CTRLSTAT = 0xffffffff

Sir,

I am working on Cortex-M4 over serial wire debug protocol, i am able to read IDCODE(0x2ba01477) which is correct as per arm cortex m4 technical reference manual, and i am writing 0x50000000 to CTRLSTAT register to enable CSYSPWRUPREQ and CDBGPWRREQ which is also success without any ACK error,but the thing is when i am trying to read the CTRLSTAT register i got 0xffffffff . I don't understand what might be the problem,Please suggest me what would be the problem??

Thanks & Regards

Parents
  • I do not have any flowchart myself, but I do have some important information, which you will need, in order to unlock the device.

    The RM0090 is a great help here. it may not be a flowchart, but I think you might be able to pull the entire programming off by using RM0090 as reference.

    One thing I know you would benefit from, is to make a "block write"; eg. create a small function, which sends data to the target. For instance:

    uint32_t write_block(const char *aDataBlock, uint32_t aLength);

    A function like this should check the FLASH_SR register for errors. For instance, bit 4, WRPERR means that the target is write-protected., but there are other errors that can occur as well. Bit 16 is the BSY bit, and means that an operation is in progress; you'll have to wait until the BSY bit is cleared, before you issue another operation. (see section 3.9.5 for the F405 and F407 - note: there are also information about the F41x, F42x and 43x devices, so make sure you read the correct sections).

    You'll need to familiarize yourself with these registers (I've included some example values from my device):

    0x40023C00, FLASH_ACR:        00000000

    0x40023C04, FLASH_KEYR:       00000000

    0x40023C08, FLASH_OPTKEYR:    00000000

    0x40023C0C, FLASH_SR:         00000010

    0x40023C10, FLASH_CR:         00000004

    0x40023C14, FLASH_OPTCR:      00aaaae1

    0x40023C18, FLASH_OPTCR1:     110000c0

    You can find detailed information about them in RM0090, section 3.

    The first thing you want to know, is what is in the FLASH_CR register.

    You then want to know how to unlock the FLASH_CR register (by default, it has bit 31 set, which is a lock-bit. You can't just write a zero to this bit, you'll have to ask the microcontroller to zero it for you).

    The following two commands are commands I've used in OpenOCD, they read and write 32-bit values.

    The 'mww' command means Memory Write Word.

    The 'mdw' command means Memory Display Word:

    First you'll want to read FLASH_CR (this sequence is shown in section 3.6.1 and is essential, before you can proceed):

    mdw 0x40023C10

    Next, you'll want to write the value 0x45670123 to FLASH_KEYR, then write the value 0xCDEF89AB to FLASH_KEYR.

    mww 0x40023C04 0x45670123; mww 0x40023C04 0xcdef89ab

    After this, bit 31 in FLASH_CR should be zero (we'll start by displaying the FLASH_SR register to see if there were any problems):

    mdw 0x40023C0c; mdw 0x40023C10

    You're now allowed write access to the FLASH_CR register, but you're not allowed to change the option register.

    To do so, you'll need to write a sequence to the FLASH_OPTKEYR, followed by a write to FLASH_OPTCR, which will unlock your Flash-memory.

    Note: You do not need to unlock FLASH_CR, if you only need to work with FLASH_OPTCR.

    First, let's see the contents of the option register, followed by the FLASH_SR register:

    mdw 0x40023C14; mdw 0x40023C0c

    I recommend reading the old value of FLASH_OPTCR, parsing it and writing back a new value with the bits set for the sectors you want to modify, in case you need to set any bits. Perhaps they're already set, and if they are, it's a good idea not to change the register contents.

    This is the sequence that unlocks your Flash-memory (see section 3.7.2):

    mww 0x40023C08 0x08192A3B; mww 0x40023C08 0x4C5D6E7F; mww 0x40023C14 0x0fffaaed

    mdw 0x40023C0c; mdw 0x40023C10; mdw 0x40023C14

    You will need to "mass erase" (section 3.6.3) before you write your program data (section 3.6.4).

    These sources might be helpful (I didn't have a look at them yet):

    git clone  https://github.com/texane/stlink.git

Reply
  • I do not have any flowchart myself, but I do have some important information, which you will need, in order to unlock the device.

    The RM0090 is a great help here. it may not be a flowchart, but I think you might be able to pull the entire programming off by using RM0090 as reference.

    One thing I know you would benefit from, is to make a "block write"; eg. create a small function, which sends data to the target. For instance:

    uint32_t write_block(const char *aDataBlock, uint32_t aLength);

    A function like this should check the FLASH_SR register for errors. For instance, bit 4, WRPERR means that the target is write-protected., but there are other errors that can occur as well. Bit 16 is the BSY bit, and means that an operation is in progress; you'll have to wait until the BSY bit is cleared, before you issue another operation. (see section 3.9.5 for the F405 and F407 - note: there are also information about the F41x, F42x and 43x devices, so make sure you read the correct sections).

    You'll need to familiarize yourself with these registers (I've included some example values from my device):

    0x40023C00, FLASH_ACR:        00000000

    0x40023C04, FLASH_KEYR:       00000000

    0x40023C08, FLASH_OPTKEYR:    00000000

    0x40023C0C, FLASH_SR:         00000010

    0x40023C10, FLASH_CR:         00000004

    0x40023C14, FLASH_OPTCR:      00aaaae1

    0x40023C18, FLASH_OPTCR1:     110000c0

    You can find detailed information about them in RM0090, section 3.

    The first thing you want to know, is what is in the FLASH_CR register.

    You then want to know how to unlock the FLASH_CR register (by default, it has bit 31 set, which is a lock-bit. You can't just write a zero to this bit, you'll have to ask the microcontroller to zero it for you).

    The following two commands are commands I've used in OpenOCD, they read and write 32-bit values.

    The 'mww' command means Memory Write Word.

    The 'mdw' command means Memory Display Word:

    First you'll want to read FLASH_CR (this sequence is shown in section 3.6.1 and is essential, before you can proceed):

    mdw 0x40023C10

    Next, you'll want to write the value 0x45670123 to FLASH_KEYR, then write the value 0xCDEF89AB to FLASH_KEYR.

    mww 0x40023C04 0x45670123; mww 0x40023C04 0xcdef89ab

    After this, bit 31 in FLASH_CR should be zero (we'll start by displaying the FLASH_SR register to see if there were any problems):

    mdw 0x40023C0c; mdw 0x40023C10

    You're now allowed write access to the FLASH_CR register, but you're not allowed to change the option register.

    To do so, you'll need to write a sequence to the FLASH_OPTKEYR, followed by a write to FLASH_OPTCR, which will unlock your Flash-memory.

    Note: You do not need to unlock FLASH_CR, if you only need to work with FLASH_OPTCR.

    First, let's see the contents of the option register, followed by the FLASH_SR register:

    mdw 0x40023C14; mdw 0x40023C0c

    I recommend reading the old value of FLASH_OPTCR, parsing it and writing back a new value with the bits set for the sectors you want to modify, in case you need to set any bits. Perhaps they're already set, and if they are, it's a good idea not to change the register contents.

    This is the sequence that unlocks your Flash-memory (see section 3.7.2):

    mww 0x40023C08 0x08192A3B; mww 0x40023C08 0x4C5D6E7F; mww 0x40023C14 0x0fffaaed

    mdw 0x40023C0c; mdw 0x40023C10; mdw 0x40023C14

    You will need to "mass erase" (section 3.6.3) before you write your program data (section 3.6.4).

    These sources might be helpful (I didn't have a look at them yet):

    git clone  https://github.com/texane/stlink.git

Children
  • Thank you sir,

    Sir I am able to write data to core register like r0,r1,r2........ but when I am trying to read it back,  i got data as 0, my reading and writing procedure as following

    writing

    selecting bank0

    writing data to DCRDR

    writing address to DCRSR

    waiting until S_REGRDY bit in DHCSR register was set

    reading

    selecting bank0

    writing address to DCRSR

    waiting until S_REGRDY bit in DHCSR register was set

    reading data from DCRDR

    my approach

    core halt & reset

    write into register

    read from register (where i wrote)

    Thanks & Regards

  • It looks like you've come a long way.

    I think, that at this time you may know much more about all this than I do.

    -So I think we'll need to call for a SWD-expert in this case.

  • ,

    after writing into flash  if i am trying to  reading from the flash address i got 0xffffffff i don't know why that happening ??

    Thanks & Regards.

  • Thanks for Reply sir,

                                  in above post you wrote "0x40023c04=0x45670123. 0x4002c304=0xcdef89ab" hear both addresses are different , in stm32f4 reference manual  3.6.1 he mentioned that both keys 0x45670123 and 0xcdef89ab should be send to FLASH_KEYR(0x40023C04) register please make a clarity on that and another thing is my flash Unlock was unsuccess full.

    my procedure was

    halt

    reset

    reading status of FLASH_CR register if LOCK bit is set then

    sending 0x45670123 and 0xcdef89ab  to FLASH_KEYR register.

    delay: for loop ->1000

    then reading status of FLASH_CR register.

    Thanks and Regards.

  • Most likely your Flash memory is protected.

    It's important that you know there are two unlock sequences.

    First you will need to check that the LOCK bit of FLASH_CR is zero. If it is not zero, you will want to unlock it by sending the unlock sequence mentioned earlier:

    0x40023c04=0x45670123. 0x40023c04=0xcdef89ab.

    Then you may need to wait for a few milliseconds; I do not know how long, but try giving it a good delay at first, then you can reduce it and see when it fails.

    Now read FLASH_SR first. It is important to check all the things in this register that can go wrong. In particular, we're interested in bit 4, the WRPERR bit.

    -If the WRPERR bit is set, we're in trouble, but we'll also need to be free of other errors.

    If there are no errors, however, then we can proceed and read FLASH_CR again, to verify that the LOCK bit is now zero.

    If the LOCK bit of FLASH_CR is zero, then we can proceed.

    Read the FLASH_OPTCR register. by reading address 0x40023c14. If this register does not contain 0x0fffaae1, then you'll most likely get write protection errors in FLASH_SR after attempting to write to the flash-memory.

    So if FLASH_OPTCR register's bits 27:16 are not all 1, then we'll need to modify them. Bits 15:8 must be 0xaa. So we'll write the following:

    0x40023c08=0x08192a3b. 0x40023c08=0x4c5d6e7f. 0x40023c14=0x0fffaaed.

    Right after that sequence, we should read FLASH_SR, to check for errors.

    Then read FLASH_CR and verify that the LOCK bit is still zero.

    After that, we should read the FLASH_OPTCR register, to verify that the value is now changed; expect 0x0fffaae1.

    OK, we're about to flash-program the device, so now we'll do the checking again.

    Read the FLASH_OPTCR register (address 0x40023c14), if bits 27:16 are not all ones, we can't write to the flash-memory.

    Now read FLASH_SR, and verify that there were no error reading FLASH_OPTCR.

    Finally, read FLASH_CR and verify that the LOCK bit is still zero (I expect that it always is zero).

    If all checks out, try writing a block of data to the Flash memory.

    Right after writing the last 32-bit word of your data block, you should immediately read FLASH_SR and check for any errors.

    If bit 4 is set, then you could not write to the flash memory, because it's write-protected (somehow that means that the FLASH_OPTCR does not contain the value we'd expect by now).

    If any of the above sequences do not contain the values I wrote, please let me know, I could have made a typo.

  • I'm sorry, 0x4002c304 was a typo, I believe the right address should be 0x40023c04.

    Did you try reading FLASH_SR right after writing the two values to FLASH_KEYR ?

    What are the values you read from FLASH_SR and FLASH_CR ?

  • thank you for suggestion,

    after sending the key to FLASH_KEYR register

    reading

    FLASH_CR = 0x80000000

    FLASH_SR = 0x000000c0

    Thanks & regards.

  • Hmm, at least you can read the registers.

    I'm about to run out of ideas, but maybe it will help, if you try inserting dummy-clocks (for instance 50 zero-bits) between writing the unlocking-sequence, like this:

    Write the first word, send 50 dummy-clocks, write the second word, send 50 dummy-clocks, read CR, read CR.

  • thanks for quick reply,

    i got error resolved, the problem is each time while writing i selcting CSW register, with out that i wrote the following sequence

    setting CSW register with proper bit settings then

    TAR = FLASH_KEYR

    DRW = KEY1

    idle cycle

    TAR = FLASH_KEYR

    DRW = KEY2

    idle cycle

    now i am reading

    FLASH_CR = 0x00000000

    FLASH_SR = 0x000000C0

    after above

    i wrote data to flash memory as following procedure

    checking BSY bit in FLASH_SR register wait until this bit is cleared.

    setting PG bit and 32bit selection by

    FLASH_CR = 0x00000201

    after that I am trying to read the FLASH_CR and FLASH_SR register

    but i got as following

    FLASH_CR = 0x00000000

    FLASH_SR = 0x000000C0

    data is not updated on FLASH_CR register???

    my doubt is after halt and reset no registers are modified why??

  • Try writing 0x00000200 first, then 0x00000201.

    For instance:

    read 0x40023c0c  (FLASH_SR)

    read 0x40023c10 (FLASH_CR)

    0x40023c10 = 0x00000200;

    read 0x40023c0c  (FLASH_SR)

    read 0x40023c10 (FLASH_CR)

    0x40023c10 = 0x00000201;

    read 0x40023c0c  (FLASH_SR)

    read 0x40023c10 (FLASH_CR)

    -But before that, I think it would be a good idea to read FLASH_OPTCR (0x40023c14) and check that it allows you to write to the Flash-memory.

    This could also be a power issue. Make sure VOS in PWR_CR is set to Scale1 mode. (there's also a VOS_RDY bit you'll have to wait for)

  • thank you sir,

                        i tried your above approach i got FLASH_OPTCR = 0x0FFFAAED , and PWR_CR = 0x0000C000. is there any wrong with these values??

    Thanks & Regards,

  • FLASH_OPTCR looks good to me; excellent!

    I think your PWR_CR looks good too. Mine is also 0x0000c000.

    I think I'll have to call for jyiu's help now, because I've run out of clues what can be wrong.

    Although we're dealing with a problem specific to the STM32F407 at the moment, I just came across this document from ARM about the Debug Interface Architecture: http://infocenter.arm.com/help/topic/com.arm.doc.ihi0031a/index.html

    -You can download it for free; you just need to register first.

  • err....sorry.... I don't think I can help in this STM32F4 specific question.

    My suggestion is to post this on STM32 forum and see if anyone there can help.

    regards,

    Joseph

  • Well, it was worth the try, thank you for taking the time to look at it, Joseph.

    harshan_behra -This is a very special case, only very few people have been working with it, so there might not be many people who can answer.

    That means you're in pioneer-land, which is one of the most interesting places to be, but also one of the most difficult places to be at the same time.

    If / when you find the answer, please let us know what caused the problem.

  • I just looked in the sources for the stlink tool. This might bring you to the solution.

    In the file "stlink-common.c", line 1593 ...

    After the sequence you mentioned, it writes a small piece of code into the SRAM and executes it.

    This piece of code copies a data block from the address that register r0 points to, to the address that register r1 points to, the length of the data block is r2 bytes.

    So this small piece of code can be used for both reading flash memory and writing flash memory.

    In the same file, line 1765, you'll find the routine (run_flash_loader) that sets the parameters and runs the piece of code in SRAM.

    The routine, which sets the value of a core register is also interesting, it's called stlink_write_reg, and is actually located in stlink-usb.c as _stlink_usb_write_reg at line 680.