• State Resolved
  • Locked Locked
  • Replies 22 replies
  • Subscribers 80 subscribers
  • Views 3319 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

JTAG blocking/unblocking on MSP430F5638

Boris Bychkov
Prodigy 140 points
Other Parts Discussed in Thread: MSP430F5638

Hello everyone.

Sorry for my bad English. I need to block JTAG on MSP430F5638 but not permanently. After reading "Programming Via the JTAG Interface User's Guide" (slac320t) I think that I should do the following actions.

To block JTAG via JTAG:

  1. set the SYSBSLPE in the SYSBSLC register to 0,
  2. set any value other than 0 or 0xFFFFFFFF at addresses 0x17FC to 0x17FF,
  3. initiate a Brownout Reset.

To unblock JTAG via BSL (there are no other unblocking ways):

  1. set the SYSBSLPE in the SYSBSLC register to 0,
  2. set 0 or 0xFFFFFFFF at addresses 0x17FC to 0x17FF,
  3. initiate a Brownout Reset.

Is it correct? According to a few forums and docs it is. But I don't understand what commands I should use (both JTAG and BSL), where I should that command write, how I should run they, what software and hardware I need. On all forums I read users write about "program a value to an address in memory". But how do it? Should I reprogram a programmer to perform these actions? Is it necessary to get a BSL programmer for program via BSL?

I'm a student. Possibly these questions are absurd. Possibly I don't understand English docs correctly and I miss the point...

I have:

  • MSP-TS430PZ100USB with MSP430F5638,
  • programmer MSP-FET430UIF,
  • IAR EWB MSP430 6.3.

Thank you for you help.

  • 0
    Guru 33653 points

    Boris Bychkov said:

    To block JTAG via JTAG:

    1. set the SYSBSLPE in the SYSBSLC register to 0,
    2. set any value other than 0 or 0xFFFFFFFF at addresses 0x17FC to 0x17FF,
    3. initiate a Brownout Reset.

    To unblock JTAG via BSL (there are no other unblocking ways):

    1. set the SYSBSLPE in the SYSBSLC register to 0,
    2. set 0 or 0xFFFFFFFF at addresses 0x17FC to 0x17FF,
    3. initiate a Brownout Reset.

    Yes. Soft JTAG fuse is located inside BSL area (017FCh). Blowing can be done by writing four 055h bytes, and unblow can be done by writing four 000h bytes. For returning fuse values to initial state (0FFh) BSL must be reflashed.

    http://forum.43oh.com/topic/2972-sbw-msp430f550x-based-programmer/?p=44019

  • 0 in reply to zrno soli
    Prodigy 140 points
    Thank you very much!
    According to those posts you created a hand made programmer to program MSP430. And all examples in that topic are for your programmer.
    But what hardware and software I need to block/unblock JTAG? Is it necessary for me to assemble and use your programmer? In case I can't do JTAG blocking without your programmer: where I can find any examples suitable for MSP430F5638?
  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:
    Thank you very much!
    According to those posts you created a hand made programmer to program MSP430. And all examples in that topic are for your programmer.
    But what hardware and software I need to block/unblock JTAG? Is it necessary for me to assemble and use your programmer? In case I can't do JTAG blocking without your programmer: where I can find any examples suitable for MSP430F5638?

    Linked post is related to blowing / unblowing JTAG fuse in general, with any available tool, not only with my programmer. By default JTAG fuse values are erased (0FFh). Writing 055h can be done by BSL / JTAG / SBW or application code (executing on target device). Changing 055h > 000h (unlocking) can be done by BSL or application code. Changing again 000h value (back to 0FFh) is not possible without erasing BSL.
    This is related to all MSP430F5xx devices. For BSL can be used TI open source BSL_Scripter with LP based BSL. for SBW can be used LP. 
  • 0 in reply to zrno soli
    Prodigy 140 points
    OK. I thought we can't do these operations by application code...
    1) Explain me please which memory access commands I should use to write values (055h) to BSL memory.
    2) Why we can't write 0FFh without erasing BSL?
    3) Is it important for unblocking what value (0FFh or 000h) is in 017FCh?
  • 0 in reply to Boris Bychkov
    Prodigy 140 points

    Boris Bychkov said:

    1) Explain me please which memory access commands I should use to write values (055h) to BSL memory.
     

    Sorry...

    1) Explain me please which memory access commands I should use to write values (055h) to BSL memory by application code.

  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:
    OK. I thought we can't do these operations by application code...
    1) Explain me please which memory access commands I should use to write values (055h) to BSL memory.
    2) Why we can't write 0FFh without erasing BSL?
    3) Is it important for unblocking what value (0FFh or 000h) is in 017FCh?

    BSL memory (017FCh) is flash, not RAM. First, BSL area must be unlocked by updating value on address 0128h (SYSBSLC / SYSBSLPE). Than flash byte / word write can update 017FCh fuse values. Flash write code examples can be found in 5xx / 6xx family datasheet.
    Locking device...
    @182
    03 00
    @017FC
    55 55 55 55
    Or unlocking...
    @182
    03 00
    @017FC
    00 00 00 00
    After flash memory is erased (0FFh) only 1 to 0 bit changing is possible by flash write. When bits are set to 0 (fuse bytes 000h) it is possible to change it again only after flash segment erase (0FFh). Fuse values are stored in BSL flash segment, and if segment is erased BSL must be recovered (by flash write). Both fuse byte values 000h and 0FFh will enable SBW / JTAG.
  • 0 in reply to zrno soli
    Prodigy 140 points

    Thank you.

    zrno soli said:

    Than flash byte / word write can update 017FCh fuse values. Flash write code examples can be found in 5xx / 6xx family datasheet.

    I tried to search the examples but my efforts haven't given any useful result... Can you help me?
     And there is more question.
    If the BSL reflashing (BSL erasing + BSL recovering) is necessary to repeat block values (55...) , I can't do blocking/unblocking JTAG only by an application code. Is it true?
  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:
    I tried to search the examples but my efforts haven't given any useful result... Can you help me?

    Files msp430f665x_flashwrite_0x.c from slac539 MSP430F665x MSP430F565x Code Examples.
    It is also explained with code examples in Flash Memory Controller (Chapter 7) in slau208 MSP430x5xx MSP430x6xx Family User's Guide.
    Boris Bychkov said:
    And there is more question.
    If the BSL reflashing (BSL erasing + BSL recovering) is necessary to repeat block values (55...) , I can't do blocking/unblocking JTAG only by an application code. Is it true?
    Flash memory after erase (0FFh values) can be changed (by flash write) to 055h and from 055h to 000h only once. There is no way to back from 000h to 055h or 0FFh without erasing. And erasing fuse segment will also erase part of BSL, so BSL must be restored.
  • 0 in reply to zrno soli
    Prodigy 140 points
    Thank you.
    Is an application program on MSP430 protected from copiyng If I block JTAG? Because BSL interface is protected by password.
  • 0 in reply to zrno soli
    Prodigy 140 points
    One more question.
    Why I can't copy the BSL segment to INFO segments, then erase BSL segment, then restore BSL data from INFO memory but add my JTAG lock key value (00h, 55h, ffh or another)? Is that proccess possible? It is without festored BSL by special hardware.
  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:
    One more question.
    Why I can't copy the BSL segment to INFO segments, then erase BSL segment, then restore BSL data from INFO memory but add my JTAG lock key value (00h, 55h, ffh or another)? Is that proccess possible? It is without festored BSL by special hardware.

    Yes, this is possible, and it can be done by your application without special hardware. BSL size is 4 KByte, and Info size is 512 bytes. It will be enough to restore just BSL3 segment (01600h-017FFh, 512 bytes) where JTAG fuse values are stored.

  • 0 in reply to zrno soli
    Prodigy 140 points
    Thank you very much!
  • 0 in reply to zrno soli
    Prodigy 140 points

    I think application code writing necessary value to BSL flash should consist of the following parts.

    1. erase info flash segments (A,B,C,D)
    2. write data from BSL3 to info flash
    3. erase BSL3 segment
    4. write data from info flash to BSL3 (except the last four bytes)
    5. write necessary values (JTAG lock key) to the last four bytes in BSL3

    The code is here.

    1) But what will happen in case a power off occurs during the part 4? Will MSP430 be operability after reset? If the device is all right I think it's possible to write up saved BSL3 data from info flash.

    2) Can we use RAM instead of info flash in this algorithm?

    //------------------------------------------------------------------------------
// Fill JTAG lock key in BSL flash area with given bytes
// |_ value: a value which JTAG lock key will be fill with
//------------------------------------------------------------------------------
void write_JTAGkey(char value)
{
  unsigned int i;
  char * Flash_ptr;                         // Flash pointer
  char * FlashBSL_ptr;                      // BSL flash pointer
  
  _DINT();                                  // Disable interrupts
  FCTL3 = FWKEY;                            // Clear LOCK bit
  
  // Erase info flash segments A,B,C,D
  FCTL1 = FWKEY|ERASE;                      // Set ERASE bit
  Flash_ptr = (char *) 0x1800;              // Seg D
  *Flash_ptr = 0;                           // Dummy write to erase flash seg
  Flash_ptr = (char *) 0x1880;              // Seg C
  *Flash_ptr = 0;                           // Dummy write to erase flash seg
  Flash_ptr = (char *) 0x1900;              // Seg B
  *Flash_ptr = 0;                           // Dummy write to erase flash seg
  Flash_ptr = (char *) 0x1980;              // Seg A
  *Flash_ptr = 0;                           // Dummy write to erase flash seg
  FCTL1 = FWKEY;                            // Clear ERASE bit
  
  SYSBSLC &= ~SYSBSLPE;                     // Clear SYSBSLPE bit
    
  // Write data from BSL3 to A,B,C,D
  FCTL1 = FWKEY|WRT;                        // Set WRT bit
  Flash_ptr = (char *) 0x1800;              // Seg D
  FlashBSL_ptr = (char *) 0x1600;           // BSL3 seg
  for (i = 0; i < 512; i++)
  {
    *Flash_ptr++ = *FlashBSL_ptr++;         // Copy BSL3 to info flash
  }
  FCTL1 = FWKEY;                            // Clear WRT bit
  
  // Erase BSL3 seg
  FCTL1 = FWKEY|ERASE;                      // Set ERASE bit
  FlashBSL_ptr = (char *) 0x1600;           // BSL3 seg
  *FlashBSL_ptr = 0;                        // Dummy write to erase flash seg
  FCTL1 = FWKEY;                            // Clear ERASE bit
  
  // Write data from A,B,C,D to BSL3
  FCTL1 = FWKEY|WRT;                        // Set WRT bit
  Flash_ptr = (char *) 0x1800;              // Seg D
  FlashBSL_ptr = (char *) 0x1600;           // BSL3 seg
  for (i = 0; i < 508; i++)                 // 512-4=508 byte
  {
    *FlashBSL_ptr++ = *Flash_ptr++;         // Copy info flash to BSL3
  }
  FCTL1 = FWKEY;                            // Clear WRT bit
  
  // Write JTAG lock key to BSL3
  FCTL1 = FWKEY|WRT;                        // Set WRT bit
  FlashBSL_ptr = (char *) 0x17FC;           // JTAG lock key address
  for (i = 0; i < 4; i++)                   // 4 byte
  {
    *FlashBSL_ptr++ = value;                // Fill key with value
  }
  FCTL1 = FWKEY;                            // Clear WRT bit
  
  SYSBSLC |= SYSBSLPE;                      // Set SYSBSLPE bit
  
  FCTL3 = FWKEY|LOCK;                       // Set LOCK bit
  _EINT();                                  // Enable interrupts
}

  • 0 in reply to Boris Bychkov
    Guru 58965 points
    A very good start!
    The devil is in the details. I will try to examine t he details of your code.
  • 0 in reply to old_cow_yellow
    Guru 58965 points
    Additional comments.

    (a) If the current 4-byte JTAG lock are all 0xFF, one may use a short-cut -- just re-write them with the (long)value without Erase operation.

    (b) Otherwise, one may modify your step#2 so that the high-address 4-byte of InfoA has the new (long)value instead of the old JTAG lock. This is so that your step#4 and step#5 do not need to do that.

    (c) Use RAM instead of InfoFlash is risky and not possible for chips with small RAM.
  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:

    I think application code writing necessary value to BSL flash should consist of the following parts.

    1. erase info flash segments (A,B,C,D)
    2. write data from BSL3 to info flash
    3. erase BSL3 segment
    4. write data from info flash to BSL3 (except the last four bytes)
    5. write necessary values (JTAG lock key) to the last four bytes in BSL3

    The code is here.

    1) But what will happen in case a power off occurs during the part 4? Will MSP430 be operability after reset? If the device is all right I think it's possible to write up saved BSL3 data from info flash.

    2) Can we use RAM instead of info flash in this algorithm?

    Info A segment must be unlocked for flash operations. BSL will not be updated, so you can store last BSL segment to Info only once (together with main memory flashing), forever. Later, it can be recovered from Info anytime. Copy flashing function (erase / block write) to RAM and execute it from there to minimize power-off impact.

  • 0 in reply to zrno soli
    Guru 58965 points
    info B, C, D are not protected. it is more risky if we rely on them to backup BSL3 (in long term) without protection and checking.

    come to think of it, to store in flash (in long term) any code fragments that access the flash controller and the SYSBSLC Register is risky too. (the CPU may crash into those code fragments and erase or write flash unintentionally.)
  • 0 in reply to zrno soli
    Prodigy 140 points

    zrno soli said:
    Info A segment must be unlocked for flash operations.

    It is performing by the command FCTL3 = FWKEY, isn't it?

    zrno soli said:

    BSL will not be updated, so you can store last BSL segment to Info only once (together with main memory flashing), forever. Later, it can be recovered from Info anytime.

    Will MSP430 restart properly with erased BSL3 segment?

    zrno soli said:
    Copy flashing function (erase / block write) to RAM and execute it from there to minimize power-off impact.

    Is it necessary? How is it minimize power-off impact and how is it doing?...
  • 0 in reply to old_cow_yellow
    Prodigy 140 points

    old_cow_yellow said:

    (b) Otherwise, one may modify your step#2 so that the high-address 4-byte of InfoA has the new (long)value instead of the old JTAG lock. This is so that your step#4 and step#5 do not need to do that.

    I think step#4 is necessary in any case... This step recovers BSL3 data.

    old_cow_yellow said:

    come to think of it, to store in flash (in long term) any code fragments that access the flash controller and the SYSBSLC Register is risky too. (the CPU may crash into those code fragments and erase or write flash unintentionally.)

    Is there a more safety way to block/unblock JTAG by application code?

  • 0 in reply to Boris Bychkov
    Guru 33653 points

    Boris Bychkov said:

    It is performing by the command FCTL3 = FWKEY, isn't it?

    Will MSP430 restart properly with erased BSL3 segment?

    Is it necessary? How is it minimize power-off impact and how is it doing?...

    Info A is can be unlocked by FCTL3 = FWKEY + LOCKA
    MSP430F5xx will start with completely erased BSL. If it will start with erased only BSL3 segment? I don't know, didn't try this.
    Flash block write executed from RAM will go around 100 KByte/s, without stopping execution.
    Flash write executed from flash is slower, and execution will be stopped during byte/word writing.
    Faster flash writing, shorter vulnerable period.
    Boris Bychkov said:
    Is there a more safety way to block/unblock JTAG by application code?
    You can blow fuse and use your customized BSL with AES (or something similar) for updates.
    Or your application code can update itself.
    Don't see any reason that application must enable / disable JTAG fuse, for updates by JTAG.
    And in this case nothing is protected. Code or target device, whatever.
  • 0 in reply to Boris Bychkov
    Guru 58965 points
    Boris,

    The 32-bit JTAG lock has only three states. When all 32 bits are:
    (a) “all 1”, JTAG access is unlocked,.
    (b) “ mixed 1 and 0”, JTAG access is locked
    (c) “all 0”, JTAG access is unlocked.

    A. It is relatively easy to change from (a) to (b).
    B. It is just as easy to change from (b) to (c).
    C. But it is more complex to change from (c) or (b) to (a).

    I suggest instead of the can-do-them-all subroutine you already wrote, you write three complete self-sufficient routines to handle A, B, and C separately.

    As self-sufficient routines, you can use a conservative DCO frequency to generate MCLK and avoid FLL and external crystal. You do not need to enable any interrupts. You can keep it simple and stupid.

    To do A or B, you could use BSL to download your code into ram and execute it there without altering the content of any flash other than the JTAG lock bytes. After your code has done its job and checked it, it could do a self-destruct and disappear.

    To do C, you could use either BSL or JTAG to download your code and erase all the other main flash. If all the chips you use have the same BSL code, you could include a copy of BSL3 in part of the main flash. Otherwise you must copy BSL3 to part of main flash at run time. Again, it could do self-destruct and disappear after it verified that the job is done.

    I do not have MSP430F5638, but I can read your code if you want.

    --OCY
  • 0 in reply to old_cow_yellow
    Prodigy 140 points
    Thank you everybody for help!

    • **Attention** This is a public forum