Unbricking a secured Freescale K20

| tagged with
  • jtag
  • openocd
  • k20

Due to the… interesting behavior of OpenOCD’s K20 FLASH writing algorithm, you can sometimes end up in a situation where you inadvertently end up with a secured chip. In particular, if your image doesn’t explicitly write to the FLASH configuration block (which starts at 0x400) but writes anywhere in the sector that contains it, OpenOCD will erase the sector without zeroing the configuration fields. Bam… secured chip.

Thankfully recovering from this is quite simple:

Simply hold SRST low and run kinetis mdm mass_erase from the OpenOCD console (e.g. nc localhost 4444). You’ll see something like this,

> kinetis mdm mass_erase
kinetis mdm mass_erase
Polling target k20.cpu succeeded again, trying to reexamine
k20.cpu: hardware has 6 breakpoints, 4 watchpoints
target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0xfffffffe msp: 0xfffffffc
> 

Yay! Unbricked chip!