annotate doc/How-flash-really-works @ 1011:6d9b10633f10

etmsync Pirelli IMEI retrieval: fix poor use of printf()

Bug reported by Vadim Yanitskiy <fixeria@osmocom.org>: the construct where a static-allocated string was passed to printf() without any format arguments causes newer compilers to report a security problem. Given that formatted output is not needed here, just fixed string output, change printf() to fputs(), and direct the error message to stderr while at it.
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 23 May 2024 17:29:57 +0000
parents 39a6090a052a

How NOR flash memory really works
=================================

The type of flash memory used in Calypso GSM devices is formally known as NOR
flash. Most embedded software programmers and tinkerers know the fundamental
principle of how NOR flash works: any bit can be transitioned from a '1' to a
'0' at any time in any combination (an operation called programming), but the
opposite transition (from '0' to '1' bits, an operation called erasure) can only
be done on fairly large sectors - you can erase a sector and make it all 1s,
but changing bits from 0 to 1 individually or in any smaller granularity
(smaller than a sector) is impossible.

What many "software-minded" programmers and tinkerers don't realize, however,
is that sector erasure is not an elementary or atomic operation that magically
"makes all bits 1s" in one motion. Instead it is a complex process with two or
three substeps:

1) Before starting the physical process of erasure, one has to go through all
   bits in the to-be-erased sector and make them all 0s. Any bits that are in
   '1' state when the sector erase operation is commanded MUST be programmed to
   '0' state before the actual erasure begins! In the language of flash chip
   industry, this step is called preprogramming. In the case of flash chips
   that are used in Calypso GSM devices (all known ones), this preprogramming
   step is done internally by the chip, so that you as the user or software
   developer are not aware of it - but it is there nonetheless. The chip does
   NOT magically "wave" all bits in the sector into '1' state, instead it first
   makes them all '0' internally, and only then erases.

2) Once every bit in the sector is in '0' state, the real physics of erasure
   begins. All bit cells in the sector are physically acted upon at once in
   this step, and because it is a probabilistic process involving a Gaussian
   distribution, all bit cells need to be in the fully programmed state before
   they begin their shared journey toward the erased state.

3) The step of preprogramming every bit to 0 prior to erasure prevents the
   absolutely unacceptable condition of gross overerasure - but given the
   Gaussian distribution, some bit cells may still get a little overerased.
   Many (most? all? not sure) flash chips therefore implement a third internal
   step before the software-visible "erase" operation is declared complete:
   they go through all bit cells in the just-erased sector, check for
   overerasure, and "soft-program" (move slightly to the right in the Vt
   distribution) any overerased cells. This step is called post-erase
   conditioning or recovery.

The above process was originally explained to me (Mother Mychaela) some years
ago (around 2008, IIRC) by a Spansion support engineer on a conference call at
my then day job - it was a project for a customer who was big and powerful
enough to get top-tier support from chip vendors. More recently, however, some
other flash vendors have posted public documents that provide the same
explanation - here is one from Renesas/Adesto:

https://www.freecalypso.org/pub/embedded/flash/REN_an500_APN_20210702_1.pdf

Even though the above document was written by Renesas (or more precisely, the
part that was originally Adesto), the theory described therein applies just as
well to Intel, Spansion and Samsung flash chips that are used in Calypso GSM
devices. For anyone who wishes to know how NOR flash memory really works, I
strongly recommend reading that Renesas appnote - it is a good description.

Additional note on terminology: describing the two states of a flash memory cell
as '0' and '1', like I did above, is only a convenience for software-minded
people. A more proper view is to think in terms of a "programmed state" and an
"erased state" for each bit cell. History and tradition are such that flash
chips return '0' on read in the programmed state and '1' in the erased state
(this tradition probably originates from the fact that the actual NV storage
element, a transistor, conducts read current in the erased state), at least for
the main flash array - however, when flash memory elements are used for
additional purposes such as write protection controls, it is best to think
natively in terms of programmed and erased states. For the latter kind of
special applications, an opposite polarity may be applied in read-bit values.

One straightforward take-away from this theory is that flash endurance is really
about program-erase cycles, rather than number of program or number of erase
operations. Every time you give a sector erase command, every bit in that
sector cycles through the fully programmed (0) state first before becoming
erased (1), irrespective of whether or not you programmed into it on your own!
Hence every bit-cell of the affected sector always goes through a full
program-erase cycle, and all bits in a given sector are always cycled equally,
irrespective of whether they get written with mostly-0s or mostly-1s in between
erase cycles.

Another situation where this raw physics gets exposed to the user is the case
of special-purpose non-volatile bits in flash chips outside of the main flash
memory array - for example, Persistent Protection Bits (PPBs) in some Spansion
and Samsung flash chips. While program and erase commands for the main flash
array invoke chip-internal mechanisms that take care of everything and present
a sane model of 0s and 1s to software, Spansion PL-J PPB program and erase
commands expose raw guts: there is a command that applies a raw program pulse
to a single PPB, and there is a command that applies a raw erase pulse to the
NV memory element (like a little sector of its own) that holds all PPBs.
Applying the erase pulse without preprogramming every PPB first would be very
bad (see Renesas appnote about the badness of overerasure) - hence in a seeming
paradox, one has to explicitly lock every sector before applying PPB erase
pulses that will eventually unlock everything!

Our flash ppb-erase-all command does implement the preprogramming step before
actual erasure, and the present document (hopefully) explains why.
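
The three-step erase sequence and the PPB "lock everything before unlocking"
rule described above, as a toy model in C. This is an added example, not
FreeCalypso code or any chip's internal algorithm: the Vt units, thresholds,
per-cell erase speeds and the names bank_init and erase_bank are all
constructed for illustration.

```c
#include <stdio.h>

/* Toy model in arbitrary Vt units; every constant here is constructed. */
#define NCELLS    8
#define VT_PROG   60   /* level of a fully programmed cell */
#define VT_ERASED 10   /* level of a normally erased cell */
#define VT_READ   20   /* a cell reads as erased below this level */
#define VT_FLOOR  0    /* below this the cell counts as overerased */
#define SOFT_STEP 5    /* one soft-program nudge */
#define SOFT_MAX  2    /* nudges the conditioning step may spend per cell */

/* Threshold level of each bit cell, plus program-erase cycles undergone. */
struct bank { int vt[NCELLS]; int cycles; };

/* Per-cell erase speed, standing in for the spread of the distribution. */
static const int erase_step[NCELLS] = { 9, 10, 11, 10, 13, 9, 10, 11 };

/* Starting state: bit i of mask set means cell i is programmed. */
void bank_init(struct bank *b, unsigned mask)
{
    for (int i = 0; i < NCELLS; i++)
        b->vt[i] = ((mask >> i) & 1) ? VT_PROG : VT_ERASED;
    b->cycles = 0;
}

static int all_read_erased(const struct bank *b)
{
    for (int i = 0; i < NCELLS; i++)
        if (b->vt[i] >= VT_READ)
            return 0;
    return 1;
}

/* Erase the bank; returns how many cells are left overerased. */
int erase_bank(struct bank *b, int preprogram)
{
    int i, n, left = 0;
    for (i = 0; preprogram && i < NCELLS; i++)
        b->vt[i] = VT_PROG;               /* step 1: every cell to '0' */
    while (!all_read_erased(b))           /* step 2: pulses hit all cells */
        for (i = 0; i < NCELLS; i++)
            b->vt[i] -= erase_step[i];
    for (i = 0; i < NCELLS; i++) {        /* step 3: post-erase conditioning */
        for (n = 0; b->vt[i] < VT_FLOOR && n < SOFT_MAX; n++)
            b->vt[i] += SOFT_STEP;
        left += b->vt[i] < VT_FLOOR;
    }
    b->cycles++;                          /* the whole bank cycles together */
    return left;
}

int main(void)
{
    struct bank b;
    bank_init(&b, 0x03);   /* two cells programmed, six erased */
    printf("erase pulses only:      %d overerased\n", erase_bank(&b, 0));
    bank_init(&b, 0x03);
    printf("preprogram, then erase: %d overerased\n", erase_bank(&b, 1));
    return 0;
}
```

In this model the cells that were already erased keep sinking while the pulses
continue for the programmed ones, which is why skipping the preprogramming
step leaves them beyond what the conditioning step can pull back.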