kopia lustrzana https://github.com/rs1729/RS
152 wiersze
5.4 KiB
Plaintext
152 wiersze
5.4 KiB
Plaintext
|
|
M10v05:
|
|
16-bit Microcontroller TI MSP430F233
|
|
|
|
|
|
Dokumente
|
|
slas5471: MSP430F233 data sheet
|
|
slau144 : MSP430x2xx User's Guide
|
|
slau278 : MSP430 Hardware Tools
|
|
slaa089 : Features of the MSP430 Bootstrap Loader
|
|
slau319 : MSP430 Programming With the Bootloader (BSL)
|
|
slau320 : MSP430 Programming With the JTAG Interface
|
|
|
|
|
|
slaa089:
|
|
5.1
|
|
Unprotected Commands
|
|
• Receive password
|
|
• Mass erase
|
|
• Transmit BSL version (V1.50 or higher or in loadables BL_150S_14x.txt, BL_150S_44x.txt)
|
|
• Change baud rate (V1.60 or higher or in loadables BL_150S_14x.txt, BL_150S_44x.txt)
|
|
5.2
|
|
Password Protected Commands
|
|
• Receive data block to program flash memory, RAM, or peripherals
|
|
• Transmit data block
|
|
• Erase segment
|
|
• Erase check (V1.50 or higher or in loadables BL_150S_14x.txt, BL_150S_44x.txt)
|
|
• Load program counter and start user program
|
|
|
|
slau319:
|
|
2.7
|
|
Password Protection
|
|
The password protection prohibits every command that potentially allows direct or indirect data access.
|
|
Only the unprotected commands like mass erase and RX password (optionally, TX BSL version and
|
|
change baud rate) can be performed without prior receipt of the correct password after BSL entry.
|
|
Applying the RX password command for receiving the correct password unlocks the remaining
|
|
commands.
|
|
After it is unlocked, it remains unlocked until initiating another BSL entry.
|
|
The password itself consists of the 16 interrupt vectors located at addresses FFE0h to FFFFh (256 bits),
|
|
starting with the first byte at address FFE0h. After mass erase and with unprogrammed devices, all
|
|
password bits are logical high (1).
|
|
BSL versions 2.00 and higher have enhanced security features. These features are controlled by the flash
|
|
data word located beneath the interrupt vector table addresses (for example, for the MSP430F2131,
|
|
address 0xFFDE). If this word contains:
|
|
• 0x0000: The flash memory is not erased if an incorrect BSL password has been received by the target.
|
|
• 0xAA55: The BSL is disabled. This means that the BSL is not started with the default initialization
|
|
sequence shown in Section 1.3.
|
|
• All other values: If an incorrect password is transmitted, the entire flash memory address space is
|
|
erased automatically.
|
|
|
|
|
|
|
|
|
|
M10v05 mit MSP430F233, MCU_ID 0xF249, BSL_VER 2.02.
|
|
|
|
olimex-JTAG:
|
|
$ mspdebug -j olimex "hexout 0x0200 0xFE00 m10v05.hex"
|
|
$ msp430-objdump -m msp430 -D m10v05.hex > m10v05.asm
|
|
USB-TTL CP2102:
|
|
$ ./msp430-bsl.py -c /dev/ttyUSB0 --invert-reset --invert-test -P pwd_m10v05.txt --upload=0x0200 --size=0xFE00 > f233hex.out
|
|
|
|
|
|
In den letzten 32 Bytes (0xFFE0-0xFFFF) stehen 16 Interrupt-Vektoren, die auch als Passwort fuer die "Protected Commands" dienen.
|
|
Will man den Speicher lesen (Protected Command), muss man die richtigen 32 Bytes des IVT uebergeben. (Durch "Mass Erase" wird der
|
|
Speicher mit 0xFF beschrieben. Somit haben auch die 32 (pwd-)Bytes des IVT den (default) Wert 0xFF. Danach koennen auch die
|
|
"Protected Commands" genutzt und ein neues Programm geschrieben werden.)
|
|
|
|
In Version 2.02 des BSL steht in Adresse 0xFFDE, ob bei falschem Passwort der Speicher geloescht wird. Wenn man den Speicher mit
|
|
JTAG ausliest, kann man in die Adresse 0xFFDE den Wert 0x0000 schreiben, um leichter mit BSL zu arbeiten.
|
|
|
|
Abfrage von TX_BSL in Version 2.02 gibt DATA_NAK=A0h zurueck.
|
|
|
|
|
|
|
|
|
|
0x0000-0x000F special function registers
|
|
0x0010-0x01FF peripheral modules
|
|
0x0200 RAM
|
|
|
|
0x0C00-0x0FFF boot strap loader (BSL)
|
|
BSLSKEY-cmp:
|
|
c0c: b2 90 55 aa cmp #-21931,&0xffde ;#0xaa55, BSLSKEY==0xAA55?
|
|
c10: de ff
|
|
c12: ff 27 jz $+0 ;abs 0xc12
|
|
...
|
|
d30: 36 40 e0 ff mov #-32, r6 ;#0xffe0 &0xffe0: IVT
|
|
d34: 37 40 20 00 mov #32, r7 ;#0x0020 32 bytes
|
|
d38: 2b c2 bic #4, r11 ;r2 As==10
|
|
BSL-pwd_cmp:
|
|
d3a: b0 12 54 0f call #0x0f54 ; read byte
|
|
d3e: 7c 96 cmp.b @r6+, r12
|
|
d40: 03 24 jz $+8 ;abs 0xd48
|
|
d42: 3b d0 40 00 bis #64, r11 ;#0x0040 set pwd-bit
|
|
d46: 02 3c jmp $+6 ;abs 0xd4c
|
|
d48: 00 3c jmp $+2 ;abs 0xd4a
|
|
d4a: 00 3c jmp $+2 ;abs 0xd4c
|
|
d4c: 17 83 dec r7
|
|
d4e: f5 23 jnz $-20 ;abs 0xd3a loop 32 bytes
|
|
d50: b0 12 58 0e call #0x0e58
|
|
d54: 3b b0 40 00 bit #64, r11 ;#0x0040 pwd-bit set?
|
|
d58: b0 27 jz $-158 ;abs 0xcba pwd correct
|
|
d5a: 82 93 de ff tst &0xffde ; BSLSKEY==0x0000?
|
|
d5e: 07 24 jz $+16 ;abs 0xd6e
|
|
MCU_ID/BSL_VER:
|
|
ff0: f2 49 ; MCU_ID F249
|
|
ff2: 04 60
|
|
ff4: 00 00
|
|
ff6: 00 00
|
|
ff8: 00 00
|
|
ffa: 02 02 ; BSL 2.02
|
|
ffc: 01 00
|
|
ffe: f5 2b
|
|
|
|
0x1000-0x10FF info memory
|
|
1080: 31 25 ; SN
|
|
1082: 02 08 ; SN
|
|
1084: 3a 08 ; SN 310 2 11329
|
|
1086: 00 0d
|
|
1088: 00 00
|
|
108a: e8 03
|
|
108c: e8 03
|
|
108e: 00 01
|
|
1090: df 07 ; Freq [kHz/200]: 403000 kHz
|
|
1092: 00 00
|
|
|
|
0xE000-0xFFBF code memory
|
|
|
|
0xFFC0-0xFFDF interrupt vector table (IVT)
|
|
BSLSKEY:
|
|
ffde: ff ff ; BSLSKEY
|
|
0xFFE0-0xFFFF interrupt vector table (IVT)
|
|
IVT:
|
|
ffe0: ff ff
|
|
ffe2: ff ff
|
|
ffe4: ff ff
|
|
ffe6: ff ff
|
|
ffe8: ff ff
|
|
ffea: ff ff
|
|
ffec: ff ff
|
|
ffee: e6 f4
|
|
fff0: b4 ed
|
|
fff2: 48 f3
|
|
fff4: ff ff
|
|
fff6: ff ff
|
|
fff8: b0 fd
|
|
fffa: d0 f8
|
|
fffc: ff ff
|
|
fffe: 00 e0 ; RESET
|
|
|
|
|
|
|