NefMoto


Title: TC1791 0xF8000511 Register, what is it?
Post by: d3irb on December 19, 2020, 10:38:55 PM
Hi,

I am working through making a complete TC1791 BSL and found something odd - both Simos18 SBOOT and the TC1791 Mask ROM manipulate a seemingly undocumented register address at 0xF8000511, sending the command sequence "5A 25 0F 70" cycle-wise like other flash commands. They do this after checking the highest bit in the first flash controller's PROCON2, which is also undocumented.

The documentation makes several allusions to "tune protection features" that are not public - does this relate to one, or am I paranoid and there is just something I'm missing in the docs?

Thanks in advance!


Title: Re: TC1791 0xF8000511 Register, what is it?
Post by: terminator on December 24, 2020, 04:20:05 PM
Program Memory Unit (PMU)??
Reserved; must not be read or written; otherwise unpredictable results may occur.
F800 0510H   U, SV   SV   –


Title: Re: TC1791 0xF8000511 Register, what is it?
Post by: d3irb on December 24, 2020, 05:30:02 PM
Yes, thanks... what I am looking for is more of what the "unpredictable results" actually are, since that flash control register _is_ read and written in both Mask ROM and, more tellingly, in the OTP part of SBOOT.

This "5A 25 0F 70" sequence is written once in the Mask ROM at afffd20e and again in the OTP "protection/crypto functions" library, from the export at 80014040, which is called just before jumping into CBOOT from the "happy path" execution of SBOOT where everything is "correct" (block flags, CRC, and no PWM break-in).

In Mask ROM the highest bit (bit 31) in PROCON2 is checked first before applying this sequence, which is documented only as "RES31 31rh Reserved: Deliver the corresponding content of UCB2."

It seems, of course, based on this behavior, to be an extra protection that is configured as part of the programming of UCB2 (the OTP configuration) - but I am not certain what it actually does.