How to write into the BSL memory on MSP430F5438A

Hi,

My device is locked by the electronic fuse that depends on the values at addresses 0x17FC to 0x17FF: zeroes or Fs keep the device unlocked, any other values lock the device (in my case they are DE AD BA BE). So I have access to the device through BSL. I tried to write directly to these addresses using BSL, but writing into that memory field failed. However, I can still program the main memory. So I decided to make a program that can overwrite that part of BSL memory that locks/unlocks the JTAG access. So, my program failed. Let me show what I have done, and maybe you can show me where I am wrong.

This is the function that is supposed to write (4 bytes) into the BSL:

void WriteByteToBSL(uint16_t address, uint8_t* data)
{
   uint8_t * BSL_p = (uint8_t *)address;
   SYSBSLC &= ~SYSBSLPE;
   FCTL3 = FWKEY + LOCKA_L;      
   FCTL1 = FWKEY + WRT;          //Write byte or word
#if defined (_DEBUG_)
   printf("%u \n",SYSBSLC);
#endif
   *BSL_p = *data;
   FCTL1 = FWKEY;
   FCTL3 = FWKEY + LOCK_L + LOCKA_L;
   SYSBSLC |= SYSBSLPE;
}

This is the function that reads part of the BSL memory (seems to work!):

uint8_t ReadBSL(uint16_t address)
{
   SYSBSLC &= ~SYSBSLPE;
   uint8_t * BSL_p = (uint8_t *)address;
   SYSBSLC |= SYSBSLPE;
   return *BSL_p;
}

And this is the caller in main():

int main(void)
{
   uint8_t flag = 1;
   uint8_t i;
   uint8_t arr[] = {0xff, 0xff, 0xff, 0xff};
   WDTCTL = WDTPW + WDTHOLD;
   uart_init(BAUD_RATE_9600);
   IO_init();
   __delay_cycles(50000);
   WriteByteToBSL(0x17FF, &arr[0]);
   P4OUT |= BIT0;
   while(1)
   {
      if(BUTT_PRESSED && flag == 1)
      {
         for(i = 0; i < 4; i++)
            WriteByteToBSL(0x17FC + i, &arr[i]);    
         __delay_cycles(50000);              //debounce time 
         if(BUTT_PRESSED && flag == 1)
         {
            flag = 0;                        //flip-flop flag
            printf("%u \n",SYSBSLC);
            for(i = 0; i < 16; i++)
            {
               printf("%X ", ReadBSL(0x17F0 + i));    //print the values from 0x17F0 to 0x17FF
            }
            printf("\n");
         }
      }
      
      if(!BUTT_PRESSED && flag == 0)
         flag = 1;
      P4OUT ^= BIT1;
   }
}


  • Hi Radoslav,

    The problem is actually in main: you are telling it to write 0xFF to all bytes. Flash doesn't work this way - with Flash the only way for a byte to go from 0->1 is an erase. And you can't do that in this case because erase will erase an entire flash segment, which would mean you would lose your BSL and be locked out for good. So what you should do is instead set arr[] to all 0x00, because the flash write can knock bits down from 1->0. This is why the JTAG lock accepts either 00 or FF for unlocking the JTAG.

    Other potential solutions - use the BSL to write 0's here, instead of having your application code do it. You can do this by using the commands to first write to the address of the SYSBSLC register (should be able to find this in datasheet or map file or somewhere) and write the register to make SYSBSLPE = 0. Then perform the write to the 0x17FC-FF address to set all to 0.

    -Katie
  • Thank you, Katie. You are right as always :)
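
The flash behaviour described in the answer above, as a host-side model. This is an added example, not code from the thread or from TI, and it does not touch MSP430 registers; the helper names are hypothetical. It shows why writing 0xFF over DE AD BA BE changes nothing while writing 0x00 yields an unlocked signature.

```c
/* Host-side model (added example, not MSP430 code): flash program semantics
   for the JTAG lock signature at 0x17FC-0x17FF. Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SIG_LEN 4

/* Programming can only clear bits (1 -> 0): the cell becomes old AND new. */
static uint8_t flash_program_byte(uint8_t cell, uint8_t value)
{
    return cell & value;
}

/* Program the signature; returns 1 only if a read-back verify would pass. */
static int program_signature(uint8_t sig[SIG_LEN], const uint8_t want[SIG_LEN])
{
    int ok = 1;
    for (int i = 0; i < SIG_LEN; i++) {
        sig[i] = flash_program_byte(sig[i], want[i]);
        ok &= (sig[i] == want[i]);
    }
    return ok;
}

/* Per the thread: all 0x00 or all 0xFF is unlocked, anything else is locked. */
static int jtag_locked(const uint8_t sig[SIG_LEN])
{
    static const uint8_t zeros[SIG_LEN] = {0x00, 0x00, 0x00, 0x00};
    static const uint8_t ones[SIG_LEN] = {0xFF, 0xFF, 0xFF, 0xFF};
    return memcmp(sig, zeros, SIG_LEN) != 0 && memcmp(sig, ones, SIG_LEN) != 0;
}

/* Write `fill` over the locked signature from the question (DE AD BA BE);
   returns 1 if the device would still be locked afterwards. */
static int locked_after_write(uint8_t fill)
{
    uint8_t sig[SIG_LEN] = {0xDE, 0xAD, 0xBA, 0xBE};
    uint8_t want[SIG_LEN];
    memset(want, fill, SIG_LEN);
    int verified = program_signature(sig, want);
    printf("write 0x%02X -> %02X %02X %02X %02X, verify %s\n", fill,
           sig[0], sig[1], sig[2], sig[3], verified ? "ok" : "failed");
    return jtag_locked(sig);
}

int main(void)
{
    /* 0xFF cannot raise bits (still locked); 0x00 clears them all (unlocked). */
    return (locked_after_write(0xFF) == 1 && locked_after_write(0x00) == 0) ? 0 : 1;
}
```

A partial pattern such as 0x0F also leaves the model locked, because the result is neither all zeroes nor all Fs.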
