In the demand for information security, the requirements for JTAG cannot be overlooked. To maximize information security, products after mass production may even permanently lock the JTAG. This means setting a random password for JTAG (for example, a password length of 128 bits) and writing it to the Password storage area through software. In this way, no one knows the JTAG Password, which is equivalent to permanently locking the JTAG.Permanently locking the JTAG enhances security; however, if a serious market issue arises and there is no debugging interface, it will be impossible to obtain more information. Therefore, to facilitate problem analysis, it is generally required that JTAG only be locked with a Password, and if the JTAG Password can be obtained, the JTAG can still be unlocked.However, in certain OEM (Original Equipment Manufacturer) requirements, the JTAG Password scheme is abandoned in favor of the CMD_DEBUG scheme of SHE (Secure Hardware Extension). Why is this the case?
1. JTAG Password Scheme VS CMD_DEBUG Scheme
Compared to the JTAG Password scheme, CMD_DEBUG is a command used to activate the internal debugging function of SHE.CMD_DEBUG will delete all keys but retain SECRET_KEY, UID, and PRNG_SEED. It is typically used for debugging or restoring SHE to factory default settings.
Based on the CMD_DEBUG command, the process to activate internal debugging is as follows:
The CMD_DEBUG command can only be successfully executed when no keys are write-protected.The comparison between the JTAG Password scheme and the CMD_DEBUG scheme is as follows:
| Feature | CMD_DEBUG Scheme | JTAG Password Scheme |
| Standardization | AUTOSAR/SHEv1.1 defined, cross-platform consistency | Chip manufacturers define, not standardized |
| Authentication Mechanism | Based on challenge-response | Usually a static password |
| Security Level | High: supports dynamic authentication, key protection, access control | Medium: static keys may be brute-forced or leaked |
| Debug Granularity Control | Can refine control functions (e.g., read-only, authentication only, etc.) | Usually fully open or fully closed |
| Auditability | Can log debugging requests, authentication failures, and other events | Usually no log output |
Therefore, from a more secure perspective, the JTAG Password can serve as an additional layer of protection for the CMD_DEBUG scheme.Some may wonder: if the goal is to debug issues and troubleshoot, why delete all keys?The CMD_DEBUG command deletes keys to prevent key leakage during debugging, ensuring that the system does not expose any sensitive information when entering debug mode. Specifically, there are several reasons:
(1) Prevent Key Leakage
CMD_DEBUG is a command used to activate the internal debugging function of SHE. The debug mode may expose internal registers, memory contents, or execution paths. If keys are retained during debugging, attackers may extract keys through debugging interfaces (such as JTAG), compromising the entire system’s security.
(2) Meet Security Design Principles
A basic principle in secure hardware design is: once entering debug mode, all sensitive data must be cleared. SHE adheres to this principle, retaining only SECRET_KEY (for importing/exporting keys), UID (unique identifier), and PRNG_SEED (pseudo-random number seed).
(3) Debugging = Factory Reset
CMD_DEBUG can also be viewed as a mechanism for “factory resetting.” It allows developers or chip manufacturers to clear all user keys during debugging or fault analysis to reinitialize SHE.
(4) Prevent Bypassing Security Mechanisms
CMD_DEBUG ignores debugging protection and secure boot protection flags, meaning it can be executed in any state. To prevent malicious exploitation, the command must be executed after passing challenge-response authentication, and all keys must not be in a write-protected state.
Clickbelow to follow and discuss Autosar/embedded systems. If needed, contact the author to join the group for more professional answers.
Previous Highlights Recap
Summary of previous exciting articles on Autosar: 451~510Safe storage of Flash memory area for Flash DriverEngineering issues, communication interruption caused by unsuccessful CAN Busoff recoveryInvalid wake-up, does the ECU need to sleep immediately?How to safely store and retrieve Debug passwordUDE or APP interface display bug (toolbar display too small), how to resolve?A discussion on a software-implemented dual Bootloader SWAP schemeA discussion on a scheme for updating HSM Firmware