1 Introduction

A field device built around a dsPIC30F4011 was reported to have had its entire flash memory erased after an abnormal power failure. This article identifies the cause of the self-erase issue and provides solutions to it.

2 Issue Description

The device with the Microchip dsPIC30F4011 had been running in the field for a while. After an abnormal power failure, the device stopped working following the power reset. The device was brought back to the factory for analysis. Using an ICD2 or Real ICE emulator connected to the ICSP (In-Circuit Serial Programming) port, it was found that the entire flash memory read 0xFFFFFF. The result was a shock, as there was no particular function to erase the flash memory, although there was a function to read and write the on-chip EEPROM at the beginning of the application code.

3 Issue Analysis

The Microchip dsPIC30F4011 has two programming modes: In-Circuit Serial Programming (ICSP) and Run-Time Self-Programming (RTSP). ICSP is used by an emulator (such as ICD 2/3 or Real ICE) to read, erase, and write the on-chip flash, while RTSP is used by user software to erase and write the on-chip flash or EEPROM.

3.1 ICSP Mode

According to Microchip document DS70102J, dsPIC30F Flash Programming Specification, ICSP mode is a special programming protocol that allows you to read and write to dsPIC30F memory. This mode also has the ability to read the contents of the executive memory to determine whether the programming executive is present. This capability is accomplished by applying control codes and instructions serially to the device using pins PGC and PGD. In ICSP mode, the system clock is taken from the PGC pin, regardless of the device's oscillator Configuration bits. All instructions are first shifted serially into an internal buffer, then loaded into the Instruction register and executed. No program fetching occurs from internal memory. Instructions are fed in 24 bits at a time. PGD is used to shift data in, and PGC is used as both the serial shift clock and the CPU execution clock.

To enter this mode, specific external signals must be applied to the ICSP pins PGD, PGC, and MCLR, as shown in Figure 11-3. First, hold PGD and PGC at low voltage, then raise MCLR/VPP to VIHH (high voltage), and then perform 4 NOP instructions using the SIX control code. Once ICSP mode is entered, a set of commands can be used to erase or program the on-chip flash or EEPROM memory. The commands applicable to erase functions are listed in Table 11-2.

[Figure 11-3: diagram excerpted from Microchip document DS70102J]

[Table 11-2: table excerpted from Microchip document DS70102J]

3.2 RTSP Mode

According to Microchip document DS70052D, dsPIC30F Family Reference Manual, RTSP allows the user code to read, erase, and write flash program memory as well as EEPROM contents. RTSP is accomplished using TBLRD (table read) and TBLWT (table write) instructions and the NVM Control registers. With RTSP, the user may erase program memory 32 instructions (96 bytes) at a time and can write program memory data 32 instructions (96 bytes) at a time. The programming techniques used for the data EEPROM are similar to those used for Flash program memory RTSP. The key difference between Flash and data EEPROM programming operations is the amount of data that can be programmed or erased during each program/erase cycle.

The NVMCON register is the primary control register for Flash and EEPROM program/erase operations. This register selects Flash or EEPROM memory, selects whether an erase or program operation will be performed, and is used to start the program or erase cycle. The NVMCON register is shown in Table 5-1.
[Table 5-1: table excerpted from Microchip document DS70052D]

As far as the erase function is concerned, the procedures for erasing EEPROM and Flash are similar, as described below.

- Set up the NVMCON register with the command to erase one word of EEPROM or one row of flash.
- Write address of word to be erased into NVMADRU, NVMADR registers.
- Clear NVMIF status bit and enable NVM interrupt (optional).
- Write the key sequence (0x55, 0xAA) to NVMKEY.
- Set the WR bit of NVMCON to initiate erase cycle.
- Poll the WR bit until it is cleared, or wait for the NVM interrupt.

3.3 Cause Identified

As shown in the tables above, the commands used in ICSP mode and RTSP mode are different. Hence, the commands used for ICSP mode should have no effect in user code. However, tests have proven that if one specific ICSP mode command, 0x404E, is written to NVMCON during the EEPROM or Flash erase procedure, it has the same effect in RTSP mode as in ICSP mode: the entire flash memory as well as the EEPROM is erased completely. The test code is given below.

```c
NVMADRU = 0x00;               // high address byte to NVMADRU
NVMADR = 0x0000;              // low address word to NVMADR
NVMCON = 0x404E;              // ICSP erase general segments command to NVMCON
NVMKEY = 0x55;                // unlock key 1
NVMKEY = 0xAA;                // unlock key 2
NVMCONbits.WR = 1;            // enable erase operation
asm (" nop");                 // required nop operation
asm (" nop");
while (NVMCONbits.WR != 0);   // wait until completion
```

Create a simple project that includes the above test code, and run it in either Debug mode or Program mode. Once the test code has executed, read the flash memory and EEPROM; all contents will have become 0xFFFFFF. This test is repeatable.

From these test results, it can be inferred that the entire memory was erased because the NVMCON register was set to 0x404E, when it was supposed to be set to 0x4044 in the EEPROM erase function, at the time the power glitch occurred.

4 Solutions

Now that it is known that the flash memory as well as the EEPROM can be erased completely by accident, the following solutions must be put in place to minimize the chance of that accident.

4.1 Enable Code Protection and Write Protection

The Code Protection feature is read protection, e.g., Intellectual Property protection. With that feature enabled, reading the memory returns all zeros. Write Protection prevents the memory from being overwritten. With this feature enabled, VDD must be greater than 4.5V to erase the protection configuration bits. This condition significantly reduces the chance of an accidental erase, because software malfunction is usually caused by power glitches.

4.2 Enable BOR (Brown-Out Reset) feature

The nominal power VDD for the dsPIC30F is 5V. Set the BOR trip level at 4.5V, which means that the dsPIC30F will be held in reset as long as the power VDD is below the trip level. The reset is released when the power VDD is above the trip level.
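
The two NVMCON values from section 3.3 differ in only two bits, which suggests a firmware-side check in the erase routine of section 3.2: read NVMCON back and refuse to write the key sequence unless it holds exactly the intended command. The following is an added example, not code from the original article or from Microchip; it is a host-side model in which the registers are plain variables, and `fault_mask`, `guarded_eeprom_erase`, `erase_with_fault` and the sample address are hypothetical names and values, with the corruption modelled (as an assumption) as bit flips on the NVMCON write.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side model, constructed for this example. On the dsPIC these are the
 * SFRs from the device header, and fault_mask does not exist. */
volatile uint16_t NVMCON, NVMADR, NVMADRU;
static uint16_t fault_mask;     /* bits flipped on the next NVMCON write */
static unsigned erase_started;  /* times the unlock + WR steps were reached */

#define CMD_EEPROM_WORD_ERASE 0x4044u /* intended command (section 3.3) */
#define CMD_ICSP_BULK_ERASE   0x404Eu /* command that erased everything */

typedef enum { NVM_OK, NVM_BAD_CMD, NVM_READBACK_FAIL } nvm_status;
static void write_nvmcon(uint16_t v) { NVMCON = v ^ fault_mask; fault_mask = 0; }

/* Stand-in for "write 0x55, 0xAA to NVMKEY, set WR, poll WR". */
static void unlock_and_start(void) { erase_started++; }

/* Erase one EEPROM word; unlock only if NVMCON holds the intended command. */
nvm_status guarded_eeprom_erase(uint16_t cmd, uint16_t addr_hi, uint16_t addr_lo)
{
    if (cmd != CMD_EEPROM_WORD_ERASE)
        return NVM_BAD_CMD;                /* caller asked for anything else */
    NVMADRU = addr_hi;
    NVMADR = addr_lo;
    write_nvmcon(cmd);
    if (NVMCON != CMD_EEPROM_WORD_ERASE) { /* read-back differs from intent */
        NVMCON = 0;                        /* drop WREN, never write the key */
        return NVM_READBACK_FAIL;
    }
    unlock_and_start();
    return NVM_OK;
}

/* One erase of a constructed sample address with an injected bit flip. */
nvm_status erase_with_fault(uint16_t mask)
{
    fault_mask = mask;
    return guarded_eeprom_erase(CMD_EEPROM_WORD_ERASE, 0x007F, 0xFC00);
}

int main(void)
{
    bool ok = erase_with_fault(0x0000) == NVM_OK
           && erase_with_fault(0x000A) == NVM_READBACK_FAIL /* 0x4044 -> 0x404E */
           && guarded_eeprom_erase(CMD_ICSP_BULK_ERASE, 0, 0) == NVM_BAD_CMD
           && erase_started == 1;
    return ok ? 0 : 1;
}
```

On the target, a check like this only narrows the window in which a corrupted NVMCON value can be unlocked; it does not replace the write protection and brown-out reset settings described above.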