Infineon PSOC Control C3 Debug Port Authentication

The Infineon PSoC Control C3 series supports secure debug by using AP access authentication with a signed debug token. SEGGER implements this flow with Device Provisioner. For more information about Device Provisioner, refer to the Device Provisioner article.

PSoC Control C3 AP access authentication is implemented in the PCode_DevPro_Infineon_PSC3_DebugAuth.pex script file.

Important notes

1. After successful AP access authentication, the enabled debug access is temporary and remains available only until the device is reset or power-cycled.
2. A debug token cannot enable an access port that was permanently disabled by the device debug policy.
3. The SYS-AP must remain available. If SYS-AP access is disabled by provisioning policy, the debugger cannot upload the token or communicate with the BootROM wait-for-application (WFA) flow.
4. The debug token must match the device provisioning state and must be signed by the key expected by the BootROM.
5. The debug token file is a binary file.

Device and token requirements

The PSoC Control C3 debug authentication mechanism is handled by the device BootROM.

A valid debug token must be generated as part of the Infineon provisioning flow. In practice, the token is generated by the Infineon provisioning tools (ModusToolbox-Edge-Protect-Security-Suite), during the provisioning of the device with a debug-enabled policy. The token is generated based on the device's unique identifiers and the provisioning state, and it is signed with a key expected by the BootROM.

• Reference (Infineon):
  • 002-38998 - PSoC Control C3 MCU Programming Specification, Chapter 5.4 "Unlock the access to the CPU" and Appendix E.12/E.13.
  • AN240106 - Getting started with PSoC Control C3 security, debug token sections.
  • AN241344 - PSoC Control provisioning specification, DLM/wait-for-application (WFA) flow sections.

Locking/provisioning the device

Debug access is restricted through the PSoC Control C3 provisioning flow by programming the device debug policy and lifecycle-related assets. This is normally done with Infineon's provisioning tools and a signed DLM/RAM application package, not by the SEGGER debug-authentication script. During provisioning, the policy can configure APs as open, temporarily disabled and reopenable with a valid debug token, or permanently disabled. For secure-debug use, keep SYS-AP available and configure the required CPU APs for authenticated debug instead of permanent disable.

Usage with other SEGGER tools

During the connection procedure of some tools or during debugging, a reset may be executed. This can cause the device to require authentication again.

To avoid an unintended reset after authentication, use one of the following options where applicable:

• J-Flash: Delete the Reset init step under Options -> Project settings -> Init. steps.
• Generic solution (all SEGGER tools): Include a J-Link Script file that overrides the ResetTarget() function. See ResetTarget() for details.
• Ozone: In addition to overriding ResetTarget() in the J-Link script file, the TargetReset() function in the Ozone project file should be adjusted so the debugger attaches without relocking the target.

Usage

DevPro -operation [operation_name] -if SWD -speed 1000 [-SetConfigVal parameter_name=value] -ScriptFile PCode_DevPro_Infineon_PSC3_DebugAuth.pex

Examples

AP access authentication

Command

DevPro.exe -operation DebugAccessPortAuth -SetConfigVal DebugCertFile="debug_token.bin" -SetConfigVal DebugCertKeyType=OEM_ROT -ScriptFile "PCode_DevPro_Infineon_PSC3_DebugAuth.pex" -if SWD -speed 1000

Output

Command line: -operation DebugAccessPortAuth -SetConfigVal DebugCertFile=debug_token.bin -SetConfigVal DebugCertKeyType=OEM_ROT -ScriptFile PCode_DevPro_Infineon_PSC3_DebugAuth.pex -if SWD -speed 1000
Firmware: J-Link V12 compiled Mar 26 2026 10:14:53
S/N: 602004466

J-Link log: AP access authentication succeeded.