Dear all,
I have developed a CAN bootloader for my MPC5746B with S32 IDE. Everything is working OK and I can download and run my application.
Now I am trying to protect my device following AN12092. I just want to set a JTAG password. I have made some tests, and when I run the code step by step I can program the JTAG password and the DCFs and change the life cycle of the device. In this case, the device becomes censored as expected.
But when I run the bootloader normally (not step by step), execution ends up in the “IVOR1” exception right after “C55FMC.MCR.B.EHV = 1”. I have tried to handle the exception, without success.
Can someone help me?
Here is the code for flash program:
/**
 * Program two consecutive 32-bit words into flash through the C55FMC
 * flash controller registers.
 *
 * Sequence as written: zero LOCK0..LOCK3, set MCR[PGM], write the two data
 * words at prog_addr and prog_addr + 4, set MCR[EHV], spin until MCR[DONE]
 * reads non-zero, clear EHV and PGM, then write 0xFFFFFFFF to LOCK0..LOCK3.
 *
 * @param prog_addr  Address of the first word; prog_addr + 4 is written too.
 *                   NOTE(review): presumably must be 8-byte aligned and lie
 *                   inside a programmable flash block - not checked here.
 * @param data32_0   Word written at prog_addr.
 * @param data32_1   Word written at prog_addr + 4.
 *
 * NOTE(review): the function returns nothing and never reads the controller's
 * program/erase result (MCR[PEG]) after DONE, so a failed program operation is
 * not reported to the caller. When the data is a JTAG password or a DCF
 * record, a read-back comparison before the life cycle is advanced would
 * catch a bad write while the part can still be recovered.
 *
 * NOTE(review): if this function, or the IVOR1 vector and handler, executes
 * from the same flash read-while-write partition as prog_addr, instruction
 * fetches made while EHV is set would presumably raise the machine check
 * described in the post; single-stepping may hide this. Confirm the
 * partition layout in the reference manual and the placement in the linker
 * map (running this routine from RAM is the usual arrangement).
 */
void _flash_program(uint32_t prog_addr, uint32_t data32_0, uint32_t data32_1)
{
/* Clear every bit of all four lock registers.
 * NOTE(review): this unlocks every block covered by LOCK0..LOCK3, not only
 * the block that contains prog_addr - confirm that is intended. */
//C55FMC.LOCK0.B.TSLOCK = 0;
C55FMC.LOCK0.R = 0;
C55FMC.LOCK1.R = 0;
C55FMC.LOCK2.R = 0;
C55FMC.LOCK3.R = 0;
/* Select the program operation before the data writes. */
C55FMC.MCR.B.PGM = 1;
/* Data writes; WRITE32 is defined elsewhere (presumably a volatile store). */
WRITE32(prog_addr, data32_0);
WRITE32(prog_addr+4, data32_1);
/* Start the operation. The post reports IVOR1 being taken right after this
 * line when the code runs at full speed. */
C55FMC.MCR.B.EHV = 1;
/* Busy-wait for completion.
 * NOTE(review): no timeout - if DONE never sets, this loop never exits. */
while(C55FMC.MCR.B.DONE == 0);
/* End the operation: EHV is cleared first, then PGM. */
C55FMC.MCR.B.EHV = 0;
C55FMC.MCR.B.PGM = 0;
/* Set every bit of all four lock registers. The values they held on entry
 * are not restored; everything is left locked. */
//C55FMC.LOCK0.B.TSLOCK = 1;
C55FMC.LOCK0.R = 0xFFFFFFFF;
C55FMC.LOCK1.R = 0xFFFFFFFF;
C55FMC.LOCK2.R = 0xFFFFFFFF;
C55FMC.LOCK3.R = 0xFFFFFFFF;
}
Here is the code for the exception handler:
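;// IVOR1 (machine check) handler.
;// Builds a 0x50-byte stack frame, saves MCSRR1, LR, XER, CTR, CR, r0 and
;// r3..r12, calls EER_exception_handler(MCSRR0, halfword at MCSRR0), writes the
;// value returned in r3 back to MCSRR0, restores the saved context and returns
;// with se_rfmci.
;// Frame layout: 0x08 LR, 0x10 MCSRR1, 0x14 XER, 0x18 CTR, 0x1C CR, 0x20 r0,
;// 0x24 r3, 0x28..0x48 r4..r12.
;// NOTE(review): MCSR is read and written straight back without being
;// examined, and the C handler always advances the return address, so every
;// machine-check cause is acknowledged and the faulting instruction skipped,
;// not only flash RWE/EER events. Confirm that is acceptable for this system.
;// NOTE(review): this handler, the C handler and the instruction read at
;// MCSRR0 are themselves fetched from memory; if any of them lives in the
;// flash partition being programmed, a nested machine check is plausible.
IVOR1_Handler:
prolog_IVOR1:
;// STEP 1: CREATE FRAME, SAVE MCSRR1, ACKNOWLEDGE MCSR
e_stwu r1,-0x50(r1) ;// Create stack frame and store back chain
e_stw r3, 0x24(r1) ;// Save working register r3
mfspr r3, 571 ;// Get MCSRR1 (SPR 571)
e_stw r3, 0x10(r1) ;// and save MCSRR1
mfspr r3, 572 ;// Read MCSR (SPR 572)
mtspr 572, r3 ;// and write the same value back (presumably write-1-to-clear; confirm)
;// STEP 2: LOAD THE ADDRESS OF THE C HANDLER
;// (no IACKR read and no interrupt re-enable happens here)
e_stw r0, 0x20(r1) ;// Save another working register (r0)
e_lis r0, EER_exception_handler@h ;// r0 = upper half of the handler address
e_or2i r0, EER_exception_handler@l ;// OR in the lower half
;// STEP 3: SAVE OTHER APPROPRIATE CONTEXT
se_mflr r3 ;// Get LR
e_stw r3, 0x08(r1) ;// and save LR
mfspr r3, 0x01 ;// Get XER (SPR 1)
e_stw r3, 0x14(r1) ;// and save XER
se_mfctr r3 ;// Get CTR
e_stw r3, 0x18(r1) ;// and save CTR
mfcr r3 ;// Get CR
e_stw r3, 0x1C(r1) ;// and save CR
e_stw r4, 0x28(r1) ;// Store GPR4
e_stw r5, 0x2C(r1) ;// Store GPR5
e_stw r6, 0x30(r1) ;// Store GPR6
e_stw r7, 0x34(r1) ;// Store GPR7
e_stw r8, 0x38(r1) ;// Store GPR8
e_stw r9, 0x3C(r1) ;// Store GPR9
e_stw r10, 0x40(r1) ;// Store GPR10
e_stw r11, 0x44(r1) ;// Store GPR11
e_stw r12, 0x48(r1) ;// Store GPR12
;// STEP 4: PREPARE THE CALL
;// (handler address is in r0)
se_mtlr r0 ;// LR = address of EER_exception_handler
mfspr r3,570 ;// Get MCSRR0 (SPR 570) = address of the faulting instruction, first C argument
e_lhz r4,0(r3) ;// First halfword of that instruction, second C argument
;// STEP 5: EXECUTE INTERRUPT SERVICE ROUTINE
se_blrl ;// Call the C handler; it returns here with the new return address in r3
epilog_IVOR1:
mtspr 570,r3 ;// Write the address returned by the C handler to MCSRR0
;// STEP 6 : RESTORE CONTEXT
e_lwz r0, 0x20(r1) ;// Restore GPR0
e_lwz r4, 0x28(r1) ;// Restore GPR4
e_lwz r5, 0x2C(r1) ;// Restore GPR5
e_lwz r6, 0x30(r1) ;// Restore GPR6
e_lwz r7, 0x34(r1) ;// Restore GPR7
e_lwz r8, 0x38(r1) ;// Restore GPR8
e_lwz r9, 0x3C(r1) ;// Restore GPR9
e_lwz r10, 0x40(r1) ;// Restore GPR10
e_lwz r11, 0x44(r1) ;// Restore GPR11
e_lwz r12, 0x48(r1) ;// Restore GPR12
e_lwz r3, 0x14(r1) ;// Get XER
mtspr 0x01, r3 ;// and restore XER (was "mfspr r3, 0x01", which re-read XER into r3 and never wrote it)
e_lwz r3, 0x18(r1) ;// Get CTR
se_mtctr r3 ;// and restore CTR
e_lwz r3, 0x1C(r1) ;// Get CR
mtcrf 0xff, r3 ;// and restore all CR fields
e_lwz r3, 0x08(r1) ;// Get LR
se_mtlr r3 ;// and restore LR
wrteei 0 ;// Clear MSR[EE]: external interrupts stay disabled until the return
;// end of routine
;// Disabled code, kept from the original. It is prefixed with "//" rather than
;// ";" because some assemblers treat ";" as a statement separator, in which
;// case the two instructions would be assembled (0x0C(r1) is never written by
;// the prolog, and SPR 58 is CSRR0, not MCSRR0).
// e_lwz r3, 0x0C(r1) ;// Get CSRR0 from stack
// mtspr 58, r3 ;// and restore SRR0
e_lwz r3, 0x10(r1) ;// Get MCSRR1 from stack
mtspr 571, r3 ;// and restore MCSRR1
e_lwz r3, 0x24(r1) ;// Restore R3
e_addi r1, r1, 0x50 ;// Release the stack frame
;// STEP 7: Return to Program
se_rfmci ;// Return From Machine Check Interrupt (resumes at MCSRR0 with MSR from MCSRR1)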
///----------------------------------------------------------------------------------------------
/// exception handler for EER/RWE error
///----------------------------------------------------------------------------------------------
/**
 * C part of the machine-check handler: compute where execution resumes and
 * write back the flash controller's RWE / EER flags if they are set.
 *
 * @param return_address  Address of the instruction that took the exception
 *                        (the assembly stub passes the saved return address).
 * @param instruction     First halfword of that instruction, used only to
 *                        tell a 16-bit encoding from a 32-bit one.
 * @return return_address advanced by 4 (32-bit instruction) or 2 (16-bit),
 *         i.e. the address of the next instruction.
 *
 * NOTE(review): the address is advanced whether or not RWE or EER was set, so
 * a machine check from any other source also has its faulting instruction
 * skipped silently. Confirm this is intended; logging or halting on an
 * unrecognised cause would make such faults visible.
 */
uint32_t EER_exception_handler(uint32_t return_address, uint16_t instruction)
{
    /* Top nibble 1, 3, 5 or 7 marks a 32-bit instruction; every other value
     * (0, 2, 4, 6, 8..E, and the reserved F) is treated as 16-bit. */
    const uint32_t insn_bytes = ((instruction & 0x9000) == 0x1000) ? 4u : 2u;
    const uint32_t resume_at = return_address + insn_bytes;

    /* Write each flag back only when it reads as set. The macros are defined
     * elsewhere; presumably the flags are write-1-to-clear - confirm. */
    if (C55_REG_BIT_TEST(C55_REG_BASE + C55_MCR, C55_MCR_RWE) == C55_MCR_RWE) {
        C55_REG_BIT_SET(C55_REG_BASE + C55_MCR, C55_MCR_RWE);
    }

    if (C55_REG_BIT_TEST(C55_REG_BASE + C55_MCR, C55_MCR_EER) == C55_MCR_EER) {
        C55_REG_BIT_SET(C55_REG_BASE + C55_MCR, C55_MCR_EER);
    }

    return resume_at;
}