9 Replies Latest reply on Sep 16, 2016 10:09 AM by Intel_Alvarado

    Flash protection on D2000: various questions


      After reading about the flash protection mechanisms available on the D2000 in the datasheets as well as the supplied code examples, I have some questions:


      1) I tried to read-lock a range of Flash memory within the ROM code. Later on, I tried to read the section within the application to test whether the read-lock was functional. However, I was able to read back memory elements within the application. Here is a code snippet which sets up the read-lock for Flash memory. It is implemented in the ROM code


          /* Configure MPR to allow R/W from CPU agent only */

          cfg.en_mask = QM_FPR_ENABLE;

          cfg.en_mask = QM_FPR_LOCK_ENABLE;

          cfg.allow_agents = 0;

          //cfg.allow_agents = QM_FPR_DMA;

          cfg.up_bound = low_bound + 1;

          cfg.low_bound = low_bound;

          qm_fpr_set_config(flash_num, QM_FPR_0, &cfg, QM_MAIN_FLASH_SYSTEM);



      I guess the reason that it is possible to read the locked region is that it is not really locked because I am using QM_MAIN_FLASH_SYSTEM and I should rather use QM_MAIN_FLASH_DATA.


      2) If one configures an FPR to read lock a certain Flash range, is it possible to define a second FPR on the same region and "overwrite" the read lock?


      3) Is it possible to write protect a Flash region? I stumbled upon the register MPR_WR_CFG (MPR_WR_CFG). However, the datasheet says that it serves no purpose. However, there is an mpr example that protects an SRAM region. Is it possible to simply let it point on Flash region?



        • 1. Re: Flash protection on D2000: various questions



          Those are interesting questions. I’ve never tried to implement read-lock functions, let me investigate a bit and I’ll post my results here. Thank you for your patience.



          • 2. Re: Flash protection on D2000: various questions
            Mike Hibbett

            I'll help follow up too and advise the correct sequence. The simple answer to question 2) is no, you cannot.


            Question 3) is a bit more involved; I'll dig a bit on Monday before commenting fully.


            - Mike.

            • 3. Re: Flash protection on D2000: various questions

              Just had a look.


              For 1) above, this is taken from the d2000 datasheet

              The register

     CTRL (CTRL)

              Has the following :


              3 RW/1S 1'h0 ROM_RD_DIS_U (ROM_RD_DIS_U)

              Rom read disable for upper 4k region of ROM

              2 RW/1S 1'h0 ROM_RD_DIS_L (ROM_RD_DIS_L)

              Rom read disable for lower 4k region of ROM


              So the following should block off reads for the ROM section, but I have not tried this at all, so I can't say for certain if it will suddenly destroy things or not.


              QM_FLASH[flash].ctrl |= BIT(2) | BIT(3);

              depending on which ones you want to disable reading from.


              As for 3) Mike should be able to help.

              • 4. Re: Flash protection on D2000: various questions
                Mike Hibbett

                Hello aschaller,


                I've looked into this further (and thanks for some details there Malcolm)


                The 8KB OTP Flash section can be locked from further write access by setting bit 0 of location 0 to 0. This will completely lock out JTAG access and any further writes by firmware to that OTP region.

                You should be careful with using this as it cannot be reversed, and you have no JTAG access. You should use it to protect your start up / bootloader code in the OTP flash.


                SRAM can be protected from read or write access using the MPR registers; those do not apply to the OTP flash though, it has a separate control mechanism.





                • 5. Re: Flash protection on D2000: various questions

                  Hi aschaller


                  Do you still need assistance with this thread?



                  • 6. Re: Flash protection on D2000: various questions

                    Dear Sergio,


                    thanks for all the feedback so far. Currently, I am traveling and I will only be able to investigate it further next week.




                    • 7. Re: Flash protection on D2000: various questions

                      Don’t worry. We’ll be waiting for your response.



                      • 8. Re: Flash protection on D2000: various questions

                        Dear all,


                        here are my first results: In order to enable write- and read-protection for OTP memory, the qm_flash_config_t struct can be used. In particular:

                        qm_flash_config_t cfg_flash;

                          cfg_flash.us_count = US_COUNT;

                          cfg_flash.wait_states = WAIT_STATES;

                          cfg_flash.write_disable = QM_FLASH_WRITE_DISABLE;

                          cfg_flash.rom_read_up_lock = QM_FLASH_READ_DISABLE;


                        Regarding the FPR, if one uses System Flash, it is not lockable. Thus, one must use Data Flash.


                        However, I am still puzzling about the low_bound and up_bound parameters. They define the 1KB-aligned bounds of a certain FPR. So, imagine, I want to protect the last 4 bytes in data flash, I would use the following code below. It basically determines the correct value for the low_bound parameter (i.e. the starting address of the last 1K in data flash), as well as values for up_bound and the address that is accessed to check whether the FPR works. However, the code doesn't work, as I can access the values stored at address instead of triggering an FPR interrupt.


                          uint32_t value;

                            uint32_t low;

                            uint32_t up;

                            uint32_t address;


                            qm_fpr_config_t cfg = {0};

                            /* Set the violation policy to trigger an interrupt */

                            qm_irq_request(QM_IRQ_FLASH_0, qm_fpr_isr_0);

                            qm_fpr_set_violation_policy(FPR_VIOL_MODE_INTERRUPT, QM_FLASH_0, fpr_example_cb, NULL);


                            low = (0x1000 / FPR_SIZE) - 1;    // size of data flash = 0x1000

                            up = low+1;


                            address = 0x200ffC;    // starting address of the last 4 bytes in data flash


                            QM_PRINTF("low: %x\r\n", low);

                            QM_PRINTF("address: %x\r\n", address);


                            cfg.en_mask = QM_FPR_LOCK_ENABLE;

                            cfg.allow_agents = 0;

                            cfg.low_bound = low;

                            cfg.up_bound = up;


                            qm_fpr_set_config(QM_FLASH_0, QM_FPR_0, &cfg, QM_MAIN_FLASH_DATA);


                            /* Trigger a violation event by attempting to read in the FLASH */

                            value = REG_VAL(address);

                            QM_PRINTF("value: %x\r\n", value);

                            value = value;

                            while (false == callback_invoked) {


                        • 9. Re: Flash protection on D2000: various questions

                          Hi André,


                          We wanted to let you know we’re still investigating on your case. Thank you for your patience.