1 /***************************************************************************
2 * Copyright (C) 2015 by Ivan Meleca *
5 * Modified from kinetis.c *
7 * Copyright (C) 2011 by Mathias Kuester *
10 * Copyright (C) 2011 sleep(5) ltd *
11 * tomas@sleepfive.com *
13 * Copyright (C) 2012 by Christopher D. Kilgour *
14 * techie at whiterocker.com *
16 * Copyright (C) 2013 Nemui Trinomius *
17 * nemuisan_kawausogasuki@live.jp *
19 * Copyright (C) 2015 Tomas Vanek *
22 * This program is free software; you can redistribute it and/or modify *
23 * it under the terms of the GNU General Public License as published by *
24 * the Free Software Foundation; either version 2 of the License, or *
25 * (at your option) any later version. *
27 * This program is distributed in the hope that it will be useful, *
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
30 * GNU General Public License for more details. *
32 * You should have received a copy of the GNU General Public License *
33 * along with this program. If not, see <http://www.gnu.org/licenses/>. *
34 ***************************************************************************/
40 #include "jtag/interface.h"
42 #include <helper/binarybuffer.h>
43 #include <target/algorithm.h>
44 #include <target/armv7m.h>
45 #include <target/cortex_m.h>
48 #define SIM_SRSID 0x40048000
49 #define ICS_C1 0x40064000
50 #define ICS_C2 0x40064001
51 #define ICS_C3 0x40064002
52 #define ICS_C4 0x40064003
53 #define ICS_S 0x40064004
54 #define SIM_BUSDIV 0x40048018
55 #define SIM_CLKDIV_KE06 0x40048024
56 #define SIM_CLKDIV_KE04_44_64_80 0x40048024
57 #define SIM_CLKDIV_KE04_16_20_24 0x4004801C
58 #define WDOG_CS1 0x40052000
60 #define ICS_C2_BDIV_MASK 0xE0
61 #define ICS_C2_BDIV_SHIFT 5
62 #define ICS_C2_BDIV(x) (((uint8_t)(((uint8_t)(x))<<ICS_C2_BDIV_SHIFT))&ICS_C2_BDIV_MASK)
63 #define ICS_S_LOCK_MASK 0x40
64 #define ICS_C4_SCFTRIM_MASK 0x1
65 #define SIM_CLKDIV_OUTDIV2_MASK 0x1000000
66 #define FTMRX_FCLKDIV_FDIV_MASK 0x3F
67 #define FTMRX_FCLKDIV_FDIV_SHIFT 0
68 #define FTMRX_FCLKDIV_FDIV(x) (((uint8_t)(((uint8_t)(x))<<FTMRX_FCLKDIV_FDIV_SHIFT))&FTMRX_FCLKDIV_FDIV_MASK)
69 #define FTMRX_FCLKDIV_FDIVLCK_MASK 0x40
70 #define FTMRX_FCLKDIV_FDIVLCK_SHIFT 6
71 #define FTMRX_FCLKDIV_FDIVLD_MASK 0x80
72 #define FTMRX_FCLKDIV_FDIVLD_SHIFT 7
73 #define FTMRX_FSTAT_CCIF_MASK 0x80
74 #define FTMRX_FSTAT_MGSTAT0_MASK 0x01
75 #define FTMRX_FSTAT_MGSTAT1_MASK 0x02
78 #define FTMRX_CMD_ALLERASED 0x01
79 #define FTMRX_CMD_BLOCKERASED 0x02
80 #define FTMRX_CMD_SECTIONERASED 0x03
81 #define FTMRX_CMD_READONCE 0x04
82 #define FTMRX_CMD_PROGFLASH 0x06
83 #define FTMRX_CMD_PROGONCE 0x07
84 #define FTMRX_CMD_ERASEALL 0x08
85 #define FTMRX_CMD_ERASEBLOCK 0x09
86 #define FTMRX_CMD_ERASESECTOR 0x0A
87 #define FTMRX_CMD_UNSECURE 0x0B
88 #define FTMRX_CMD_VERIFYACCESS 0x0C
89 #define FTMRX_CMD_SETMARGINLVL 0x0D
90 #define FTMRX_CMD_SETFACTORYLVL 0x0E
91 #define FTMRX_CMD_CONFIGNVM 0x0F
94 #define FTMRX_ERROR_ACCERR 0x20
95 #define FTMRX_ERROR_FPVIOL 0x10
97 #define KINETIS_KE_SRSID_FAMID(x) ((x >> 28) & 0x0F)
98 #define KINETIS_KE_SRSID_SUBFAMID(x) ((x >> 24) & 0x0F)
99 #define KINETIS_KE_SRSID_PINCOUNT(x) ((x >> 16) & 0x0F)
101 #define KINETIS_KE_SRSID_KEX2 0x02
102 #define KINETIS_KE_SRSID_KEX4 0x04
103 #define KINETIS_KE_SRSID_KEX6 0x06
105 struct kinetis_ke_flash_bank {
106 uint32_t sector_size;
107 uint32_t protection_size;
110 uint32_t ftmrx_fclkdiv_addr;
111 uint32_t ftmrx_fccobix_addr;
112 uint32_t ftmrx_fstat_addr;
113 uint32_t ftmrx_fprot_addr;
114 uint32_t ftmrx_fccobhi_addr;
115 uint32_t ftmrx_fccoblo_addr;
118 #define MDM_REG_STAT 0x00
119 #define MDM_REG_CTRL 0x04
120 #define MDM_REG_ID 0xfc
122 #define MDM_STAT_FMEACK (1<<0)
123 #define MDM_STAT_FREADY (1<<1)
124 #define MDM_STAT_SYSSEC (1<<2)
125 #define MDM_STAT_SYSRES (1<<3)
126 #define MDM_STAT_FMEEN (1<<5)
127 #define MDM_STAT_BACKDOOREN (1<<6)
128 #define MDM_STAT_LPEN (1<<7)
129 #define MDM_STAT_VLPEN (1<<8)
130 #define MDM_STAT_LLSMODEXIT (1<<9)
131 #define MDM_STAT_VLLSXMODEXIT (1<<10)
132 #define MDM_STAT_CORE_HALTED (1<<16)
133 #define MDM_STAT_CORE_SLEEPDEEP (1<<17)
134 #define MDM_STAT_CORESLEEPING (1<<18)
136 #define MEM_CTRL_FMEIP (1<<0)
137 #define MEM_CTRL_DBG_DIS (1<<1)
138 #define MEM_CTRL_DBG_REQ (1<<2)
139 #define MEM_CTRL_SYS_RES_REQ (1<<3)
140 #define MEM_CTRL_CORE_HOLD_RES (1<<4)
141 #define MEM_CTRL_VLLSX_DBG_REQ (1<<5)
142 #define MEM_CTRL_VLLSX_DBG_ACK (1<<6)
143 #define MEM_CTRL_VLLSX_STAT_ACK (1<<7)
145 #define MDM_ACCESS_TIMEOUT 3000 /* iterations */
147 static int kinetis_ke_mdm_write_register(struct adiv5_dap *dap, unsigned reg, uint32_t value)
150 LOG_DEBUG("MDM_REG[0x%02x] <- %08" PRIX32, reg, value);
152 retval = dap_queue_ap_write(dap_ap(dap, 1), reg, value);
153 if (retval != ERROR_OK) {
154 LOG_DEBUG("MDM: failed to queue a write request");
158 retval = dap_run(dap);
159 if (retval != ERROR_OK) {
160 LOG_DEBUG("MDM: dap_run failed");
167 static int kinetis_ke_mdm_read_register(struct adiv5_dap *dap, unsigned reg, uint32_t *result)
170 retval = dap_queue_ap_read(dap_ap(dap, 1), reg, result);
171 if (retval != ERROR_OK) {
172 LOG_DEBUG("MDM: failed to queue a read request");
176 retval = dap_run(dap);
177 if (retval != ERROR_OK) {
178 LOG_DEBUG("MDM: dap_run failed");
182 LOG_DEBUG("MDM_REG[0x%02x]: %08" PRIX32, reg, *result);
186 static int kinetis_ke_mdm_poll_register(struct adiv5_dap *dap, unsigned reg, uint32_t mask, uint32_t value)
190 int timeout = MDM_ACCESS_TIMEOUT;
193 retval = kinetis_ke_mdm_read_register(dap, reg, &val);
194 if (retval != ERROR_OK || (val & mask) == value)
200 LOG_DEBUG("MDM: polling timed out");
204 static int kinetis_ke_prepare_flash(struct flash_bank *bank)
206 struct target *target = bank->target;
207 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
208 uint8_t c2, c3, c4, s = 0;
209 uint16_t trim_value = 0;
210 uint16_t timeout = 0;
211 uint32_t bus_clock = 0;
212 uint32_t bus_reg_val = 0;
213 uint32_t bus_reg_addr = 0;
214 uint32_t flash_clk_div;
219 * The RM states that the flash clock has to be set to 1MHz for writing and
220 * erasing operations (otherwise it can damage the flash).
221 * This function configures the entire clock tree to make sure we
222 * run at the specified clock. We'll set FEI mode running from the ~32KHz
223 * internal clock. So we need to:
224 * - Trim internal clock.
225 * - Configure the divider for ICSOUTCLK (ICS module).
226 * - Configure the divider to get a bus clock (SIM module).
227 * - Configure the flash clock that depends on the bus clock.
229 * For MKE02_40 and MKE02_20 we set ICSOUTCLK = 20MHz and bus clock = 20MHz.
230 * For MKE04 and MKE06 we run at ICSOUTCLK = 48MHz and bus clock = 24MHz.
234 * Trim internal clock
236 switch (KINETIS_KE_SRSID_SUBFAMID(kinfo->sim_srsid)) {
238 case KINETIS_KE_SRSID_KEX2:
239 /* Both KE02_20 and KE02_40 should get the same trim value */
243 case KINETIS_KE_SRSID_KEX4:
247 case KINETIS_KE_SRSID_KEX6:
252 result = target_read_u8(target, ICS_C4, &c4);
253 if (result != ERROR_OK)
257 c4 = (c4 & ~(ICS_C4_SCFTRIM_MASK)) | ((trim_value >> 8) & 0x01);
259 result = target_write_u8(target, ICS_C3, c3);
260 if (result != ERROR_OK)
263 result = target_write_u8(target, ICS_C4, c4);
264 if (result != ERROR_OK)
267 result = target_read_u8(target, ICS_S, &s);
268 if (result != ERROR_OK)
272 while (!(s & ICS_S_LOCK_MASK)) {
274 if (timeout <= 1000) {
281 result = target_read_u8(target, ICS_S, &s);
282 if (result != ERROR_OK)
286 /* ... trim done ... */
289 * Configure SIM (bus clock)
291 switch (KINETIS_KE_SRSID_SUBFAMID(kinfo->sim_srsid)) {
293 /* KE02 sub-family operates on SIM_BUSDIV */
294 case KINETIS_KE_SRSID_KEX2:
296 bus_reg_addr = SIM_BUSDIV;
297 bus_clock = 20000000;
300 /* KE04 and KE06 sub-family operates on SIM_CLKDIV
301 * Clocks are divided by:
302 * DIV1 = core clock = 48MHz
303 * DIV2 = bus clock = 24Mhz
304 * DIV3 = timer clocks
305 * So we need to configure SIM_CLKDIV, DIV1 and DIV2 value
307 case KINETIS_KE_SRSID_KEX4:
308 /* KE04 devices have the SIM_CLKDIV register at a different offset
309 * depending on the pin count. */
310 switch (KINETIS_KE_SRSID_PINCOUNT(kinfo->sim_srsid)) {
312 /* 16, 20 and 24 pins */
316 bus_reg_addr = SIM_CLKDIV_KE04_16_20_24;
319 /* 44, 64 and 80 pins */
323 bus_reg_addr = SIM_CLKDIV_KE04_44_64_80;
327 LOG_ERROR("KE04 - Unknown pin count");
331 bus_reg_val = SIM_CLKDIV_OUTDIV2_MASK;
332 bus_clock = 24000000;
335 case KINETIS_KE_SRSID_KEX6:
336 bus_reg_val = SIM_CLKDIV_OUTDIV2_MASK;
337 bus_reg_addr = SIM_CLKDIV_KE06;
338 bus_clock = 24000000;
342 result = target_write_u32(target, bus_reg_addr, bus_reg_val);
343 if (result != ERROR_OK)
347 * Configure ICS to FEI (internal source)
349 result = target_read_u8(target, ICS_C2, &c2);
350 if (result != ERROR_OK)
353 c2 &= ~ICS_C2_BDIV_MASK;
355 switch (KINETIS_KE_SRSID_SUBFAMID(kinfo->sim_srsid)) {
357 case KINETIS_KE_SRSID_KEX2:
358 /* Note: since there are two KE02 types, the KE02_40 @ 40MHz and the
359 * KE02_20 @ 20MHz, we divide here the ~40MHz ICSFLLCLK down to 20MHz,
362 c2 |= ICS_C2_BDIV(1);
365 case KINETIS_KE_SRSID_KEX4:
366 case KINETIS_KE_SRSID_KEX6:
367 /* For KE04 and KE06, the ICSFLLCLK can be 48MHz. */
368 c2 |= ICS_C2_BDIV(0);
372 result = target_write_u8(target, ICS_C2, c2);
373 if (result != ERROR_OK)
376 /* Internal clock as reference (IREFS = 1) */
377 result = target_write_u8(target, ICS_C1, 4);
378 if (result != ERROR_OK)
381 /* Wait for FLL to lock */
382 result = target_read_u8(target, ICS_S, &s);
383 if (result != ERROR_OK)
386 while (!(s & ICS_S_LOCK_MASK)) {
388 if (timeout <= 1000) {
392 return ERROR_FLASH_OPERATION_FAILED;
395 result = target_read_u8(target, ICS_S, &s);
396 if (result != ERROR_OK)
401 * Configure flash clock to 1MHz.
403 flash_clk_div = bus_clock / 1000000L - 1;
405 /* Check if the FCLKDIV register is locked */
406 result = target_read_u8(target, kinfo->ftmrx_fclkdiv_addr, &fclkdiv);
407 if (result != ERROR_OK)
410 if (!(fclkdiv & FTMRX_FCLKDIV_FDIVLCK_MASK)) {
411 /* Unlocked. Check if the register was configured, and if so, if it has the right value */
412 if ((fclkdiv & FTMRX_FCLKDIV_FDIVLD_MASK) &&
413 ((fclkdiv & FTMRX_FCLKDIV_FDIV_MASK) != FTMRX_FCLKDIV_FDIV(flash_clk_div))) {
414 LOG_WARNING("Flash clock was already set and contains an invalid value.");
415 LOG_WARNING("Please reset the target.");
419 /* Finally, configure the flash clock */
420 fclkdiv = (fclkdiv & ~(FTMRX_FCLKDIV_FDIV_MASK)) | FTMRX_FCLKDIV_FDIV(flash_clk_div);
421 result = target_write_u8(target, kinfo->ftmrx_fclkdiv_addr, fclkdiv);
422 if (result != ERROR_OK)
425 /* Locked. Check if the current value is correct. */
426 if ((fclkdiv & FTMRX_FCLKDIV_FDIV_MASK) != FTMRX_FCLKDIV_FDIV(flash_clk_div)) {
427 LOG_WARNING("Flash clock register is locked and contains an invalid value.");
428 LOG_WARNING("Please reset the target.");
433 LOG_INFO("Flash clock ready");
437 int kinetis_ke_stop_watchdog(struct target *target)
439 struct working_area *watchdog_algorithm;
440 struct armv7m_algorithm armv7m_info;
444 static const uint8_t watchdog_code[] = {
445 #include "../../../contrib/loaders/flash/kinetis_ke/kinetis_ke_watchdog.inc"
448 if (target->state != TARGET_HALTED) {
449 LOG_ERROR("Target not halted");
450 return ERROR_TARGET_NOT_HALTED;
453 /* Check if the watchdog is enabled */
454 retval = target_read_u8(target, WDOG_CS1, &cs1);
455 if (retval != ERROR_OK)
459 /* Already stopped */
463 /* allocate working area with watchdog code */
464 if (target_alloc_working_area(target, sizeof(watchdog_code), &watchdog_algorithm) != ERROR_OK) {
465 LOG_WARNING("No working area available for watchdog algorithm");
466 return ERROR_TARGET_RESOURCE_NOT_AVAILABLE;
469 retval = target_write_buffer(target, watchdog_algorithm->address,
470 sizeof(watchdog_code), watchdog_code);
471 if (retval != ERROR_OK)
474 armv7m_info.common_magic = ARMV7M_COMMON_MAGIC;
475 armv7m_info.core_mode = ARM_MODE_THREAD;
477 retval = target_run_algorithm(target, 0, NULL, 0, NULL,
478 watchdog_algorithm->address, 0, 100000, &armv7m_info);
479 if (retval != ERROR_OK) {
480 LOG_ERROR("Error executing Kinetis KE watchdog algorithm");
482 LOG_INFO("Watchdog stopped");
485 target_free_working_area(target, watchdog_algorithm);
490 COMMAND_HANDLER(kinetis_ke_disable_wdog_handler)
492 struct target *target = get_current_target(CMD_CTX);
495 return ERROR_COMMAND_SYNTAX_ERROR;
497 return kinetis_ke_stop_watchdog(target);
500 COMMAND_HANDLER(kinetis_ke_mdm_mass_erase)
502 struct target *target = get_current_target(CMD_CTX);
503 struct cortex_m_common *cortex_m = target_to_cm(target);
504 struct adiv5_dap *dap = cortex_m->armv7m.arm.dap;
507 LOG_ERROR("Cannot perform mass erase with a high-level adapter");
513 /* According to chapter 18.3.7.2 of the KE02 reference manual */
516 if (jtag_get_reset_config() & RESET_HAS_SRST)
517 adapter_assert_reset();
520 * 1. Reset the device by asserting RESET pin or DAP_CTRL[3]
522 retval = kinetis_ke_mdm_write_register(dap, MDM_REG_CTRL, MEM_CTRL_SYS_RES_REQ);
523 if (retval != ERROR_OK)
527 * ... Read the MDM-AP status register until the Flash Ready bit sets...
529 retval = kinetis_ke_mdm_poll_register(dap, MDM_REG_STAT,
530 MDM_STAT_FREADY | MDM_STAT_SYSRES,
532 if (retval != ERROR_OK) {
533 LOG_ERROR("MDM : flash ready timeout");
538 * 2. Set DAP_CTRL[0] bit to invoke debug mass erase via SWD
539 * 3. Release reset by deasserting RESET pin or DAP_CTRL[3] bit via SWD.
541 retval = kinetis_ke_mdm_write_register(dap, MDM_REG_CTRL, MEM_CTRL_FMEIP);
542 if (retval != ERROR_OK)
545 /* As a sanity check make sure that device started mass erase procedure */
546 retval = kinetis_ke_mdm_poll_register(dap, MDM_REG_STAT,
547 MDM_STAT_FMEACK, MDM_STAT_FMEACK);
548 if (retval != ERROR_OK)
552 * 4. Wait till DAP_CTRL[0] bit is cleared (after mass erase completes,
553 * DAP_CTRL[0] bit is cleared automatically).
555 retval = kinetis_ke_mdm_poll_register(dap, MDM_REG_CTRL,
558 if (retval != ERROR_OK)
561 if (jtag_get_reset_config() & RESET_HAS_SRST)
562 adapter_deassert_reset();
567 static const uint32_t kinetis_ke_known_mdm_ids[] = {
568 0x001C0020, /* Kinetis-L/M/V/E/KE Series */
572 * This function implements the procedure to connect to
573 * SWD/JTAG on Kinetis K and L series of devices as it is described in
574 * AN4835 "Production Flash Programming Best Practices for Kinetis K-
575 * and L-series MCUs" Section 4.1.1
577 COMMAND_HANDLER(kinetis_ke_check_flash_security_status)
579 struct target *target = get_current_target(CMD_CTX);
580 struct cortex_m_common *cortex_m = target_to_cm(target);
581 struct adiv5_dap *dap = cortex_m->armv7m.arm.dap;
584 LOG_WARNING("Cannot check flash security status with a high-level adapter");
592 * ... The MDM-AP ID register can be read to verify that the
593 * connection is working correctly...
595 retval = kinetis_ke_mdm_read_register(dap, MDM_REG_ID, &val);
596 if (retval != ERROR_OK) {
597 LOG_ERROR("MDM: failed to read ID register");
602 for (size_t i = 0; i < ARRAY_SIZE(kinetis_ke_known_mdm_ids); i++) {
603 if (val == kinetis_ke_known_mdm_ids[i]) {
610 LOG_WARNING("MDM: unknown ID %08" PRIX32, val);
613 * ... Read the MDM-AP status register until the Flash Ready bit sets...
615 retval = kinetis_ke_mdm_poll_register(dap, MDM_REG_STAT,
618 if (retval != ERROR_OK) {
619 LOG_ERROR("MDM: flash ready timeout");
624 * ... Read the System Security bit to determine if security is enabled.
625 * If System Security = 0, then proceed. If System Security = 1, then
626 * communication with the internals of the processor, including the
627 * flash, will not be possible without issuing a mass erase command or
628 * unsecuring the part through other means (backdoor key unlock)...
630 retval = kinetis_ke_mdm_read_register(dap, MDM_REG_STAT, &val);
631 if (retval != ERROR_OK) {
632 LOG_ERROR("MDM: failed to read MDM_REG_STAT");
636 if (val & MDM_STAT_SYSSEC) {
637 jtag_poll_set_enabled(false);
639 LOG_WARNING("*********** ATTENTION! ATTENTION! ATTENTION! ATTENTION! **********");
640 LOG_WARNING("**** ****");
641 LOG_WARNING("**** Your Kinetis MCU is in secured state, which means that, ****");
642 LOG_WARNING("**** with exception for very basic communication, JTAG/SWD ****");
643 LOG_WARNING("**** interface will NOT work. In order to restore its ****");
644 LOG_WARNING("**** functionality please issue 'kinetis_ke mdm mass_erase' ****");
645 LOG_WARNING("**** command, power cycle the MCU and restart OpenOCD. ****");
646 LOG_WARNING("**** ****");
647 LOG_WARNING("*********** ATTENTION! ATTENTION! ATTENTION! ATTENTION! **********");
649 LOG_INFO("MDM: Chip is unsecured. Continuing.");
650 jtag_poll_set_enabled(true);
656 LOG_ERROR("MDM: Failed to check security status of the MCU. Cannot proceed further");
657 jtag_poll_set_enabled(false);
661 FLASH_BANK_COMMAND_HANDLER(kinetis_ke_flash_bank_command)
663 struct kinetis_ke_flash_bank *bank_info;
666 return ERROR_COMMAND_SYNTAX_ERROR;
668 LOG_INFO("add flash_bank kinetis_ke %s", bank->name);
670 bank_info = malloc(sizeof(struct kinetis_ke_flash_bank));
672 memset(bank_info, 0, sizeof(struct kinetis_ke_flash_bank));
674 bank->driver_priv = bank_info;
679 /* Kinetis Program-LongWord Microcodes */
680 static uint8_t kinetis_ke_flash_write_code[] = {
681 #include "../../../contrib/loaders/flash/kinetis_ke/kinetis_ke_flash.inc"
684 static int kinetis_ke_write_words(struct flash_bank *bank, const uint8_t *buffer,
685 uint32_t offset, uint32_t words)
687 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
688 struct target *target = bank->target;
689 uint32_t ram_buffer_size = 512 + 16;
690 struct working_area *write_algorithm;
691 struct working_area *source;
692 uint32_t address = bank->base + offset;
693 struct reg_param reg_params[4];
694 struct armv7m_algorithm armv7m_info;
695 int retval = ERROR_OK;
696 uint32_t flash_code_size;
698 LOG_INFO("Kinetis KE: FLASH Write ...");
700 /* allocate working area with flash programming code */
701 if (target_alloc_working_area(target, sizeof(kinetis_ke_flash_write_code),
702 &write_algorithm) != ERROR_OK) {
703 LOG_WARNING("no working area available, can't do block memory writes");
704 return ERROR_TARGET_RESOURCE_NOT_AVAILABLE;
707 /* Patch the FTMRx registers addresses */
708 flash_code_size = sizeof(kinetis_ke_flash_write_code);
709 buf_set_u32(&kinetis_ke_flash_write_code[flash_code_size-16], 0, 32, kinfo->ftmrx_fstat_addr);
710 buf_set_u32(&kinetis_ke_flash_write_code[flash_code_size-12], 0, 32, kinfo->ftmrx_fccobix_addr);
711 buf_set_u32(&kinetis_ke_flash_write_code[flash_code_size-8], 0, 32, kinfo->ftmrx_fccobhi_addr);
712 buf_set_u32(&kinetis_ke_flash_write_code[flash_code_size-4], 0, 32, kinfo->ftmrx_fccoblo_addr);
714 retval = target_write_buffer(target, write_algorithm->address,
715 sizeof(kinetis_ke_flash_write_code), kinetis_ke_flash_write_code);
716 if (retval != ERROR_OK)
720 if (target_alloc_working_area(target, ram_buffer_size, &source) != ERROR_OK) {
721 /* free working area, write algorithm already allocated */
722 target_free_working_area(target, write_algorithm);
724 LOG_WARNING("No large enough working area available, can't do block memory writes");
725 return ERROR_TARGET_RESOURCE_NOT_AVAILABLE;
728 armv7m_info.common_magic = ARMV7M_COMMON_MAGIC;
729 armv7m_info.core_mode = ARM_MODE_THREAD;
731 init_reg_param(®_params[0], "r0", 32, PARAM_IN_OUT);
732 init_reg_param(®_params[1], "r1", 32, PARAM_OUT);
733 init_reg_param(®_params[2], "r2", 32, PARAM_OUT);
734 init_reg_param(®_params[3], "r3", 32, PARAM_OUT);
736 buf_set_u32(reg_params[0].value, 0, 32, address);
737 buf_set_u32(reg_params[1].value, 0, 32, words);
738 buf_set_u32(reg_params[2].value, 0, 32, source->address);
739 buf_set_u32(reg_params[3].value, 0, 32, source->address + source->size);
741 retval = target_run_flash_async_algorithm(target, buffer, words, 4,
744 source->address, source->size,
745 write_algorithm->address, 0,
748 if (retval == ERROR_FLASH_OPERATION_FAILED) {
749 if (buf_get_u32(reg_params[0].value, 0, 32) & FTMRX_ERROR_ACCERR)
750 LOG_ERROR("flash access error");
752 if (buf_get_u32(reg_params[0].value, 0, 32) & FTMRX_ERROR_FPVIOL)
753 LOG_ERROR("flash protection violation");
756 target_free_working_area(target, source);
757 target_free_working_area(target, write_algorithm);
759 destroy_reg_param(®_params[0]);
760 destroy_reg_param(®_params[1]);
761 destroy_reg_param(®_params[2]);
762 destroy_reg_param(®_params[3]);
767 static int kinetis_ke_protect(struct flash_bank *bank, int set, int first, int last)
769 LOG_WARNING("kinetis_ke_protect not supported yet");
772 if (bank->target->state != TARGET_HALTED) {
773 LOG_ERROR("Target not halted");
774 return ERROR_TARGET_NOT_HALTED;
777 return ERROR_FLASH_BANK_INVALID;
780 static int kinetis_ke_protect_check(struct flash_bank *bank)
782 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
784 if (bank->target->state != TARGET_HALTED) {
785 LOG_ERROR("Target not halted");
786 return ERROR_TARGET_NOT_HALTED;
791 uint8_t fpopen, fpldis, fphdis;
793 uint32_t lprot_size = 0, hprot_size = 0;
794 uint32_t lprot_to = 0, hprot_from = 0;
796 /* read protection register */
797 result = target_read_u8(bank->target, kinfo->ftmrx_fprot_addr, &fprot);
799 if (result != ERROR_OK)
802 fpopen = fprot & 0x80;
803 fpldis = fprot & 0x04;
804 fphdis = fprot & 0x20;
805 fphs = (fprot >> 3) & 0x03;
808 /* Fully unprotected? */
809 if (fpopen && fpldis && fphdis) {
810 LOG_WARNING("No flash protection found.");
812 for (uint32_t i = 0; i < (uint32_t) bank->num_sectors; i++)
813 bank->sectors[i].is_protected = 0;
815 kinfo->protection_size = 0;
817 LOG_WARNING("Flash protected. FPOPEN=%i FPLDIS=%i FPHDIS=%i FPLS=%i FPHS=%i", \
818 fpopen ? 1 : 0, fpldis ? 1 : 0, fphdis ? 1 : 0, fpls, fphs);
820 /* Retrieve which region is protected and how much */
823 lprot_size = (kinfo->sector_size * 4) << fpls;
826 hprot_size = (kinfo->sector_size * 2) << fphs;
829 lprot_size = (kinfo->sector_size * 4) << fpls;
832 hprot_size = (kinfo->sector_size * 2) << fphs;
835 kinfo->protection_size = lprot_size + hprot_size;
837 /* lprot_to indicates up to where the lower region is protected */
838 lprot_to = lprot_size / kinfo->sector_size;
840 /* hprot_from indicates from where the upper region is protected */
841 hprot_from = (0x8000 - hprot_size) / kinfo->sector_size;
843 for (uint32_t i = 0; i < (uint32_t) bank->num_sectors; i++) {
845 /* Check if the sector is in the lower region */
846 if (bank->sectors[i].offset < 0x4000) {
847 /* Compare the sector start address against lprot_to */
848 if (lprot_to && (i < lprot_to))
849 bank->sectors[i].is_protected = 1;
851 bank->sectors[i].is_protected = 0;
853 /* Check if the sector is between the lower and upper region
854 * OR after the upper region */
855 } else if (bank->sectors[i].offset < 0x6000 || bank->sectors[i].offset >= 0x8000) {
856 /* If fpopen is 1 then these regions are protected */
858 bank->sectors[i].is_protected = 0;
860 bank->sectors[i].is_protected = 1;
862 /* Check if the sector is in the upper region */
863 } else if (bank->sectors[i].offset < 0x8000) {
864 if (hprot_from && (i > hprot_from))
865 bank->sectors[i].is_protected = 1;
867 bank->sectors[i].is_protected = 0;
875 static int kinetis_ke_ftmrx_command(struct flash_bank *bank, uint8_t count,
876 uint8_t *FCCOBIX, uint8_t *FCCOBHI, uint8_t *FCCOBLO, uint8_t *fstat)
880 struct target *target = bank->target;
881 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
882 uint32_t timeout = 0;
884 /* Clear error flags */
885 result = target_write_u8(target, kinfo->ftmrx_fstat_addr, 0x30);
886 if (result != ERROR_OK)
889 for (i = 0; i < count; i++) {
891 result = target_write_u8(target, kinfo->ftmrx_fccobix_addr, FCCOBIX[i]);
892 if (result != ERROR_OK)
895 /* Write high part */
896 result = target_write_u8(target, kinfo->ftmrx_fccobhi_addr, FCCOBHI[i]);
897 if (result != ERROR_OK)
900 /* Write low part (that is not always required) */
902 result = target_write_u8(target, kinfo->ftmrx_fccoblo_addr, FCCOBLO[i]);
903 if (result != ERROR_OK)
908 /* Launch the command */
909 result = target_write_u8(target, kinfo->ftmrx_fstat_addr, 0x80);
910 if (result != ERROR_OK)
913 /* Wait for it to finish */
914 result = target_read_u8(target, kinfo->ftmrx_fstat_addr, fstat);
915 if (result != ERROR_OK)
918 while (!(*fstat & FTMRX_FSTAT_CCIF_MASK)) {
919 if (timeout <= 1000) {
923 return ERROR_FLASH_OPERATION_FAILED;
926 result = target_read_u8(target, kinfo->ftmrx_fstat_addr, fstat);
927 if (result != ERROR_OK)
934 COMMAND_HANDLER(kinetis_ke_securing_test)
937 struct target *target = get_current_target(CMD_CTX);
938 struct flash_bank *bank = NULL;
941 uint8_t FCCOBIX[2], FCCOBHI[2], FCCOBLO[2], fstat;
943 result = get_flash_bank_by_addr(target, 0x00000000, true, &bank);
944 if (result != ERROR_OK)
947 assert(bank != NULL);
949 if (target->state != TARGET_HALTED) {
950 LOG_ERROR("Target not halted");
951 return ERROR_TARGET_NOT_HALTED;
954 address = bank->base + 0x00000400;
957 FCCOBHI[0] = FTMRX_CMD_ERASESECTOR;
958 FCCOBLO[0] = address >> 16;
961 FCCOBHI[1] = address >> 8;
962 FCCOBLO[1] = address;
964 return kinetis_ke_ftmrx_command(bank, 2, FCCOBIX, FCCOBHI, FCCOBLO, &fstat);
967 static int kinetis_ke_erase(struct flash_bank *bank, int first, int last)
970 uint8_t FCCOBIX[2], FCCOBHI[2], FCCOBLO[2], fstat;
971 bool fcf_erased = false;
973 if (bank->target->state != TARGET_HALTED) {
974 LOG_ERROR("Target not halted");
975 return ERROR_TARGET_NOT_HALTED;
978 if ((first > bank->num_sectors) || (last > bank->num_sectors))
979 return ERROR_FLASH_OPERATION_FAILED;
981 result = kinetis_ke_prepare_flash(bank);
982 if (result != ERROR_OK)
985 for (i = first; i <= last; i++) {
987 FCCOBHI[0] = FTMRX_CMD_ERASESECTOR;
988 FCCOBLO[0] = (bank->base + bank->sectors[i].offset) >> 16;
991 FCCOBHI[1] = (bank->base + bank->sectors[i].offset) >> 8;
992 FCCOBLO[1] = (bank->base + bank->sectors[i].offset);
994 result = kinetis_ke_ftmrx_command(bank, 2, FCCOBIX, FCCOBHI, FCCOBLO, &fstat);
996 if (result != ERROR_OK) {
997 LOG_WARNING("erase sector %d failed", i);
998 return ERROR_FLASH_OPERATION_FAILED;
1001 bank->sectors[i].is_erased = 1;
1009 ("flash configuration field erased, please reset the device");
1015 static int kinetis_ke_write(struct flash_bank *bank, const uint8_t *buffer,
1016 uint32_t offset, uint32_t count)
1019 uint8_t *new_buffer = NULL;
1020 uint32_t words = count / 4;
1022 if (bank->target->state != TARGET_HALTED) {
1023 LOG_ERROR("Target not halted");
1024 return ERROR_TARGET_NOT_HALTED;
1027 if (offset > bank->size)
1028 return ERROR_FLASH_BANK_INVALID;
1031 LOG_WARNING("offset 0x%" PRIx32 " breaks the required alignment", offset);
1032 return ERROR_FLASH_DST_BREAKS_ALIGNMENT;
1035 result = kinetis_ke_stop_watchdog(bank->target);
1036 if (result != ERROR_OK)
1039 result = kinetis_ke_prepare_flash(bank);
1040 if (result != ERROR_OK)
1044 uint32_t old_count = count;
1045 count = (old_count | 3) + 1;
1046 new_buffer = malloc(count);
1047 if (new_buffer == NULL) {
1048 LOG_ERROR("odd number of bytes to write and no memory "
1049 "for padding buffer");
1053 LOG_INFO("odd number of bytes to write (%" PRIu32 "), extending to %" PRIu32 " "
1054 "and padding with 0xff", old_count, count);
1056 memset(new_buffer, 0xff, count);
1057 buffer = memcpy(new_buffer, buffer, old_count);
1061 result = kinetis_ke_write_words(bank, buffer, offset, words);
1067 static int kinetis_ke_probe(struct flash_bank *bank)
1070 uint32_t offset = 0;
1071 struct target *target = bank->target;
1072 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
1074 result = target_read_u32(target, SIM_SRSID, &kinfo->sim_srsid);
1075 if (result != ERROR_OK)
1078 if (KINETIS_KE_SRSID_FAMID(kinfo->sim_srsid) != 0x00) {
1079 LOG_ERROR("Unsupported KE family");
1080 return ERROR_FLASH_OPER_UNSUPPORTED;
1083 switch (KINETIS_KE_SRSID_SUBFAMID(kinfo->sim_srsid)) {
1084 case KINETIS_KE_SRSID_KEX2:
1085 LOG_INFO("KE02 sub-family");
1088 case KINETIS_KE_SRSID_KEX4:
1089 LOG_INFO("KE04 sub-family");
1092 case KINETIS_KE_SRSID_KEX6:
1093 LOG_INFO("KE06 sub-family");
1097 LOG_ERROR("Unsupported KE sub-family");
1098 return ERROR_FLASH_OPER_UNSUPPORTED;
1101 /* We can only retrieve the ke0x part, but there is no way to know
1102 * the flash size, so assume the maximum flash size for the entire
1105 bank->base = 0x00000000;
1106 kinfo->sector_size = 512;
1108 switch (KINETIS_KE_SRSID_SUBFAMID(kinfo->sim_srsid)) {
1110 case KINETIS_KE_SRSID_KEX2:
1112 bank->size = 0x00010000;
1113 bank->num_sectors = 128;
1115 /* KE02 uses the FTMRH flash controller,
1116 * and registers have a different offset from the
1117 * FTMRE flash controller. Sort this out here.
1119 kinfo->ftmrx_fclkdiv_addr = 0x40020000;
1120 kinfo->ftmrx_fccobix_addr = 0x40020002;
1121 kinfo->ftmrx_fstat_addr = 0x40020006;
1122 kinfo->ftmrx_fprot_addr = 0x40020008;
1123 kinfo->ftmrx_fccobhi_addr = 0x4002000A;
1124 kinfo->ftmrx_fccoblo_addr = 0x4002000B;
1127 case KINETIS_KE_SRSID_KEX6:
1128 case KINETIS_KE_SRSID_KEX4:
1130 bank->size = 0x00020000;
1131 bank->num_sectors = 256;
1133 /* KE04 and KE06 use the FTMRE flash controller,
1134 * and registers have a different offset from the
1135 * FTMRH flash controller. Sort this out here.
1137 kinfo->ftmrx_fclkdiv_addr = 0x40020003;
1138 kinfo->ftmrx_fccobix_addr = 0x40020001;
1139 kinfo->ftmrx_fstat_addr = 0x40020005;
1140 kinfo->ftmrx_fprot_addr = 0x4002000B;
1141 kinfo->ftmrx_fccobhi_addr = 0x40020009;
1142 kinfo->ftmrx_fccoblo_addr = 0x40020008;
1146 if (bank->sectors) {
1147 free(bank->sectors);
1148 bank->sectors = NULL;
1151 assert(bank->num_sectors > 0);
1152 bank->sectors = malloc(sizeof(struct flash_sector) * bank->num_sectors);
1154 for (i = 0; i < bank->num_sectors; i++) {
1155 bank->sectors[i].offset = offset;
1156 bank->sectors[i].size = kinfo->sector_size;
1157 offset += kinfo->sector_size;
1158 bank->sectors[i].is_erased = -1;
1159 bank->sectors[i].is_protected = 1;
1165 static int kinetis_ke_auto_probe(struct flash_bank *bank)
1167 struct kinetis_ke_flash_bank *kinfo = bank->driver_priv;
1169 if (kinfo->sim_srsid)
1172 return kinetis_ke_probe(bank);
1175 static int kinetis_ke_info(struct flash_bank *bank, char *buf, int buf_size)
1177 (void) snprintf(buf, buf_size,
1178 "%s driver for flash bank %s at 0x%8.8" PRIx32 "",
1179 bank->driver->name, bank->name, bank->base);
1184 static int kinetis_ke_blank_check(struct flash_bank *bank)
1186 uint8_t FCCOBIX[3], FCCOBHI[3], FCCOBLO[3], fstat;
1187 uint16_t longwords = 0;
1190 if (bank->target->state != TARGET_HALTED) {
1191 LOG_ERROR("Target not halted");
1192 return ERROR_TARGET_NOT_HALTED;
1195 result = kinetis_ke_prepare_flash(bank);
1196 if (result != ERROR_OK)
1199 /* check if whole bank is blank */
1201 FCCOBHI[0] = FTMRX_CMD_ALLERASED;
1203 result = kinetis_ke_ftmrx_command(bank, 1, FCCOBIX, FCCOBHI, NULL, &fstat);
1205 if (result != ERROR_OK)
1208 if (fstat & (FTMRX_FSTAT_MGSTAT0_MASK | FTMRX_FSTAT_MGSTAT1_MASK)) {
1209 /* the whole bank is not erased, check sector-by-sector */
1212 for (i = 0; i < bank->num_sectors; i++) {
1214 FCCOBHI[0] = FTMRX_CMD_SECTIONERASED;
1215 FCCOBLO[0] = (bank->base + bank->sectors[i].offset) >> 16;
1218 FCCOBHI[1] = (bank->base + bank->sectors[i].offset) >> 8;
1219 FCCOBLO[1] = (bank->base + bank->sectors[i].offset);
1224 FCCOBHI[2] = longwords >> 8;
1225 FCCOBLO[2] = longwords;
1227 result = kinetis_ke_ftmrx_command(bank, 3, FCCOBIX, FCCOBHI, FCCOBLO, &fstat);
1229 if (result == ERROR_OK) {
1230 bank->sectors[i].is_erased = !(fstat & (FTMRX_FSTAT_MGSTAT0_MASK | FTMRX_FSTAT_MGSTAT1_MASK));
1232 LOG_DEBUG("Ignoring errored PFlash sector blank-check");
1233 bank->sectors[i].is_erased = -1;
1237 /* the whole bank is erased, update all sectors */
1239 for (i = 0; i < bank->num_sectors; i++)
1240 bank->sectors[i].is_erased = 1;
1246 static const struct command_registration kinetis_ke_security_command_handlers[] = {
1248 .name = "check_security",
1249 .mode = COMMAND_EXEC,
1252 .handler = kinetis_ke_check_flash_security_status,
1255 .name = "mass_erase",
1256 .mode = COMMAND_EXEC,
1259 .handler = kinetis_ke_mdm_mass_erase,
1262 .name = "test_securing",
1263 .mode = COMMAND_EXEC,
1266 .handler = kinetis_ke_securing_test,
1268 COMMAND_REGISTRATION_DONE
1271 static const struct command_registration kinetis_ke_exec_command_handlers[] = {
1274 .mode = COMMAND_ANY,
1277 .chain = kinetis_ke_security_command_handlers,
1280 .name = "disable_wdog",
1281 .mode = COMMAND_EXEC,
1282 .help = "Disable the watchdog timer",
1284 .handler = kinetis_ke_disable_wdog_handler,
1286 COMMAND_REGISTRATION_DONE
1289 static const struct command_registration kinetis_ke_command_handler[] = {
1291 .name = "kinetis_ke",
1292 .mode = COMMAND_ANY,
1293 .help = "Kinetis KE NAND flash controller commands",
1295 .chain = kinetis_ke_exec_command_handlers,
1297 COMMAND_REGISTRATION_DONE
1300 struct flash_driver kinetis_ke_flash = {
1301 .name = "kinetis_ke",
1302 .commands = kinetis_ke_command_handler,
1303 .flash_bank_command = kinetis_ke_flash_bank_command,
1304 .erase = kinetis_ke_erase,
1305 .protect = kinetis_ke_protect,
1306 .write = kinetis_ke_write,
1307 .read = default_flash_read,
1308 .probe = kinetis_ke_probe,
1309 .auto_probe = kinetis_ke_auto_probe,
1310 .erase_check = kinetis_ke_blank_check,
1311 .protect_check = kinetis_ke_protect_check,
1312 .info = kinetis_ke_info,
1313 .free_driver_priv = default_flash_free_driver_priv,