MSP430 common encryption summary

1> Why encrypt, how to encrypt?

When your product is brought to market, your competitors will start to focus on it. If your product hardware is easily imitated and your MSP430 microcontroller is not encrypted, then your hard work is successful. It's easy to become a competitor's product. Although you can use the JTAG debug tool FET to download the program to the inside of the chip, only the professional programmer can prevent the program from being stolen.

2> What is the difference and relationship between JTAG, BSL, BOOTLOADER, and fuse?

The JTAG interface can access all the resources inside the MSP430 MCU. Through JTAG, the program can be downloaded, code debugged, memory modified, etc. The JTAG can also blow the encryption fuse. Once the fuse is blown, most functions of the JTAG interface. If it fails, it can no longer be programmed through it.

The BSL interface is self-programming realized by the bootloader program resident in the chip. The CPU enters the bootloader code through a specific timing, and then uses a Timer A of each MSP430 chip to form a software serial port to communicate with the host computer. The code can be downloaded to the inside of the chip. In addition to some pins of the JTAG interface, the BSL also needs to use two TA0 function pins. Therefore, if you need to encrypt when designing the product, you should consider connecting these two pins. To blow the fuse (encryption), the JTAG interface must be used; after the fuse is blown, the programming update can only be done via the BSL or user code.

3> What is the BSL verification password?

BSL can also read the code inside the chip, which can achieve post-programming verification and other functions. There is no need to verify the password when erasing all Flash information through the BSL, but for further operation, a 32-byte password is required for verification.

The BSL protocol stipulates that the 32-byte password is the highest 32 bytes of the FLASH area of ​​the chip, which is the program's 16 interrupt vectors. If you have the last 32 bytes of this program, you can read all the code inside the chip through the BSL. take out.

4> Why use advanced encryption?

The 32-byte password seems almost impossible to use the exhaustive method to achieve the crack, but don't forget, the 16 interrupt vectors of msp430 are not necessarily used every time, the unused interrupt vector is 0 xffff, if you The program only uses the reset vector, so the cracker only needs to try up to 32768 times (the interrupt vector is even, so divide by 2) to crack it. In addition, if the chip itself has a small Flash capacity, such as 4K bytes, then The cracker only needs to try up to 2K times to crack it. This is almost a matter of time for an automated computer. Then, the more interrupt vectors you use, the harder it is to crack. The best way to do this is to fill all unused interrupt vectors with random data. This is called "advanced encryption."

5> About TI-TXT files

The TI-TXT file is a programming code format defined by TI for the MSP430 microcontroller. The content is in plain text format and can be read by any text editor. Here is an example of such a file:

@FEFE

B2 40 80 5A 20 01 F2 40 9D 00 90 00 F2 40 2E 00

40 00 F2 D0 80 00 01 00 F2 43 33 00 C2 43 95 00

C2 43 9A 00 F2 D0 20 00 53 00 F2 40 1F 00 52 00

F2 43 91 00 F2 43 92 00 F2 43 93 00 F2 43 94 00

F2 43 95 00 F2 43 96 00 F2 43 97 00 F2 43 98 00

F2 43 99 00 F2 43 9A 00 32 D0 D0 00 FD 3F 31 40

00 03 B0 12 A2 FF 0C 93 18 24 3C 40 00 02 0E 43

30 12 00 00 B0 12 C4 FF 3C 40 00 02 3E 40 FE FE

30 12 00 00 B0 12 A6 FF 21 52 3C 40 00 02 3E 40

FE FE 30 12 00 00 B0 12 A6 FF B0 12 FE FE 30 40

A0 FF FF 3F 1C 43 30 41 0A 12 1D 41 04 00 0F 4C

0A 4D 1D 83 0A 93 05 24 EF 4E 00 00 1F 53 1E 53

F7 3F 3A 41 30 41 0A 12 1D 41 04 00 0F 4C 0A 4D

1D 83 0A 93 04 24 CF 4E 00 00 1F 53 F8 3F 3A 41

30 41

@FFFE

5C FF

q

The first line of @FEFE indicates starting at address 0 xFEFE with the following code. Each line is 16 bytes, each byte is represented by a hexadecimal number, and a space is opened between every two bytes.

The @FFFE at the end of the content is the program's reset vector, indicating that the program's entry address is 0xFF5C. Finally, use a lowercase q character to add a line break. Of course, you can put the two lines of the interrupt vector to the front. For example, the following code has the same meaning as above, and it also conforms to the rules.

@FFFE

5C FF

@FEFE

B2 40 80 5A 20 01 F2 40 9D 00 90 00 F2 40 2E 00

40 00 F2 D0 80 00 01 00 F2 43 33 00 C2 43 95 00

C2 43 9A 00 F2 D0 20 00 53 00 F2 40 1F 00 52 00

F2 43 91 00 F2 43 92 00 F2 43 93 00 F2 43 94 00

F2 43 95 00 F2 43 96 00 F2 43 97 00 F2 43 98 00

F2 43 99 00 F2 43 9A 00 32 D0 D0 00 FD 3F 31 40

00 03 B0 12 A2 FF 0C 93 18 24 3C 40 00 02 0E 43

30 12 00 00 B0 12 C4 FF 3C 40 00 02 3E 40 FE FE

30 12 00 00 B0 12 A6 FF 21 52 3C 40 00 02 3E 40

FE FE 30 12 00 00 B0 12 A6 FF B0 12 FE FE 30 40

A0 FF FF 3F 1C 43 30 41 0A 12 1D 41 04 00 0F 4C

0A 4D 1D 83 0A 93 05 24 EF 4E 00 00 1F 53 1E 53

F7 3F 3A 41 30 41 0A 12 1D 41 04 00 0F 4C 0A 4D

1D 83 0A 93 04 24 CF 4E 00 00 1F 53 F8 3F 3A 41

30 41

q

Manually modify the TI-TXT file to implement advanced encryption:

The following is an interrupt vector using a piece of code with less interrupt vectors:

@FFE0

10 FF A0 FF

@FFFE

5C FF

It has the same meaning as the following code:

@FFE0

10 FF A0 FF FF FF FF FF FF FF FF FF FF FF FF FF

FF FF FF FF FF FF FF FF FF FF FF FF FF FF 5C FF

Here we implement the advanced encryption by changing the unused interrupt vector to random data, but be careful not to change the effective interrupt vector.

@FFE0

10 FF A0 FF A5 5A 37 21 F3 44 E0 77 9A 00 22 33

44 55 66 77 88 99 AA BB CC DD EE 3E E3 0F 5C FF