Application Note Please read the Important Notice and Warnings at the end of this document 002-29058 Rev. *A
www.infineon.com page 1 of 36 2021-02-24
AN229058
Secure Firmware Over-The-Air (FOTA) Update in
Traveo II
About this document
Scope and purpose
AN229058 explains the different steps involved in developing a secure and reliable Firmware Over-The-Air
(FOTA) update in Traveo™ II MCU. Note that this document does not explain the setting up of a wireless
interface to perform an update over the air, rather explains how a logical flash bank in the Traveo II MCU can be
updated with the new image and how reliably (using Traveo II MCU’s Secure Boot Mechanisms) the boot code
can jump to the new image if successfully authenticated.
Table of contents
About this document ....................................................................................................................... 1
Table of contents ............................................................................................................................ 1
1 Introduction .......................................................................................................................... 3
2 Introduction to FOTA .............................................................................................................. 4
2.1 Challenges with Conventional FOTA (without Secure Boot) ................................................................. 4
3 Bank Switching Mechanism in Traveo II .................................................................................... 6
4 Introduction to Secure Boot .................................................................................................... 7
4.1 Secure Boot Mechanism for Secure FOTA .............................................................................................. 7
4.1.1 Dual Bank Manager ............................................................................................................................ 8
4.1.2 ROM Boot Functions for FOTA ........................................................................................................... 8
4.1.3 Flash Boot Functions for FOTA .......................................................................................................... 8
4.1.4 Dual Bank Manager Functions for FOTA ............................................................................................ 8
4.1.5 CM0+ Application Functions for FOTA ............................................................................................... 8
4.1.6 Chain of Trust (CoT) for Secure FOTA ................................................................................................ 9
4.1.7 Work Flash Marker .............................................................................................................................. 9
5 Dual Bank Manager ................................................................................................................ 11
5.1 Disabling Interrupts ............................................................................................................................... 12
5.2 Updating VTOR ...................................................................................................................................... 12
5.3 Disabling SRAM ECC Check ................................................................................................................... 12
5.4 Initializing Stack .................................................................................................................................... 13
5.5 Initializing SRAM Function Memory Region and Enabling ECC Check ................................................ 13
5.6 Disabling Work Flash Bus Error ............................................................................................................. 14
5.7 Pseudo Code .......................................................................................................................................... 14
5.7.1 Magic Word Check ............................................................................................................................ 16
5.7.2 Authentication Check ....................................................................................................................... 16
5.7.3 Authentication Failure ..................................................................................................................... 18
5.7.4 SFlash to SRAM Copy ........................................................................................................................ 18
5.8 Digital Signature Verification Function ................................................................................................ 19
6 SRAM Function for Flash Bank Management ............................................................................. 21
6.1 Configure Flash as Dual Bank ............................................................................................................... 21
6.2 Configure Flash Map .............................................................................................................................. 22
Application Note 2 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Table of contents
6.3 Memory Barrier Operations and Cache Invalidation ........................................................................... 22
6.4 Branch to CM0+ Application .................................................................................................................. 23
7 Summary ............................................................................................................................. 24
8 Appendix - Dual Bank Manager: Dependencies .......................................................................... 25
8.1 Constants ............................................................................................................................................... 25
8.2 Dual Bank Manager Vector Table .......................................................................................................... 26
8.3 SRAM Function Space Reservation ....................................................................................................... 27
8.4 Macros .................................................................................................................................................... 28
8.4.1 flashmarkers ..................................................................................................................................... 28
8.4.2 addrmarker ....................................................................................................................................... 28
8.4.3 ramdatamarker ................................................................................................................................ 28
8.5 CySAF ..................................................................................................................................................... 29
8.6 TOC2 Details .......................................................................................................................................... 29
8.7 Transition to Secure .............................................................................................................................. 31
8.8 Required Tools ...................................................................................................................................... 32
Glossary ....................................................................................................................................... 33
Related Documents ........................................................................................................................ 34
Revision history............................................................................................................................. 35
Application Note 3 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction
1 Introduction
This application note describes how FOTA (Firmware Over-The-Air) updates can be securely performed in
Cypress Traveo™ II MCUs. The series includes Arm® Cortex®-M CPUs with enhanced secure hardware extension
(eSHE) or Hardware Security Module (HSM), CAN FD, memory, and analog and digital peripheral functions in a
single chip.
In the Automotive embedded systems, FOTA update is a remote software management technology that helps
to perform wireless firmware upgrade on the device. Upgrading the device firmware once it is on the field might
be essential especially when the system demands critical bug fixes, addition of a new feature, removal of an
existing feature, and so on.
The complete implementation of FOTA is highly dependent on the device architecture (here Traveo II device).
Traveo II MCU’s internal Code Flash architecture supports Dual Bank Modes, which are mainly targeted for
FOTA applications. This architecture ensures that the existing application is uninterrupted while a FOTA update
happens and the new application is launched securely. The FOTA update should also mandate a roll-back
mechanism to the old firmware if the new update is corrupted or interrupted for any reason.
This application note mainly focuses on the development of a Dual Bank Manager code, which helps you to
check the validity of the new application image (using Cryptographic authentication functions) and then ensure
that the validated image is launched by correctly modifying the Flash Bank and Remap registers.
Note that this is an advanced application note. See the following application notes before proceeding:
• AN220242 - Flash Rewriting Procedure for Traveo II Family
• AN228680 - Secure System Configuration in Traveo II Family
Application Note 4 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to FOTA
2 Introduction to FOTA
Figure 1 illustrates a typical example for a FOTA system in the automotive network.
Figure 1 Typical FOTA System
The master Electronic Control Unit (ECU) communicates with the Cloud to receive the new image. It can then
implement a Gateway (based on CAN-FD for example) to update the images of the other Traveo II subsystems
like the HVAC system and the Body Control Module. This communication can also be made secured using
Crypto encryption and decryption and by using Protection Units (for example, Software Protection Units
(SWPUs)), which allows only those ECUs with privileges for Flash Writes to perform flash upgrades.
Traveo II device supports True FOTA. This means that the:
• Update of the software image happens in the background. There is no interruption of application service.
• Update can be rolled back if there is a failure or as needed by the application.
This True FOTA is possible with Traveo II device as it supports:
• Dual bank Flash
• Read-while-write memory, allowing execution of software (read) while programming (write)
• Multiple levels of security and secure boot
2.1 Challenges with Conventional FOTA (without Secure Boot)
Figure 2 shows the Code Flash memory mapping for an 8-MB memory in Traveo II device.
Application Note 5 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to FOTA
Figure 2 Code Flash Memory Mapping for 8-MB Code Flash
FOTA architecture uses Dual Bank Mode. If there is a power failure or any other hardware issues during the
FOTA upgrade, Traveo II device might enter a corrupted state. For instance, if there is a FOTA request while the
application is executing code in Mapping B, the new image must be written to Logical Flash Bank 0. Now, if
there is a power failure or corruption while the first few sectors were getting updated, Traveo II device could
enter into a lock-up or corrupted state after the next reset because Flash boot always executes in Single Bank
mode and by default jumps to the address specified by the Address of First User Application Object (that has
the vector table, which is now corrupted) in TOC2 (see section 8.6). Implementing a secure boot mechanism
based on the techniques discussed in this application note will help mitigate this issue.
Application Note 6 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Bank Switching Mechanism in Traveo II
3 Bank Switching Mechanism in Traveo II
In Traveo II family MCUs, OTA functionality is handled by two separate bits in the FLASHC_FLASH_CTL register.
The MAIN_BANK_MODE bit is used to configure flash bank mode between Single and Dual Banks. MAIN_MAP bit
is used to configure flash region between Mapping A and Mapping B. Both these bits are cleared by reset. ROM
boot and Flash boot do not touch these configurations. In other words, Traveo II family MCU always boots up in
Single Bank mode before the Arm Cortex-M0+ program starts. The application needs to configure dual bank
and remap function as required.
Note: The MAIN_BANK_MODE bit is part of the FLASHC_FLASH_CTL register. Dual Bank mode is enabled
if FLASHC_FLASH_CTL.MAIN_BANK_MODE = 1.
Note: The MAIN_MAP bit is also part of the FLASHC_FLASH_CTL register. Mapping A is used if this bit is “0”
and Mapping B is used if this bit is “1”.
For more details on FLASHC_FLASH_CTL register, see the Registers Technical Reference Manual (TRM).
Note that the Dual Bank Manager software which is intensively discussed in the application note configures the
Bank Mode and Mapping registers based on certain criteria. This Dual Bank Manager software is programmed
to the user SFlash memory and is triggered by CM0+ after the normal Flash Boot operations.
For more details on Bank switching, see AN220242 - Flash Rewriting Procedure for Traveo II Family.
Also, note that the bits MAIN_BANK_MODE and MAIN_MAP must not be modified by any code executed from the
Code Flash or SFlash as this involves sudden changes in the Flash geometry. In the implementation described
in this application note, Dual Bank Manager copies a code from SFlash to SRAM, and this code which is
executed out of SRAM configures these bits.
Application Note 7 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to Secure Boot
4 Introduction to Secure Boot
This section introduces Traveo II MCU’s boot sequence. For a detailed description of Traveo II MCU’s security
features, different lifecycle stages, and implementation of secure boot sequence, see AN228680 - Secure
System Configuration in Traveo II Family.
Traveo II MCU’s boot sequence (Figure 3) is based on the ROM boot code and flash boot code implemented for
different lifecycle stages. Figure 3 shows how the CM0+ operation starts from reset. After reset, CM0+ starts
executing from ROM boot. ROM boot validates SFlash. After validation of SFlash is complete, execution jumps
to flash boot and configures the DAP as needed by the protection state. Notice the color coding that depicts the
memory type where data and code reside.
SFlash Validation
(HASH Calculation)
Data
System Reset
FACTORY_HASH (Normal)
SECURE_HASH (Secure)
Data pointed to in TOC (1 & 2)
* Trim Values
* Unique ID
* Flash Boot Code
* Public Key (Secure Only)
HASH Valid?
Validate Secure Image
(Validate Digital Signature,
default is RSA-2048 )
Valid
Signature?
Public Key
Secure Image
Digital Signature
Secure Image Code
Jump to Flash Boot
Execute Secure Image
Error
(Idle Loop)
Error
(Idle Loop)
Valid
Invalid
Invalid
Valid
Note:
In Normal Protection State, the
FACTORY_HASH is used to Verify.
In Secure Protection State, the
SECURE_HASH is used to Verify.
Data
Data
Data
Note:
Generate or Edit the following Fields:
* Secure Image with Digital Signature
* Public Key
* TOC2
: Data or code is located in ROM.
: Data or code is located in Sflash memory.
: Data or code is located in Flash memory.
: Data or code is located in eFuse.
Figure 3 Traveo II Boot Sequence
The flash boot then validates the first application listed in TOC2 and jumps to its entry point, if validated. This
image is the secure image. If the secure image is found to be invalid or corrupted, the CPU will jump to an idle
loop and stay in the idle loop until the device is reset.
4.1 Secure Boot Mechanism for Secure FOTA
The Secure FOTA architecture and sample codes proposed with this application note uses a slightly different
mechanism for the secure boot process. The proposed architecture and software assume that you transition
the Traveo II device lifecycle stage to Secure or Secure with Debug after the following updates are done:
• User SFlash rows (Row 4 to Row 7) are programmed with the Dual Bank Manager code. For more details on
SFlash rows, see the Traveo II MCU Programming Specifications document.
Application Note 8 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to Secure Boot
• Public key is programmed to the SFlash Rows (Row 45 to Row 50).
• TOC2 is programmed to SFlash Row 62.
Note that when Traveo II device transitions to secure lifecycle stage, the SFlash rows can no longer be
programmed. Also, the transition to secure lifecycle stage will compute the Secure Hash and blow the
associated E-Fuse bits.
4.1.1 Dual Bank Manager
This application note majorly focusses on the development of a Dual Bank Manager code, which helps in
validating the CM0+ application image and accordingly updates the Flash Bank and Remap registers to execute
code from the correct Flash Bank. For software details and complete implementation of this Dual Bank
Manager, see Dual Bank Manager. Note that this Dual Bank Manager code is implemented in the User SFlash
rows as part of SFlash (SFlash Row 4 to SFlash Row 7).
Dual Bank Manager is developed according to the Cypress Secure Application Format (CySAF), but with no
added digital signatures or space restricted for digital signatures. This provides additional advantage of storing
any other user-specific data in the available SFlash user rows. This Dual Bank Manager code is then added as an
additional object in TOC2 and will be authenticated by the ROM boot. To know more about the TOC2 structure,
see section 8.6.
4.1.2 ROM Boot Functions for FOTA
When Traveo II device is in the Secure Lifecycle stage, the ROM boot also validates the contents of TOC2 against
the SECURE_HASH in E-Fuse. Since the Dual Bank Manager code is added as an additional object in the TOC2,
its authenticity is also automatically validated by the ROM boot code. Since the Dual Bank Manager code is part
of SFlash memory, which is no longer programmable beyond Secure Lifecycle stage, the probability of any
corruption in the Dual Bank Manager is also minimal. Once the ROM boot has successfully validated all
necessary objects, ROM boot code jumps to the Flash Boot Code.
4.1.3 Flash Boot Functions for FOTA
In the proposed architecture in this application note, Application Authentication Control by the Flash Boot is
disabled. This means TOC2_FLAGS. APP_AUTH_CTL = 1. Also, the Dual Bank Manager address is provided as the
CM0+ First Application Object in TOC2. Hence, the Flash boot code directly jumps to the Dual Bank Manager.
There is no risk involved even if the authentication is disabled since the Dual Bank Manager code was already
authenticated by the ROM boot.
4.1.4 Dual Bank Manager Functions for FOTA
In the proposed architecture in this application note, CM0+ image is built according to CySAF. This means that
there is a digital signature (encrypted using Private Key) associated with this image and associated public keys
in the SFlash. The Dual Bank Manager checks the validity of this secure image. It first checks the validity of the
latest image, which is updated over FOTA. If the new image is invalid, it checks the validity of the old image. The
Dual Bank Manager then updates the Flash bank and Remap registers to set the correct logical bank/mapping,
and then jumps to the CM0+ application image. If both images are invalid, the Dual Bank Manager will be in an
infinite loop.
4.1.5 CM0+ Application Functions for FOTA
CM0+ image which is now authenticated by the Dual Bank Manager can additionally authenticate the CM4 or
CM7 application image. This should be done by the CM0+ application image and is not automatically done by
Traveo II Boot code or by the Dual Bank Manager.
Application Note 9 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to Secure Boot
4.1.6 Chain of Trust (CoT) for Secure FOTA
Summarizing steps 4.1.2 to 4.1.5, the CoT during the device boot happens in the following order in the SECURE
protection state.
ROM BOOT FLASH BOOT
DUAL BANK
MANAGER
CM0+ IMAGE CM4/CM7 IMAGE
Table 1 summarizes the protection mechanism for each component involved in the boot flow in secure FOTA.
Table 1 Components Involved in Secure FOTA
Boot Component
Launched By
Protection Mechanism
Function
ROM Boot
Reset
Inherit (This is fixed by design)
ROM boot authenticates the
Flash boot and the Dual Bank
Manager code (which is added
as an extra object in TOC2) and
jumps to Flash boot.
Flash Boot
ROM Boot
SECURE_HASH check which is
performed by the ROM Boot
Flash boot triggers the Dual
Bank Manager function.
Dual Bank Manager
Flash Boot
SECURE_HASH check which is
performed by ROM Boot since this
code is added as an additional
object in TOC2
Dual Bank Manager validates
the new CM0+ image over FOTA
and updates the Flash
Bank/Mapping registers
accordingly. Dual Bank
Manager then jumps to the
CM0+ image.
CM0+ Image
Dual Bank
Manager
Dual Bank Manager checks the
digital signature authentication of
the CM0+ image using the public
keys that are programmed to
SFlash
CM0+ image can validate the
authenticity of the CM4/CM7
application image and can
jump to it if valid.
CM4/CM7 Image
CM0+ Image
CM0+ image checks the digital
signature authentication of the
CM4/CM7image using the public
keys that are programmed to
SFlash.
CM4/CM7 image is the main
application image.
4.1.7 Work Flash Marker
Since MAIN_BANK_MODE and MAIN_MAP bits of FLASHC_FLASH_CTL register are volatile, the values on these
bits will not be retained across resets. Hence, to update this register in the Dual Bank Manager, the support of
some nonvolatile memory is required. Small sector of the Work Flash (128 Bytes) is a suitable memory for this
purpose.
In the implementation described in this application note, first small sector of the Work Flash is used. Note that
this sector is reserved for FOTA and no other information will be stored in this sector as it will be erased and
written after every successful FOTA update. It is recommended to configure a SWPU object to protect this
sector from any unintended erase or program. If FOTA is completed in Map A, the first 32 bits of this Work Flash
sector is updated to 0xAAAAAAAA (Magic Word) and if FOTA is completed in Map B, it is updated to 0xFFFFFFFF.
Application Note 10 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Introduction to Secure Boot
There is a probability that the FOTA update might be interrupted during the Work Flash update and the Work
Flash sector gets erased. The contents of an erased Work Flash sector are unpredictable. To avoid any ECC
errors and associated Bus Faults while reading Work Flash in erased state, the FLASHC_FLASH_CTL.
WORK_ERR_SILENT is set in the Dual Bank Manager before reading the Work Flash. Note that this bit will be
enabled later in the application.
Note: This Work Flash marker only indicates which Mapping will be applied to MAIN_MAP bit of
FLASHC_FLASH_CTL register. The start addresses of the applications (for authentication checks)
are stored in SFlash. The addresses are CY_APP_START_ADDR_LB and CY_APP_START_ADDR_UB.
See section 8.1.
Application Note 11 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
5 Dual Bank Manager
Figure 4 shows the flowchart for the Dual Bank Manager. For details on flashmarkers, see section 8.4.1.
Note that the Dual Bank Manager must be developed according to CySAF format and placed at the SFlash
location 0x17000800. This can be done with the support of necessary linker scripts.
Reset
Launch
Dual Bank Manager
Disable CM0+ Interrupts
Update CM0+ VTOR
Disable SRAM ECC Check *
Initialize Stack Memory and
SRAM Memory used by SRAM
Function for Flash Bank
Management *
Enable SRAM ECC Check *
Set
FLASHC_FLASH_CTL.WORK
_ERR_SILENT
Is Marker in
WorkFlash = Magic
Word?
Is Authentication
Flag DISABLED?
Is
Authentication
Flag
DISABLED?
Is
Upper Bank
Valid?
Is Lower
Bank
Valid?
Is
Lower Bank
Valid?
Is
Upper Bank
Valid?
Set Register R6 Clear Register R6
Copy the Flash Bank
Management Function to
SRAM
Invalid
Image
Yes
Yes
Yes
No
No
No
No
Yes
Yes
No No
* This is only applicable for Traveo II devices with 64-bit based ECC SRAM.
No
Yes
Yes
Figure 4 Dual Bank Manager Flow Chart
Application Note 12 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
5.1 Disabling Interrupts
First, the global interrupts are disabled.
; Disable global interrupts
CPSID I
5.2 Updating VTOR
The Vector Table Offset Register (VTOR) of CM0+ is updated to the Dual Bank Manager vector table address.
Since the interrupts are disabled, this will help in catching any Hard Fault occurrences during the execution of
Dual Bank Manager. Other interrupt/exception handlers are fixed to zero in the vector table. See section 8.2 for
the vector table.
; Update Vector Table Offset Register with address of SFlash vector table
LDR r0, =__sflashvector_table
LDR r1, =VTOR
STR r0, [r1]
DSB
5.3 Disabling SRAM ECC Check
The stack region used by the Dual Bank Manager is initialized before any function calls. Since the initialization
of this region is done by CM0+ that allows only 32-bit writes, the Traveo II devices with SRAM based on 64-bit
ECC will perform a read-modify-write operation. So, the ECC check is temporarily disabled for the SRAM.
; CM0+ bus width is 32-bit, but SRAM is built with 64-bit based ECC on Traveo
II parts with CM7 core
; Set CPUSS->RAMx_CTL0.ECC_CHECK_DIS bits to avoid causing unintentional ECC
faults during startup while SRAM ECC has not been initialized yet
; Done for all SRAM macros as the stack/function could be placed any where
based on linker script; this could also be modified only to specific SRAM
macros
#if (defined (tviibh4m) || defined (tviibh8m) || defined (tviic2d6m) ||
defined (tviic2d4m))
MOVS r4, #1
LSLS r4, r4, #19
LDR r1, =CPUSS_RAM0_CTL0
LDR r2, [r1]
ORRS r2, r4
STR r2, [r1]
LDR r1, =CPUSS_RAM1_CTL0
LDR r2, [r1]
ORRS r2, r4
STR r2, [r1]
LDR r1, =CPUSS_RAM2_CTL0
Application Note 13 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
LDR r2, [r1]
ORRS r2, r4
STR r2, [r1]
#endif
5.4 Initializing Stack
The stack memory is initialized to zero. Size of the stack is configured by the
STARTUP_STACK_SIZE_DOUBLE_WORDS macro (See section 8.1).
; Initialize ECC of startup stack
MOVS r0, #0 ; clear value
MOVS r1, #0 ; clear value
LDR r2, flashmarkers+28
startup_stack_ecc_init_loop:
STM r2!, {r0, r1}
CMP r2, sp
BNE startup_stack_ecc_init_loop
5.5 Initializing SRAM Function Memory Region and Enabling ECC Check
The Dual Bank Manager function copies necessary code to SRAM for configuring the Flash banks. The copy
happens in 32 bit writes, so this region is also initialized to zero for Traveo II devices with SRAM based on 64-bit
ECC. ECC check is then enabled again.
; For Traveo II devices with 64-bit based ECC SRAM, initialize ECC of the
region where SRAM function shall be copied later from SFlash
#if (defined (tviibh4m) || defined (tviibh8m) || defined (tviic2d6m) ||
defined (tviic2d4m))
LDR r2, flashmarkers
; Subtract 1 from R2 due to Thumb alignment
SUBS r2, 1
LDR r3, flashmarkers+4
; loop to clear the SRAM
SRAM_function_ecc_init_loop:
STR r1, [r2,r0]
ADDS r0, #8
CMP r0, r3
BCC SRAM_function_ecc_init_loop
Application Note 14 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
; Clear CPUSS->RAMx_CTL0.ECC_CHECK_DIS bits to enable ECC check/correction;
r4 already has the bit position.
LDR r1, =CPUSS_RAM0_CTL0
LDR r2, [r1]
BICS r2, r4
STR r2, [r1]
LDR r1, =CPUSS_RAM1_CTL0
LDR r2, [r1]
BICS r2, r4
STR r2, [r1]
LDR r1, =CPUSS_RAM2_CTL0
LDR r2, [r1]
BICS r2, r4
STR r2, [r1]
#endif
5.6 Disabling Work Flash Bus Error
For more details, see Work Flash Marker.
; Load the address for FLASHC_FLASH_CTL
LDR r4, flashmarkers+8
; Set FLASHC_FLASH_CTL.WORK_ERR_SILENT
; Reading the Work Flash in erased state can cause bus fault when
FLASHC_FLASH_CTL.WORK_ERR_SILENT is 0
MOVS r1, #1
LSLS r1, r1, #22
ORRS r0, r1
STR r0, [r4]
LDR r0, [r4]
5.7 Pseudo Code
The following is the pseudo code for the next steps performed by Dual Bank Manager. Note that the
Authentication_Flag in the pseudo code is the AUTHENTICATION_CHECK macro listed in section 8.1, and is
different from TOC2_FLAGS.APP_AUTH_CTL.
if (WorkFlash_Marker == MAGIC_WORD)
{
if (Authentication_Flag == DISABLE)
{
Application Note 15 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
set reg
RAM func (MAP_B)
}
else
{
if (UpperImage == VALID)
{
set reg
RAM func (MAP_B)
}
else if (LowerImage == VALID)
{
clear reg
RAM func(MAP_A)
}
else
ImageInvalid
}
}
else
{
if (Authentication_Flag == DISABLE)
{
clear reg
RAM func(MAP_A)
}
else
{
if (LowerImage == VALID)
{
clear reg
RAM func(MAP_A)
}
else if (UpperImage == VALID)
{
set reg
RAM func (MAP_B)
}
else
ImageInvalid
Application Note 16 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
}
}
5.7.1 Magic Word Check
Read the Work Flash address and check if it has the magic word.
MagicWordCheck:
; Check if the magic word is present in Work Flash address and branch to
appropriate label
LDR r2, flashmarkers+12 ; Load the address of WorkFlash marker
LDR r0, [r2] ; Load the marker value to r0
LDR r1, flashmarkers+16 ; Load the magic word
LDR r3, flashmarkers+20 ; Load the flag for authentication check
LDR r4, flashmarkers+24 ; Load the AUTHENTICATION_DISABLE for
comparison
CMP r0, r1
BNE Check_MapA_LB
5.7.2 Authentication Check
If the authentication flag is enabled (see 8.4.1), check if the Map A or Map B application has valid digital
signature using the Cy_FB_VerifyApplication function. For details on the _checkLB and _checkUB
functions, see Digital Signature Verification Function.
Check_MapB_UB:
; Check if the authentication check is disabled. If disabled directly jump to
Auth_Skip_MapB. If enabled, perform the authentication.
CMP r3, r4
BEQ Auth_Skip_MapB
; Check if the result of authentication of upper bank image is successful, if
not jump to Check_MapB_LB and check lower bank
BL _checkUB
CMP r0, #1
BNE Check_MapB_LB
Auth_Skip_MapB:
; Jump to the FlashtoRAM_copy function with register r6 set
MOVS r6, #1
B FlashtoRAM_copy
Application Note 17 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
Check_MapB_LB:
; Check if the result of authentication of lower bank image is successful, if
not jump to ImageInvalid, and no application is launched.
BL _checkLB
CMP r0, #1
BNE ImageInvalid
; Jump to the FlashtoRAM_copy copy function with register r6 cleared
MOVS r6, #0
B FlashtoRAM_copy
Check_MapA_LB:
; Check if the authentication check is disabled. If disabled directly jump to
Auth_Skip_MapA. If enabled, perform the authentication.
CMP r3, r4
BEQ Auth_Skip_MapA
; Check if the result of authentication of lower bank image is successful, if
not jump to Check_MapA_UB and check upper bank
BL _checkLB
CMP r0, #1
BNE Check_MapA_UB
Auth_Skip_MapA:
; Jump to the FlashtoRAM_copy function with register r6 cleared
MOVS r6, #0
B FlashtoRAM_copy
Check_MapA_UB:
; Check if the result of authentication of upper bank image is successful, if
not jump to ImageInvalid, no application is launched.
BL _checkUB
CMP r0, #1
BNE ImageInvalid
; Jump to the FlashtoRAM_copy function with register r6 set
MOVS r6, #1
B FlashtoRAM_copy
Application Note 18 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
5.7.3 Authentication Failure
If the authentication of the image in one bank fails, Dual Bank Manager checks the image in the alternate bank.
If both images are invalid, the Dual Bank Manager enters a dead state in an infinite loop.
; Enters this handler when both banks have invalid images
ImageInvalid:
B ImageInvalid
5.7.4 SFlash to SRAM Copy
If a valid image is available in any of the Flash Banks or if the authentication flag is disabled, the
_flashbankswitch function is copied from SFlash to SRAM and the Dual Bank Manager jumps to this SRAM
function.
FlashtoRAM_copy:
; Copy the _flashbankswitch function to SRAM and Dual Bank Manager jumps to
SRAM where the dual bank configuration is done
; Load the register with the source address, destination address and size
ADR r3, _flashbankswitch
LDR r2, flashmarkers
LDR r1, flashmarkers+4
; Subtract 1 from R2 due to Thumb alignment
SUBS r2, #1
; R0 is used for compare operation
MOVS r0, #0
B compare
; loop to copy the complete SFlash function to SRAM
copyloop:
LDR r4, [r3,r0]
STR r4, [r2,r0]
ADDS r0, #4
compare:
CMP r0, r1
BCC copyloop
; Jump to the _flashbankswitch copy function in SRAM with valid r6
Application Note 19 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
LDR r7, flashmarkers
BX r7
5.8 Digital Signature Verification Function
The Dual Bank Manager uses the LowerBankCheck and UpperBankCheck functions to check the
authentication of the Code Flash application. Following is the code for LowerBankCheck.
; Performs authentication of the lower Bank
LowerBankCheck:
.align 4
_checkLB:
PUSH {LR}
; Check if the Application is valid with Cy_FB_VerifyApplication()
; Load the registers with the lower bank parameters for
Cy_FB_VerifyApplication() function
LDR r0, addrmarker+4 ; address of the lower bank image
LDR r1, [r0] ; length of the lower bank image
ADDS r2, r0, r1 ; address of the digital signature
BCS skip_LB_check ; carry bit detected, boundary violation
LDR r4, addrmarker+16 ; end address for the lower bank
CMP r2, r4 ; boundary condition check
BHI skip_LB_check ; skip Cy_FB_VerifyApplication
LDR r3, addrmarker+8 ; address of the public key
; Get the address of Cy_FB_VerifyApplication() from SFlash marker
LDR r4, addrmarker
LDR r7, [r4]
; Call Cy_FB_VerifyApplication() function
BLX r7
skip_LB_check:
POP {PC}
.endf _checkLB
; Performs authentication of the upper Bank
UpperBankCheck:
Application Note 20 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Dual Bank Manager
.align 4
_checkUB:
PUSH {LR}
; Check if the Application is valid with Cy_FB_VerifyApplication()
; Load the registers with the upper bank parameters for
Cy_FB_VerifyApplication() function
LDR r0, addrmarker+12 ; address of the upper bank image
LDR r1, [r0] ; length of the upper bank image
ADDS r2, r0, r1 ; address of the digital signature
BCS skip_UB_check ; carry bit detected, boundary violation
LDR r4, addrmarker+20 ; end address for the upper bank
CMP r2, r4 ; boundary condition check
BHI skip_UB_check ; skip Cy_FB_VerifyApplication
LDR r3, addrmarker+8 ; address of the public key
; Get the address of Cy_FB_VerifyApplication() from SFlash marker
LDR r4, addrmarker
LDR r7, [r4]
; Call Cy_FB_VerifyApplication() function
BLX r7
skip_UB_check:
POP {PC}
.endf _checkUB
Note that UpperBankCheck also uses a similar concept for the Upper bank. This function internally uses the
Cy_FB_VerifyApplication function present in SFlash. The parameters of this function are checked and then
loaded to registers r0-r3. The address of the function is loaded to register r4 and then a jump is performed using
BLX. The boundary conditions for Code Flash memory is also checked within a bank before
Cy_FB_VerifyApplication is called. If the boundary conditions are violated, then
Cy_FB_VerifyApplication is not called and authentication fails. If the digital signature of the Code Flash
application is valid, register r0 will be set to 1; else it will be 0. For details on addrmarker, see section 8.4.2.
Application Note 21 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
SRAM Function for Flash Bank Management
6 SRAM Function for Flash Bank Management
As mentioned in Bank Switching Mechanism in Traveo II, the flash bank management operation is executed
out of SRAM memory. This is the copy of the _flashbankswitch function available in SFlash. Figure 5
shows the implementation of this function. For details on ramdatamarker, see section 8.4.3.
Flash Bank Management
Function in SRAM
Set
FLASHC_FLASH_CTL.MAIN_BANK_
MODE
Is Register
R6 Set?
Set
FLASHC_FLASH_CTL.MAIN_MAP
Clear
FLASHC_FLASH_CTL.MAIN_MAP
Perform Memory Barrier Operations
Invalidate Cache
Jump to Reset Handler of
CM0+ Application
Yes No
Figure 5 SRAM Function Flow Chart
6.1 Configure Flash as Dual Bank
Set the FLASHC_FLASH_CTL.MAIN_BANK_MODE bit to configure dual bank mode.
; Load the address for FLASHC_FLASH_CTL
LDR r4, ramdatamarker
; Set FLASHC_FLASH_CTL.MAIN_BANK_MODE for dual bank mode
LDR r0, [r4]
MOVS r1, #1
LSLS r1, r1, #12
ORRS r0, r1
STR r0, [r4]
LDR r0, [r4]
Application Note 22 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
SRAM Function for Flash Bank Management
6.2 Configure Flash Map
Based on the Magic word and authentication check done earlier, configure FLASHC_FLASH_CTL.MAIN_MAP to
operate in Map A or Map B.
; Set '1' for bit corresponding to FLASHC_FLASH_CTL.MAIN_MAP in register R1
MOVS r1, #1
ADDS r1, #255
; Check if register R6 is set
CMP r6, #1
BNE MapA
; Map B is valid, set the bit corresponding to FLASHC_FLASH_CTL.MAIN_MAP
MapB:
ORRS r0, r1
B common
; Map A is valid, clear the bit corresponding to FLASHC_FLASH_CTL.MAIN_MAP
MapA:
BICS r0, r1
common:
; configure FLASHC_FLASH_CTL.MAIN_MAP
STR r0, [r4]
; read back FLASHC_FLASH_CTL
LDR r0, [r4]
6.3 Memory Barrier Operations and Cache Invalidation
Issue a memory barrier instruction and then invalidate the cache and buffer.
; instruction barrier operation
ISB SY
; invalidate cache and buffers
LDR r0, [r4,8]
MOVS r1, #1
ORRS r0, r1
STR r0, [r4,8]
Application Note 23 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
SRAM Function for Flash Bank Management
; wait till cache and buffers are invalidated
cache_clearloop:
LDR r0, [r4,8]
LSLS r0, r0, #31
BMI cache_clearloop
6.4 Branch to CM0+ Application
Branch to the reset handler of the Code Flash application identified using CySAF format and jump to it.
; jump to the _startcontd function which is the reset handler of the CM0+
application placed at 0x10000000 based on CySAF
LDR r5, ramdatamarker+4 ; Load the starting address of CySAF
LDR r1, [r5,16]
ADDS r1, #16
ADDS r5, r1
LDR r7, [r5,4]
BX r7
.endf _flashbankswitch
Application Note 24 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Summary
7 Summary
This application note explained the different steps involved in the design of secure FOTA update. Note that the
focus was on launching the CM0+ application securely after a FOTA update. This CM0+ application can
additionally authenticate the host application which is based on CM4 or CM7.
Application Note 25 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
8 Appendix - Dual Bank Manager: Dependencies
This section describes the additional dependencies involved in the development of a project involving secure
FOTA. It also describes the necessary constants, macros, vector table configurations, and so on, which are
typically used by the Dual Bank Manager.
8.1 Constants
STARTUP_STACK_SIZE_DOUBLE_WORDS .equ 128
VTOR .equ 0xe000ed08
CPUSS_RAM0_CTL0 .equ 0x40201300
CPUSS_RAM1_CTL0 .equ 0x40201380
CPUSS_RAM2_CTL0 .equ 0x402013a0
; Macros used for flash configurations
MAGIC_WORD .equ 0xAAAAAAAA
ADDR_MAKER_ON_WORK .equ 0x14012000
FLASHC_FLASH_CTL .equ 0x40240000
; Macros used for application authentication
CY_FB_VERIFYAPP_ADDR .equ 0x17002040
CY_PUBLIC_KEY_ADDR .equ 0x17006408
CY_APP_START_ADDR_LB .equ 0x10000000
; Macro to enable application authentication by Dual Bank Manager
AUTHENTICATION_ENABLE .equ 0x00000001
; Macro to disable application authentication by Dual Bank Manager
AUTHENTICATION_DISABLE .equ 0x55555555
; The following macros should be set by user based on the device and
requirement
; Set AUTHENTICATION_CHECK to AUTHENTICATION_ENABLE or AUTHENTICATION_DISABLE
AUTHENTICATION_CHECK .equ AUTHENTICATION_ENABLE
; Mid-Point of the Large sectors in single bank mode for Traveo II 1M device.
This value shall be modified based on the Target Device. Application intended
to be executed out of Map B shall be placed at this starting address.
Application Note 26 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
CY_APP_START_ADDR_UB .equ 0x10078000
; Macro used for the flash boundary check. This macro has the value ( Map A/B
Large sector end address in single bank mode - size of the digital signature
(256 bytes)) for Traveo II 1M device. These values shall be modified based on
the Target Device
CY_APP_END_ADDR_LB .equ 0x10077F00 ; 0x10078000 -
0x100
CY_APP_END_ADDR_UB .equ 0x100EFF00 ; 0x100F0000 -
0x100
; For CYT2B78CAE the user reset handler is _startcontd which is continuation
of the SFlash _start
User_Reset_Handler .equ _startcontd
8.2 Dual Bank Manager Vector Table
; This is the vector table required for CySAF of the Dual Bank Manager. Only
the first 4 entries are used, others are filled with zero.
.section ".sflashintvec", "a"
; align to 256 bytes, because CM0_VECTOR_TABLE_BASE register only
supports address bits [31:8]
.align 256
__sflashvector_table:
DCD __ghsend_stack
DCD _start
DCD Exception_handler
DCD Exception_handler
DCD 0
DCD 0
DCD 0
__sflashvector_table_0x1c:
DCD 0
DCD 0
DCD 0
DCD 0
DCD 0
DCD 0
DCD 0
Application Note 27 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
DCD 0
DCD 0
; External interrupts PowerMode Description
DCD 0 ; DeepSleep CPU User Interrupt #0
DCD 0 ; DeepSleep CPU User Interrupt #1
DCD 0 ; DeepSleep CPU User Interrupt #2
DCD 0 ; DeepSleep CPU User Interrupt #3
DCD 0 ; DeepSleep CPU User Interrupt #4
DCD 0 ; DeepSleep CPU User Interrupt #5
DCD 0 ; DeepSleep CPU User Interrupt #6
DCD 0 ; DeepSleep CPU User Interrupt #7
; These IRQs can only be triggered by SW via NVIC regs
DCD 0 ; Active CPU User Interrupt #8
DCD 0 ; Active CPU User Interrupt #9
DCD 0 ; Active CPU User Interrupt #10
DCD 0 ; Active CPU User Interrupt #11
DCD 0 ; Active CPU User Interrupt #12
DCD 0 ; Active CPU User Interrupt #13
DCD 0 ; Active CPU User Interrupt #14
DCD 0 ; Active CPU User Interrupt #15
.endo __sflashvector_table
8.3 SRAM Function Space Reservation
; SRAM section to reserve space for SRAM function needed for flash bank
configurations
.section ".ramprog", "awx"
.align 8
; number of bytes for to allocated in ramprog for _flashbankswitchramcopy
_flashbankswitchsize .equ (_flashbankswitchend - _flashbankswitch)
_flashbankswitchramcopy:
.space _flashbankswitchsize
#endif
Application Note 28 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
8.4 Macros
8.4.1 flashmarkers
; Markers for flash copy operation
.align 4
flashmarkers:
DCD _flashbankswitchramcopy ; flashmarkers
DCD _flashbankswitchsize ; flashmarkers+4
DCD FLASHC_FLASH_CTL ; flashmarkers+8
DCD ADDR_MAKER_ON_WORK ; flashmarkers+12
DCD MAGIC_WORD ; flashmarkers+16
DCD AUTHENTICATION_CHECK ; flashmarkers+20
DCD AUTHENTICATION_DISABLE ; flashmarkers+24
DCD (__ghsend_stack - (#STARTUP_STACK_SIZE_DOUBLE_WORDS * 8));
flashmarkers+28
.endo flashmarkers
8.4.2 addrmarker
; Markers used by the LowerBankCheck and UpperBankCheck functions
.align 4
addrmarker:
DCD CY_FB_VERIFYAPP_ADDR ; addrmarker
DCD CY_APP_START_ADDR_LB ; addrmarker+4
DCD CY_PUBLIC_KEY_ADDR ; addrmarker+8
DCD CY_APP_START_ADDR_UB ; addrmarker+12
DCD CY_APP_END_ADDR_LB ; addrmarker+16
DCD CY_APP_END_ADDR_UB ; addrmarker+20
.endo addrmarker
8.4.3 ramdatamarker
; Markers used by the RAM function
.align 4
ramdatamarker:
DCD FLASHC_FLASH_CTL ; ramdatamarker
DCD CY_APP_START_ADDR_LB ; ramdatamarker+4
.endo ramdatamarker
Application Note 29 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
8.5 CySAF
When the Traveo II device is in SECURE protection state, Flash boot can launch an application based on CySAF
format only. For details on the format used by CySAF, see the Application Formats section of the Architecture
TRM.
The Dual Bank Manager launched by Flash Boot will be based on CySAF format.
8.6 TOC2 Details
ROM Boot and Flash Boot uses the contents present in TOC2 for various operations. Table 2 shows the
modifications done to TOC2 as part of secure FOTA.
Table 2 TOC2 for Secure FOTA
Offset
Purpose
Default
Value
Modified
Value
Comments
0x00
Object size in bytes for CRC calculation starting
from offset 0x00
0x00001FC
0x04
Magic number (Fixed: 0x01211220)
0x01211220
0x08
Null-terminated table of pointers representing
the SMIF configuration structure
0x00000000
0x0C
Address of First User Application Object
0x10000000
0x17000800
Dual Bank
Manager which
is launched by
Flash Boot
0x10
Format of First User Application Object.
0: Basic, 1: Cypress standard, 2: Simplified
0x00000000
0x1
CySAF format
has to be used in
SECURE
protection state
0x14
Address of Second User Application Object
Second user application is validated if the first
application validation failed
0x00000000
0x18
Format of Second User Application Object.
0: Basic, 1: Cypress standard, 2: Simplified
0x00000000
0x1C
Address of First CM4 or CM7 core1 User
Application Object
0x00000000
0x20
Address of Second CM4 or CM7 core1 User
Application Object
0x00000000
0x24
Address of First CM4 or CM7 core2 User
Application Object
0x00000000
0x28
Address of Second CM4 or CM7 core2 User
Application Object
0x00000000
0x100
Number of additional objects to be verified
for SECURE_HASH
0x00000003
4
Dual Bank
Manager is
added as an
additional
object
Application Note 30 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
Offset
Purpose
Default
Value
Modified
Value
Comments
0x104
Address of signature verification key (0 if
none).
The object is signature specific key. It is the
public key in case of RSA.
0x00000000
0x17006400
Address where
the public key
which is used for
signature
authentication
(this is not used
when
APP_AUTH_CTL
is disabled) is
available
0x108
Address of Application Protection
0x17007600
This area shall
not be modified
0x10C
Reserved
0x00000000
This area shall
not be modified
0x110
Additional object
0x00000000
0x17000800
Dual Bank
Manager
0x1140x1F0
Additional objects if needed, or 0s if none
0x00000000
0x1F4
TOC2 REVISION
-
0x1F8
Controls default configuration
Bits [1:0]: CLOCK_CONFIG
Flag to indicate clock frequency configuration.
The clock should stay the same after flash boot
execution.
Value
[1:0]
Description
0x0
8 MHz, IMO, no FLL
0x1
25 MHz, IMO + FLL
0x2
50MHz, IMO + FLL (Default)
0x3
Use ROM boot clocks
configuration (100 MHz)
Bits [4:2]: LISTEN_WINDOW
Flag to determine the Listen window to allow
sufficient time to acquire debug port.
Value
[4:2]
Description
0x0
20 ms (Default)
0x1
10 ms
0x2
1 ms
0x3
0 ms (No Listen window)
0x4
100 ms
Others
Reserved
Bits [6:5]: SWJ_PINS_CTL
0x00000242
0x000002C2
Authentication
by Flash Boot is
disabled (bits
[8:7] is 0x1)
Application Note 31 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
Offset
Purpose
Default
Value
Modified
Value
Comments
Flag to determine if SWJ pins are configured in
SWJ mode by flash boot. Note: SWJ pins may be
enabled later in the user code.
Value
[6:5]
Description
0x0
Do not enable SWJ pins in Flash
boot. Listen window is skipped.
0x1
Do not enable SWJ pins in Flash
boot. Listen window is skipped.
0x2
Enable SWJ pins in Flash boot
(default)
0x3
Do not enable SWJ pins in Flash
boot. Listen window is skipped.
Bits [8:7]: APP_AUTH_CTL
Flag to determine if the application image
digital signature verification (authentication) is
performed:
Value
[8:7]
Description
0x0
Authentication is enabled
(default).
0x1
Authentication is disabled.
0x2
Authentication is enabled
(recommended).
0x3
Authentication is enabled.
Bits [10:9]: FB_BOOTLOADER_CTL
Flag to determine if the internal bootloader in
flash boot is disabled:
Value [9]
Description
0x0
Internal bootloader is disabled.
0x1
Internal bootloader is launched if
other bootloader conditions are
met (default).
0x2
Internal bootloader is disabled.
0x3
Internal bootloader is disabled.
8.7 Transition to Secure
Traveo II devices are shipped to customers in NORMAL_PROVISIONED lifecycle state. Transition to Secure
system call is used to transition to SECURE lifecycle state. Note that the SFlash memory must be correctly
programmed before transitioning to SECURE state since SFlash writes are not allowed after transitioning to
SECURE.
Application Note 32 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Appendix - Dual Bank Manager: Dependencies
For more details, see the Transition to Secure section of the Architecture TRM. During the transition to secure
lifecycle stage, the SECURE_HASH will be calculated for all necessary objects including the Dual Bank Manager
as it is added as an additional object in TOC2.
8.8 Required Tools
Following are some tools that might be required to support various operations:
• OpenSSL
• Cypress Auto Flash Utility 1.0
• cymcuelftool
• Python 3
For example, Cypress Auto Flash Utility 1.0 supports SFlash programming. It can be used for programming Dual
Bank Manager and TOC2. OpenSSL can be used for generating Private and Public keys, while cymcuelftool
supports generation of digital signature for an application. Note that these tools are only for demonstration
purposes and may not be used for production designs.
For more details on these tools, see AN228680 - Secure System Configuration in Traveo II Family.
Application Note 33 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Glossary
Glossary
Terms
Description
CPU
Central Processing Unit
NVIC
Nested vectored interrupt controller
NMI
Non-maskable interrupt
IRQ
Interrupt request
FOTA
Firmware Over The Air
OTA
Over The Air
SWPU
Software Protection Unit
ECC
Error Correction Code
ROM
Read Only Memory
SFlash
Supervisory Flash
SRAM
Static Random-Access Memory
TOC
Table Of Contents
CySAF
Cypress Secure Application Format
Application Note 34 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Related Documents
Related Documents
The following are the Traveo II family series datasheets and Technical Reference Manuals. Contact Technical
Support to obtain these documents.
[1] Device datasheet
− CYT2B7 Datasheet 32-Bit Arm
®
Cortex®-M4F Microcontroller Traveo™ II Family
− CYT2B9 Datasheet 32-Bit Arm
®
Cortex®-M4F Microcontroller Traveo™ II Family
− CYT4BF Datasheet 32-Bit Arm
®
Cortex®-M7 Microcontroller Traveo™ II Family
− CYT4DN Datasheet 32-Bit Arm
®
Cortex®-M7 Microcontroller Traveo™ II Family
− CYT3BB/4BB Datasheet 32-Bit Arm
®
Cortex®-M7 Microcontroller Traveo™ II Family
[2] Body Controller Entry Family
− Traveo™ II Automotive Body Controller Entry Family Architecture Technical Reference Manual (TRM)
− Traveo™ II Automotive Body Controller Entry Registers Technical Reference Manual (TRM) for CYT2B7
− Traveo™ II Automotive Body Controller Entry Registers Technical Reference Manual (TRM) for CYT2B9
[3] Body Controller High Family
− Traveo™ II Automotive Body Controller High Family Architecture Technical Reference Manual (TRM)
− Traveo™ II Automotive Body Controller High Registers Technical Reference Manual (TRM) for CYT4BF
− Traveo™ II Automotive Body Controller High Registers Technical Reference Manual (TRM) for CYT3BB/4BB
[4] Cluster 2D Family
− Traveo™ II Automotive Cluster 2D Family Architecture Technical Reference Manual (TRM)
− Traveo™ II Automotive Cluster 2D Registers Technical Reference Manual (TRM)
[5] Application Notes
− AN228680 - Secure System Configuration in Traveo™ II Family
− AN220242 - Flash Rewriting Procedure for Traveo™ II Family
Application Note 35 of 36 002-29058 Rev. *A
2021-02-24
Secure Firmware Over-The-Air (FOTA) Update in Traveo II
Revision history
Revision history
Document
version
Date of release
Description of changes
**
2020-06-03
New Application Note.
*A
2021-02-24
Migrated to Infineon template
Trademarks
All referenced product or service names and trademarks are the property of their respective owners.
Edition 2021-02-24
Published by
Infineon Technologies AG
81726 Munich, Germany
© 2021 Infineon Technologies AG.
All Rights Reserved.
Do you have a question about this
document?
Go to www.cypress.com/support
Document reference
002-29058 Rev. *A
IMPORTANT NOTICE
The information contained in this application note is
given as a hint for the implementation of the product
only and shall in no event be regarded as a
description or warranty of a certain functionality,
condition or quality of the product. Before
implementation of the product, the recipient of this
application note must verify any function and other
technical information given herein in the real
application. Infineon Technologies hereby disclaims
any and all warranties and liabilities of any kind
(including without limitation warranties of noninfringement of intellectual property rights of any
third party) with respect to any and all information
given in this application note.
The data contained in this document is exclusively
intended for technically trained staff. It is the
responsibility of customer’s technical departments
to evaluate the suitability of the product for the
intended application and the completeness of the
product information given in this document with
respect to such application.
For further information on the product, technology,
delivery terms and conditions and prices please
contact your nearest Infineon Technologies office
(www.infineon.com).
WARNINGS
Due to technical requirements products may contain
dangerous substances. For information on the types
in question please contact your nearest Infineon
Technologies office.
Except as otherwise explicitly approved by Infineon
Technologies in a written document signed by
authorized representatives of Infineon
Technologies, Infineon Technologies’ products may
not be used in any applications where a failure of the
product or any consequences of the use thereof can
reasonably be expected to result in personal injury.
Loading...