Fri 10 Feb 2006
After reading more and more datasheets and application notes relating to the TI msp430, I am ready to summarize the two methods for getting data into the device after it has left the factory. For the purposes of this post, I am referring to the MSP430F149 (datasheet) device, but this is generic enough to apply to any of the flash-based devices with individual JTAG pins. The first method is to use a JTAG interface to put the device through the necessary steps to erase, program and verify its flash memory. The other method is to access the Bootstrap Loader (BSL) on the device, through which flash can be programmed and verified using UART0 running at 9600 bps.
As for the JTAG interface, there are the standard pins: TMS, TCK, TDI/TCLK, TDO. TMS controls the JTAG state machine. TCK clocks data into the chip on TDI on its rising edge and clocks data out of the chip on TDO on its falling edge. The TCLK pin is internally latched to TDI when the state machine is in the RUN TEST/IDLE (RTI) state and controls the main CPU, memory, and other internal clocks. The slaa149.pdf application note from TI does a good job explaining how to use JTAG to program the chip, including verification and pseudo code, except for setting and unsetting TCLK, so this will be the focus of this paragraph. Effectively, the various scan modes are used to set the chip’s internal data, memory, and instruction registers, and then TCLK is cycled a given number of times to execute the instruction. That is to say, TDI drives TCLK during the RTI state, while it is used to serially input data in all other states. One of the requirements for this to work is that TCLK does not change outside of the RTI state, so the value of TDI must be saved before leaving the RTI state and must be set back to that value before returning to RTI. To be more exact, while we are in the RTI state, TMS is low and we cycle TDI to run TCLK. When we want to exit the RTI state, we first save the current value of TDI, then set TMS high and bring TCK high to go into the SELECT DATA REGISTER SCAN state. When we are in the UPDATE DR/IR state and ready to go back to RTI, we must first restore TDI to the previous TCLK value, then bring TMS low, then cycle TCK. Of course, this information is only useful to those who wish to create a custom JTAG interface for the chip, as all of this is already included in many of the ready-made JTAG cables for the msp430. Another thing to remember is that the msp430 is an LVCMOS device, so its JTAG inputs are compliant to Vcc (1.8-3.6V) and not the full 5V.
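The save and restore of TDI around a scan can be checked with a small software model. The following is an added example, not code from slaa149.pdf or from this post: the pin variables, the `spurious_edges` helper and the MSB-first bit order are assumptions, and only the data-register path of the standard TAP state machine is modelled. It counts TCLK edges caused by the scan itself, which should be zero.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed software model of the TAP and pins; no real hardware access. */
enum tap { RTI, SEL_DR, CAP_DR, SHIFT_DR, EXIT1_DR, UPD_DR };
static enum tap state;
static int tms, tdi, tclk, edges;

/* TDI drives TCLK only while the TAP sits in Run-Test/Idle. */
static void follow(void) { if (state == RTI && tclk != tdi) { tclk = tdi; edges++; } }
static void set_tdi(int v) { tdi = v; follow(); }

/* One TCK cycle: the TAP samples TMS and moves along the DR path. */
static void tck_pulse(void) {
    switch (state) {
    case RTI:      if (tms) state = SEL_DR;            break;
    case SEL_DR:   if (!tms) state = CAP_DR;           break; /* IR path not modelled */
    case CAP_DR:   state = tms ? EXIT1_DR : SHIFT_DR;  break;
    case SHIFT_DR: if (tms) state = EXIT1_DR;          break;
    case EXIT1_DR: if (tms) state = UPD_DR;            break; /* Pause-DR not modelled */
    case UPD_DR:   state = tms ? SEL_DR : RTI;         break;
    }
    follow();
}

/* Shift 16 bits through DR; returns TCLK edges caused by the scan itself. */
int spurious_edges(uint16_t data, int tclk_level, int restore) {
    state = RTI; tms = 0; tdi = tclk = tclk_level; edges = 0;
    int saved = tdi;                      /* save TCLK level before leaving RTI */
    tms = 1; tck_pulse();                 /* RTI -> Select-DR-Scan */
    tms = 0; tck_pulse(); tck_pulse();    /* -> Capture-DR -> Shift-DR */
    for (int i = 15; i >= 0; i--) {       /* MSB-first order is an assumption */
        set_tdi((data >> i) & 1);
        tms = (i == 0);                   /* last bit exits Shift-DR */
        tck_pulse();
    }
    tms = 1; tck_pulse();                 /* Exit1-DR -> Update-DR */
    if (restore) set_tdi(saved);          /* put TDI back before re-entering RTI */
    tms = 0; tck_pulse();                 /* Update-DR -> RTI */
    return edges;
}

int main(void) {
    printf("restore, data 0x0000, TCLK=1: %d\n", spurious_edges(0x0000, 1, 1));
    printf("no restore, 0x0000, TCLK=1:  %d\n", spurious_edges(0x0000, 1, 0));
    printf("no restore, 0xFFFF, TCLK=1:  %d\n", spurious_edges(0xFFFF, 1, 0));
    return 0;
}
```

Without the restore, the extra TCLK edge appears only when the last shifted bit differs from the saved TCLK level, so the fault is data-dependent and easy to miss in testing.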
The device also features a code protection fuse on TDI/TCLK which burns at a minimum voltage of 6V, thereby disabling the JTAG interface. The datasheet specifies that during the 1ms burn, a 100mA current can be driven through the TDI/TCLK pin, so it would appear that the fuse refers to critical failure of a polysilicon interconnect instead of something that can be reset at a later time.
The other method for programming the msp430 is by accessing the Bootstrap Loader (BSL). The entry sequence requires the use of the RST and TCK pins. Starting with RST low, TCK is cycled low to high to low, then back to high. While TCK is high, RST is brought high, and then TCK is brought back to low. At this point, the BSL begins executing and expects a synchronization byte. The serial settings are 9600 baud, 8 data bits, even parity and one stop bit. On the MSP430F149, P1.1 is used for transmit and P2.2 is used to receive. The slaa096b.pdf application note describes the sync byte and all subsequent commands. The important point is that device memory can still be accessed via the BSL even after blowing the JTAG fuses. To allow code security, the functions accessible by the BSL are divided into those which are unprotected and those which are protected by a password. To be more specific, the password must be given to the device to allow direct access to memory. The “password” in this case is the 16-word interrupt-vector table, which would be located at address range 0xFFE0 to 0xFFFF. After a mass erase and after arriving from the factory, this portion of memory is set to all ones. The above-mentioned application note gives an overview of a viable hardware design. Overall, the JTAG method is preferred due to its faster clock rate (~400kHz); however, the BSL is the only remaining method of accessing device memory once the JTAG fuse has been blown. That is, if you know the “password.”