FreeCalypso > hg > freecalypso-tools
comparison doc/Flash-write-protection @ 997:67513b9446da
doc/Flash-write-protection: new article
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Mon, 04 Dec 2023 01:42:35 +0000 |
| parents | |
| children | 30fad2b3afd2 |
comparison
equal
deleted
inserted
replaced
| 996:162d2cf394e2 | 997:67513b9446da |
|---|---|
| 1 Some Calypso-based GSM MS designs (phones, modems, development boards) use | |
| 2 AMD-style (Spansion or Samsung) flash chips, while others use Intel flash. | |
| 3 In the case of Calypso devices that use Spansion or Samsung flash chips, all of | |
| 4 those chips support a rarely used feature: an ability to write-protect selected | |
| 5 flash sectors, disallowing erase and program operations in those areas. With | |
| 6 earlier AMD-style flash chips (actual AMD-branded ones prior to introduction of | |
| 7 Spansion brand, as well as Samsung K5A32xx used in Openmoko devices) this | |
| 8 sector-level write protection can only be applied or lifted by way of external | |
| 9 programming equipment, executing special commands with a high voltage applied | |
| 10 to one of the pins - hence when the chip resides on a product board, no new | |
| 11 sector locks can be applied. (We are not aware of any Calypso GSM device manuf | |
| 12 who locked some flash sectors and then populated the chip onto the board in | |
| 13 that state.) | |
| 14 | |
| 15 With newer Spansion and Samsung flash families, however, sector locks became | |
| 16 more easily accessible: they have Persistent Protection Bits (PPBs) which can | |
| 17 be programmed (locking a sector or a group of sectors) and erased (removing all | |
| 18 such locks) in-system under normal operating conditions, using only special | |
| 19 software commands. These flash chips also have "hard" locking modes: a Password | |
| 20 Sector Protection mode in which PPBs can only be modified after feeding a | |
| 21 matching 64-bit key to the chip, and an OTP "master lock" mode in which the | |
| 22 ability to erase PPBs is irreversibly disabled, locking all write-protected | |
| 23 sectors forever - but so far we (FreeCalypso community) have not yet encountered | |
| 24 any devices in which any of these "hard" locks have been activated. There is, | |
| 25 however, at least one Calypso-based phone out there (Sony Ericsson K2x0 family) | |
| 26 in which the shipping state of the device includes some flash sector locks - | |
| 27 but these locks are of the "soft" kind, removable by performing a PPB erase | |
| 28 operation which is not further blocked. | |
| 29 | |
| 30 As of fc-host-tools-r21, fc-loadtool provides support for programming and | |
| 31 erasing PPBs on select Spansion and Samsung flash chips, primarily aimed at | |
| 32 unlocking flash regions that have been write-protected by previous parties. | |
| 33 It is very helpful, however, to understand some theory before using these | |
| 34 commands, which the present document aims to explain. | |
| 35 | |
| 36 Spansion and Samsung flash chips that feature PPBs have one PPB per sector or | |
| 37 per sector group - some sectors are aggregated into groups (of 4 sectors max) | |
| 38 for the purpose of write protection control. All of these PPBs are contained | |
| 39 in one special-purpose non-volatile memory element inside the flash chip, and | |
| 40 this NV memory element behaves like a little flash sector of its own: it has a | |
| 41 program operation, affecting each PPB individually, and an erase operation that | |
| 42 affects all PPBs across the chip at once. (See How-flash-really-works article | |
| 43 for an explanation of program and erase operations.) The programmed state of a | |
| 44 PPB corresponds to the associated flash sector or sector group being locked | |
| 45 (write-protected), and the erased state of a PPB corresponds to the flash | |
| 46 location being unlocked (free to erase and program at will). | |
| 47 | |
| 48 fc-loadtool commands for manipulating PPBs are flash ppb-program and flash | |
| 49 ppb-erase-all; they are named in this manner (as opposed to a naming scheme | |
| 50 based on "lock/unlock" or "protect/unprotect") to emphasize the physical nature | |
| 51 of what they actually do in the flash chip. flash ppb-program command (or | |
| 52 flash2 ppb-program for the second bank of 16 MiB flash chips) addresses a | |
| 53 specific sector and programs that sector's PPB, causing the sector to become | |
| 54 write-protected; flash ppb-erase-all erases all PPBs across the flash chip, | |
| 55 causing the entire main flash array to become unlocked for write operations. | |
| 56 | |
| 57 The internal implementation of these PPB manipulation commands is very different | |
| 58 between PL-J and PL-N flash types, as required by the respective flash chip | |
| 59 families presenting a very different type of command interface for PPB | |
| 60 operations. The command interface implemented on Spansion PL-J family and at | |
| 61 least some Samsung flash chips (K5L29xx in particular) exposes the raw physics | |
| 62 of the flash (see How-flash-really-works article) to the user for PPB | |
| 63 operations, requiring flashing software tool developers to understand all of | |
| 64 that theory and implement it in practice. OTOH, the command interface for PPB | |
| 65 program and erase operations implemented on Spansion PL-N family (of which only | |
| 66 PL129N is usable with Calypso) brings these special operations into harmony with | |
| 67 ordinary flash programming and erasure procedures. We don't know (and may never | |
| 68 know) if Spansion aimed to simplify life for flash low-level driver implementors | |
| 69 or if internal advancements from PL-J to PL-N flash necessitated some changes | |
| 70 in physics-level program/erase algorithms and Spansion didn't feel like exposing | |
| 71 the internal details of their newer flash - but the practical implication for us | |
| 72 is that we had to implement two different code paths to support both ways of | |
| 73 performing these operations, as we need to support all flash chip types that are | |
| 74 found in Calypso GSM devices of different ages. | |
| 75 | |
| 76 It also needs to be noted that at least in Spansion PL-J and Samsung flash chips | |
| 77 the special non-volatile memory element that holds PPBs has a *very* limited | |
| 78 number of program-erase cycles: the datasheets we were able to find give a limit | |
| 79 of 100 (1e2) cycles for this special NV memory element, compared to 1e5 cycles | |
| 80 promised by the same datasheets for the main flash array. So please beware, | |
| 81 and avoid needlessly cycling these write protection bits. |