RMA Entry Method and Process
The chip enters and exits the RMA state by burning the physical OTP:
Program the number of bit 1 in
0x700 bit[7:0]to an odd number to enter RMA mode.The initial value of
0x700 bit[7:0]is0xFF. The first time entering RMA state, it should be programmed to0xFE(number of bit 1 is 7, which is odd) to enter RMA mode.AT+OTP=WRAW,0x700,1,FE
Reset the chip. The chip will enter RMA state.
After the RMA process is completed, the customer can program the number of bit 1 in
0x700 bit[7:0]to an even number to exit RMA mode:AT+OTP=WRAW,0x700,1,FC
Reset the chip. The chip will exit RMA state.
Note
For chips after RTL8721F, the RMA-related areas can only be accessed under secure mode.
Ameba SoCs allow a maximum of 3 transitions into and out of RMA state. Exceeding this count will cause the chip to enter the decommissioned state. Before triggering RMA, it is recommended that the user first export the required data.
User Data Protection in RMA State
To ensure the privacy and security of user data, parts of the OTP area are inaccessible after the chip enters RMA state:
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x4FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x3FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x3FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x3FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x3FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x3FF will be inaccessible.
In RMA mode, the security area 0x200 ~ 0x37F and user-defined physical area 0x380 ~ 0x4FF will be inaccessible.
Since the security area is unreadable, all data encryption and identity authentication that depend on HUK will be invalid.
Secure Boot in RMA State
To prevent the execution of unauthorized firmware during the RMA process, Realtek implements an RMA secure boot mechanism. After the user writes the RMA Public Key Hash, only firmware signed with this key can be executed.
Note
For detailed mechanism, refer to Secure Boot
SWD Password Protection in RMA State
SWD (Serial Wire Debug) is the main means of chip debugging. To prevent malicious usage in RMA state, the chip requires entering the RMA SWD key after enabling SWD key protection in the RMA state to connect the debugger.
Note
For detailed mechanism, refer to SWD Protection
Decommission State (EOL/Decommission)
When the chip is EOL (End-Of-Life), fails, or is intentionally destructed for security, it will enter the irreversible decommission state.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users have to implement the decommission state logic by themselves. Realtek recommends: If the User Define area of the OTP is not locked, this OTP area must be fully erased by writing zeros to protect sensitive data from leakage.
Users can enter the decommission state by programming the physical OTP:
Program the value of
0x700 bit[7:0]to0to enter the decommission state.AT+OTP=WRAW,0x700,1,00
Reset the chip. The chip will fail to boot.
After OTP programming:
All OTP bits are permanently erased.
The entire chip’s boot phase is completely locked, preventing recovery to any other lifecycle state.
No further entry into RMA state is possible, and the chip cannot be debugged or unlocked.
In decommission state, if the chip attempts to power on, it will only output a decommission log via LOG_UART and cannot execute any application programs.
Caution
All production lines, after-sales, and maintenance stages must strictly record/audit the decommissioning process and confirm its irreversibility.
Unlike the general RMA state, after entering the decommissioned state, the chip is completely scrapped, with higher security level, and cannot be used for analysis or recovery.
