ZHCS009J November 2010 – September 2021 TMS320F28062 , TMS320F28062-Q1 , TMS320F28062F , TMS320F28062F-Q1 , TMS320F28063 , TMS320F28064 , TMS320F28065 , TMS320F28066 , TMS320F28066-Q1 , TMS320F28067 , TMS320F28067-Q1 , TMS320F28068F , TMS320F28068M , TMS320F28069 , TMS320F28069-Q1 , TMS320F28069F , TMS320F28069F-Q1 , TMS320F28069M , TMS320F28069M-Q1
PRODUCTION DATA
The devices support high levels of security to protect the user firmware from being reverse-engineered. The security features a 128-bit password (hardcoded for 16 wait states), which the user programs into the flash. One code security module (CSM) is used to protect the flash/OTP and the L0/L1 SARAM blocks. The security feature prevents unauthorized users from examining the memory contents through the JTAG port, or trying to boot-load some undesirable software that would export the secure memory contents. To enable access to the secure blocks, the user must write the correct 128-bit KEY value that matches the value stored in the password locations within the Flash.
In addition to the CSM, the debug code security logic (ECSL) has been implemented to prevent unauthorized users from stepping through secure code. Any code or data access to CSM secure memory while the debug probe is connected will trip the ECSL and break the debug probe connection. To allow debug of secure code, while maintaining the CSM protection against secure memory reads, the user must write the correct value into the lower 64 bits of the KEY register (KEY0 – KEY3), which matches the value stored in the lower 64 bits of the password locations within the flash. Dummy reads of all 128 bits of the password in the flash must still be performed. If the lower 64 bits of the password locations (PWL0 – PWL3) are all ones (unprogrammed), then the KEY value does not need to match. During debug of secure code, operations like single-stepping is possible. However, the actual contents of the secure memory cannot be seen in the CCS window.
When power is applied to a secure device that is connected to a JTAG debug probe, the CPU will start executing and may execute an instruction that performs an access to a protected area. If this happens, the ECSL will trip and cause the JTAG circuitry to be deactivated. Under this condition, a host (such as a computer running CCS or flash programming software) would not be able to establish connection with the device.
The solution is to use the Wait boot option. In this mode, the device loops around a software breakpoint to allow a debug probe to be connected without tripping security. These devices do not support a hardware wait-in-reset mode.
THE CODE SECURITY MODULE (CSM) INCLUDED ON THIS DEVICE WAS DESIGNED TO PASSWORD PROTECT THE DATA STORED IN THE ASSOCIATED MEMORY (EITHER ROM OR FLASH) AND IS WARRANTED BY TEXAS INSTRUMENTS (TI), IN ACCORDANCE WITH ITS STANDARD TERMS AND CONDITIONS, TO CONFORM TO TI'S PUBLISHED SPECIFICATIONS FOR THE WARRANTY PERIOD APPLICABLE FOR THIS DEVICE.
TI DOES NOT, HOWEVER, WARRANT OR REPRESENT THAT THE CSM CANNOT BE COMPROMISED OR BREACHED OR THAT THE DATA STORED IN THE ASSOCIATED MEMORY CANNOT BE ACCESSED THROUGH OTHER MEANS. MOREOVER, EXCEPT AS SET FORTH ABOVE, TI MAKES NO WARRANTIES OR REPRESENTATIONS CONCERNING THE CSM OR OPERATION OF THIS DEVICE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL TI BE LIABLE FOR ANY CONSEQUENTIAL, SPECIAL, INDIRECT, INCIDENTAL, OR PUNITIVE DAMAGES, HOWEVER CAUSED, ARISING IN ANY WAY OUT OF YOUR USE OF THE CSM OR THIS DEVICE, WHETHER OR NOT TI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCLUDED DAMAGES INCLUDE, BUT ARE NOT LIMITED TO LOSS OF DATA, LOSS OF GOODWILL, LOSS OF USE OR INTERRUPTION OF BUSINESS OR OTHER ECONOMIC LOSS.