EmbeddedRelated.com
Forums
The 2024 Embedded Online Conference
   Forums    More Forums    comp.arch.embedded  

AVR Bootloader protection

Started by ralp...@gmail.com January 9, 2005
Does anyone have any good way to protect an AVR from accidential flash
/ erase commands?

Imagine, a bug in the application software causes a jump into the
bootloader - that just happens to be around the code that calls page
erase or page write - so that routine does what's it's supposed to,
writes random data to a random page or  erases a random page.  There is
no protection, SPM works b/c we are in bootloader code.

How can you protect from this - seems the lock bits are no good b/c
once you set them you have to do a chip erase to clear them.

Ideally you would be able to stop the chip from being able to jump to
any code in the bootloader, only being able to get there from a reset.
But this isn't a reality.

Thanks for any thoughts
Ralph
Reply by Ulf Samuelsson January 10, 20052005-01-10
Define 8 positions in th eboot loader that the CPU must run though to
get to the boot loader write.
In each position, the CPU sets a bit of a byte..
When exiting the bootloader, clear this byte.

Let an interrupt clear this byte periodically. It should verify that it is
clear
in a loop

    volatile BYTE x;
    do
        x = 0;
    while (x != 0);

    The code generated would be similar to:
    LDI r16,0
    ST   (z),r16

    And you dont want to jump into the routine at the ST instruction
    with R16 set to 0xff.


The only instructions that set the bits should be in the bootloasder
unless you execute the boot loader from the start,. you should not
have all bits set.

There is always the chance that you do an indirect store of 0xFF to this
location
but the chance is reduced significantly when this is done.

It is a little similar to how you can use a watchdog.
Set a bit if a certain task has executed.
If all bits are set, service the watchdog, and clear the byte.
If not all tasks has executed at least once in the watchdog period
the reset will come.

-- 
Best Regards,
Ulf Samuelsson   ulf@a-t-m-e-l.com
This is a personal view which may or may not be
share by my Employer Atmel Nordic AB


<ralph.mason@gmail.com> skrev i meddelandet
news:1105303676.224988.97460@c13g2000cwb.googlegroups.com...

> Does anyone have any good way to protect an AVR from accidential flash
> / erase commands?
>
> Imagine, a bug in the application software causes a jump into the
> bootloader - that just happens to be around the code that calls page
> erase or page write - so that routine does what's it's supposed to,
> writes random data to a random page or  erases a random page.  There is
> no protection, SPM works b/c we are in bootloader code.
>
> How can you protect from this - seems the lock bits are no good b/c
> once you set them you have to do a chip erase to clear them.
>
> Ideally you would be able to stop the chip from being able to jump to
> any code in the bootloader, only being able to get there from a reset.
> But this isn't a reality.
>
> Thanks for any thoughts
> Ralph
>
Reply by ralp...@gmail.com January 10, 20052005-01-10
Ulf Samuelsson wrote:

> Define 8 positions in th eboot loader that the CPU must run though to
> get to the boot loader write.
> In each position, the CPU sets a bit of a byte..
> When exiting the bootloader, clear this byte.
>
> Let an interrupt clear this byte periodically. It should verify that

it is

> clear
> in a loop
>
>     volatile BYTE x;
>     do
>         x = 0;
>     while (x != 0);
>
>     The code generated would be similar to:
>     LDI r16,0
>     ST   (z),r16
>
>     And you dont want to jump into the routine at the ST instruction
>     with R16 set to 0xff.
>
>
> The only instructions that set the bits should be in the bootloasder
> unless you execute the boot loader from the start,. you should not
> have all bits set.
>
> There is always the chance that you do an indirect store of 0xFF to

this

> location
> but the chance is reduced significantly when this is done.
>
> It is a little similar to how you can use a watchdog.
> Set a bit if a certain task has executed.
> If all bits are set, service the watchdog, and clear the byte.
> If not all tasks has executed at least once in the watchdog period
> the reset will come.
>
> --
> Best Regards,
> Ulf Samuelsson   ulf@a-t-m-e-l.com
> This is a personal view which may or may not be
> share by my Employer Atmel Nordic AB
>
>
> <ralph.mason@gmail.com> skrev i meddelandet
> news:1105303676.224988.97460@c13g2000cwb.googlegroups.com...
> > Does anyone have any good way to protect an AVR from accidential

flash

> > / erase commands?
> >
> > Imagine, a bug in the application software causes a jump into the
> > bootloader - that just happens to be around the code that calls

page

> > erase or page write - so that routine does what's it's supposed to,
> > writes random data to a random page or  erases a random page.

There is

> > no protection, SPM works b/c we are in bootloader code.
> >
> > How can you protect from this - seems the lock bits are no good b/c
> > once you set them you have to do a chip erase to clear them.
> >
> > Ideally you would be able to stop the chip from being able to jump

to

> > any code in the bootloader, only being able to get there from a

reset.

> > But this isn't a reality.
> >
> > Thanks for any thoughts
> > Ralph
> >


So I guess the answer is there is no way you can 100 % protect your
application from accidental corruption of the image if you are using a
bootloader.

Why is there not a write only register - called something like SPM
DISABLE that can only be cleared by a reset.  As SPM can already be
disabled by the processor it seems like that would only be a couple of
latches and would make it easy to protect your application.

Ralph
You might also like... (promoted content)
Upcoming Course - Python Applications for Digital Design and Signal Processing
Upcoming Course - Python Applications for Digital Design and Signal Processing
Upcoming Course - Python Applications for Digital Design and Signal Processing
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
Check out Memfault's New Sandbox!
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference - Register Early and Save with Promo Code ER2024!
The 2024 Embedded Online Conference