John Winters

How to mass erase a secured device of MC56F82xxx (not MC56F82xx)

Discussion created by John Winters Employee on Nov 22, 2013


The following script may be used with a USB TAP, or the primitive commands in the latter part of the script may be adapted to other debugging and programming systems.

 

The script follows.

 

--------------------------------cut here-------------------------------------------

 


#This is a CCS script, Command Converter Server
#It is in play with the Freescale USB TAP
#These commands may be entered at the console window of CCS
#CCS can be initiated from the Freescale directory, the same directory that CW10.5 is located in.
#These are generic JTAG commands for MC56F82xxx (not MC56F82xx) to mass erase the device, even when locked.

 

#these commands tell CCS what kind of device is being dealt with and prepare the utap to respond to the script:
#these commands are generic and already in use by vendors for other DSC devices:


delete all
config cc utap
show cc
ccs::config_chain hawkv3
display ccs::get_config_chain
ccs::reset_to_debug
ccs::config_template 0 18 0
after 1000
ccs::reset_to_debug
after 100

# you can ignore the commands above this line, since they are just to set up the USB TAP.  Below is what is needed at a low level to erase the flash:

 

#The jtag::lock command does not lock the flash.  It locks the CCS protocol at the jtag level, the level below the ccs level
#When locked with the jtag::lock command, ccs commands will be ignored, and only jtag commands will be recognized.
#jtag commands can be input with hbug for most DSC devices (except Anguilla Silver).  They can be input with CCS.
#A vendor who is making a product to talk to jtag will likely have their own jtag command API to which the following script may be adapted:


jtag::lock

 

#the following command, state_move, is used to move the JTAG state machine to the test_logic_reset state.

jtag::state_move test_logic_reset


#this command shifts 32 dr (data register) bits from the target to the host, shifting in all zeros to the dr.

jtag::scan_in dr 32
#0x16B4801D, just to check idcode, optional step

 

# shift 8 bits of data binary 00000101 from the host to the instruction register (ir) of the target to effect
# tlm select.  tlm is tap link mode, one of two major states of the jtag machine, as in all DSC devices.
jtag::scan_out ir 8 5

 

# shift 4 bits of data binary 0001 from the host to the data register of the target to effect chip select
# chip select
jtag::scan_out dr 4 1

 

# shift 8 bits of 00001001 to the instruction register, ir from the host to the target to effect
# flash tdr
jtag::scan_out ir 8 9


#this is the mass erase, shift 16 bits of data 0000000000000001 to the data register from the host to the target device to effect mass erase
# ftfl_erase_all_req
jtag::scan_out dr 16 1
jtag::scan_out dr 16 0   ;#this is key to making this work.  Do not check status.  Just turn this off on next command.
                         #must deassert between 6usec and 16ms after assertion.  Too soon, and may not erase.  Too late, and may start another
                         #erase cycle!


#the jtag::unlock command only puts the CCS into a state where it can accept normal ccs commands, not the low level jtag commands.
jtag::unlock
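
The following is an added example, not part of the original post or of any Freescale tool: a Python model for checking whether a different JTAG adapter would land the deassert scan inside the 6 usec to 16 ms window the script's comment describes. It assumes the request bit takes effect at Update-DR and that the adapter parks in Run-Test/Idle between the two scans; the function names and the host latency parameter are illustrative.

```python
# Added example: model of the two back-to-back 16-bit DR scans (assert, deassert).
# Assumptions: the request bit takes effect at Update-DR, and the adapter parks in
# Run-Test/Idle between scans. Function names are illustrative, not a CCS API.

# IEEE 1149.1 TAP controller: state -> (next if TMS=0, next if TMS=1)
TAP = {
    "test_logic_reset": ("run_test_idle", "test_logic_reset"),
    "run_test_idle": ("run_test_idle", "select_dr"),
    "select_dr": ("capture_dr", "select_ir"),
    "capture_dr": ("shift_dr", "exit1_dr"),
    "shift_dr": ("shift_dr", "exit1_dr"),
    "exit1_dr": ("pause_dr", "update_dr"),
    "pause_dr": ("pause_dr", "exit2_dr"),
    "exit2_dr": ("shift_dr", "update_dr"),
    "update_dr": ("run_test_idle", "select_dr"),
    "select_ir": ("capture_ir", "test_logic_reset"),
    "capture_ir": ("shift_ir", "exit1_ir"),
    "shift_ir": ("shift_ir", "exit1_ir"),
    "exit1_ir": ("pause_ir", "update_ir"),
    "pause_ir": ("pause_ir", "exit2_ir"),
    "exit2_ir": ("shift_ir", "update_ir"),
    "update_ir": ("run_test_idle", "select_dr"),
}
MIN_GAP_S, MAX_GAP_S = 6e-6, 16e-3  # deassert window stated in the script comment

def walk(state, tms_bits):
    """Return the states entered, one per TCK, starting from `state`."""
    visited = []
    for tms in tms_bits:
        state = TAP[state][tms]
        visited.append(state)
    return visited

def dr_scan_tms(nbits):
    """TMS bits for one DR scan: idle -> shift nbits -> update_dr -> idle."""
    return [1, 0, 0] + [0] * (nbits - 1) + [1, 1, 0]

def deassert_gap_seconds(tck_hz, host_latency_s=0.0, nbits=16):
    """Time from the Update-DR of the assert scan to that of the deassert scan."""
    states = walk("run_test_idle", dr_scan_tms(nbits) * 2)
    first, second = [i for i, s in enumerate(states) if s == "update_dr"]
    return (second - first) / tck_hz + host_latency_s

def check_window(tck_hz, host_latency_s=0.0):
    """Classify the gap as 'too_soon', 'ok' or 'too_late'."""
    gap = deassert_gap_seconds(tck_hz, host_latency_s)
    if gap < MIN_GAP_S:
        return "too_soon"
    return "ok" if gap <= MAX_GAP_S else "too_late"
```

With no host delay the gap is 21 TCK cycles, so a fast TCK with tightly queued scans can deassert too early, while a slow host round trip between the two scans can overrun the upper bound.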
