Custom Teensy and Lockable code

jensa

Well-known member
Hi all,
I'm making a custom board and want to protect the firmware. The process is explained well for boards made by PJRC, but in my case I'm buying the core parts from PJRC and putting them on my own boards. I asked PJRC the following:

So just so I'm sure that I understand this correctly - any MKL02 (from PJRC) can enable this on any iMXRT1060 (from anywhere)? It's the Teensy 4 Security Tool that enables this using firmware in the MKL02 chip?

Paul then replied:

1: Only specific iMXRT1060 chips are supported, as documented on the web page. For example, "1064" parts definitely do not work. Parts with an extra "X" in the part number also will not work. Only specific flash memory chips are supported. Pay attention to "M" vs "Q" in the part number!

2: Yes, a MKL02 chip from PJRC pairs with a brand new IMXRT1062 chip as sold by NXP through distributors. Once paired, that MKL02 only works with that specific IMXRT1062.

3: Custom boards begin the same as Lockable Teensy. Details are thoroughly documented on the code security page. If you haven't already, I would highly recommend you buy at least one Lockable Teensy so you can experience the process of locking before you design a custom PCB. Try using it with Arduino IDE on another PC that doesn't have your key.pem file. Also try copying only the .hex or .ehex file and open it with Teensy Loader on another PC. This stuff is all documented, but there's really no substitute for experiencing it first hand.


Posting his reply here as Paul suggested, so others can find the answer via search. My core takeaway is that for any Teensy from PJRC, these fuses are pre-programmed. On a custom board and a blank MIMXRT1062DVJ6B, you are free to set the fuses as you like. When you set them to be locked (Tools > Teensy 4 Security), they're permanent.
 
Yes, the IMXRT fuse memory absolutely is permanent. Setting a fuse bit physically alters the chip in an irreversible way. NXP doesn't give details of how it's implemented, but the on-chip technology is likely amorphous silicon anti-fuse.

The MKL02 chip will pair with your IMXRT1062 on first use. Part of that process involves setting some of the fuses as needed by all Teensy boards.

When Teensy 4.0 was released in late 2019 and Teensy 4.1 in early 2020, those fuses were set only by PJRC's bed-of-nails test fixture. We couldn't sell the bootloader chips at that time, because they depended upon the test fixture to configure the fuses and do other stuff. The MKL02 bootloader chips became available in 2021 when the pairing process was added. It allows a pre-programmed MKL02 to initialize the IMXRT1062 chip without needing the PJRC test fixture.

When you run the 3 setup programs for code security, step #1 sets fuses with your encryption key. After step #1, your board can run both encrypted .ehex and also regular plaintext .hex. In this mode you code is NOT secure even if encrypted. All 3 steps run checks, but step #2 is purely a verification which doesn't set any fuses. Step #3 sets the fuses needed to permanently set secure mode. Once in secure mode, your board will only run encrypted .ehex files created with your key.pem file.

PJRC signed a non-disclosure agreement with NXP, so I can't talk about some aspects of the fuses and secure mode which NXP considers confidential.

But I will again mention the most important thing in practice: make backup copies of your key.pem file. If you lose your key, there is no recovery method. You need your key.pem file to create new .ehex files which work on all the boards you initialized with those 3 steps.
 
Back
Top