TMS320F28388D: Copy code from DCSM secure zone to un-secure zone

Part Number: TMS320F28388D

Dear Champs,

Customer tried to copy the code to run from secure zone in DCSM to normal Flash section but met crash result. 

They configured "Device_init” in secure Flash by DCSM but met CPU crash when is running in Flash_initModule (in RAMGSx).

Does anyone have any suggestions for this issue? Because we can  use this method in F2837x but always failed to crash in F2838x.

If you have any suggestions, please feel free to let me know.

Thanks a lot.

Best regards,

Janet

  • Hi Janet,

    So in this case customer is copying some function (flash initialization) from secure flash to non-secure RAM. Correct ? If yes, can you confirm where the memcpy function is placed ? This should be in secure memory only to be able to copy data from secure flash. Please refer section "Usage of memcpy Function From the RTS Library" in this appnote for more detail on this.

    Next thing to check is the security configuration of flash sector. There is a bit difference in configuration value if using both the zone. If using only one zone then  this should not matter as long as other zone is unsecure (done by BOOTROM code for default passwords).

    Regards,

    Vivek Singh

  • Hi Janet.

    Let me know if you have any further queries on this topic.

    Regards,

    Vivek Singh

  • Dear Vivek,

    Thanks for your following up.

    Our customer will explain their detail concerns later.

    Thanks a lot.

    Best regards,

    Janet

  • Dear Vivek,

        Yes, we had check memcpy(rts2800_fpu64_eabi.lib) in flash2( address 0x0008285D), even, we try to use a for loop copy code to global ram, it still crash at jump to Flash_initModule function.

        We had try a sample as  follow. In this case, We try to make all the code in  secure Flash by DCSM. After DCSM, this code will not work, continuous trigger reset(XRS) and reboot. Hope this code is helpful to this topic.

    #include "device.h"
    #include "driverlib.h"
    
    #define ON                      1
    #define OFF                     0
    #define GPIO_PIN_LED_RED     34
    
    void Init_GPIO(void)
    {
        //
        // Enable a GPIO output on GPIO6, set it high
        //
        GPIO_setPadConfig(GPIO_PIN_LED_RED, GPIO_PIN_TYPE_PULLUP);     // Enable pullup on GPIO6
        GPIO_writePin(GPIO_PIN_LED_RED, ON);                           // Load output latch
        GPIO_setPinConfig(GPIO_34_GPIO34);                                  // GPIO6 = GPIO6
        GPIO_setDirectionMode(GPIO_PIN_LED_RED, GPIO_DIR_MODE_OUT);    // GPIO6 = output
    }
    
    void delayMS(uint32_t t) {
        int i;
        for(i=0;i<t;++i) {
            DEVICE_DELAY_US(1000);
        }
    }
    
    int main(void)
    {
        //
        // Initialize device clock and peripherals
        //
        Device_init();
    
        //
        // Disable pin locks and enable internal pull-ups.
        //
        Device_initGPIO();
    
        //
        // Initialize PIE and clear PIE registers. Disables CPU interrupts.
        //
        Interrupt_initModule();
    
        //
        // Initialize the PIE vector table with pointers to the shell Interrupt
        // Service Routines (ISR).
        //
        Interrupt_initVectorTable();
    
        //
        // Initialize other function
        //
        Init_GPIO();
        while(1) {
            GPIO_writePin(GPIO_PIN_LED_RED, ON);
            delayMS(500);
            GPIO_writePin(GPIO_PIN_LED_RED, OFF);
            delayMS(500);
        }
    	return 0;
    }

    MEMORY
    {
       /* BEGIN is used for the "boot to Flash" bootloader mode   */
       BEGIN            : origin = 0x080000, length = 0x000004
       BOOT_RSVD        : origin = 0x000002, length = 0x0001AE     /* Part of M0, BOOT rom will use this for stack */
       RAMM0            : origin = 0x0001B0, length = 0x000250
       RAMM1            : origin = 0x000400, length = 0x000400     /* on-chip RAM block M1 */
       RAMD0_1          : origin = 0x00C000, length = 0x001000
       RAMLS0_1         : origin = 0x008000, length = 0x001000
       RAMLS2_7           : origin = 0x009000, length = 0x003000
       RAMGS0_15           : origin = 0x00D000, length = 0x010000
    
       /* Flash sectors */
       FLASH0_4         : origin = 0x080004, length = 0x00FFFC  /* on-chip Flash */
       FLASH5_8         : origin = 0x090004, length = 0x01FFFC  /* on-chip Flash */
       FLASH9_12        : origin = 0x0B0000, length = 0x00E000  /* on-chip Flash */
       FLASH13          : origin = 0x0BE000, length = 0x002000  /* on-chip Flash */
    
       CPU1TOCPU2RAM   : origin = 0x03A000, length = 0x000800
       CPU2TOCPU1RAM   : origin = 0x03B000, length = 0x000800
       CPUTOCMRAM      : origin = 0x039000, length = 0x000800
       CMTOCPURAM      : origin = 0x038000, length = 0x000800
    
       CANA_MSG_RAM     : origin = 0x049000, length = 0x000800
       CANB_MSG_RAM     : origin = 0x04B000, length = 0x000800
    
       RESET            : origin = 0x3FFFC0, length = 0x000002
    }
    
    SECTIONS
    {
       codestart        : > BEGIN  ,PAGE = 0, ALIGN(4)
       .text            : >> FLASH0_4,PAGE = 0, ALIGN(4)
       .cinit           : > FLASH0_4,PAGE = 0, ALIGN(4)
       .switch          : > FLASH0_4, PAGE = 0,ALIGN(4)
       .reset           : > RESET, TYPE = DSECT /* not used, */
       .stack           : > RAMD0_1
       dcsm_data_section : > RAMLS2_7                   PAGE = 0
    
    #if defined(__TI_EABI__)
       .init_array      : > FLASH0_4, ALIGN(4)
       .bss             : > RAMGS0_15
       .bss:output      : > RAMGS0_15
       .bss:cio         : > RAMGS0_15
       .data            : > RAMGS0_15
       .sysmem          : > RAMGS0_15
       /* Initalized sections go in Flash */
       .const           : > FLASH0_4, ALIGN(4)
    #else
       .pinit           : > FLASH1, ALIGN(4)
       .ebss            : > RAMLS5
       .esysmem         : > RAMLS5
       .cio             : > RAMLS5
       /* Initalized sections go in Flash */
       .econst          : >> FLASH4 | FLASH5, ALIGN(4)
    #endif
    
       MSGRAM_CPU1_TO_CPU2 : > CPU1TOCPU2RAM, type=NOINIT
       MSGRAM_CPU2_TO_CPU1 : > CPU2TOCPU1RAM, type=NOINIT
       MSGRAM_CPU_TO_CM    : > CPUTOCMRAM, type=NOINIT
       MSGRAM_CM_TO_CPU    : > CMTOCPURAM, type=NOINIT
    
    
       #if defined(__TI_EABI__)
           .TI.ramfunc : {} LOAD = FLASH0_4,
                            RUN = RAMGS0 | RAMGS1 | RAMGS2 |RAMGS3,
                            LOAD_START(RamfuncsLoadStart),
                            LOAD_SIZE(RamfuncsLoadSize),
                            LOAD_END(RamfuncsLoadEnd),
                            RUN_START(RamfuncsRunStart),
                            RUN_SIZE(RamfuncsRunSize),
                            RUN_END(RamfuncsRunEnd),
                            ALIGN(4)
       #else
           .TI.ramfunc : {} LOAD = FLASH3,
                            RUN = RAMLS0 | RAMLS1 | RAMLS2 |RAMLS3,
                            LOAD_START(_RamfuncsLoadStart),
                            LOAD_SIZE(_RamfuncsLoadSize),
                            LOAD_END(_RamfuncsLoadEnd),
                            RUN_START(_RamfuncsRunStart),
                            RUN_SIZE(_RamfuncsRunSize),
                            RUN_END(_RamfuncsRunEnd),
                            ALIGN(4)
       #endif
    
    }

          .sect "dcsm_z1otp_link_pointer"
          .retain
          .long 0x00003FFF     ;Z1OTP_LINKPOINTER1
          .long 0x00003FFF     ;Z1OTP_LINKPOINTER2
          .long 0x00003FFF     ;Z1OTP_LINKPOINTER3
    
          .sect "dcsm_z1otp_jlm_enable"
          .retain
          .long 0xFFFF000F     ;Z1OTP_JLM_ENABLE
    
          .sect "dcsm_z1otp_gpreg"
          .retain
          .long 0xFFFFFFFF     ;Z1OTP_GPREG1
          .long 0xFFFFFFFF     ;Z1OTP_GPREG2
          .long 0xFFFFFFFF     ;Z1OTP_GPREG3
          .long 0xFFFFFFFF     ;Z1OTP_GPREG4
    
          .sect "dcsm_z1otp_pswd_lock"
          .retain
          .long 0x007FFFFF     ;Z1OTP_PSWDLOCK
    
          .sect "dcsm_z1otp_crc_lock"
          .retain
          .long 0x7FFFFFFF     ;Z1OTP_CRCLOCK
    
          .sect "dcsm_z1otp_jtag_pswdh"
          .retain
          .long 0x4bFFFFFF     ;Z1OTP_JTAGPSWDH0
          .long 0x3FFFFFFF     ;Z1OTP_JTAGPSWDH1
    
          .sect "dcsm_z1otp_cmac_key"
          .retain
          .long 0xFFFFFFFF     ;Z1OTP_CMACKEY0
          .long 0xFFFFFFFF     ;Z1OTP_CMACKEY1
          .long 0xFFFFFFFF     ;Z1OTP_CMACKEY2
          .long 0xFFFFFFFF     ;Z1OTP_CMACKEY3
    
          .sect "dcsm_zsel_z1"
          .retain
          .long 0x87654321     ;Z1OTP_CSMPSWD0 (LSW of 128-bit password)
          .long 0x4D770000     ;Z1OTP_CSMPSWD1
          .long 0x12345678     ;Z1OTP_CSMPSWD2
          .long 0x19916140     ;Z1OTP_CSMPSWD3 (MSW of 128-bit password)
    
          .long 0x05555555     ;Z1OTP_GRABSECT1 CPU1 flash : ALL
          .long 0x0FFFFFFF     ;Z1OTP_GRABSECT2 CM core
          .long 0x0FFFFFFF     ;Z1OTP_GRABSECT3 CPU2 flash
          .long 0x00055555     ;Z1OTP_GRABRAM1
          .long 0xFFFFFF0F     ;Z1OTP_GRABRAM2
          .long 0x000FFFFF     ;Z1OTP_GRABRAM3
    
    ;;    .long 0x3FFF3FFF     ;Z1OTP_EXEONLYSECT1
    ;;    .long 0x00003FFF     ;Z1OTP_EXEONLYSECT2
    ;;    .long 0xFFC303FF     ;Z1OTP_EXEONLYRAM1
    ;;    .long 0xFFFFFFFF     ;Reserved
    ;;    .long 0xFFFFFFFF     ;Z1OTP_JTAGPSWDL0
    ;;    .long 0x27FFFFFF     ;Z1OTP_JTAGPSWDL1

    Regards,

    Kenny Jhan

  • Did you check if the code is getting copied correctly ? You can do that by halting CPU at  Flash_initModule function and then unlocking the zone and check the value.

    Regards,

    Vivek Singh

  • Dear Vivek,

        If I connected XDS200 (unlock DCSM), it copied correctly. If not, it will crash and reboot. When lanch and load symbols RAMGS0(0xD000) hacen't any data, and code stay in function _Fapi_setupFlashStateMachine (F2838x_C28x_FlashAPI.lib).

  • When lanch and load symbols RAMGS0(0xD000) hacen't any data, and code stay in function _Fapi_setupFlashStateMachine (F2838x_C28x_FlashAPI.lib).

    This is strange because if code is not getting copied then CPU should on stay in flash setup function. In this case an ITRAP will happen and CPU will jump to ITRAP handler in BOOTROM. 

    Can you follow below steps -

    • Connect to CCS
    • load the symbol (assuming code is already loaded into flash).
    • Issue debug reset (this will turn on the security)
    • Write 0x0B5A at address 0xD00 via CCS memory watch window.
    • Now write the correct value of CSMKEY0 and CSMKEY1 (64 bit password) to unlock ECSL. You need to use register view to write to these register of DCSM.
    • Now set the hardware breakpoint at function Flash_initModule
    • Click on RUN.

    After CPU halts at breakpoint, open the GSRAM location in memory watch window and see if any data is copied.

    Regards,

    Vivek Singh