Hcs08 Sys Protect Wbt


Transcript of Hcs08 Sys Protect Wbt

Page 1: Hcs08 Sys Protect Wbt


Course Introduction

Purpose
• The intent of this course is to provide an overview of the operation and function of the system protection features of the HCS08 architecture.

Objectives
• Describe each of the HCS08 system protection features.
• Describe how to use the HCS08 system protection features to protect against code runaway or unexpected behavior.
• Describe how to configure and operate each of the HCS08 system protection features.

Content
• 18 pages
• 3 questions

Learning Time
• 25 minutes

Welcome to the HCS08 System Protection Features course. These features are designed to provide greater system integrity and greater system protection while your software is operating.

The intent of this course is to provide an overview of the operation and function of the system protection features of the HCS08 architecture. These features, which can be used to provide greater stability and performance in your programs, include the computer operating properly (COP) watchdog timer; a low-voltage detection system, which includes a low-voltage warning (LVW) and a low-voltage detect (LVD); illegal opcode (ILOP) and illegal address (ILAD) detection; loss-of-lock and loss-of-clock detection; and flash memory protection features.

This course will describe each of the HCS08 system protection features. It will also examine how to use these features to protect against code runaway or unexpected behavior. Finally, this course will describe how to configure and operate each of the system protection features.

Page 2: Hcs08 Sys Protect Wbt


What is System Protection?

• Protection in the case of:
  – Sudden loss of power
  – Code runaway
  – Software processing errors

• Which can cause:
  – Flash and memory corruption
  – Unstable/unpredictable input and output states and behavior

• System protection features of the HCS08:
  – COP Watchdog timer
  – LVW and LVD
  – ILOP and ILAD detection
  – Loss-of-lock and loss-of-clock detection
  – Flash memory protection features

Let's begin by looking at system protection and why it is necessary. System protection, in this course, refers to protection against a sudden loss of power (or a gradual loss of power), code runaway (corruption of your program counter), and software processing errors.

Any of these types of situations can result in flash and memory corruption as well as unstable and unpredictable input and output states and behavior. The features shown here are designed to protect against these types of situations.

Page 3: Hcs08 Sys Protect Wbt


COP Watchdog Timer

• Free-running counter cleared by user code

• Provides system integrity protection

• Allows the CPU to recover to a known, fixed state after unexpected events:
  – Runaway software
  – Software processing errors

• Includes a selectable time-out period

• Timer resets microcontroller if not serviced within the time-out period

• Enabled by default

Now, let’s move on to the COP Watchdog timer (also known as the COP timer).

First of all, it is a free-running counter that is cleared by user code. It provides system integrity protection by containing any unexpected or undesired system behavior to a minimum amount of time and, in so doing, contains the behavior to a minimum number of instruction cycles.

The COP timer allows the CPU to recover to a known, fixed state after some sort of unexpected event (such as runaway software or a software processing error) occurs. The COP timer also lets you select the length of the time-out period.

The COP timer resets the microcontroller if it is not cleared manually by the user software within the time-out period. As a result, the timer requires application software intervention to prevent it from resetting the part.

The COP timer is turned on and enabled by default out of reset, so you must actively disable it using software if you choose not to use the timer.

Page 4: Hcs08 Sys Protect Wbt


COP Watchdog Timer

• Configuration handled in SOPT registers:
  – SOPT (in GB/GT)
  – SOPT1 and SOPT2 (in QG)

• From reset, the COP timer:
  – Is enabled automatically (can be disabled by clearing the COPE bit)
  – Defaults to the longest time-out period (can be shortened by clearing the COPT bit)
  – Defaults to the 1-KHz clock source (in QG) (can be clocked from the bus clock by setting COPCLKS in SOPT2)

• Changes to the COP timer configuration can be done only once after reset of the part. All the control bits are write-once.

The COP Watchdog timer can be configured using the system option (SOPT) registers. These registers will vary slightly from microcontroller to microcontroller. Please refer to the microcontroller data sheet for the device you are using in order to obtain exact details of bit and register locations.

In the GB and GT family parts, the COP timer configuration is contained in the SOPT registers. In the QG family parts, the timer configuration is contained in the system option registers 1 and 2 (SOPT1 and SOPT2).

As stated previously, the COP timer is automatically enabled. It can be overridden and disabled by clearing the COP enable (COPE) bit. The COP timer always defaults to its longest time-out period after a reset. You can shorten this default setting by clearing the COP time-out (COPT) bit, which is also located in the SOPT registers. In the case of the QG family, the COP timer defaults to the slower 1-KHz clock source (the COP clock select bit, COPCLKS, in SOPT2 is clear out of reset). This combination results in the longest possible time-out period.

All of these configuration bit changes can only be done once after the part is reset because all of these control bits are write-once only. You will learn why this is important later in the course.

Page 5: Hcs08 Sys Protect Wbt


COP Watchdog Timer

Control bits and the resulting COP overflow count:

COPT  COPCLKS  COP overflow count          Clock source  Family
 1      1      2^18 cycles                 Bus           GB/GT (COPT only), QG
 0      1      2^13 cycles                 Bus           GB/GT (COPT only), QG
 1      0      2^8 cycles (256 ms) (1)     ~1 KHz        QG
 0      0      2^5 cycles (32 ms) (1)      ~1 KHz        QG

(1) Values are shown in this column based on tRTI = 1 ms.

COPT: Selects the number of clock cycles before the COP timer expires.

COPCLKS: Allows the COP timer to be clocked from the CPU bus clock or the 1-KHz internal clock source (on some devices).

Let's take a look at the COP Watchdog timer configuration bits.

Depending on the microcontroller involved, some of the features shown here may or may not be present. In the simplest case, the GB/GT family, there is only a COPT bit, which simply allows you to choose the time-out period of the COP timer. It is either 2^13 cycles of the bus clock or 2^18 cycles of the bus clock, a short and a long period.

In the case of the QG family, you have the options mentioned previously, as well as an additional bit, the COPCLKS bit. This bit allows you to choose not only the CPU bus clock as your clock source, but also an internal 1-KHz clock source, which is significantly slower and allows for different COP time-out values. As you can see in this table, the 1-KHz clock source allows you to choose either a 2^5 cycle or a 2^8 cycle count, which results in approximately 32 milliseconds or 256 milliseconds, respectively. That assumes that your 1-KHz clock is nominally 1 KHz.

In the case of the bus clock being your clock source, the COP timer does not increment when the microcontroller is in Stop mode. The timer simply stops; once the STOP instruction is issued, the COP timer stops counting. Once the microcontroller exits Stop mode, the timer resumes counting from where it stopped. If you are using the 1-KHz clock source, the COP timer is actually reinitialized to a value of zero as the part is put into Stop mode. Once the microcontroller exits Stop mode, the COP timer starts counting again from zero. Note that the 1-KHz clock source will run, even if the bus clock is lost.

It is important to understand that by selecting among these different times, you make a tradeoff between the level of system protection you have and the amount of work that has to be done by the application software. The shorter the COP time-out period is, the more often you need to clear the COP timer so that it doesn't reset the microcontroller. It also means that runaway code can execute fewer instruction cycles before the COP timer resets the part, which minimizes the amount of possible damage or unexpected behavior.

Page 6: Hcs08 Sys Protect Wbt


COP Watchdog Timer

Refresh rate depends on the COP clock frequency (1 KHz or bus clock).

For example:
  COP clock source = bus clock
  Bus clock = 16 MHz
  COPT = longest time-out (2^18 clock cycles)

  COP time-out = 2^18 COP clock cycles / (16,000,000 COP clock cycles/second)
               = 262,144 / 16,000,000 seconds
               = 0.016384 seconds, or 16.384 ms

This means that the COP timer must be serviced in software at least every 16.384 ms or so to prevent the microcontroller from resetting.

Let’s look at a calculation that determines the COP time-out. Assume that you select the bus clock as your clock source (in the case of the GB/GT family, that is the only clock source available), your bus clock is running at 16 MHz, and your COPT bit is set for your longest time-out period (2^18 cycles). You can see from the calculation shown here that you get approximately 16.384 milliseconds between COP timer resets. This means that you must execute a COP servicing routine (clear the COP timer) in your user software at least once every 16.384 milliseconds to prevent it from resetting the microcontroller.
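The time-out arithmetic on this page and the COPT/COPCLKS table on the previous page, as an added host-side C example (it is not course code and not HCS08 firmware). The function names cop_overflow_count, cop_timeout_ms and cop_budget_ok are chosen here; the 1-KHz source is treated as exactly 1 KHz, and the worst-case loop time and 20 % margin in main are constructed figures.

```c
#include <stdint.h>
#include <stdio.h>

/* Overflow count selected by the control bits (taken from the course table):
 *   COPCLKS = 1: bus clock,    COPT = 0 -> 2^13, COPT = 1 -> 2^18
 *   COPCLKS = 0: ~1 KHz clock, COPT = 0 -> 2^5,  COPT = 1 -> 2^8   (QG only) */
uint32_t cop_overflow_count(int copt, int copclks)
{
    if (copclks)
        return copt ? (1UL << 18) : (1UL << 13);
    return copt ? (1UL << 8) : (1UL << 5);
}

/* Time-out in milliseconds. bus_hz is the bus clock frequency; the internal
 * source is assumed to be a nominal 1 KHz (the course notes it is only ~1 KHz). */
double cop_timeout_ms(int copt, int copclks, double bus_hz)
{
    double clk_hz = copclks ? bus_hz : 1000.0;
    return (double)cop_overflow_count(copt, copclks) / clk_hz * 1000.0;
}

/* Service-budget check: the longest path through the main loop (including the
 * worst-case interrupt load on that path) must return to the single COP
 * refresh point before the time-out, with a safety margin in percent.
 * Returns 1 when the budget holds, 0 when the COP would fire. */
int cop_budget_ok(double worst_loop_ms, double timeout_ms, double margin_pct)
{
    return worst_loop_ms * (1.0 + margin_pct / 100.0) < timeout_ms;
}

int main(void)
{
    /* The course's worked example: bus clock, 16 MHz, COPT = longest. */
    double t = cop_timeout_ms(1, 1, 16e6);
    printf("COP time-out at 16 MHz, 2^18 cycles: %.3f ms\n", t);

    /* Constructed budget: a 12 ms worst-case loop with 20 % margin. */
    printf("12 ms worst-case loop with 20%% margin: %s\n",
           cop_budget_ok(12.0, t, 20.0) ? "OK" : "too slow, COP would reset");

    /* QG with the default 1-KHz source and the short time-out. */
    printf("1 KHz source, COPT = 0: %.0f ms\n", cop_timeout_ms(0, 0, 16e6));
    return 0;
}
```

The budget check is the part worth keeping in a real project: measure the longest main-loop iteration (with interrupts active) and compare it against the time-out for the COPT setting you chose, rather than discovering a too-short time-out as spurious resets in the field.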

Page 7: Hcs08 Sys Protect Wbt


COP Watchdog Timer

• Initialization:
  – Always write the COP timer configuration, even when using default values (locks in values and prevents accidental clearing of the COPE bit).

• Operation:
  – Software clearing of the COP timer is performed by writing any value to the SRS register.
  – The COP timer bit in the SRS register indicates that a COP timer reset has occurred.

• Tips for more robust system protection:
  – Always place COP timer service code in the main software loop.
  – Don’t place COP timer servicing in ISRs or other subroutines.
  – Use a single section of code to clear the COP timer, inside the main loop.

So, what do you need to know about setting up the COP Watchdog timer? Let’s discuss a few hints that will help you maximize the use of this timer.

As far as initialization goes, even if you choose to use the default settings for the COP timer for your application, you should always write the COP timer configuration bits. This locks in the values and prevents any accidental clearing of the COPE bit. For example, if you encounter a code runaway situation and you have not written to the COP timer configuration bits, it is possible that the runaway code will actually clear the COPE bit. This would disable the COP timer and the code would continue to run away unchecked.

During the operation of the COP timer, what other things can you do? The actual servicing of the COP timer is done by writing a value to the system reset status (SRS) register. If you get a reset on the part and you check the SRS register and see that the COP bit is set, then it indicates that the COP timer did reset the part.

You should always place the COP timer servicing code in your main software loop. Do not place it inside an interrupt service routine (ISR) or other subroutine. If the servicing code is in an ISR, a periodic interrupt can keep firing and clearing the COP timer even after the main program has run away, so the COP timer never resets the part and the code keeps executing even though you are effectively in a code runaway situation.

In addition, you should always use a single section of code to clear the COP timer. It is easier to calculate and predict how often you are servicing the COP timer if you only do it in one place in your code. It is possible that your code will take too much time to execute and you may need to clear it in multiple places. However, you should always service the COP timer in as few places in your code as possible. Note that the COP timer is disabled when the microcontroller is in active background debug mode.
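The initialization advice on this page (write the COP configuration even when the defaults are what you want), as an added host-side C model that is not course code. It models the write-once behaviour of SOPT with a small struct; the bit positions COPE = bit 7 and COPT = bit 6, and the 0x00 value stored by runaway code, are assumptions chosen here and should be checked against your device's data sheet.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed SOPT bit positions (verify against the data sheet). */
#define SOPT_COPE         0x80u
#define SOPT_COPT         0x40u
#define SOPT_RESET_VALUE  (SOPT_COPE | SOPT_COPT)   /* COP on, longest time-out */

typedef struct {
    uint8_t value;
    int     locked;   /* set after the first write following reset */
} sopt_model_t;

/* State after reset: defaults loaded, register still writable once. */
void sopt_reset(sopt_model_t *r)
{
    r->value  = SOPT_RESET_VALUE;
    r->locked = 0;
}

/* Write-once semantics: only the first write after reset takes effect; later
 * writes are ignored. That is what lets an explicit write "lock in" the COP. */
void sopt_write(sopt_model_t *r, uint8_t v)
{
    if (!r->locked) {
        r->value  = v;
        r->locked = 1;
    }
}

int sopt_cop_enabled(const sopt_model_t *r)
{
    return (r->value & SOPT_COPE) != 0;
}

/* Scenario: start-up code either writes SOPT (as the course recommends) or
 * skips the write because the defaults are acceptable. Later, runaway code
 * happens to store 0x00 to SOPT (constructed fault). Returns 1 if the COP is
 * still enabled afterwards, 0 if the stray store disabled it. */
int cop_survives_runaway(int init_writes_sopt)
{
    sopt_model_t sopt;
    sopt_reset(&sopt);

    if (init_writes_sopt)
        sopt_write(&sopt, SOPT_RESET_VALUE);   /* same as default, but now locked */

    sopt_write(&sopt, 0x00);                   /* stray store from runaway code */
    return sopt_cop_enabled(&sopt);
}

int main(void)
{
    printf("init skips SOPT write  -> COP enabled after runaway: %d\n",
           cop_survives_runaway(0));
    printf("init writes SOPT       -> COP enabled after runaway: %d\n",
           cop_survives_runaway(1));
    return 0;
}
```

The same reasoning applies to every write-once protection bit on the part: the first write after reset should come from your start-up code, so that the write-once slot is consumed by a known value rather than left open for whatever executes next.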

Page 8: Hcs08 Sys Protect Wbt


Question

What are some of the features of the COP Watchdog timer? Select all that apply and then click Done.

It must be actively enabled using software.

It allows the CPU to recover to a known, fixed state after some sort of unexpected event.

It includes a fixed time-out period.

It is a free-running counter that is cleared by user code.

It resets the microcontroller if it is not cleared within the time-out period.

It provides system integrity protection by containing any unexpected or undesired system behavior.

Check your understanding of the COP Watchdog timer.

Correct. The COP Watchdog timer allows the CPU to recover to a known, fixed state after some sort of unexpected event. The timer is also a free-running counter that is cleared by user code, and it resets the microcontroller if it is not cleared manually by the user software within the time-out period. The timer provides system integrity protection by containing any unexpected or undesired system behavior. It is turned on and enabled by default out of reset, so you must actively disable it using software if you choose not to use the timer. It is also configurable to allow you to select the time-out period and the length of the time-out period.

Page 9: Hcs08 Sys Protect Wbt


Low-voltage Detection System

• LVW
  – Additional warning that VDD is falling
  – Flag, not an interrupt
  – Selectable for either 2.1V or 2.4V nominal

• LVD
  – Can be configured as a reset or interrupt
  – 1.8V nominal trip (default)
  – 2.1V nominal trip also available
  – Can be set to function in Stop mode

Now that you understand how to use the COP Watchdog timer, let's look at another system protection feature: the low-voltage detection system. The low-voltage detection system is comprised of two components: the LVW and the LVD.

The LVW indicates that your voltage is dropping on VDD. The LVW is a flag, not an interrupt, and its level is selectable for either 2.1V or 2.4V nominal.

The LVD can be used to trigger a reset or interrupt on the microcontroller. Its level is also configurable, either 1.8V or 2.1V nominal. The LVD can also be set to function in Stop mode.

In battery applications, it is useful to use the LVW to detect a falling battery voltage while the system still has enough power to operate. For example, the system can store away data into non-volatile memory (NVM) to prepare for an imminent battery replacement. Additionally, the LVW is a useful warning when the LVD is configured to reset the part by providing an early indication to the software that a reset might be coming soon.

Page 10: Hcs08 Sys Protect Wbt


Low-voltage Detection System

[Figure: low-voltage trip points. VDD falls from the normal operating voltage, first through the low-voltage warning level (VLVW) and then through the low-voltage detect level (VLVD).]

LVWV (Warning Voltage Select):
  1 – VLVWH (High Trip Point)
  0 – VLVWL (Low Trip Point)
Crossing VLVW:
  • Sets LVWF only

LVDV (Detect Voltage Select):
  1 – VLVDH (High Trip Point)
  0 – VLVDL (Low Trip Point)
Crossing VLVD:
  • Sets LVDF
  • Triggers an interrupt when enabled by LVDIE
  • Forces the microcontroller to reset when enabled by LVDRE

Low-voltage detection system controls and flags are located in the system power management status and control registers.

Now, it’s time to examine the control bits for the low-voltage detection system as well as how the trip points relate to each other.

Under normal operating conditions, neither the flags nor any of the low-voltage detection circuitry should give you any interrupts. However, as the voltage drops to the warning voltage level, either the high trip point or the low trip point, the low-voltage warning flag (LVWF) will be set.

If the voltage continues to drop to the level of the low-voltage detection threshold, either its high trip point or low trip point depending on how it is configured by the low-voltage detection voltage (LVDV) bit, then the low-voltage detection circuitry kicks in. If an interrupt is enabled with the low-voltage detection interrupt enable (LVDIE) bit, that will trigger an interrupt, with the low-voltage detection flag (LVDF) set. If the low-voltage detection reset enable (LVDRE) bit is also set, that will reset the microcontroller based on this low-voltage detection. Note: Low-voltage detection system controls and flags are located in the system power management status and control registers.

The low-voltage detection circuitry is very useful in battery-type applications and applications where the supply voltage may be unexpectedly interrupted or unexpectedly decay.
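The trip-point ordering described on these two pages (warning first, then detect; detect acting as flag, interrupt or reset depending on LVDIE and LVDRE), as an added host-side C example that is not course code. The nominal trip voltages are the ones the course lists (LVW 2.4V/2.1V, LVD 2.1V/1.8V); the function names, the millivolt representation and the supply-ramp samples in main are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Nominal trip points from the course, in millivolts. */
#define V_LVWH_MV 2400   /* LVWV = 1 */
#define V_LVWL_MV 2100   /* LVWV = 0 */
#define V_LVDH_MV 2100   /* LVDV = 1 */
#define V_LVDL_MV 1800   /* LVDV = 0 (default) */

typedef struct {
    int lvwv, lvdv;     /* trip-point selects */
    int lvdie, lvdre;   /* interrupt enable, reset enable */
} lv_config_t;

typedef enum { LV_NONE, LV_WARN, LV_DETECT_FLAG, LV_DETECT_IRQ, LV_DETECT_RESET } lv_event_t;

int lvw_trip_mv(const lv_config_t *c) { return c->lvwv ? V_LVWH_MV : V_LVWL_MV; }
int lvd_trip_mv(const lv_config_t *c) { return c->lvdv ? V_LVDH_MV : V_LVDL_MV; }

/* Evaluate one VDD sample against the configured trip points. Detect takes
 * precedence over warning; within detect, reset takes precedence over the
 * interrupt, which takes precedence over a bare flag. */
lv_event_t lv_evaluate(const lv_config_t *c, int vdd_mv)
{
    if (vdd_mv <= lvd_trip_mv(c)) {
        if (c->lvdre) return LV_DETECT_RESET;
        if (c->lvdie) return LV_DETECT_IRQ;
        return LV_DETECT_FLAG;
    }
    if (vdd_mv <= lvw_trip_mv(c))
        return LV_WARN;
    return LV_NONE;
}

/* Headroom in millivolts between the warning and the detect trip points.
 * Zero means the warning gives no advance notice (e.g. LVWV = 0 with LVDV = 1,
 * both 2.1V), which defeats the "save state before reset" use the course
 * describes; a configuration check at start-up can reject that. */
int lv_warning_headroom_mv(const lv_config_t *c)
{
    return lvw_trip_mv(c) - lvd_trip_mv(c);
}

int main(void)
{
    /* Constructed: LVW at 2.4V, LVD reset at 1.8V, supply decaying. */
    lv_config_t cfg = { 1, 0, 0, 1 };
    const int ramp_mv[] = { 3000, 2500, 2350, 2000, 1790 };
    const char *names[] = { "none", "warning", "detect flag", "detect irq", "detect reset" };
    size_t i;

    printf("warning headroom: %d mV\n", lv_warning_headroom_mv(&cfg));
    for (i = 0; i < sizeof ramp_mv / sizeof ramp_mv[0]; i++)
        printf("VDD %4d mV -> %s\n", ramp_mv[i], names[lv_evaluate(&cfg, ramp_mv[i])]);
    return 0;
}
```

The headroom check is the practical point: for the battery case the course describes, the warning level must sit measurably above the detect level, otherwise LVWF and the reset arrive together and there is no window in which to write state to NVM.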

Page 11: Hcs08 Sys Protect Wbt


ILOP and ILAD Detection

ILOP: Reset was caused by an attempt to execute an unimplemented or illegal opcode. The STOP instruction is considered illegal if Stop is disabled by STOPE = 0 in the SOPT register. The BGND instruction is considered illegal if active background debug mode is disabled by ENBDM = 0 in the BDCSC register.
  0 - Reset was not caused by an ILOP.
  1 - Reset was caused by an ILOP.

ILAD: Reset was caused by an attempt to access either data or an instruction at an unimplemented memory address.
  0 - Reset was not caused by an ILAD.
  1 - Reset was caused by an ILAD.

Let’s take a look at two more features of the HCS08 families that allow you to protect your system against code runaway or unexpected code execution: ILOP and ILAD. These two bits are located in the SRS register.

If the program counter is corrupted and you have a code runaway situation, it is possible that you will attempt to execute an unimplemented or illegal opcode. The STOP instruction is considered illegal if Stop is disabled by STOPE = 0 in the SOPT register. The background (BGND) instruction is considered illegal if active background debug mode is disabled by ENBDM = 0 in the background debug controller status and control (BDCSC) register. If the CPU does not recognize the fetched byte as a valid opcode, it will set the ILOP flag and a reset will occur. A “0” indicates that the reset was not caused by an ILOP. A “1” indicates that the reset was caused by an ILOP.

Additionally, an ILAD flag will be set and a reset will occur if an attempt is made to access either data or instruction at an unimplemented memory address. This is further protection against code runaway. A “0” indicates that the reset was not caused by an ILAD. A “1” indicates that the reset was caused by an ILAD.
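Reading the SRS bits described here and on the COP page at start-up, as an added host-side C example that is not course code. The bit positions (POR bit 7, PIN bit 6, COP bit 5, ILOP bit 4, ILAD bit 3, ICG bit 2, LVD bit 1) follow the data-sheet layout as I recall it and are assumptions to verify for your device; the ICG bit is only present on GB/GT parts. The boot policy, the fault counter and the reset sequence in main are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed SRS bit positions (verify against the data sheet). */
#define SRS_POR  0x80u
#define SRS_PIN  0x40u
#define SRS_COP  0x20u
#define SRS_ILOP 0x10u
#define SRS_ILAD 0x08u
#define SRS_ICG  0x04u
#define SRS_LVD  0x02u

typedef enum {
    CAUSE_POR, CAUSE_PIN, CAUSE_COP, CAUSE_ILOP,
    CAUSE_ILAD, CAUSE_ICG, CAUSE_LVD, CAUSE_UNKNOWN
} reset_cause_t;

/* Decode the reset-status register into one primary cause. */
reset_cause_t classify_srs(uint8_t srs)
{
    if (srs & SRS_POR)  return CAUSE_POR;
    if (srs & SRS_PIN)  return CAUSE_PIN;
    if (srs & SRS_COP)  return CAUSE_COP;
    if (srs & SRS_ILOP) return CAUSE_ILOP;
    if (srs & SRS_ILAD) return CAUSE_ILAD;
    if (srs & SRS_ICG)  return CAUSE_ICG;
    if (srs & SRS_LVD)  return CAUSE_LVD;
    return CAUSE_UNKNOWN;
}

const char *reset_cause_name(reset_cause_t c)
{
    static const char *names[] = {
        "power-on", "external pin", "COP watchdog", "illegal opcode",
        "illegal address", "loss of lock/clock", "low voltage", "unknown"
    };
    return names[c];
}

/* A "fault" reset is one raised by the protection hardware, as opposed to
 * a power-on or external reset that the system expects. */
int is_fault_reset(reset_cause_t c)
{
    return c == CAUSE_COP || c == CAUSE_ILOP || c == CAUSE_ILAD ||
           c == CAUSE_ICG || c == CAUSE_LVD;
}

/* Boot policy: count consecutive fault resets (in a real part the counter
 * would live in RAM that survives reset, or in NVM) and, once the limit is
 * reached, stay in a safe mode instead of re-running the faulting code.
 * Returns 1 when safe mode should be entered. */
int boot_policy(uint8_t srs, uint8_t *consecutive_faults, uint8_t limit)
{
    reset_cause_t c = classify_srs(srs);
    if (is_fault_reset(c))
        (*consecutive_faults)++;
    else
        *consecutive_faults = 0;
    return *consecutive_faults >= limit;
}

int main(void)
{
    /* Constructed reset sequence: power-on, then three protection resets. */
    const uint8_t srs_log[] = { SRS_POR, SRS_COP, SRS_ILOP, SRS_ILAD };
    uint8_t faults = 0;
    size_t i;

    for (i = 0; i < sizeof srs_log; i++) {
        int safe = boot_policy(srs_log[i], &faults, 3);
        printf("SRS=0x%02X (%s): faults=%u, %s\n", srs_log[i],
               reset_cause_name(classify_srs(srs_log[i])), faults,
               safe ? "enter safe mode" : "run application");
    }
    return 0;
}
```

Recording the decoded cause somewhere that survives the next reset is what turns these bits into diagnostics: a run of COP or ILOP resets from the field tells you which protection fired, which is the first question when chasing a runaway.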

Page 12: Hcs08 Sys Protect Wbt


Question

Match each HCS08 system protection feature to its description by dragging the letters on the left to the boxes on the right. Click “Done” when you are finished.

Features:
• LVW
• LVD
• ILOP
• ILAD

Descriptions:
• Can be configured as a reset or interrupt; can be set to function in Stop mode
• Warning that VDD is falling; selectable for either 2.1V or 2.4V nominal
• Reset caused by an attempt to access data or instruction at an unimplemented memory address
• Reset caused by an attempt to execute an unimplemented or illegal opcode

Let’s review some of the HCS08 system protection features.

Correct.

The LVW indicates that your voltage is dropping on VDD. The level is selectable for either 2.1V or 2.4V nominal. The LVD can be used to trigger a reset or interrupt on the microcontroller and it can also be set to function in Stop mode. If the program counter gets corrupted and you have a code runaway situation, it is possible that you will be attempting to execute an unimplemented or illegal opcode. If the CPU does not recognize your input as a valid opcode, it will set the ILOP flag and a reset will occur. An ILAD flag will be set and a reset will occur if an attempt is made to access either data or instruction at an unimplemented memory address.

Page 13: Hcs08 Sys Protect Wbt


Loss of Lock and Loss of Clock

• Feature on the HC9S08GB/GT family of devices

• ICG module controls:
  – ICGC2 register
    • LOLRE
    • LOCRE
  – ICGS1 register
    • LOLS
    • LOCS

• If either reset capability is enabled and the ICG causes a reset, the ICG bit in the SRS register will be set.

Another system protection feature on the HC9S08GB/GT family of devices is loss-of-lock and loss-of-clock detection, which is located within the internal clock generation (ICG) module.

Inside these devices, you will find a control register, ICGC2, which contains a loss-of-lock reset enable (LOLRE) and a loss-of-clock reset enable (LOCRE). In the status register, ICGS1, you will find the FLL loss-of-lock status (LOLS) register bit and the loss-of-clock status (LOCS) register bit.

These features allow you to reset the part in case the primary clock is lost. If the clock gets out of regulation and becomes unlocked, these features will set the status flag and then, if enabled, will reset the part. If LOLRE or LOCRE are not enabled, an interrupt is generated, rather than a reset. Therefore, it is important to create an ISR if you are not using these reset mechanisms.

Page 14: Hcs08 Sys Protect Wbt


Flash Memory Protection

• Flash block protection settings loaded at reset and cannot be modified by user code
  – NVPROT (NVM location) loaded into FPROT (high-page register)
  – FPROT only modified through background debug commands

• GB/GT family
  – Block sizes of 512 bytes, 1 Kbytes, 2 Kbytes, 4 Kbytes, 8 Kbytes, 16 Kbytes, 32 Kbytes, and entire array

• QG family
  – Similar to HC08 and S12
  – Protect in increments of 512 bytes
  – Set by setting end address

Let’s move on to some of the flash memory protection features.

The first feature is the flash block protection feature. These flash block protection settings are actually loaded at reset and they cannot be modified by user code. They are loaded from an NVM location called non-volatile flash protect (NVPROT). They are then loaded into a high-page register called flash protect (FPROT). FPROT can then only be modified through background debug commands.

The way in which the memory is divided for flash block protection varies slightly between microcontrollers. For the GB/GT family, the block sizes range from 512 bytes to 8 Kbytes to the entire array.

With the QG family, the block sizes are similar to the HC08 and S12. They offer protection in increments of 512 bytes and are set by configuring the end address.

Page 15: Hcs08 Sys Protect Wbt


Flash Block Protection

[Figure: Flash Block Protection, NOT TO SCALE, two panels.]

GB/GT Family: memory map from $0100 to $FFFF, with the high-page registers starting at $1800 (FPROT is one of them; $182C is shown) and the interrupt vectors at $FFC0–$FFFF. NVPROT sits in flash and is loaded into FPROT. Each FPS2:0 setting (000, 001, 010, 011, 100, 101, 110, 111) is drawn against the lower boundary of the block it protects, the block always extending up to $FFFF: the labelled boundaries are $8000, $C000, $E000, $F000, $F800, $FC00 and $FE00 (32 Kbytes down to 512 bytes), plus the entire array.

QG Family: the seven FPS bits supply address bits A15–A9; bits A8–A0 are fixed at 1 1111 1111, so the result is $xxFF, the last unprotected memory address.

Here, you can see some examples of the block sizes for the GB/GT and QG families.

In the GB/GT family, flash is protected in blocks that double in size from 512 bytes to 32,768 bytes (in powers of 2). Three FPS bits control the protected flash block size. Here you can see which ranges of memory are covered and protected for each FPS bit setting.

Notice that in the QG family, seven bits control the size of the block protection in increments of 512 bytes. These seven bits are concatenated with values of ones on the lower bits to create a 16-bit address. This address sets the final ending address of the unprotected portion of flash.
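The address arithmetic behind the two block-protection schemes on this page, as an added host-side C example that is not course code. The GB/GT helper works from the protected block size rather than the FPS2:0 encoding (which is in the data sheet, not on this page); the QG helper assumes, as the figure shows, that the seven FPS bits form A15–A9 of the last unprotected address with A8–A0 all ones. Function names and the sizes used in main are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

#define VECTORS_START 0xFFC0u   /* interrupt vectors occupy 0xFFC0-0xFFFF */

/* GB/GT: protected blocks end at 0xFFFF and double in size from 512 bytes to
 * 32 Kbytes. Returns the first protected address, or 0 for an unsupported size. */
uint16_t gbgt_protected_start(uint32_t size_bytes)
{
    uint32_t s;
    for (s = 512; s <= 32768; s <<= 1)
        if (s == size_bytes)
            return (uint16_t)(0x10000u - s);
    return 0;   /* not one of the power-of-two sizes the family supports */
}

/* QG: last unprotected address = FPS[6:0] << 9 | 0x1FF (assumed bit packing);
 * everything above it up to 0xFFFF is protected, in 512-byte steps. */
uint16_t qg_last_unprotected(uint8_t fps7)
{
    return (uint16_t)(((fps7 & 0x7Fu) << 9) | 0x1FFu);
}

/* Inverse of the above: the FPS value that protects exactly size_bytes at the
 * top of flash. Returns 1 on success; 0 if the size is not a multiple of 512
 * or cannot be expressed (all 512 bytes at the top is the minimum, and a
 * 7-bit field cannot express "protect everything"). */
int qg_fps_for_protected_size(uint32_t size_bytes, uint8_t *fps7)
{
    if (size_bytes == 0 || size_bytes % 512 != 0 || size_bytes > 0x10000u - 512)
        return 0;
    /* first protected = 0x10000 - size; last unprotected is one below it */
    *fps7 = (uint8_t)((0x10000u - size_bytes - 1) >> 9);
    return 1;
}

int address_protected(uint16_t addr, uint16_t first_protected)
{
    return addr >= first_protected;
}

/* Block protection is only meaningful for runaway protection if the vector
 * table itself lies inside the protected region. */
int vectors_protected(uint16_t first_protected)
{
    return first_protected <= VECTORS_START;
}

int main(void)
{
    uint8_t fps;
    uint32_t sizes[] = { 512, 2048, 32768 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint16_t start = gbgt_protected_start(sizes[i]);
        printf("GB/GT %5lu bytes: protected 0x%04X-0xFFFF, vectors %s\n",
               (unsigned long)sizes[i], start,
               vectors_protected(start) ? "protected" : "NOT protected");
    }
    if (qg_fps_for_protected_size(2048, &fps))
        printf("QG 2048 bytes: FPS=0x%02X, last unprotected 0x%04X\n",
               fps, qg_last_unprotected(fps));
    return 0;
}
```

The vector check is the one to keep: whatever size you pick, confirm that 0xFFC0–0xFFFF falls inside the protected range, since a runaway that can rewrite the vectors can redirect every interrupt and the reset itself.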

Page 16: Hcs08 Sys Protect Wbt


Vector Redirection

• Available when flash block protection is enabled

• Allows user to modify interrupt vector information without disabling flash block protection

• Disabled by FNORED bit in NVOPT register

• When engaged, interrupt vectors are fetched from unprotected section of flash, leaving original interrupt vectors (0xFFC0 to 0xFFFF) unchanged and protected

The second flash memory protection feature is vector redirection.

The interrupt vectors are redirected when the flash block protection is enabled, so you can modify interrupt vector information in a different location without disabling the flash block protection. This is helpful when you are updating ISRs during development, but you need to maintain flash block protection. Vector redirection can be disabled using the flash vector redirection disable (FNORED) bit in the non-volatile memory option (NVOPT) register. However, when vector redirection is engaged, the interrupt vectors are fetched from an unprotected section of flash, which leaves the original interrupt vectors (0xFFC0 to 0xFFFF) unchanged and protected. Note: The reset vector (0xFFFE to 0xFFFF) is not redirected.

Page 17: Hcs08 Sys Protect Wbt


Question

Is the following statement true or false? Click Done when you are finished.

“In the GB/GT family, seven bits control the size of the block protection in increments of 512 bytes.”

True

False

Consider this question regarding flash memory protection.

Correct.

In the GB/GT family, flash is protected in blocks that double in size from 512 bytes to 32,768 bytes (in powers of 2). In the QG family, seven bits control the size of the block protection in increments of 512 bytes.

Page 18: Hcs08 Sys Protect Wbt


Course Summary

• COP Watchdog timer

• Low-voltage detection system: LVW and LVD

• ILOP and ILAD detection

• Loss-of-lock and loss-of-clock detection

• Flash memory protection

• EB398/D available at www.freescale.com

In this course, you learned about the operation and function of the system protection features of the HCS08 architecture. These features are designed to provide greater system integrity and greater system protection while your software is operating.

You also reviewed the purpose of the COP Watchdog timer and discovered how it is configured using the SOPT registers. You examined the COP timer’s configuration bits, a calculation for determining a COP time-out, and a few helpful hints that will help you ensure that you are maximizing the use of your timer.

You then learned about the low-voltage detection system. The LVW indicates that your voltage is dropping on VDD. It is a flag, not an interrupt, and its level is selectable for either 2.1V or 2.4V nominal. The LVD can be used to trigger a reset or interrupt on the microcontroller. Its level is also configurable, either 1.8V or 2.1V nominal. The LVD can also be set to function in Stop mode.

You examined other features of the HCS08 families that allow you to protect your system against code runaway or unexpected code execution, such as ILOP, ILAD, loss-of-lock and loss-of-clock detection, and flash memory protection.

If you would like to examine some different options for system protection, refer to Engineering Bulletin 398 (EB398/D), entitled “Techniques to Protect MCU Applications Against Malfunction Due to Code Run-Away.” This Engineering Bulletin is designed for the HC08 family of products. However, the principles for the concepts apply to any microcontroller in the Freescale portfolio, if the appropriate features are enabled.