This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AT89C51 HSB Security Bits

Hi,

I am trying to unlock the security on a AT89c51 processor to call subroutines in external flash.

When I do an LCALL from internal flash and a RET from external flash, the processor reboots. I have MOVX from the internal flash bootloader 0x22 to a specific external location, and can verify that it is there.

The LCALL is to this external 16-bit address.

In the data sheet the manufacturer, Atmel, sets the default level of security to level 4 no external code execution is possible.

I have built a parallel programmer and have successfully read the security bytes.

When I try to perform a chip erase, as discussed in some application notes, the erase doesn't occur.

I provide these voltages on the corresponding pins:
Pin 44 VCC 4.96V (H)
Pin 10 RST 4.45V (H)
Pin 30 P2.6 4.96V (H)
Pin 31 P2.7 0.7mV (L)
Pin 18 P3.6 0.4mV (L)
Pin 19 P3.7 151.7mV (L)
Pin 22 GND 0.1mV (L)
Pin 32 PSEN 0.1mV (L)
Pin 33 PROG 4.92V b4 program pulse (H)
Pin 35 EA/Vpp 4.48V (H)

I am running a 6MHz XTAL.

When I perform a program pulse for >=10mS, the low
voltage level is: 151.7mV.

The data sheet says that the programming voltage is
generated internally from Vcc so I don't provide a
12 volt programming pulse (Although I did give it a try
because the above wasn't working!)

Is there any thing that looks incorrect here?
Do I need to do anything with the address, data pins?
Can I get confirmation of success using the described technique?
Am I totally in left field here????

Thank You.
Sincerely,
RJohn Nesselhauf

Parents
  • The need for a 8051 core to run an application that was originally written in 8051 code started this.

    I chose this processor because it is very close in functionality to the original 87C51 that the board currently uses.

    I started this project using serial comms and RxD and TxD with Flexible InSystem Programming FLIP.

    I have written a bootloader and it can MOVX data from XRAM to an external flash. It can verify the code in flash.

    Everything was progressing nicely until I tried to execute the code from external flash.

    If I try and put a RET (0x22) in a external flash location, and then do an LCALL from an internal flash location using the 16 bit address where the RET resides, the processor reboots.

    I have looked at the data sheet for the part and it says that the manufacturer ships the part with default level 4 security in the Hardware Security Byte bits 2-0
    (011b).

    According to documentation, I can not execute code from external flash at this security level. And the only way to unlock this security level is through the use of a parallel programmer.

    I have built the parallel programmer on the ATMEL website in their app notes, I have built a dedicated
    erase flash socket with momentary switch on !PROG and
    cannot erase the internal flash on this part.

    The reset is low when the bootloader is running. According to the app notes, if they are correct, the reset is pulled high in the parallel programming mode
    by the programmer.

Reply
  • The need for a 8051 core to run an application that was originally written in 8051 code started this.

    I chose this processor because it is very close in functionality to the original 87C51 that the board currently uses.

    I started this project using serial comms and RxD and TxD with Flexible InSystem Programming FLIP.

    I have written a bootloader and it can MOVX data from XRAM to an external flash. It can verify the code in flash.

    Everything was progressing nicely until I tried to execute the code from external flash.

    If I try and put a RET (0x22) in a external flash location, and then do an LCALL from an internal flash location using the 16 bit address where the RET resides, the processor reboots.

    I have looked at the data sheet for the part and it says that the manufacturer ships the part with default level 4 security in the Hardware Security Byte bits 2-0
    (011b).

    According to documentation, I can not execute code from external flash at this security level. And the only way to unlock this security level is through the use of a parallel programmer.

    I have built the parallel programmer on the ATMEL website in their app notes, I have built a dedicated
    erase flash socket with momentary switch on !PROG and
    cannot erase the internal flash on this part.

    The reset is low when the bootloader is running. According to the app notes, if they are correct, the reset is pulled high in the parallel programming mode
    by the programmer.

Children