In it's bare state after bootup, the DATA fields CANNOT be read because U-Boot on the WODE sets the "READ-PROTECTION" bit in the OTP READ-PROT field. Trying to read the data stored there anyway, will only return zero ("0x00") output.

​

POI's:

​

• Offset 0x13005000: Start of the OTP area (32-bit CONTROL registers) *

• Offset 0x13005004: 32-bit READ-PROTECTION registers **

• Offset 0x13005008: 32-bit WRITE-PROTECTION registers ***

• Offset 0x1300501C: First word of 128 bit bootloader AES key

• Offset 0x13005020: Second word of 128 bit bootloader AES key

• Offset 0x13005024: Third word of 128 bit bootloader AES key

• Offset 0x13005028: Fourth word of 128 bit bootloader AES key

• Offset 0x13005044: USB-DFU 16-bit Vendor ID & 16-bit Product ID (UNUSED)

• Offset 0x13005048: 32-bit Chip configuration data ****

• Offset 0x1300504B: End of the OTP area

​​

* - The CONTROL field holds value 0x000001F0 value after startup (bits 4 - 8 are set). This is the address for writing and copying the FUSE data.

​

** - The READ-PROTECTION field holds value 0x8000FFFF after startup (bits 0-15 and bit 31 are set). This means, that the OTP DATA FIELDS 0 - 15 cannot be read and that it's set to READ-LOCK.

​

*** - The WRITE-PROTECTION field holds value 0x0000FFFF after startup (bits 0-15 are set). This means, that the OTP DATA FIELDS 0 - 15 cannot be written to.

​

**** - The chip configuration data field sets up several bits to the end user, like security, ID and boot options:

​

• bit 0 - 5: Chip ID

• bit 6 - 21: Reserved by NXP (at least stores "TEST MODE ENABLE" and "ALLOW UNSEURE BOOT" bits)

• bit 22: DFU-Passthrough option (kind of failsafe option for recovery if anything goes wrong during bootup)

• bit 23: "VALIDITY" bit for Vendor ID and Product ID of the USB-Controller used by USB-DFU boot mode

• bit 24: "VALIDITY" bit for the programmed bootloader AES key

• bit 25 - 28: Reserved

• bit 29 - 31: JTAG security (there are up to 4 different levels of security possible *****)

​​

***** - JTAG Security Levels:

​

• Level 0 (no bit is set): Absolutely no security at all

• Level 1 (bit 29 is set): Password protected (needs end-user application to be unlocked)

• Level 2 (bit 29 and bit 30 are set): Used by NXP for RMA (Return Material Analysis)

• Level 3 (bit 29, bit 30 and bit 31 are set): No access (Boundary Scan ONLY) / Chip is LOCKED

​

The data of address 0x13005048 was recovered by investigating the source code of the Xk3y firmware, which runs on a LPC3143 as well. It also runs the same bootloader (though, the source code base was updated) and was designed by the very same developers. It includes the OTP factory programming code.

​

When it comes to the WODE and by inspecting the bits as well as the source code of the Xk3y bootloader and the CDL of the LPC3141 / LPC3143, these bits were recovered for it's setup at factory:

​

OTP_data_15 = 0xE160000B

​

Bits 0, 1, 3 are set (0xB) for the Chip ID (which is an LPC3143).

Bits 20 is NOT set (disallowing "UNSECURE BOOT" to the end user).

​

Bit 21 is set (allows for "TEST MODE")

​

Bit 22 is NOT set (no recovery possible which means, the LPC3143 won't switch to USB-DFU boot mode automatically once it failed booting from the SPI-NOR flash). Though, this can be circumvented by boot mode manipulation of the GPIO0, GPIO1 and GPIO2 pins.

​

Bit 23 is NOT set (as the USB Vendor ID and Product ID fields are of no use).

Bit 24 is set (the programmed bootloader AES key is VALID).

​

Bits 29 - 31 are set (the Chip is LOCKED / Boundary Scan is possible by pulling the JTAGSEL pin of port J6 on the back of the WODE main PCB to GND).

​