S12X flash protection problem CW SE 5.1 HIWAVE

"Yes, programming flash sector at 0xFF00 on devices with ECC flash, CW should erase flash sector first."

The issue is that by default HIWAVE is programming the security phrase _during_ the erase command. It isn't that it is missing an additional erase, it's the "erase" that is doing it. The (unexpected) security programming code is part of the "control" applet that is used for flash erasing as I posted above.

What's also troubling for me is that HIWAVE reads back the flash after programming, but fails to notice that it doesn't match. (I have HIWAVE command window logs with "show protocol" that show this.)

Using the "flash" dialogue in HIWAVE also doesn't permit erasing without also unsecuring. The secure/unsecure buttons are greyed out for me. Surely this dialogue ought to offer full control?

• "Yes, programming flash sector at 0xFF00 on devices with ECC flash, CW should erase flash sector first."
• The issue is that by default HIWAVE is programming the security phrase _during_ the erase command. It isn't that it is missing an additional erase, it's the "erase" that is doing it. The (unexpected) security programming code is part of the "control" applet that is used for flash erasing as I posted above.

I mean that it would be OK, if CW debugger wrote 0xFE to  0xFF0F after mass erase step, and then, when it comes to program phrase (or sector) at 0xFFxx, CW debugger could erase and reprogram whole sector.  

• Using the "flash" dialogue in HIWAVE also doesn't permit erasing without also unsecuring. The secure/unsecure buttons are greyed out for me. Surely this dialogue ought to offer full control?

Sure.

ZhangJennie wrote:

• It is also good to remember that in order to have BDM communication and therefore the possibility to debug the code, the security bits have to be in a 1:0 combination (SEC[1:0] = 10).

To be more precise, BDM communications are still enabled while SEC[1:0]!=10! More than that, flash is programmable and eraseable while SEC[1:0]!=10. More than that, having mass erased chip, flash is eraseable, programable and even readable (verifyable) (until reset). I agree that debugger won't work with SEC[1:0]!=10, but without proper programming what are you going to debug??? Right flashing is more important than ability to step over source lines.

CW cyclone/multilink flasher always was bit troublesome. I understand that very old devices with no BDM SYNC support (912D60, 912DT128?) were problematic to detect bus clock, and thus, I think, hiwave wants devices to be unsecured and scanned (RAM write/verify check?) to verify proper BDM speed. But those old devices had no flash security feature, so why newer S12's have to be SEC[1:0]==10 all the time for proper communications? Why also it is a problem for CW debugger to unsecure accidentally secured devices? Unsecure scripts are ~80% or even more likely to fail with unsecure task. Certainly SYNC is not used to determine bus speed.

Regards

Edward

Edward,

this CW 5.1 version of HIWAVE is more unreliable than the one in 4.7. Previously (4.7) when I tried to flash a secured device it would give me the option to unsecure it.

Now it just keeps beeping and failing and beeping some more until I've cleared all of the dialogues.

Then I have to manually unsecure it, then quit HIWAVE, then unplug and replug the USB cable (fails otherwise.)

Then try to programme again.

To be clear, with 4.7, HIWAVE would automatically give you the choice to unsecure a device. That no longer works.

Are you sure CW4.7 supported S12XE family? I think it supported only S12(X) with non-ECC flash. It's hard to find CW 4.7 readme files.

DEMO9S12XEP100 came with a CW 4.5 CD.

I'm sure that I was using CW 4.7 with the XEP100 until very recently when an update to the P&E drivers appears to have broken it. I've subsequently uninstalled all the old versions of CodeWarrior I had.

I guess you are right and something gone wrong with updated P&E drivers. I don't have working S12XE target to try it. My last time S12XE project wasn't too hard to debug with CW 5.x Hiwave and Multilink, the only issue was with missing FLASH NOUNSECURE command, when flash protection word had to be programmed.

Edward

I attached a zip of my test project to the SR mentioned.

Hi James

yes, Edward Karpicz's solution is right.

Let's start with the fact that when working with the flash you can change a bit that has a value of '1' into a '0' with a write command but to turn a '0' into a '1' you need to perform an erase command which erases a full sector. It is also good to remember that in order to have BDM communication and therefore the possibility to debug the code, the security bits have to be in a 1:0 combination (SEC[1:0] = 10).

Based on the previous statements, the programming algorithm using CodeWarrior and the BDM programmer (either a USB Multilink, Softec, etc.) is designed to mass erase the memory first and then write a combination of 1:0 to the security bits in order to allow the debugger to communicate with the part and to allow any user to debug through the code using single stepping, breakpoints, etc. Whenever you configure your code to write a value of either 1:1 or 0:1 to secure the device, the debugger will try to change a bit that is already a '0' because of the programming algorithm into a '1'; in this case, bit 0 of the FSEC register.

command

FLASH NOUNSECURE

will not change security byte to unsecured state prior to programming that can solve the problem.

Have a great day,
Zhang Jun

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

I do fully understand how the flash security works, there's no need for a lesson here, that's how I was able to hack the binary blob to create my workaround.

When did this behaviour change (CW 4.7 worked without it) and is it documented?

The CW SE 5.1 generated scripts do not include that critical command.

Thanks for the answer, I'll apply that in the future. Just a shame that I wasted a good $1500 in labour time getting to my workaround.

Yes, it was a bit different. This worked in CW4.7.I don't find any document on this related. I am sorry for the inconvenience. I will feedback the team to improve it.

thank you for bringing the problem to our attention.

Have a great day,

Zhang Jun

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

I cannot upload the project here as it is commercially sensitive.

I'll see if I can create a small test-case that replicates the problem.

James

OK, so I've done some more digging. I trimmed my project down and have it spit out the values of some registers down the serial line after boot:

In non secure mode I'm programming:

*0xff0c = 0xcc

*0xff0f = 0xfe

On boot I see that:

*0xff0c = 0xcc

*0xff0f = 0xfe

FPROT = 0xcc

FSEC = 0xfe

This is exactly as it should be.

In secure mode, I'm programming:

*0xff0c = 0xcc

*0xff0f = 0x7d

On boot I see that:

*0xff0c = 0xcc

*0xff0f = 0x7c (incorrect!!)

FPROT = 0x7f (incorrect - full protection)

FSEC = 0xff (different value - secured)

This is WRONG!!!

According to the datasheet, the values in ff0c and ff0f are copied to FPROT and FSEC on boot unless there is a double bit-fault, in which case the device is set with full security and full flash protection.

I notice that the value in 0xff0f is incorrect and doesn't match the value in my code. I checked the generated S19 and .ABS files and they both match my code, so HIWAVE is causing the wrong value to go to flash. The Cyclone-Pro standalone doesn't do this.

Is HIWAVE silently doing something weird and programming these addresses twice? That could explain the incorrect value and the double bit fault.

My colleague confirms similar bad behaviour on his install with the current CW tools. It seems that something in HIWAVE has changed or there is a fault in the generated scripts?

Hi

regarding your latest reply. is this problem only in CW5.1? does CW4.7 have same problem?

because my computer currently doesn't have CW4.7 installed. I need classify the issue. thanks!

Have a great day,
Zhang Jun

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

This is with CW 5.1 Special Edition.

The latest P&E USB multilink drivers seem to have broken CW 4.7, it will never connect to the target, so I gave up trying to use it.

so may I understand your problem turns to as:

there is programming problem in CW5.1. but you don't test if it also work in CW4.7, right?

please send me the demo project for this issue under CW5.1. I will test the problem directly. thanks!

Have a great day,
Zhang Jun

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

Jennie, James

There is a SR related to this question: 1-3881214301.

I don't know it this can help but I recommend you to install the last P&E firmware.

Please have a look to the post:

      Problem with Multilink Rev C - not running after MCU V10.6 Update4 installed & CW for MCF V7.2

Have a great day,
Pascal
Freescale Technical Support
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------