Dear all,
I have developed a CAN bootloader for my MPC5746B with S32 IDE. Everything is working ok and I can download and play my application.
Now I am trying to protect my device based on AN12092. I just want to insert a JTAG password. I have made some tests and running the code step by step I can program the JTAG password, DCFs and change the life cycle of the device. In this case, the device became censored as expected.
But when I try to run the bootloader without step by step mode, the code goes to the “IVOR1” exception after the “C55FMC.MCR.B.EHV = 1”. I’ve tried to treat the exception but didn't get success.
Can someone help me?
Here is the code for flash program:
void _flash_program(uint32_t prog_addr, uint32_t data32_0, uint32_t data32_1)
{
/* clear lock */
//C55FMC.LOCK0.B.TSLOCK = 0;
C55FMC.LOCK0.R = 0;
C55FMC.LOCK1.R = 0;
C55FMC.LOCK2.R = 0;
C55FMC.LOCK3.R = 0;
C55FMC.MCR.B.PGM = 1;
WRITE32(prog_addr, data32_0);
WRITE32(prog_addr+4, data32_1);
C55FMC.MCR.B.EHV = 1;
while(C55FMC.MCR.B.DONE == 0);
C55FMC.MCR.B.EHV = 0;
C55FMC.MCR.B.PGM = 0;
/* set lock */
//C55FMC.LOCK0.B.TSLOCK = 1;
C55FMC.LOCK0.R = 0xFFFFFFFF;
C55FMC.LOCK1.R = 0xFFFFFFFF;
C55FMC.LOCK2.R = 0xFFFFFFFF;
C55FMC.LOCK3.R = 0xFFFFFFFF;
}
Here is the code for exception:
IVOR1_Handler:
prolog_IVOR1:
e_stwu r1,-0x50(r1) ;// Create stack frame and store back chain Store word with Update
e_stw r3, 0x24(r1) ;// Save working register Store Word
mfspr r3, 571 ;// Get MCSRR1 Move From Special Purpose Register
e_stw r3, 0x10(r1) ;// and save CSRR1 Store Word
mfspr r3, 572 //Move From Special Purpose Register
mtspr 572, r3 //Move To Special Purpose Register
;// STEP 2: READ IACKR & RE-ENABLE INTERRUPTS
e_stw r0, 0x20(r1) ;// Save another working register Store Word
e_lis r0, EER_exception_handler@h //Load Immediate Shifted
e_or2i r0, EER_exception_handler@l //OR (2operand) Immediate
;// STEP 3: SAVE OTHER APPROPRIATE CONTEXT
se_mflr r3 ;// Get LR Move From Link Register
e_stw r3, 0x08(r1) ;// and save LR Store Word
mfspr r3, 0x01 ;// Get XER Move From Special Purpose Register
e_stw r3, 0x14(r1) ;// and save XER Store Word
se_mfctr r3 ;// Get CTR Move From Count Register
e_stw r3, 0x18(r1) ;// and save CTR Store Word
mfcr r3 ;// Get CR Move From Condition Register
e_stw r3, 0x1C(r1) ;// and save CR
e_stw r4, 0x28(r1) ;// Store GPR4
e_stw r5, 0x2C(r1) ;// Store GPR5
e_stw r6, 0x30(r1) ;// Store GPR6
e_stw r7, 0x34(r1) ;// Store GPR7
e_stw r8, 0x38(r1) ;// Store GPR8
e_stw r9, 0x3C(r1) ;// Store GPR9
e_stw r10, 0x40(r1) ;// Store GPR10
e_stw r11, 0x44(r1) ;// Store GPR11
e_stw r12, 0x48(r1) ;// Store GPR12
;// STEP 4: DETERMINE INTERRUPT SOURCE
;// (Interrupt source's vector is in r0)
se_mtlr r0 //Move To Link Register
mfspr r3,570 ;// Get CSRR0 and pass it to the C function Move From Special Purpose Register
e_lhz r4,0(r3) ;// pass also the current instruction to the C function Load Halfword and Zero
;// STEP 5: EXECUTE INTERRUPT SERVICE ROUTINE
se_blrl ;// Go to vector, but return here Branch to Link Register [and Link]
epilog_IVOR1:
mtspr 570,r3 ;// and restore the new CSRR0 Move To Special Purpose Register
;// STEP 6 : RESTORE CONTEXT
e_lwz r0, 0x20(r1) //Load Word and Zero
e_lwz r4, 0x28(r1) ;// Restore GPR4
e_lwz r5, 0x2C(r1) ;// Restore GPR5
e_lwz r6, 0x30(r1) ;// Restore GPR6
e_lwz r7, 0x34(r1) ;// Restore GPR7
e_lwz r8, 0x38(r1) ;// Restore GPR8
e_lwz r9, 0x3C(r1) ;// Restore GPR9
e_lwz r10, 0x40(r1) ;// Restore GPR10
e_lwz r11, 0x44(r1) ;// Restore GPR11
e_lwz r12, 0x48(r1) ;// Restore GPR12
e_lwz r3, 0x14(r1) ;// Get XER
mfspr r3, 0x01 ;// and restore XER Move From Special Purpose Register
e_lwz r3, 0x18(r1) ;// Get CTR
se_mtctr r3 ;// and restore CTR Move To Count Register
e_lwz r3, 0x1C(r1) ;// Get CR
mtcrf 0xff, r3 ;// and restore CR Move to Condition Register Fields
e_lwz r3, 0x08(r1) ;// Get LR
se_mtlr r3 ;// and restore LR Move To Link Register
wrteei 0 ;// Disable interrupts until Write MSR External Enable Immediate
;// end of routine
;e_lwz r3, 0x0C(r1) ;// Get CSRR0 from stack
;mtspr 58, r3 ;// and restore SRR0
e_lwz r3, 0x10(r1) ;// Get MCSRR1 from stack
mtspr 571, r3 ;// and restore MCSRR1
e_lwz r3, 0x24(r1) ;// Restore R3
e_addi r1, r1, 0x50 ;// Clean up stack Add Immediate Carrying [and Record]
;// STEP 7: Return to Program
se_rfmci ;// End of Interrupt Return From Machine Check Interrupt
///----------------------------------------------------------------------------------------------
/// exception handler for EER/RWE error
///----------------------------------------------------------------------------------------------
uint32_t EER_exception_handler(uint32_t return_address, uint16_t instruction)
{
if ((instruction & 0x9000) == 0x1000)
{
// first 4 Bits have a value of 1,3,5,7
return_address += 4; // instruction was 32 bit
}
else
{
// first 4 Bits have a value of 0,2,4,6,8,9,A,B,C,D,E (and F, but F is reserved)
return_address += 2; // instruction was 16 bit
}
if (C55_REG_BIT_TEST(C55_REG_BASE + C55_MCR, C55_MCR_RWE) == C55_MCR_RWE)
{
C55_REG_BIT_SET(C55_REG_BASE + C55_MCR, C55_MCR_RWE);
}
if (C55_REG_BIT_TEST(C55_REG_BASE + C55_MCR, C55_MCR_EER) == C55_MCR_EER)
{
C55_REG_BIT_SET(C55_REG_BASE + C55_MCR, C55_MCR_EER);
}
return return_address;
}
Hi,
How did you censor the device?
You censor just JTAG access or also the serial interface?
Which JTAG debugger do you use?
So when the debugger is connected you can execute code step by step? And when not, you are running into IVOR1?
regards,
Peter