I have a product using an LPC2103 which has been in production since about 2010 and there are an increasing number of returns (old and new equipment) since they stop working. In each case it is found that a single (or maybe more) sector of flash has been deleted (often the first sector 0x0000..0x07ff but also others can lose their program - e.g. 0x6800..0x6fff).
The application does include a parameter system that can erase flash but it only erases a single sector (the last one) when it becomes full. The API routines that are used also check the sector that is commanded and will reject anything other than this last sector's number. Since the last sector is only partly filled when such code loss takes place there is no reason to suspect that an intentional erase is going wrong.
The application stores its present state in battery backed-up RTC registers so after power loss an active program can be continued (that is, the product's operation can continue after a power failure halfway through). When the code is reprogrammed (to recover the operation) it is usually the case that the program continues from where it was in active operation, rather than from an idle state. In active operation it switches some actuators that could potentially cause some interference and it is assumed that such interference is the root cause of the problem.
If interference causes a reset (watchdog) it is not serious since the program continues from where it was but the fact that program code is lost is of course a more major concern.
Since all points to ISP being started randomly due to some interference and deleting a random sector of code I would be interested in finding a method to block ISP from being able to delete any of the code sectors.
Chips show:
Device ID 4FF11 Bootloaderversion 2.21
Are any such cases of this behavior known and what could be done to protect the program code?
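The sector check described in the post (erase requests accepted only for the last sector), sketched as an added example that is not the poster's code. The command codes 50/52 and the ROM entry address follow the LPC2000 IAP interface; `PARAM_SECTOR`, `CCLK_KHZ`, `ERR_REJECTED`, `param_erase` and the host-side `mock_iap` are assumptions made here so the guard can be exercised off-target.

```c
#include <stdint.h>
#include <stdio.h>

/* IAP command and status codes of the LPC2000 IAP interface. */
#define IAP_PREPARE   50u
#define IAP_ERASE     52u
#define IAP_SUCCESS   0u
#define ERR_REJECTED  0xFFFFFFFFu  /* hypothetical: guard refused the request */

#define PARAM_SECTOR  7u           /* assumption: number of the last (parameter) sector */
#define CCLK_KHZ      58982u       /* assumption: core clock in kHz */

/* On the target this is the ROM entry: (iap_fn)0x7FFFFFF1. */
typedef void (*iap_fn)(uint32_t cmd[5], uint32_t res[4]);

/* Erase exactly one sector, and only if it is the parameter sector. */
uint32_t param_erase(iap_fn iap, uint32_t sector)
{
    uint32_t cmd[5] = {0}, res[4] = {0};

    if (sector != PARAM_SECTOR)
        return ERR_REJECTED;       /* request never reaches the IAP entry */

    cmd[0] = IAP_PREPARE; cmd[1] = sector; cmd[2] = sector;
    iap(cmd, res);
    if (res[0] != IAP_SUCCESS)
        return res[0];

    cmd[0] = IAP_ERASE; cmd[1] = sector; cmd[2] = sector; cmd[3] = CCLK_KHZ;
    iap(cmd, res);
    return res[0];
}

/* Host stand-in for the IAP entry: records which sectors were erased. */
uint32_t erased_mask;
void mock_iap(uint32_t cmd[5], uint32_t res[4])
{
    if (cmd[0] == IAP_ERASE)
        for (uint32_t s = cmd[1]; s <= cmd[2]; s++)
            erased_mask |= 1u << s;
    res[0] = IAP_SUCCESS;
}

int main(void)
{
    printf("sector 0: %#x\n", (unsigned)param_erase(mock_iap, 0));
    printf("sector 7: %#x\n", (unsigned)param_erase(mock_iap, PARAM_SECTOR));
    printf("erased mask: %#x\n", (unsigned)erased_mask);
    return 0;
}
```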