MSP430FR6877: BSL Scripter Error

Does it work now?

If the password is wrong, the device will do a mass erase to main memory. As JTAG lock is 0xff80, that means the device is unlocked.

Eason

Hi Eason,
Thank you for your reply.

>Are the error messages listed below caused by hardware factors?
>[ACK _ ERROR _ MESSAGE] Unknown ACK value!

For an unknown reason, the FR5xx,6xx device appears to be running MassErase even though it shows "[ACK _ ERROR _ MESSAGE] Unknown ACK value!".

I intentionally enabled JTAG Lock on the MSP 430 FR 5969 LaunchPad, and initialized it by intentionally mistaking the password on the BSL.
(Verify the LED stops blinking when the reset button is pressed.)
As a result, we were able to disable JTAG Lock.
****************logs below ************************
---------------------------------------------------------
BSL Scripter 3.4.0.1
PC software for BSL programming
2020-May-12 15:54:59
---------------------------------------------------------

Input file script is : C:/ti/BSL-Scripter/ScriptExampleWindows/FRxx_uart/script_FRxx_uart.txt
MODE FRxx UART 9600 COM5

RX_PASSWORD pass32_normal.txt
Read Txt File : C:\ti\BSL-Scripter\ScriptExampleWindows\FRxx_uart\pass32_normal.txt
BSL Password is correct!

RX_PASSWORD pass32_wrong.txt
Read Txt File : C:\ti\BSL-Scripter\ScriptExampleWindows\FRxx_uart\pass32_wrong.txt
[ACK_ERROR_MESSAGE]Unknown ACK value!
[ACK_ERROR_MESSAGE]Unknown ACK value!
*********************************************************

However, for some reason JTAG Lock is still enabled on the customer's board, even though it was initialized.
(0xFF80 - 0xFF81 is FF FF)

Q1: Are there cases where initialization is performed but JTAG Lock is still enabled?

Q2: Are the following errors caused by factors other than JTAG Lock being enabled?

Q3: Is there any other solution other than using BSL?
When I check the following thread, I know that I can connect from CCS if I know the contents of 0xFF 80 - 0xFF83.

Best Regards,
O.H

1. BSL mass erase will only erase the main memory. For flash device like F5x an F6x which password is in bootloader memory, it can't be unlocked by BSL. But for FR6x, it is not the case.

2. Password might extend up to the reset vector at 0xFFFE. Not only from 0xFF80 to 0xFF81.

3. I think this can help you(SLAU320AH):

Hi Eason,

>3. I think this can help you(SLAU320AH):
Thank you. I will try to use the JTAG mailbox.

Sorry. Q2 did not contain an error, so I will correct it.
Q2': Are the following errors caused by factors other than JTAG Lock being enabled?

Best Regards,
O.H

Hi ,

This is a part of REP430F code same as MSP-FET. You can find that, at lest this information means JTAG peripheral works fine. I haven't meet other situations, can you tell me your assumption?

//----------------------------------------------------------------------------
//! \brief Function to take target device under JTAG control. Disables the
//! target watchdog. Sets the global DEVICE variable as read from the target
//! device.
//! \return word (STATUS_ERROR if fuse is blown, incorrect JTAG ID or
//! synchronizing time-out; STATUS_OK otherwise)
word GetDevice_430Xv2(void)
{
if(GetCoreID () != STATUS_OK)
{
return(STATUS_ERROR);
}
if (IsLockKeyProgrammed()) // Stop here if fuse is already blown
{
return(STATUS_FUSEBLOWN);
}
if (GetCoreipIdXv2()!= STATUS_OK)
{
return(STATUS_ERROR);
}
if(SyncJtag_AssertPor() != STATUS_OK)
{
return(STATUS_ERROR);
}
// CPU is now in Full-Emulation-State
// read DeviceId from memory
ReadMemQuick_430Xv2(DeviceIdPointer + 4, 1, (word*)&DeviceId);

return(STATUS_OK);
}

Hi Eason,

Thank you for your reply.

>This is a part of REP430F code same as MSP-FET. You can find that, at lest this information means JTAG peripheral works fine. I haven't meet other >situations, can you tell me your assumption?

Attempted to initialize the device with BSL again and connected to the CCS via JTAG, and the connection was successful.
As you said, JTAG Perriferal seems to be fine.

However, when I intentionally enabled JTAG lock again, I could no longer communicate with the BSL.
Probably there is a problem with the circuit, so I will check the difference with the target board.

Best Regards,
O.H

Do you mean you can unlock the device with BSL for the first time but you can't unlock it again?

Yes.

We found out that the reason we couldn't unlock it was because we mistakenly wrote 0x55 for BSL Signature1 (memory location 0xFF84 h) and BSL Signature2 (memory location 0xFF86 h).

If writing 0x55 into the 0xFF80 to 0xFF86 area, is there any way to restore the device...?

Best Regards,
O.H

Hi Eason,

Sorry for the additional question.

Please tell me the following differences when initializing with BSL.
The same hardware (Custom board with MSP430FR6877) was used.
When "Test_Pattern2_2020May12_094043.log" was performed, "The Debug Interface to the device has been secured.JPG" was displayed. 
When "script_FRxx_uart_2020May19_162431.log" was performed, I was able to connect to the CCS.

Q: The two methods differ in the following ways.Do these items affect the results?
・Whether to use "RX_PASSWORD pass32_wrong.txt" or not
・Whether to use "DELAY 2000" or not
・Byte length of "Send (TX) _ READ"
・Contents of "blinkLED_FR6989.txt" and "BlinkLED_FR6877.txt"

I have attached the log and the file I used.

Best Regards,
O.H

---------------------------------------------------------
BSL Scripter 3.4.0.1

PC software for BSL programming
2020-May-12 09:40:38
---------------------------------------------------------
Input file script is : C:/ti/BSL-Scripter/Test_Pattern2.txt
MODE FRxx UART 9600 COM11
RX_PASSWORD pass32_default.txt
	Read Txt File  : C:\ti\BSL-Scripter\pass32_default.txt
	BSL Password is correct!
RX_DATA_BLOCK blinkLED_FR6989.txt
	Read Txt File  : C:\ti\BSL-Scripter\blinkLED_FR6989.txt
	Time elapsed of writing 262 bytes : 0.4524 seconds
	Speed of writing data :0.5656(kB/s)
TX_DATA_BLOCK 0xFF80 0x0004 Data_Read.txt
	Write Txt File : C:/ti/BSL-Scripter/Data_Read.txt
	Time elapsed of reading 4 bytes : 0.0468 seconds
	Speed of reading data : 0.08347(kB/s)

@4400
81 00 00 24 B1 13 94 00 0C 93 02 24 B1 13 00 00 
0C 43 B1 13 6C 00 B1 13 98 00 32 D0 10 00 FD 3F 
@ff80
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
@ffc6
1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 
1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 
1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 1A 44 
1A 44 1A 44 1A 44 1A 44 00 44 2A 14 40 18 1A 42 
5C 01 40 18 B2 40 80 5A 5C 01 8F 00 00 00 9F 00 
00 00 13 24 89 00 00 00 88 00 00 00 0C 3C 0C 09 
7F 4C 5F 06 00 18 5F 4F 00 00 A9 00 04 00 0D 09 
4F 13 A9 00 04 00 D9 08 F2 23 7A C2 3A D0 08 5A 
40 18 82 4A 5C 01 8F 00 00 00 9F 00 00 00 09 24 
8A 00 00 00 03 3C 6A 13 AA 00 04 00 9A 00 00 00 
FA 23 28 16 10 01 F1 03 B2 40 80 5A 5C 01 92 C3 
30 01 D2 D3 04 02 D2 E3 02 02 B1 40 10 27 00 00 
91 83 00 00 81 93 00 00 F6 27 FA 3F 03 43 1C 43 
10 01 03 43 FF 3F 
q

@4400
81 00 00 24 B1 13 00 00 B1 13 5A 00 0C 43 B1 13 
2C 00 1C 43 B1 13 54 00 32 D0 10 00 FD 3F 03 43 
@ff80
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
@ffc8
18 44 18 44 18 44 18 44 18 44 18 44 18 44 18 44 
18 44 18 44 18 44 18 44 18 44 18 44 18 44 18 44 
18 44 18 44 18 44 18 44 
@fff2
18 44 18 44 18 44 18 44 18 44 18 44 00 44 B2 40 
00 A5 A0 05 3F 40 40 04 82 4F A6 05 3F 40 40 04 
82 4F A4 05 3F 40 13 15 82 4F A8 05 3F 40 01 A5 
82 4F A0 05 C2 43 A1 05 10 01 F1 03 B2 40 80 5A 
5C 01 92 C3 30 01 D2 D3 04 02 D2 E3 02 02 B1 40 
10 27 00 00 91 83 00 00 81 93 00 00 F6 27 FA 3F 
03 43 03 43 FF 3F 03 43 1C 43 10 01 
q

---------------------------------------------------------
BSL Scripter 3.4.0.1

PC software for BSL programming
2020-May-19 16:24:31
---------------------------------------------------------
Input file script is : C:/ti/BSL-Scripter/ScriptExampleWindows/FRxx_uart/script_FRxx_uart.txt
MODE FRxx UART 9600 COM5
//gives wrong password to do mass erase
RX_PASSWORD pass32_wrong.txt
	Read Txt File  : C:\ti\BSL-Scripter\ScriptExampleWindows\FRxx_uart\pass32_wrong.txt
	[ACK_ERROR_MESSAGE]Unknown ACK value!
//
//add delay after giving wrong password
//because the device does not give
//any response after wrong password applied
//
DELAY 2000
	Delay 2000 ms
RX_PASSWORD pass32_default.txt
	Read Txt File  : C:\ti\BSL-Scripter\ScriptExampleWindows\FRxx_uart\pass32_default.txt
	BSL Password is correct!

RX_DATA_BLOCK BlinkLED_FR6877.txt
	Read Txt File  : C:\ti\BSL-Scripter\ScriptExampleWindows\FRxx_uart\BlinkLED_FR6877.txt
	Time elapsed of writing 196 bytes : 0.3574 seconds
	Speed of writing data :0.5355(kB/s)
TX_DATA_BLOCK 0xFF80 0x0008 Data_Read.txt
	Write Txt File : C:/ti/BSL-Scripter/ScriptExampleWindows/FRxx_uart/Data_Read.txt
	Time elapsed of reading 8 bytes : 0.0469 seconds
	Speed of reading data : 0.1666(kB/s)

@FF80
FF FF FF FF 
q

@FF80
FF FF FF FF FF FF FF FF 
q

Yes, 

you can here is the solution. No other choice.

Hi Eason,

Thank you for the quick reply.

>you can here is the solution. No other choice.
In other words, I understand that there is no recovery method when it is not possible to connect via BSL and also via JTAG.

>Read or delay should not influence writing memory and make the device lock.
It is better not to use "RX_PASSWORD pass32_wrong.txt" to execute MassErase by intentionally making a wrong password and to use "DELAY 2000" because it may lock the device. Is not it?

For the reasons above, is it better to send the correct BSL password to the device and compare the results of trying 1,2?
1.try to download the device with "blinkLED_FR6989.txt" and "BlinkLED_FR6877.txt" directly and check if it is locked.
2. Read the 8 bytes from 0xff80.

Best Regards,
O.H

I hope you can check these condition to double confirm:

1. try to download the device with "blinkLED_FR6989.txt" and "BlinkLED_FR6877.txt"  directly and check if it is locked.

2. Read the 8 bytes from 0xff80, when "Test_Pattern2_2020May12_094043.log" was performed.

Just see blinkLED_FR6989.txt, it should not lock the device, that is why I want to you try the first test.

Eason

Hi Eason,

Thank you for your advice.

The currently faulty board I have has disabled the BSL and JTAG features (wrote 0x55 in area from 0xFF80 to 0xFF87), so I cannot verify it.
In order to verify it again, I checked if the customer could lend me another board with a problem (MSP 430FR6877 included), but they said they couldn't.

Therefore, according to the current information, the JTAG lock is not performed when the contents of "blinkLED_FR6989.txt" are written in the MSP430FR6877.
So if "blinkLED_FR6989.txt" is written on the MSP430FR6877 but "Error connecting to target: Debug interface to device is protected" is displayed, is there problem with the device?

In the previous reply, you said " I haven't meet other situations", but if possible, could you tell me the reason that you can assume as a manufacturer?

I would appreciate it if you could reply by 5/27.

Best Regards,

O.H

Hi Quote,

I must say assumption will have no help, if you can't get the problem board. 

My colleague will help you under this thread: MSP430FR6877: Suddenly writing becomes impossible due to GANG

Eason

Hi, Eason

Thank you for your response despite the fact that there is little information we provide.
At present, it is not possible to obtain a defective substrate, so we have decided to observe whether the defect occurs again.
Thank you for your kind support.
And I apologize for taking up your time.

Best Regards,
O.H