introduction

Company product refuelling , Used GD32F3 Series of MCU, The customer requires that the code be read protected , When viewing the user manual again , See what it offers “ safeguard ”, Just want to see the actual effect through experiments ;

Manual introduction

From here GD32F303 Extract key information from the user manual of ：

Chip memory structure

chart 1 Basic memory allocation table

Here's what we need to pay attention to , The main memory here is divided into bank0, bank1. bank0 The page size of is 2KB each page ,bank1 The size is 4KB each page ;
And there are information blocks and optional byte blocks , This optional byte block is also closely related to the read protection we want to do ;

Here, let's make it clear , Enabling the read protection function requires setting Optional byte block , So let's expand around optional byte blocks .

Flash operation instructions

We know , Certain actions are required before routine memory programming , erase 、 Unlocking and other operations , This is through Two layer unlocking and erasing before programming ：

chart 2 Memory control instructions

Pass diagram 2 in , We can learn the following key information ：

1. The memory needs to be unlocked before operation , The way to unlock is to assign a register FMC_KEY0 Write key value in ;
2. Programming of optional bytes , yes Two levels of unlocking are required Of , namely FMC bank0 After unlocking , Also right FMC_OBKEY Register writes corresponding key value to unlock Programming permissions for optional byte registers ;

Optional byte block description

Function effective conditions

After each system reset , The optional byte block of flash memory is reloaded into FMC_OBSTAT and FMC_WP register , Optional bytes are valid . The complement of optional bytes is the inverse of optional bytes . When the optional bytes are reloaded , If the complement of the optional byte does not match the optional byte ,FMC_OBSTAT The register of OBERR The bit will be set to 1, Optional bytes are forced to 0xFF. If the optional byte and its complement byte are the same 0xFF, be OBERR Bit not set .

Above we can extract the key information ：

1. After the read protection is turned on , At least system reset is required ;
2. After resetting, the detection information does not match , Optional bytes are forced to be erased ;

See the following figure for the specific meaning of optional bytes ：

chart 3 Optional byte block description

Safety protection function description

chart 4 Safety protection function description

From the picture 4 We know from the description of ：

1. Change from unprotected mode SPC After byte , The read protection function takes effect after reset ： If the user code is modified , System reset is required to make it effective ; If it is modified in debugging mode , Power on reset is required .
2. In safe mode , Want to turn off the protection state , Can only be modified from the user code ;
3. In safe mode , Before main memory 4KB Non erasable , That is to say bank0 The first two pages of ;【 If IAP The words here , It's going to fail 】.
4. In safe mode , The main memory read in any startup mode is invalid ;
5. In safe mode , Modifiable SPC Bytes to exit read protection , But it will erase the whole main memory ;

Code implementation

The protection function is turned on

After the above analysis , Combined library function , We have determined that the driving function is ：

#include "gd32fmc.h"
fmc_state_enum GD32FMC_OB_Toggle(uint8_t ob_spc)
{
    
	fmc_state_enum res = FMC_BUSY;
	fmc_unlock();	//  relieve  bank0  Programming restrictions for 
	ob_unlock();	//  relieve   Optional bytes   Programming restrictions for 
	
	ob_erase();		//  Optional byte erasure   Here, I thought that  A5 5A FF FF FF ...  So here we just wipe it out 
	res = ob_security_protection_config(ob_spc);	//  Start stop protection function 
	ob_lock();		//  sign out   Optional bytes   Edit status 
	fmc_lock();		//  sign out  bank0  Edit status 
	
	return res;
}

The test method

During the test , because SPC Byte only supports user code modification , So a certain IO Level detection , And modify it SPC Byte code , Here's a brief share ：

	static uint8_t time1 = 0, time2 = 0;
	
	if(GetInputStatus(oneIO) > 0)
	{
    
		time2 = 0;
		if(time1 == 0)
		{
    
			time1++;
			ob_security_protection_config(FMC_USPC);
		}
	}
	else
	{
    
		time1 = 0;
		if(time2 == 0)
		{
    
			time2++;
			ob_security_protection_config(FMC_NSPC);
		}
	}

Phenomenon description

1. After the read protection is turned on ,jflash Tools can be connected , But the main memory cannot be read , You will eventually be prompted to time out ：

2. It can be done by Jlink Commander Check it out. SPC Byte content ：

Here is the data of optional bytes when the read protection is enabled , When locked , The read value will become ：

BB 44 FF FF FF FF FF FF FF FF FF FF FF FF FF FF

At this time, it needs to be restarted to take effect ;
3. In operation , Trigger unlocking signal , Meeting immediately Cause the whole piece to be erased immediately , The product looks stuck , But at this time MCU It supports reading and writing , It is similar to restoring the factory settings ;

Overall analysis

1. The whole piece of data will be erased immediately after the read protection is turned off , So this function is too risky , Consider other anti duplication schemes .
2. When read protection is turned on , Conduct IAP Words , This will cause the chip to be self-locking and unable to exit the read protection in the read protection state , Chip read protection can only be exited by contacting factory support ;