Hello, from the memory map in the datasheet i wonder how i could access (read/write) the EEPROM inside the chip, as the map shows that it will be overloaded by RAM- and Register-space. I've played around with BDM to set INITEE register of MMC in order to map it to a different location, but all locations are already occupied by RAM oder Flash. Regardless where i map the EEPROM array, i always get RAM oder Flash data in return, not EEPROM data.
AN2400 says " If the EEPROM is located at an address that overlaps the RAM, registers, or Flash, then the EEPROM takes priority over Flash but the RAM and registers take priority over EEPROM."
I also could not find how to disable RAM oder Flash pages in order to map EEPROM there. And it also seems that RAM and Flash always "hides/overrules" the EEPROM data on the same memory address.
Solved! Go to Solution.
By accessing the BDM-Register BDMSTS (BDM-Address 0xFF01)
% rdreg 0xFF01
:rDreg addr=0xFF01(BDMSTS)->0x00000080
i found out the BDM is enabled (ENBDM=1) but not activ (BDMACT=0). That may explains why i can access memory but can't execute debug-commands (halt, single step, regs, and such). And hmmm, UNSEC=0 indicate that the chip is secured...
Next i looked up the BDMINR register at 0xFF07 (for some reason it appears labled as "BDMCCRH" in TCL interpreter):
% rdreg 0xFF07
:rDreg addr=0xFF07(BDMCCRH)->0x00000030
This register mirrors the INITRG from Register-Space, without the ROMON at bit 0. This tells me that Register-Space has bin remapped to 0x3000, and indeet i find the correct values there:
% rb 0x3000 0x3FF
:rb =>
0x00003000 : 00 88 00 8A 00 00 00 00 17 08 10 80 90 00 01 00
0x00003010 : 00 30 39 01 00 0F 00 10 00 00 01 15 13 80 40 F2
0x00003020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003030 : 38 00 BF 00 03 01 00 8C 10 80 E1 50 04 00 80 00
0x00003040 : 00 00 00 00 67 9F A0 00 00 00 00 00 00 05 80 80
0x00003050 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9C 40
0x00003060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003070 : 00 00 00 00 00 00 FF FF 00 00 00 00 00 00 00 00
0x00003080 : 00 00 A0 00 01 10 80 00 01 00 00 FF 00 80 00 7F
0x00003090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 40
0x000030A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000030B0 : 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
0x000030C0 : FF FF FF FF 00 00 00 00 00 04 00 00 C0 00 00 00
0x000030D0 : 00 04 00 00 C0 00 00 00 5C 02 31 20 00 00 00 00
0x000030E0 : 00 00 00 80 00 00 00 00 C0 00 40 00 47 00 00 00
0x000030F0 : 04 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00
0x00003100 : 00 FE 00 00 D7 C0 00 00 00 00 00 00 00 00 00 00
0x00003110 : A8 00 00 00 FF C0 00 00 00 00 00 00 04 02 30 88
0x00003120 : 00 00 00 20 05 00 00 00 80 00 00 00 00 00 00 FF
0x00003130 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003140 : 10 80 87 23 00 01 07 00 00 00 00 10 00 00 00 00
0x00003150 : 00 00 FF FF FF E7 00 00 FF FF FF FF 00 00 00 00
0x00003160 : 77 03 14 1C B2 D0 D6 08 63 19 AD 5D 5A 00 3B 49
0x00003170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003180 : 01 11 00 00 00 00 07 00 00 00 00 00 00 00 00 00
0x00003190 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031A0 : AE C7 63 89 99 B5 79 D2 65 BC C9 E6 08 00 68 A9
0x000031B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003200 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003210 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003220 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003230 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003240 : 00 00 DC 00 00 00 00 00 00 00 00 00 00 FF 00 00
0x00003250 : 03 33 F8 00 00 00 00 10 02 02 AF 00 00 00 00 00
0x00003260 : 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 03
0x00003270 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003280 : 01 11 00 00 00 00 07 00 00 00 00 00 00 00 00 00
0x00003290 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032A0 : 9E 87 CB 41 02 5E 15 9A 3B 37 67 E6 79 00 88 A7
0x000032B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003300 : 81 00 00 00 00 00 00 00 00 00 00 0F 00 00 80 00
0x00003310 : 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
0x00003320 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003340 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003350 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003360 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003370 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0
%
Now there is a valid Device-ID, MEMSIZE and also the MODE is shown. I has the value 0x80 (0b1000 0000) and so MODC=1, MODB=0 and
MODA=0, what tells me that chip is in "Normal Single Chip Mode". So the software inside has run and modified the values.
The question remains: how to get into BDM active mode? How to issue the BACKGROUND BDM command?
By accessing the BDM-Register BDMSTS (BDM-Address 0xFF01)
% rdreg 0xFF01
:rDreg addr=0xFF01(BDMSTS)->0x00000080
i found out the BDM is enabled (ENBDM=1) but not activ (BDMACT=0). That may explains why i can access memory but can't execute debug-commands (halt, single step, regs, and such). And hmmm, UNSEC=0 indicate that the chip is secured...
Next i looked up the BDMINR register at 0xFF07 (for some reason it appears labled as "BDMCCRH" in TCL interpreter):
% rdreg 0xFF07
:rDreg addr=0xFF07(BDMCCRH)->0x00000030
This register mirrors the INITRG from Register-Space, without the ROMON at bit 0. This tells me that Register-Space has bin remapped to 0x3000, and indeet i find the correct values there:
% rb 0x3000 0x3FF
:rb =>
0x00003000 : 00 88 00 8A 00 00 00 00 17 08 10 80 90 00 01 00
0x00003010 : 00 30 39 01 00 0F 00 10 00 00 01 15 13 80 40 F2
0x00003020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003030 : 38 00 BF 00 03 01 00 8C 10 80 E1 50 04 00 80 00
0x00003040 : 00 00 00 00 67 9F A0 00 00 00 00 00 00 05 80 80
0x00003050 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9C 40
0x00003060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003070 : 00 00 00 00 00 00 FF FF 00 00 00 00 00 00 00 00
0x00003080 : 00 00 A0 00 01 10 80 00 01 00 00 FF 00 80 00 7F
0x00003090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 40
0x000030A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000030B0 : 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF
0x000030C0 : FF FF FF FF 00 00 00 00 00 04 00 00 C0 00 00 00
0x000030D0 : 00 04 00 00 C0 00 00 00 5C 02 31 20 00 00 00 00
0x000030E0 : 00 00 00 80 00 00 00 00 C0 00 40 00 47 00 00 00
0x000030F0 : 04 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00
0x00003100 : 00 FE 00 00 D7 C0 00 00 00 00 00 00 00 00 00 00
0x00003110 : A8 00 00 00 FF C0 00 00 00 00 00 00 04 02 30 88
0x00003120 : 00 00 00 20 05 00 00 00 80 00 00 00 00 00 00 FF
0x00003130 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003140 : 10 80 87 23 00 01 07 00 00 00 00 10 00 00 00 00
0x00003150 : 00 00 FF FF FF E7 00 00 FF FF FF FF 00 00 00 00
0x00003160 : 77 03 14 1C B2 D0 D6 08 63 19 AD 5D 5A 00 3B 49
0x00003170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003180 : 01 11 00 00 00 00 07 00 00 00 00 00 00 00 00 00
0x00003190 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031A0 : AE C7 63 89 99 B5 79 D2 65 BC C9 E6 08 00 68 A9
0x000031B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000031F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003200 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003210 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003220 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003230 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003240 : 00 00 DC 00 00 00 00 00 00 00 00 00 00 FF 00 00
0x00003250 : 03 33 F8 00 00 00 00 10 02 02 AF 00 00 00 00 00
0x00003260 : 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 03
0x00003270 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003280 : 01 11 00 00 00 00 07 00 00 00 00 00 00 00 00 00
0x00003290 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032A0 : 9E 87 CB 41 02 5E 15 9A 3B 37 67 E6 79 00 88 A7
0x000032B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000032F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003300 : 81 00 00 00 00 00 00 00 00 00 00 0F 00 00 80 00
0x00003310 : 00 00 00 00 00 FF 00 00 00 00 00 00 00 00 00 00
0x00003320 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003340 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003350 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003360 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003370 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003380 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00003390 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000033F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0
%
Now there is a valid Device-ID, MEMSIZE and also the MODE is shown. I has the value 0x80 (0b1000 0000) and so MODC=1, MODB=0 and
MODA=0, what tells me that chip is in "Normal Single Chip Mode". So the software inside has run and modified the values.
The question remains: how to get into BDM active mode? How to issue the BACKGROUND BDM command?
For active mode trying issuing BACKGROUND command. This should pause CPU since it is running in NS mode. Debuggers use that command to pause on user request.
But the best would be to fix issue you posted previously. Without that spurious /RESET pulse you would enter active BDM just with the help of /REST and BKGD pins. Perhaps you have some supervisor circuit with built in watchdog reset? Some low voltage detect circuits sense not only power pin, but as well /RESET pin, it could be something like that in your case.
You're right, but it may was an error myself that i opened up another threat to handle that reset problem. It turned out that an external watchdog-device has added the "small" reset pulses. This device expects high/low pulses from the MC9S12 to reset it's watchdog, which does not come when i brought the device into special mode. But shortly it resets the MPU back into normal mode. The reason why the reset-pulse is weaker/smaller than the one from the BDM-interface is that it is routed over a 4,7k resistor to the pin. So the watchdog was able to drag down the level, but not fully to ground.
Now that i found how to fix this (by disabling that device) everything works like expected.
I've played around with TCL-Interpreter and an DSO attached to RESET, BKGD and VDD. I can set RESET to LOW using "pinSet BKGD=L" and also to HIGH with "pinSet BKGD=H". This does not work with power and only half with RESET. When i tell "pinSet RST=L", the pin goes to 0V, but a "pinSet RST=H" gives an errormessage:
% pinSet RST=L
BDM status => Ackn, Speed-sync, Vpp-Off, Vdd-External, RSTO=0, Reset, CFVx-running
:pinSet PIN_RESET_LOW|
% pinSet RST=H
BDM status => Ackn, Speed-sync, Vpp-Off, Vdd-External, RSTO=0, Reset, CFVx-running
:pinSet PIN_RESET_??|
Strange, eh?
And also all kind of RESET methods in TCL results in the same pulses:
See that extra-reset-pulse? Why is it? Where does it come from? And why has it that strange amplitude? It will definitively return the chip into "Normal Single Chip Mode".
When i pull down both, RESET and BKGD and then release RESET (leaving BKGD down) the RESET constantly produces this pulses until i also release BKGD:
Could it be that an internal reset causes the RESET-Pin to reflect this? So something in the chip will reset until the "Normal Single Chip Mode" is reached? Is that possible without software? Some kind of protection to prevent sombody looking into the system?
This is the reason why all my efforts fail.
See MMC module INITEE, INITRG, INITRM registers.
I've already read it. But i guess my problem is that the software in the chip already set the values as i came along with BDM. And as at least INITEE is told to be "write once" in Normal Single Chip mode, so my changes do not have an effect.
So what i need to do is to bring chip into Special Single Chip mode, but that is where i currently fail. In that mode, it should be possible to set INITEE many times.
Which BDM SW are you using? Most of them use special single chip mode by default, it is more difficult to persuade them to connect to already running target without reset. Try reading MODE register @0xB. 3 MSB bits of it should read as $00 for special single chip mode, $80 for normal single chip. Even if your BDM doesn't reset MCU to special mode, you can do it by powering MCU up with BKGD pin pulled low, then try reading MODE again, it should indicate special mode. (I assume your board MODA/MODB pins aren't configured for expanded mode out of reset, in that case BDM access may complicate even more).
Are you sure your chip isn't secured? In that case you won't be able to read anything meaningful. See FSEC register @101, two LSB bits should read as $2.
Hi, thanks for trying to help me out, i really appreciate this!
Here is a dump (taken by flat-read using USBDM):
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 00 00 00 02 02 01 00 00 00 0E 00 00 00 00 00 ................
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 64 00 00 00 00 00 00 00 00 00 00 00 22 01 00 00 d..........."...
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 ................
00000040 00 12 01 00 02 00 00 00 00 00 00 00 00 01 00 07 ................
00000050 02 01 02 01 00 00 02 B1 00 00 00 1D 00 00 00 5F .......±......._
00000060 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................
00000080 00 00 5F 5F 00 00 00 80 79 6C 79 6C 00 00 00 00 ..__...€ylyl....
00000090 00 00 00 00 00 00 00 00 00 00 02 00 00 00 11 78 ...............x
000000A0 EF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ï...............
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
As you can see, MODE register is 0x00. BUT, in the init code of the software, programmed on this chip (unsecured) the init does some things which seem already have taken place.
MODA and MODB are both pulled down to GND with a resistor.
FSEC is also 0x00, like most others, even those where i expected readonly data like Device ID.
I'll try that BKGD pulldown like you suggest.
This memory dump doesn't look right. PARTID registers @ $1A/$1B can't be zero. FSTAT register $105 should indicate idle state CBEIF=1, etc. Something is wrong with your BDM, perhaps clock settings, perhaps unability to work well with secured part, perhaps something else.
I've done a readout of the whole memory, incl. some pages of Flash and that looked good. But i'm with you that register-space looks wrong. Maybe it's not possible to read this area?
Well, Tthis is where my journey starts... that i don't trust what i saw. And this is why i wanted to start the chip in a mode where i have full control from the first cycle of code executed, on the lowest level i can get to.
I'm pretty shure the chip is not secured, but how can i determine this? I thought if it is secured, i don't get anything out of it?
Now, i really beed to know if BDM is done the right way. So for me it should at first set reset to 0, the apply power to the chip, set the BKGD line and raise reset to 1. I try to find out what it does by attaching a DSO to Vddr, BKGD and RESET pins.
I must admit that i'm using a clone USBDM tester and software from sourceforge.
Hello Mindblaster,
Please use the standard USB Multilink for the work with our MCUs. You can select one from:
https://www.pemicro.com/products/product_viewDetails.cfm?product_id=15320180&productTab=1
Connect BDM to MCU and make MCU power off/on to take BDM control over MCU. The MCU must be in Special Single Chip mode. Then make mass erase and load your application into unsecured MCU for debug and tests.
Best Regards,
Stano.
Thanks, but this is C code. How to i read EEPROM by only using BDM oder Assembler?
Hello Mindblaster,
The first point – is the MCU “secured”? If secured make the mass erase and load your application to MCU for test and debug. If unsecured, you should have access to whole memory area.
Please read first the MMC registers INITEE, MEMSIZ0, to recognize which memory area you have accessible. The you will know the start and end address of RAM and EEPROM and then you can properly set the memory area visible by connected BDM in debug mode. The refresh of memory when halting must be enabled for this area.
The BDM has access to whole available memory area in debug mode. If you want to use the asm code you need to know the available address space also.
The range of EEPROM is defined in Start12.c file in sent example:
//===============================================================
*(unsigned char*)0x10 = 0x20; // INITRM = 0x20; // Set the RAM map position 0x2000 - 0x3fff
asm nop; // recommended
*(unsigned char*)0x12 = 0x09; // INITEE = 0x05; // Set the EEPROM map position 0x0800 - 0x0fff, EEON=1
asm nop; // recommended
*(unsigned char*)0x11 = 0x00; // INITRG = 0x00; // Set the REG map position 0x0000 - 0x03FF
asm nop; // recommended
//================================================================
And make correction in linker *.prm file:
EEPROM = READ_ONLY 0x0800 TO 0x0FEF;
// EEPROM = NO_INIT 0x0800 TO 0x0FEF;
I think it should help you with your task.
Best Regards,
Stano.