAG security fuse once because it's a physical
> >> fuse. so there's no way to reset these fuses.
> >>
> >> - the BSL password is stored at a memory address just before the
> >> interrupt vector table (take a look at the device specific datasheets
> >> because the location depends on 32/64 byte vector table size)
> >>
> >> - AFAIR there is some brute force password cracking protection in
> >> msp430f2xxx devices
> >>
> >> - there is a way to reset the BSL password, but this also deletes the
> >> complete flash contents (don't ask me how to do it)
> >
> > ------------------------------------------------------------------------
> > Check out the new SourceForge.net Marketplace.
> > It's the best place to buy or sell services for
> > just about anything Open Source.
> > http://sourceforge.net/services/buy/index.php
> > ------------------------------------------------------------------------
> > _______________________________________________
> > Mspgcc-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/mspgcc-users
>
> --
> ***************************
> Dipl.Ing. (FH) Gunther Lemm
>
> Daqtix GbR
> -+- Robert Dallmann
> +- Gunther Lemm
> +- Oliver Niekrenz
> Alte Dorfstraße 16
> D-29588 Oetzen (OT Süttorf)
> Germany
>
> Tel: +49 5805 979 5 797
> Fax: +49 5805 9 795 795
> ***************************
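
Added example, not part of the original thread or of msp430-bsl: because the BSL password is the 32-byte interrupt vector table at FFE0h to FFFFh, this Python sketch reads a TI-TXT firmware image, extracts that password, and counts how many of the 16 vectors are distinct, so a developer can see how much of it is repeated default-handler filler before production. The sample image, the function names, and the use of 0xFFDE for BSLSKEY (taken from the MSP430F248 datasheet note quoted above; the thread notes the address differs on other devices) are assumptions.

```python
IVT_START, IVT_END = 0xFFE0, 0xFFFF  # 16 vectors = 256-bit BSL password (SLAA089)
BSLSKEY_ADDR = 0xFFDE                # assumption: MSP430F248-style location

# Constructed sample image: every unused vector points at one default handler.
SAMPLE_TI_TXT = """@FFE0
F0 40 F0 40 F0 40 F0 40 F0 40 F0 40 F0 40 F0 40
F0 40 20 41 F0 40 F0 40 F0 40 F0 40 F0 40 00 40
q
"""

def parse_ti_txt(text):
    """Parse TI-TXT ('@ADDR' sections, hex byte rows, 'q' terminator)."""
    mem, addr = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() == "q":
            break
        if line.startswith("@"):
            addr = int(line[1:], 16)
            continue
        if addr is None:
            raise ValueError("data row before first @address")
        for tok in line.split():
            mem[addr] = int(tok, 16)
            addr += 1
    return mem

def audit_bsl_password(mem):
    """Return the BSL password bytes and simple weakness indicators."""
    # Erased or unprogrammed flash reads back as 0xFF.
    pw = bytes(mem.get(a, 0xFF) for a in range(IVT_START, IVT_END + 1))
    vectors = [pw[i] | (pw[i + 1] << 8) for i in range(0, 32, 2)]  # little-endian
    key = mem.get(BSLSKEY_ADDR, 0xFF) | (mem.get(BSLSKEY_ADDR + 1, 0xFF) << 8)
    return {
        "password": pw,
        "distinct_vectors": len(set(vectors)),  # few distinct values = guessable
        "erased": pw == b"\xff" * 32,           # password is all ones
        "bslskey": key,
        "bsl_disabled": key == 0xAA55,
        "erase_on_bad_password_disabled": key == 0x0000,
    }

if __name__ == "__main__":
    report = audit_bsl_password(parse_ti_txt(SAMPLE_TI_TXT))
    print(report["password"].hex(), report["distinct_vectors"], hex(report["bslskey"]))
```

A low distinct-vector count is the situation rand_int.pl in the thread is meant to address; the BSLSKEY fields only apply to devices that place the key at the assumed address.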
