• State Resolved
  • Locked Locked
  • Replies 15 replies
  • Subscribers 83 subscribers
  • Views 621 views
  • Users 0 members are here
Support feedback
Options
Options
Similar topics

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

TMS320F28388D: Copy code from DCSM secure zone to un-secure zone

Janet Shen
Expert 7795 points
Part Number: TMS320F28388D

Dear Champs,

Customer tried to copy the code to run from secure zone in DCSM to normal Flash section but met crash result. 

They configured "Device_init” in secure Flash by DCSM but met CPU crash when is running in Flash_initModule (in RAMGSx).

Does anyone have any suggestions for this issue? Because we can  use this method in F2837x but always failed to crash in F2838x.

If you have any suggestions, please feel free to let me know.

Thanks a lot.

Best regards,

Janet

  • 0
    TI__Guru** 113615 points

    Hi Janet,

    So in this case customer is copying some function (flash initialization) from secure flash to non-secure RAM. Correct ? If yes, can you confirm where the memcpy function is placed ? This should be in secure memory only to be able to copy data from secure flash. Please refer section "Usage of memcpy Function From the RTS Library" in this appnote for more detail on this.

    Next thing to check is the security configuration of flash sector. There is a bit difference in configuration value if using both the zone. If using only one zone then  this should not matter as long as other zone is unsecure (done by BOOTROM code for default passwords).

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    TI__Guru** 113615 points

    Hi Janet.

    Let me know if you have any further queries on this topic.

    Regards,

    Vivek Singh

  • 0 in reply to Vivek Singh
    TI__Expert 7795 points

    Dear Vivek,

    Thanks for your following up.

    Our customer will explain their detail concerns later.

    Thanks a lot.

    Best regards,

    Janet

  • 0
    Prodigy 50 points

    Dear Vivek,

        Yes, we had check memcpy(rts2800_fpu64_eabi.lib) in flash2( address 0x0008285D), even, we try to use a for loop copy code to global ram, it still crash at jump to Flash_initModule function.

        We had try a sample as  follow. In this case, We try to make all the code in  secure Flash by DCSM. After DCSM, this code will not work, continuous trigger reset(XRS) and reboot. Hope this code is helpful to this topic.

    Fullscreen
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    #include "device.h"
    #include "driverlib.h"
    #define ON 1
    #define OFF 0
    #define GPIO_PIN_LED_RED 34
    void Init_GPIO(void)
    {
    //
    // Enable a GPIO output on GPIO6, set it high
    //
    GPIO_setPadConfig(GPIO_PIN_LED_RED, GPIO_PIN_TYPE_PULLUP); // Enable pullup on GPIO6
    GPIO_writePin(GPIO_PIN_LED_RED, ON); // Load output latch
    GPIO_setPinConfig(GPIO_34_GPIO34); // GPIO6 = GPIO6
    GPIO_setDirectionMode(GPIO_PIN_LED_RED, GPIO_DIR_MODE_OUT); // GPIO6 = output
    }
    void delayMS(uint32_t t) {
    int i;
    for(i=0;i<t;++i) {
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Fullscreen
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    MEMORY
    {
    /* BEGIN is used for the "boot to Flash" bootloader mode */
    BEGIN : origin = 0x080000, length = 0x000004
    BOOT_RSVD : origin = 0x000002, length = 0x0001AE /* Part of M0, BOOT rom will use this for stack */
    RAMM0 : origin = 0x0001B0, length = 0x000250
    RAMM1 : origin = 0x000400, length = 0x000400 /* on-chip RAM block M1 */
    RAMD0_1 : origin = 0x00C000, length = 0x001000
    RAMLS0_1 : origin = 0x008000, length = 0x001000
    RAMLS2_7 : origin = 0x009000, length = 0x003000
    RAMGS0_15 : origin = 0x00D000, length = 0x010000
    /* Flash sectors */
    FLASH0_4 : origin = 0x080004, length = 0x00FFFC /* on-chip Flash */
    FLASH5_8 : origin = 0x090004, length = 0x01FFFC /* on-chip Flash */
    FLASH9_12 : origin = 0x0B0000, length = 0x00E000 /* on-chip Flash */
    FLASH13 : origin = 0x0BE000, length = 0x002000 /* on-chip Flash */
    CPU1TOCPU2RAM : origin = 0x03A000, length = 0x000800
    CPU2TOCPU1RAM : origin = 0x03B000, length = 0x000800
    CPUTOCMRAM : origin = 0x039000, length = 0x000800
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Fullscreen
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    .sect "dcsm_z1otp_link_pointer"
    .retain
    .long 0x00003FFF ;Z1OTP_LINKPOINTER1
    .long 0x00003FFF ;Z1OTP_LINKPOINTER2
    .long 0x00003FFF ;Z1OTP_LINKPOINTER3
    .sect "dcsm_z1otp_jlm_enable"
    .retain
    .long 0xFFFF000F ;Z1OTP_JLM_ENABLE
    .sect "dcsm_z1otp_gpreg"
    .retain
    .long 0xFFFFFFFF ;Z1OTP_GPREG1
    .long 0xFFFFFFFF ;Z1OTP_GPREG2
    .long 0xFFFFFFFF ;Z1OTP_GPREG3
    .long 0xFFFFFFFF ;Z1OTP_GPREG4
    .sect "dcsm_z1otp_pswd_lock"
    .retain
    .long 0x007FFFFF ;Z1OTP_PSWDLOCK
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Regards,

    Kenny Jhan

  • 0 in reply to kenny jhan
    TI__Guru** 113615 points

    Did you check if the code is getting copied correctly ? You can do that by halting CPU at  Flash_initModule function and then unlocking the zone and check the value.

    Regards,

    Vivek Singh

  • 0
    Prodigy 50 points

    Dear Vivek,

        If I connected XDS200 (unlock DCSM), it copied correctly. If not, it will crash and reboot. When lanch and load symbols RAMGS0(0xD000) hacen't any data, and code stay in function _Fapi_setupFlashStateMachine (F2838x_C28x_FlashAPI.lib).

  • 0 in reply to kenny jhan
    TI__Guru** 113615 points
    kenny jhan said:
    When lanch and load symbols RAMGS0(0xD000) hacen't any data, and code stay in function _Fapi_setupFlashStateMachine (F2838x_C28x_FlashAPI.lib).

    This is strange because if code is not getting copied then CPU should on stay in flash setup function. In this case an ITRAP will happen and CPU will jump to ITRAP handler in BOOTROM. 

    Can you follow below steps -

    • Connect to CCS
    • load the symbol (assuming code is already loaded into flash).
    • Issue debug reset (this will turn on the security)
    • Write 0x0B5A at address 0xD00 via CCS memory watch window.
    • Now write the correct value of CSMKEY0 and CSMKEY1 (64 bit password) to unlock ECSL. You need to use register view to write to these register of DCSM.
    • Now set the hardware breakpoint at function Flash_initModule
    • Click on RUN.

    After CPU halts at breakpoint, open the GSRAM location in memory watch window and see if any data is copied.

    Regards,

    Vivek Singh

  • 0
    Prodigy 50 points

    Dear Vivek,

    I think there have something wrong. It stay in RAMGS0 when I unlock DCSM. My detailed steps are as follows:

    1.  Download code and re-power on development board

    2.  (Now, XRS continuous trigger,) pull low GPIO72 to stay in wait boot mode

    3.  Open CCS and lanch chip

    4.  Connect C28xx_CPU1 and load symbol

    5.  Push Icon "CPU Reset" (Break at address "0x3fd2ae" with no debug information available, or outside of program code)

    6.  Open "Memory Browser", switch address to 0xD00 and write 0B5A

    7.  Open "Memory Map"->"On-Chop Flash"

    8.  Type CSMPSWD and unlock (Break at address "0xd058" with no debug information available, or outside of program code.)

    9.  Set the hardware breakpoint at function Flash_initModule

    10. Push Icon "Resume" (Break at address "0x3fe96f" with no debug information available, or outside of program code.) --> ESTOP0

    11. Open the RAMGS0 location (0xD000) in "memory Browser", the data is all 0x0000

    Regards,

    Kenny Jhan

  • 0 in reply to kenny jhan
    TI__Guru** 113615 points

    Hi,

    kenny jhan said:
    8.  Type CSMPSWD and unlock (Break at address "0xd058" with no debug information available, or outside of program code.)

    You should use CCS register view to enter the password and not via CCS On-Chip flash plug-in GUI because that one is used before loading the program.

    Also if you look the steps I mentioned, I requested you to only enter KEY0 and KEY1 (64bit value) to unlock ECSL and not full security. Please try this the correct steps and let me know the result.

    Regards,

    Vivek Singh

  • 0
    Prodigy 50 points

    Dear Vivek,

    I correction step 8. Use register view to write Z1_CSMKET0 and Z1_CSMKEY1. After I set hardware breakpoint , I push Icon "Resume". XRS(Reset) pin trigger and reset power. Even I set hardware breakpoint on fist line (Device_init) after it jumps to main, I get same result...

    Regards,

    Kenny Jhan

  • 0 in reply to kenny jhan
    TI__Guru** 113615 points

    Hi,

    That means issue is happening even before memcpy ? Earlier you mentioned that code get stuck in flash function. Let me request Janet to setup a webex session to look into this.

    Regards,

    Vivek Singh

  • 0
    Prodigy 50 points

    Dear Vivek,

    Maybe yes in this result...But if I change .TI.ramfunc run in RAMLS0_1(now work in RAMGS0_15) , it will work well, cmd file as follow(Output format is eabi). And I try to remove the function in .TI.ramfunc section. it also work.

    Fullscreen
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    MEMORY
    {
    /* BEGIN is used for the "boot to Flash" bootloader mode */
    BEGIN : origin = 0x080000, length = 0x000004
    BOOT_RSVD : origin = 0x000002, length = 0x0001AE /* Part of M0, BOOT rom will use this for stack */
    RAMM0 : origin = 0x0001B0, length = 0x000250
    RAMM1 : origin = 0x000400, length = 0x000400 /* on-chip RAM block M1 */
    RAMD0_1 : origin = 0x00C000, length = 0x001000
    RAMLS0_1 : origin = 0x008000, length = 0x001000
    RAMLS2_7 : origin = 0x009000, length = 0x003000
    RAMGS0_15 : origin = 0x00D000, length = 0x010000
    /* Flash sectors */
    FLASH0_4 : origin = 0x080004, length = 0x00FFFC /* on-chip Flash */
    FLASH5_8 : origin = 0x090004, length = 0x01FFFC /* on-chip Flash */
    FLASH9_12 : origin = 0x0B0000, length = 0x00E000 /* on-chip Flash */
    FLASH13 : origin = 0x0BE000, length = 0x002000 /* on-chip Flash */
    CPU1TOCPU2RAM : origin = 0x03A000, length = 0x000800
    CPU2TOCPU1RAM : origin = 0x03B000, length = 0x000800
    CPUTOCMRAM : origin = 0x039000, length = 0x000800
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Regards,

    Kenny Jhan

  • 0 in reply to kenny jhan
    TI__Guru** 113615 points

    This will get discussed offline.

    Regards,

    Vivek Singh

  • +1 in reply to Vivek Singh
    TI__Guru** 113615 points

    Stack was placed in secure RAM hence it was not working. Once stack was moved into non-secure RAM, it worked fine.

  • 0 in reply to Vivek Singh
    TI__Expert 7795 points

    Dear Vivek,

    Thanks for your help.

    I found this reminder in compiler user guide that said "The .stack section has to be linked into the low 64K of data memory in M0/M0 rather than other RAM section" and problem was solved. 

    Many thanks.

    Best regards,

    Janet