annotate doc/Flash-write-protection @ 999:30fad2b3afd2

doc/Flash-write-protection: document flash lock-state retrieval
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 04 Dec 2023 20:40:50 +0000
parents 67513b9446da
children 11391cb6bdc0
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
997
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
1 Some Calypso-based GSM MS designs (phones, modems, development boards) use
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
2 AMD-style (Spansion or Samsung) flash chips, while others use Intel flash.
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
3 In the case of Calypso devices that use Spansion or Samsung flash chips, all of
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
4 those chips support a rarely used feature: an ability to write-protect selected
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
5 flash sectors, disallowing erase and program operations in those areas. With
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
6 earlier AMD-style flash chips (actual AMD-branded ones prior to introduction of
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
7 Spansion brand, as well as Samsung K5A32xx used in Openmoko devices) this
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
8 sector-level write protection can only be applied or lifted by way of external
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
9 programming equipment, executing special commands with a high voltage applied
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
10 to one of the pins - hence when the chip resides on a product board, no new
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
11 sector locks can be applied. (We are not aware of any Calypso GSM device manuf
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
12 who locked some flash sectors and then populated the chip onto the board in
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
13 that state.)
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
14
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
15 With newer Spansion and Samsung flash families, however, sector locks became
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
16 more easily accessible: they have Persistent Protection Bits (PPBs) which can
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
17 be programmed (locking a sector or a group of sectors) and erased (removing all
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
18 such locks) in-system under normal operating conditions, using only special
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
19 software commands. These flash chips also have "hard" locking modes: a Password
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
20 Sector Protection mode in which PPBs can only be modified after feeding a
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
21 matching 64-bit key to the chip, and an OTP "master lock" mode in which the
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
22 ability to erase PPBs is irreversibly disabled, locking all write-protected
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
23 sectors forever - but so far we (FreeCalypso community) have not yet encountered
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
24 any devices in which any of these "hard" locks have been activated. There is,
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
25 however, at least one Calypso-based phone out there (Sony Ericsson K2x0 family)
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
26 in which the shipping state of the device includes some flash sector locks -
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
27 but these locks are of the "soft" kind, removable by performing a PPB erase
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
28 operation which is not further blocked.
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
29
999
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
30 fc-loadtool support for sector write-protection
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
31 ===============================================
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
32
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
33 As of fc-host-tools-r21, fc-loadtool provides the following facilities in
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
34 relation to sector write-protection features on AMD-style flash chips:
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
35
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
36 * flash lock-state command is available when operating on those flash chips for
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
37 which we've implemented the necessary table, listing how sectors are grouped
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
38 for the purpose of write protection, how they are grouped for the purpose of
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
39 lock status retrieval via Autoselect read mode, and what additional lock
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
40 status words should be checked. We have implemented the necessary knowledge
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
41 tables for all chips on which we support PPB manipulation (see below), but
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
42 also for some chips on which sector lock state can be modified only by high-
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
43 voltage methods - on the latter chips we can examine the lock state, but not
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
44 modify it.
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
45
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
46 * flash ppb-* commands actively alter sector write protection state by
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
47 programming and erasing PPBs on those Spansion and Samsung flash chips that
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
48 allow these PPB alterations by software commands alone (without high-voltage
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
49 circuits) and for which we have implemented the necessary knowledge tables.
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
50 The set of flash chips for which we have implemented these active commands is
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
51 a proper subset of those for which we have implemented flash lock-state
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
52 retrieval.
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
53
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
54 These commands are primarily aimed at unlocking flash regions that have been
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
55 write-protected by previous parties. It is very helpful, however, to understand
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
56 some theory before using these commands, which the present document aims to
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
57 explain.
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
58
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
59 How PPBs work
30fad2b3afd2 doc/Flash-write-protection: document flash lock-state retrieval
Mychaela Falconia <falcon@freecalypso.org>
parents: 997
diff changeset
60 =============
997
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
61
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
62 Spansion and Samsung flash chips that feature PPBs have one PPB per sector or
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
63 per sector group - some sectors are aggregated into groups (of 4 sectors max)
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
64 for the purpose of write protection control. All of these PPBs are contained
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
65 in one special-purpose non-volatile memory element inside the flash chip, and
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
66 this NV memory element behaves like a little flash sector of its own: it has a
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
67 program operation, affecting each PPB individually, and an erase operation that
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
68 affects all PPBs across the chip at once. (See How-flash-really-works article
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
69 for an explanation of program and erase operations.) The programmed state of a
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
70 PPB corresponds to the associated flash sector or sector group being locked
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
71 (write-protected), and the erased state of a PPB corresponds to the flash
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
72 location being unlocked (free to erase and program at will).
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
73
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
74 fc-loadtool commands for manipulating PPBs are flash ppb-program and flash
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
75 ppb-erase-all; they are named in this manner (as opposed to a naming scheme
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
76 based on "lock/unlock" or "protect/unprotect") to emphasize the physical nature
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
77 of what they actually do in the flash chip. flash ppb-program command (or
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
78 flash2 ppb-program for the second bank of 16 MiB flash chips) addresses a
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
79 specific sector and programs that sector's PPB, causing the sector to become
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
80 write-protected; flash ppb-erase-all erases all PPBs across the flash chip,
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
81 causing the entire main flash array to become unlocked for write operations.
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
82
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
83 The internal implementation of these PPB manipulation commands is very different
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
84 between PL-J and PL-N flash types, as required by the respective flash chip
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
85 families presenting a very different type of command interface for PPB
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
86 operations. The command interface implemented on Spansion PL-J family and at
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
87 least some Samsung flash chips (K5L29xx in particular) exposes the raw physics
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
88 of the flash (see How-flash-really-works article) to the user for PPB
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
89 operations, requiring flashing software tool developers to understand all of
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
90 that theory and implement it in practice. OTOH, the command interface for PPB
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
91 program and erase operations implemented on Spansion PL-N family (of which only
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
92 PL129N is usable with Calypso) brings these special operations into harmony with
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
93 ordinary flash programming and erasure procedures. We don't know (and may never
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
94 know) if Spansion aimed to simplify life for flash low-level driver implementors
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
95 or if internal advancements from PL-J to PL-N flash necessitated some changes
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
96 in physics-level program/erase algorithms and Spansion didn't feel like exposing
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
97 the internal details of their newer flash - but the practical implication for us
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
98 is that we had to implement two different code paths to support both ways of
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
99 performing these operations, as we need to support all flash chip types that are
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
100 found in Calypso GSM devices of different ages.
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
101
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
102 It also needs to be noted that at least in Spansion PL-J and Samsung flash chips
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
103 the special non-volatile memory element that holds PPBs has a *very* limited
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
104 number of program-erase cycles: the datasheets we were able to find give a limit
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
105 of 100 (1e2) cycles for this special NV memory element, compared to 1e5 cycles
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
106 promised by the same datasheets for the main flash array. So please beware,
67513b9446da doc/Flash-write-protection: new article
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff changeset
107 and avoid needlessly cycling these write protection bits.