We recently had a Power Aware Computing class on the university where we used the microcontroller MSP430FR59xx. We had to examine how different voltages, clock frequencies, ULP modes affect the power consumption of the uc.
To change the DCO clock frequency we had to change the DCORSEL/DCOFSEL bits of the CTL1 register. But we weren't able to change them until we put the CSKEY password into the CTL0 register. Then it worked.
My question is now, why are these registers "protected" by a passkey? Is this to prevent tampering from the outside, because the programmer can always set the passkey anyways?
2 Answers 2
Is this to prevent tampering from the outside, because the programmer can always set the passkey anyways?
Precisely. You're correct that yes, you can always use the programmer to set the passkey but the programmer is a proprietary tool provided by, in this case, Texas Instruments, and they're not cheap.
If you're a hacker that has access to this hardware, there's probably a very small chance that they will have the appropriate programmer on hand, be able to identify this chip, read through the datasheet, and tamper with it.
According to the datasheet:
The DCO frequency can be changed at any time, but care should be taken to ensure no other system clock frequency constraints are exceeded with the new frequency selection. Any change in the DCOFSEL or DCORSEL bits causes the DCOCLK to be held for four clock cycles before releasing the new value into the system. This allows for the DCO to settle properly.
While programmers can ultimately set the passkey, it adds a crucial layer of protection against accidental or unauthorized modifications of critical system settings. This ensures stable operation, protects against tampering, and allows for controlled access and configuration consistency. Certain registers, like CTL0 and CTL1, control critical system settings like clock frequency and power modes. Accidental or unintended changes to these settings can lead to malfunctions, unstable operation, or even permanent damage to the microcontroller.
-
1\$\begingroup\$ What you are describing would be used to protect the code from being stolen. This type of password is used to keep errors from propagating when the software goes into the weeds. \$\endgroup\$Mattman944– Mattman9442023年12月14日 18:50:07 +00:00Commented Dec 14, 2023 at 18:50
-
\$\begingroup\$ @Mattman944 That's true! Looking at the clock system block diagram (Figure 3-1 in the datasheet), there appears to be a large clock network with mux controls. Looks like the chip is trying to provide some tamper-proof design to prevent various clocks external oscillators from dominating other clocks. \$\endgroup\$user319168– user3191682023年12月14日 18:58:33 +00:00Commented Dec 14, 2023 at 18:58
First let me describe a situation that is more obvious. In the 1990s there was a unmanned space mission called Clementine. Its primary mission was to map the moon, this completed successfully. New software was then uploaded for a secondary mission. This software had a fatal flaw; and went into the weeds (crashed). The spacecraft thrusters were controlled by registers and these registers were hit by the wayward code. The spacecraft fuel was depleted, and the secondary mission had to be scrapped. This could have been prevented if the thruster registers were protected by passkeys.
Apparently this MCU has some critical registers that if they are set wrong, the MCU can be put in a state that is difficult (or impossible) to recover from. As a last resort, a watchdog timer if often used to rescue the MCU from wayward code. I have used MSP430s quite a bit, but not the watchdog timer. I suspect that there are some bad states that a watchdog timeout will not fix.