AVR Bootloader protection
ralph.mason@gmail.com
Guest
Posted: Mon Jan 10, 2005 1:47 am    Post subject: AVR Bootloader protection

Does anyone have any good way to protect an AVR from accidental flash
/ erase commands?

Imagine a bug in the application software causes a jump into the
bootloader - that just happens to be around the code that calls page
erase or page write - so that routine does what it's supposed to,
writes random data to a random page or erases a random page. There is
no protection, SPM works b/c we are in bootloader code.

How can you protect from this - seems the lock bits are no good b/c
once you set them you have to do a chip erase to clear them.

Ideally you would be able to stop the chip from being able to jump to
any code in the bootloader, only being able to get there from a reset.
But this isn't a reality.

Thanks for any thoughts
Ralph
Ulf Samuelsson
Guest
Posted: Mon Jan 10, 2005 7:58 am    Post subject: Re: AVR Bootloader protection

Define 8 positions in the boot loader that the CPU must run through to
get to the boot loader write.
In each position, the CPU sets a bit of a byte.
When exiting the bootloader, clear this byte.

Let an interrupt clear this byte periodically. It should verify that it is
clear in a loop:

volatile BYTE x;
do
    x = 0;
while (x != 0);

The code generated would be similar to:
LDI r16,0
ST (z),r16

And you don't want to jump into the routine at the ST instruction
with R16 set to 0xff.


The only instructions that set the bits should be in the bootloader;
unless you execute the boot loader from the start, you should not
have all bits set.

There is always the chance that you do an indirect store of 0xFF to this
location, but the chance is reduced significantly when this is done.

It is a little similar to how you can use a watchdog.
Set a bit if a certain task has executed.
If all bits are set, service the watchdog, and clear the byte.
If not all tasks have executed at least once in the watchdog period,
the reset will come.

--
Best Regards,
Ulf Samuelsson ulf@a-t-m-e-l.com
This is a personal view which may or may not be
shared by my Employer Atmel Nordic AB


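Ulf's checkpoint-byte scheme, modelled in host-side C as an added example (it is not code from the post or from any AVR library): the `flash` array, `SAMPLE_PAGE`, `spm_page_write` and `enter_write_path` are constructed stand-ins for the real bootloader and SPM instruction, and the loop that sets the 8 bits stands in for 8 separate positions in the bootloader's code.

```c
/* Added example, not Ulf's code: a host-side C model of his checkpoint byte.
 * Each of the 8 positions on the bootloader's write path sets one bit of
 * `guard`; the page write only proceeds when all 8 bits are set, so a stray
 * jump into the middle of the path leaves bits clear and the write is refused.
 * A periodic clear (an interrupt on the real part) stops bits accumulating. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLASH_PAGES 4
#define PAGE_SIZE   8
static volatile uint8_t guard;                      /* one bit per checkpoint */
static uint8_t flash[FLASH_PAGES][PAGE_SIZE];       /* simulated flash, zeroed */
static const uint8_t SAMPLE_PAGE[PAGE_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */

/* Checkpoint n (0..7): the only code that ever sets a bit in `guard`. */
static void checkpoint(unsigned n) { guard |= (uint8_t)(1u << n); }

/* Ulf's periodic clear: store 0 and spin until it reads back as 0. */
static void guard_tick(void) { do { guard = 0; } while (guard != 0); }

/* Simulated SPM page write: refused unless every checkpoint was passed;
 * the byte is cleared on exit whatever happens. Returns 1 if written. */
static int spm_page_write(unsigned page, const uint8_t *data) {
    int ok = (guard == 0xFF) && page < FLASH_PAGES;
    if (ok) memcpy(flash[page], data, PAGE_SIZE);
    guard = 0;
    return ok;
}

/* Entering the write path at position `entry`: 0 is the legitimate entry
 * from the top; anything larger models a bug jumping into the middle. */
static int enter_write_path(unsigned entry, unsigned page, const uint8_t *data) {
    guard_tick();
    for (unsigned n = entry; n < 8; n++) checkpoint(n); /* stands in for 8 code positions */
    return spm_page_write(page, data);
}

static uint8_t flash_byte(unsigned page, unsigned i) { return flash[page][i]; }

int main(void) {
    printf("from top:  written=%d\n", enter_write_path(0, 1, SAMPLE_PAGE)); /* 1 */
    printf("mid-jump:  written=%d\n", enter_write_path(3, 2, SAMPLE_PAGE)); /* 0 */
    return 0;
}
```

As Ulf notes, a stray indirect store of 0xFF to the guard byte still defeats the check; the model only shows how skipping any checkpoint blocks the write.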
ralph.mason@gmail.com
Guest
Posted: Tue Jan 11, 2005 1:54 am    Post subject: Re: AVR Bootloader protection

So I guess the answer is there is no way you can 100% protect your
application from accidental corruption of the image if you are using a
bootloader.

Why is there not a write-only register - called something like SPM
DISABLE - that can only be cleared by a reset? As SPM can already be
disabled by the processor, it seems like that would only be a couple of
latches and would make it easy to protect your application.

Ralph