Among the many features built into Microchip’s
Enhanced FLASH Microcontroller devices is the capability of the program memory to self-program. This very
useful feature has been deliberately included to give
the user the ability to perform bootloading operations.
Devices like the PIC18F452 are designed with a designated “boot block”, a small section of protectable program memory allocated specifically for bootload
firmware.
This application note demonstrates a very powerful
bootloader implementation for the PIC16F87XA and
PIC18F families of microcontrollers. The coding for the
two device families is slightly different; however, the
functionality is essentially the same. The goals of this
implementation stress maximum performance and
functionality, while requiring a minimum of code space.
FIRMWARE
Basic Operation
Figure 1 summarizes the essential firmware design of
the bootloader. Data is received through the USART
module, configured in Asynchronous mode for compatibility with RS-232, and passed through the
transmit/receive engine. The engine filters and parses
the data, storing the information into a data buffer in
RAM. The command interpreter evaluates the command information within the buffer to determine what
should be done (i.e., Is the data written into a memory
unit? Is data read from a memory unit? Does the firmware version need to be read?). Once the operation is
performed, data is passed back to the transmit/receive
engine to be transmitted back to the source, closing the
software flow control loop.
FIGURE 1: BOOTLOADER FUNCTIONAL BLOCK DIAGRAM
[Figure: block diagram. Labels: RX/TX, USART, Transmit/Receive Engine, RAM Buffer, Command Interpreter, Control, Bootloader Firmware, Data Bus, FLASH Program Memory, EE Data Memory, Configuration Registers.]
COMMUNICATIONS
The microcontroller’s USART module is used to
receive and transmit data; it is configured as a UART to
be compatible with RS-232 communications. The
device can be set up in an application to bootload from
a computer through its standard serial interface. The
following communications settings are used:
• 8 data bits
• No parity
• 1 STOP bit
The baud rate setting is variable depending on the
application. Baud rate selection is discussed later.
© 2002 Microchip Technology Inc. DS00851B-page 1
AN851
THE RECEIVE/TRANSMIT BUFFER
All data is moved through a buffer (referred to as the
Receive/Transmit Buffer). The buffer is a maximum of
255 bytes deep. This is the maximum packet length
supported by the protocol. However, some devices
may not support the largest packet size due to memory
limitations. Figure 2 shows an example of the mapping
of the buffer within the PIC18F452.
Note: The actual packet length supported by a
particular device depends on the size of its
data memory.
A useful feature of the receive/transmit buffer is that it
retains its memory between packets, thus allowing very
fast repeat and replication operations. That is, if an
empty packet is sent, the data currently in memory will
be executed as if it were just received.
FIGURE 2: DATA MEMORY USAGE ON THE PIC18F452
[Figure: data memory map. Labels: Bootloader Work Area, Receive/Transmit Buffer, Unused, SFRs; address markers 000h, 008h, 107h, FFFh.]
COMMAND INTERPRETER
The command interpreter decodes and executes ten
different commands, seven base commands and three
special commands. A complete list of the commands is
provided in Appendix A. The base commands allow for
read, write, and erase operations on all types of
non-volatile memory. The other three commands are for
special operations, such as repeating the last
command, replicating the data, and resetting the device.
Note that the PIC18F devices have greater access to,
and control of, memory than PIC16F devices. For
example, PIC16F devices do not have access to the
configuration memory, thus they do not use the configuration commands. Therefore, not all instructions are
available in the PIC16F bootloader.
Memory Organization
PROGRAM MEMORY USAGE
Currently, PIC18F devices reserve the first 512 bytes of
Program Memory as the boot block. Future devices
may expand this, depending on application requirements for these devices. However, this bootloader is
designed to occupy the current designated boot block
of 512 bytes (or 256 words) of memory. Figure 3 shows
a memory map of the PIC18F452. The boot area can
be code protected to prevent accidental overwriting of
the boot program.
FIGURE 3: PROGRAM MEMORY MAP OF THE PIC18F452
[Figure: program memory map. Labels: Boot Program, RESET Vector (0200h), High Priority Interrupt Vector (0208h), Low Priority Interrupt Vector (0218h), Program Memory, User Memory Space; address marker 7FFFh.]
Note: Memory areas not shown to scale.
PIC16F87XA enhanced microcontrollers are designed
to use the first 256 words of program memory. Figure 4
shows the memory map of the PIC16F877A. Like the
PIC18F452 and other PIC18F devices, the boot area
can be write protected to prevent accidental overwriting
of the boot program.
FIGURE 4: PROGRAM MEMORY MAP OF THE PIC16F877A
[Figure: program memory map. Labels: Boot Program, RESET Vector (0100h), Interrupt Vector (0104h), Program Memory, User Memory Space; address marker 3FFFh.]
Note: Memory areas not shown to scale.
REMAPPED VECTORS
Since the hardware RESET and interrupt vectors lie
within the boot area and cannot be edited if the block is
protected, they are remapped through software to the
nearest parallel location outside the boot block.
Remapping is simply a branch for interrupts, so PIC18F
users should note an additional latency of 2 instruction
cycles to handle interrupts. Upon RESET, there are
some boot condition checks, so the RESET latency is
an additional 10 instruction cycles (as seen in the
example source code).
For PIC16F87XA devices, the interrupt latency is an
additional 9 instruction cycles on top of the 3 to 4 normally experienced; the RESET latency is 18 instruction
cycles. This additional latency comes from saving
device context data in shared memory. The example
code uses locations 7Dh, 7Eh, and 7Fh to store the
PCLATH, STATUS, and W registers, respectively. The
source code can be changed, but the saved data must
remain in the shared memory area.
DATA MEMORY USAGE
The last location in data memory of the device
(Figure 5) is reserved as a non-volatile Boot mode flag.
This location contains FFh by default, which indicates
Boot mode. Any other value in this location indicates
normal Execution mode.
FIGURE 5: DATA MEMORY MAP
[Figure: EE Data Memory map from 000h to XXXh, with the Boot Control Byte at the last location.]
Communication Protocol
The bootloader employs a basic communication
protocol that is robust, simple to use, and easy to
implement.
PACKET FORMAT
All data that is transmitted to or from the device follows
the basic packet format:
<STX><STX>[<DATA><DATA>...]<CHKSUM><ETX>
where each <...> represents a byte and [...]
represents the data field.
The start of a packet is indicated by two ‘Start of TeXt’
control characters (<STX>), and is terminated by a single ‘End of TeXt’ control character (<ETX>). The last
byte before the <ETX> is always a checksum, which is
the two’s complement of the Least Significant Byte of
the sum of all data bytes.
The data field is limited to 255 data bytes. If more bytes
are received, then the packet is ignored until the next
<STX> pair is received.
Note: Although the protocol supports 255 bytes of
data, the specific device that contains the
bootloader firmware may not have a sufficiently
large data memory to support the largest
packet size. Refer to the data sheet for the
particular device for more information.
CONTROL CHARACTERS
There are three control characters that have special
meaning. Two of them, <STX> and <ETX>, are introduced above. The last character not shown is the ‘Data
Link Escape’, <DLE>. Table 1 provides a summary of
the three control characters.
TABLE 1: CONTROL CHARACTERS
Control   Value   Description
<STX>     0Fh     Start of TeXt
<ETX>     04h     End of TeXt
<DLE>     05h     Data Link Escape
The <DLE> is used to identify a value that could be
interpreted in the data field as a control character.
Within the data field, the bootloader will always accept
the byte following a <DLE> as data, and will always
send a <DLE> before any of the three control characters. For example, if a byte of value 0Fh is transmitted
as part of the data field, rather than as the <STX> control
character, the <DLE> character is inserted before
the <STX>. This is called “byte stuffing”.
Note: Control characters are not considered data
and are not included in the checksum.
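The packet format, checksum and byte stuffing described above, as an added host-side example in Python (not code from the application note). It assumes the checksum byte is escaped like a data byte and that an unescaped <STX> inside a frame is treated as a framing error; the function names are hypothetical.

```python
STX, ETX, DLE = 0x0F, 0x04, 0x05      # control characters from Table 1
CONTROL = {STX, ETX, DLE}
MAX_DATA = 255                        # protocol limit on the data field


def checksum(data: bytes) -> int:
    """Two's complement of the low byte of the sum of all data bytes."""
    return (-sum(data)) & 0xFF


def _stuff(raw: bytes) -> bytes:
    """Insert <DLE> before every byte that equals a control character."""
    out = bytearray()
    for b in raw:
        if b in CONTROL:
            out.append(DLE)
        out.append(b)
    return bytes(out)


def build_packet(data: bytes) -> bytes:
    """Frame a data field as <STX><STX>[data]<CHKSUM><ETX>."""
    if len(data) > MAX_DATA:
        raise ValueError("data field exceeds 255 bytes")
    # Assumption: the checksum byte is stuffed the same way as data bytes.
    body = _stuff(bytes(data) + bytes([checksum(data)]))
    return bytes([STX, STX]) + body + bytes([ETX])


def parse_packet(frame: bytes) -> bytes:
    """Return the data field of one complete frame, or raise ValueError."""
    if frame[:2] != bytes([STX, STX]):
        raise ValueError("packet must start with <STX><STX>")
    body = bytearray()
    escaped = False
    for pos in range(2, len(frame)):
        b = frame[pos]
        if escaped:                   # byte after <DLE> is always data
            body.append(b)
            escaped = False
        elif b == DLE:
            escaped = True
        elif b == ETX:
            if pos != len(frame) - 1:
                raise ValueError("trailing bytes after <ETX>")
            break
        elif b == STX:                # assumption: treated as a framing error
            raise ValueError("unescaped <STX> inside packet")
        else:
            body.append(b)
    else:
        raise ValueError("missing <ETX>")
    if not body:
        raise ValueError("no checksum byte")
    data, chk = bytes(body[:-1]), body[-1]
    if len(data) > MAX_DATA:
        raise ValueError("data field exceeds 255 bytes")
    if (sum(data) + chk) & 0xFF != 0:  # data plus checksum must sum to 0 mod 256
        raise ValueError("bad checksum")
    return data


# Constructed samples: RD_VER from Appendix A, and a read whose address
# bytes collide with all three control characters.
RD_VER = bytes([0x00, 0x02])
RD_FLASH_SAMPLE = bytes([0x01, 0x04, 0x05, 0x0F, 0x00])
```

An empty data field (the REPEAT command) frames as `0F 0F 00 04`, since the checksum of no data is 00h.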
COMMANDS
The data field for each packet contains one command
and its associated data. The commands are detailed in
Appendix A.
COMMAND RESPONSE LATENCY
Flow control is built into the protocol. Thus, for every
received command (except RESET), there is a
response. If there is no response, then one (or more) of
the following has happened:
• the data was corrupted (bad checksum)
• the packet was never received
• the data field was too long
• RESET was executed
So how long do you wait before deciding a problem has
occurred? The response latency (shown in Figure 6) is
dependent on the amount of data sent, the command
being executed, and the clock frequency.
For read commands, the latency is highly dependent
on the clock frequency, and the size of the packet. For
a small packet at high frequency, the response is
almost immediate, typically on the order of a few microseconds. For large packets, the latency could be on the
order of hundreds of microseconds.
In general, read commands require very little time compared to write commands. Write commands are mostly
dependent on internally timed write cycles. For example, the typical write time required for a single
EEPROM location is 4 ms. If the maximum packet size
(250 bytes of writable data) was sent, the receive to
transmit latency would be about 1 second.
FIGURE 6: RECEIVE TO TRANSMIT LATENCY
[Figure: timing diagram showing the RX and TX lines and the delay between them.]
Automatic Baud Rate Detection
The bootloader is provided with an automatic baud rate
detection algorithm that will detect most baud rates for
most input clock frequencies (FOSC). The algorithm
determines the best value for the Baud Rate Generator
and then loads the SPBRG register on the
microcontroller with the determined value.
Note: Refer to the specific device data sheet for
information about the USART module and
its associated registers.
SYNCHRONIZING
The first <STX> in the protocol is the synchronization
byte. It is used to match the device’s baud rate to the
source’s baud rate. Thus, the device is synchronized to
the source on every new packet.
Note: If a ‘Start of TeXt’ condition is received
during the reception of a packet, then no
synchronization occurs.
SELECTING FOSC AND BAUD RATE
The recommended baud rate for this application is
9600 bps. This is the ideal rate for a device operating
from 4 MHz, to the device’s maximum operating frequency (40 MHz in most cases). Higher baud rates are
possible, but degenerate conditions can occur.
There are a few clock frequency/standard baud rate
combinations that lead to a degenerate baud rate
selection during synchronization; under such conditions, the device will never synchronize to the source.
Clock frequencies that avoid such degenerate
conditions are given by the equation:
FOSC = (1 ± E)(X + 1)(16)(B)
where E is the error (typically 2%), X is the value for the
SPBRG register, and B is the baud rate. A table of calculated clock oscillator ranges for most of the common
baud rates is provided in Appendix B for quick
reference.
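The equation above applied as a check on a clock and baud rate pair, as an added Python example (not part of the application note). It assumes an 8-bit SPBRG register (X from 0 to 255); the function names and the list of standard baud rates are constructed for illustration.

```python
# Constructed list of common baud rates to test against.
STANDARD_BAUDS = (2400, 4800, 9600, 19200, 38400, 57600, 115200)


def spbrg_candidates(fosc_hz, baud, tolerance=0.02):
    """Return [(X, error)] for each SPBRG value X that satisfies
    FOSC = (1 +/- E)(X + 1)(16)(B) with E <= tolerance, best match first."""
    hits = []
    for x in range(256):              # assumption: SPBRG is an 8-bit register
        nominal = (x + 1) * 16 * baud
        error = fosc_hz / nominal - 1.0
        if abs(error) <= tolerance:
            hits.append((x, error))
    return sorted(hits, key=lambda hit: abs(hit[1]))


def best_spbrg(fosc_hz, baud, tolerance=0.02):
    """SPBRG value with the smallest error, or None when no X fits
    (the degenerate case in which the equation has no solution)."""
    hits = spbrg_candidates(fosc_hz, baud, tolerance)
    return hits[0][0] if hits else None


def usable_bauds(fosc_hz, bauds=STANDARD_BAUDS, tolerance=0.02):
    """Baud rates from `bauds` for which the equation has a solution."""
    return [b for b in bauds if best_spbrg(fosc_hz, b, tolerance) is not None]


if __name__ == "__main__":
    for fosc in (4_000_000, 20_000_000, 40_000_000):
        print(fosc, usable_bauds(fosc))
```

At 4 MHz the equation has a solution for 9600 bps (X = 25) but none for 115200 bps, where the nearest nominal clocks are 3.6864 MHz and 5.5296 MHz.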
BOOTING A DEVICE
Entering and Leaving Boot Mode
With the bootloader firmware loaded, there are two distinct modes of operation: Boot Mode and User Mode.
The bootloader uses the last location of data memory
to determine which mode to run in. A value of FFh indicates Boot mode. Any other value indicates User
mode. Thus, a new part with its data memory not
initialized will automatically enter Boot mode the first
time.
To leave Boot mode, the last location must be changed
to some value other than FFh. Then, a device RESET
(hardware or software) is initiated. For PIC18F devices,
the RESET command actually generates a true RESET
via the RESET instruction (same as MCLR). Other than
tying a port pin to MCLR, a true RESET is not possible
in firmware on PIC16F87XA devices. Although the
RESET command is supported, it only causes the
PIC16F device to jump to the RESET vector; the registers used to perform bootload operations are not
changed to their RESET states.
Reading/Writing/Erasing Program Memory
PIC18F
For the PIC18F devices, commands 1 through 3 support operations to FLASH program memory. Read
operations occur at the byte level. Write operations are
performed on multiples of 8 bytes (one block). Erase
operations are performed on 64 bytes (one row).
When writing program memory on a PIC18F device,
the memory should be erased. The default operation is:
bits can only be cleared when written to. An erase operation is the only action that can be used to set bits in
program memory. Thus, if the bootloader protection
bits are not set up in the configuration bytes, operations
on memory from 000h to 1FFh could partially or
completely disable the bootloader firmware.
User IDs (starting at address 200000h) are considered
to be part of program memory and are written and
erased like normal FLASH program memory. The
Device ID (addresses 3FFFFEh and 3FFFFFh) is also
considered program memory. While these locations can be
accessed, they are read-only and cannot be
altered.
PIC16F
The PIC16F87XA devices support reading and writing
to program memory. Commands 1 and 2 support operations to FLASH program memory. Read operations
occur at the word level (2 bytes). Write operations are
performed on multiples of 4 words (8 bytes). Since
write operations are erase-before-write, the erase command is not supported. The bootloader area, from 000h
to 0FFh, should be write protected to prevent
overwriting itself.
Neither the User ID nor the Device ID locations are
accessible during normal operation on the PIC16 architecture; therefore, these areas can neither be read nor
written.
Reading/Writing Data Memory
Data memory is read or written one byte at a time,
through commands 4 and 5. Since it is not actually
mapped to the normal FLASH memory space, the
address starts at 000h and continues to the end of
EEDATA memory.
Note that the last location of the data memory is used
as a boot flag. Writing anything other than FFh to the
last location indicates normal code execution.
Configuration Bits
PIC18F
PIC18F devices allow access to the device configuration bits (addresses starting at 300000h) during normal
operation. In the bootloader, commands 6 and 7 provide this access. Data is read one byte at a time and,
unlike program memory, is written one byte at a time.
Since configuration bits are automatically erased
before being written, there is no erase command for
configuration memory.
Having access to configuration settings is very powerful; it is also potentially very dangerous. For example,
assume that the system is designed to run in HS mode,
with a 20 MHz crystal. If the bootloader changes the
oscillator setting to LP mode, the system will cease to
function — including the bootloader! Basically, the
system has been killed by improperly changing one bit.
It is also important to note some configuration bits are
single direction bits in Normal mode; they can only be
changed to one state, and cannot be changed back.
The code protection bits in Configuration Registers 5L
and 5H are a good example. If any type of code protection is enabled for a block, it cannot be disabled without
a device programmer. Essentially, the bootloader
cannot reverse code protection.
PIC16F
The configuration memory is not accessible during normal operation on the PIC16 architecture; therefore, this
area can neither be read nor written.
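A host-side pre-send check for the two hazards described above on PIC18F devices (writes or erases that reach the 000h to 1FFh boot block, and configuration writes), as an added Python example that is not part of the application note. It uses the command layouts from Appendix A, reads <LEN> as a count of 8-byte blocks for writes and 64-byte rows for erases, and assumes the hardware aligns the address down to the block or row; the function names are hypothetical.

```python
BOOT_BLOCK_END = 0x200                # PIC18F boot block is 000h-1FFh
WT_FLASH, ER_FLASH, WT_CONFIG = 0x02, 0x03, 0x07
UNIT = {WT_FLASH: 8, ER_FLASH: 64}    # bytes covered by one <LEN> unit


def target_range(field: bytes):
    """Decode <COM><LEN><ADDRL><ADDRH><ADDRU> into
    (command, first address, end address exclusive)."""
    if len(field) < 5:
        raise ValueError("data field shorter than the 5-byte command header")
    cmd, length = field[0], field[1]
    addr = field[2] | (field[3] << 8) | (field[4] << 16)
    unit = UNIT.get(cmd, 1)
    # Assumption: a write or erase acts on the whole block or row that
    # contains the address, so align the start down to the unit size.
    start = addr - (addr % unit)
    return cmd, start, start + length * unit


def vet_command(field: bytes, allow_config_write: bool = False):
    """Return a list of reasons a host tool should refuse to send `field`.
    An empty list means no objection. REPLICATE uses the same header with
    <COM> set to a write command, so it is covered as well."""
    cmd, start, end = target_range(field)
    reasons = []
    if cmd in (WT_FLASH, ER_FLASH) and start < BOOT_BLOCK_END and end > start:
        reasons.append(
            f"command {cmd:02X}h covers {start:06X}h-{end - 1:06X}h, "
            "which overlaps the boot block 000h-1FFh")
    if cmd == WT_CONFIG and not allow_config_write:
        reasons.append("configuration write not explicitly allowed")
    return reasons


# Constructed sample data fields (payload bytes are placeholders).
WRITE_ABOVE_BOOT = bytes([0x02, 0x01, 0x00, 0x02, 0x00]) + bytes(8)
ERASE_IN_BOOT = bytes([0x03, 0x01, 0xF0, 0x01, 0x00])
WRITE_STRADDLING = bytes([0x02, 0x02, 0xF8, 0x01, 0x00]) + bytes(16)
WRITE_USER_ID = bytes([0x02, 0x01, 0x00, 0x00, 0x20]) + bytes(8)
WRITE_CONFIG = bytes([0x07, 0x01, 0x00, 0x00, 0x30, 0xFF])

if __name__ == "__main__":
    for name, field in [("write at 200h", WRITE_ABOVE_BOOT),
                        ("erase at 1F0h", ERASE_IN_BOOT),
                        ("write at 1F8h", WRITE_STRADDLING),
                        ("write config", WRITE_CONFIG)]:
        print(name, vet_command(field) or "ok")
```

The check complements, and does not replace, setting the boot block protection bits: it only stops this host tool from sending a damaging command.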
WRITING CODE
The bootloader operates as a separate entity, which
means that an application can be developed with very
little concern about what the bootloader is doing. This
is as it should be; the bootloader should be dormant
code until an event initiates a boot operation. Under
ideal circumstances, bootloader code should never be
running during an application’s intended normal
operation.
When developing an application with a resident
bootloader, some basic principles must be kept in
mind:
Writing in Assembly
When writing in assembly, the boot block and new vectors must be considered. For modular code, this is generally just a matter of changing the linker script file for
the project. An example is given in Appendix D. If an
absolute address is assigned to a code section, the
address must point somewhere above the boot block.
For those who write absolute assembly, all that is necessary is to remember that for PIC18F devices, the
new RESET vector is at 200h, and the interrupt vectors
are at 208h and 218h. For PIC16F87XA devices, the
RESET vector is at 100h and the interrupt vector is at
104h. No code, except the bootloader, should reside in
the boot block.
Writing in C
When using the MPLAB® C18 C compiler to develop
PIC18F firmware for an application, the standard
start-up object (c018.o or c018i.o) must be rebuilt
with the new RESET vector. Like modular assembly,
the linker file must be changed to incorporate the protected boot block and new vectors. Appendix D shows
an example linker file.
For users of other compilers, for either PIC16F87XA or
PIC18F devices, check with the compiler’s software
user guide to determine how to change the start-up
code and vectors.
Bootloader Re-Entry
If the need exists to re-enter Boot mode from the application (and it usually does), the last location of the data
memory must be set to FFh. The code in Example 1
demonstrates how this might be done in an application
on a PIC18F device. Since the bootloader assumes
RESET conditions, a RESET instruction should be
initiated after setting the last location.
EXAMPLE 1: SETTING THE LAST LOCATION OF THE DATA MEMORY
    setf    EEADR           ; Point to the last byte
    setf    EEADRH
    setf    EEDATA          ; Bootmode control byte
    movlw   b'00000100'     ; Setup for EEData
    movwf   EECON1
    movlw   0x55            ; Unlock
    movwf   EECON2
    movlw   0xAA
    movwf   EECON2
    bsf     EECON1, WR      ; Start the write
    nop
    btfsc   EECON1, WR      ; Wait
    bra     $ - 2
    reset
Debugging
For most situations, it is not necessary to have the
bootloader firmware in memory to do debugging of an
application with either the MPLAB ICD 2 or ICE
devices. However, branch statements must be inserted
at the hardware vectors to get to the new designated
vectors. It may also be useful to have the start-up timing match exactly to the bootloader entry. When development of the application is finished, either remove the
branches and rebuild the project, or export only the
memory above the boot block. This code can then be
distributed to those who are updating their firmware.
EXAMPLE SOFTWARE
The Microchip PIC16/PIC18 Quick Programmer is a
simple application designed to run on IBM® compatible
desktop computers; it is provided with the FLASH bootloader to perform basic programming operations. The
Quick Programmer should be used as a starting point
for users to create their own programming applications.
Selecting a Device
The first thing to appear after launching P1618QP.EXE
is the device selection dialog box (Figure 7). This floating box gives the user the option to manually select a
device to communicate with, from a drop-down menu.
For PIC18F devices, the automatic detection feature is
available. PIC16F devices must be manually selected.
FIGURE 7: DEVICE SELECTION
The Main Toolbar
The main program menu (Figure 8) appears as a floating toolbar over any other running applications, and not
as its own window. It provides some basic commands,
as well as information from the device.
CONNECTING TO A DEVICE
Before anything can happen, communications to the
attached device must be opened. This is done with the
Connect to Device button. If automatic detection was
selected, then the software will read the device ID and
try to match it with device information provided in the
P1618QP.INI. If a device is manually selected, then
the settings for that particular device are forced. In
either event, the device identity is shown in the Device
Identifier area.
Note that PIC16F devices cannot access device ID
memory during normal execution; thus, PIC16F
devices must be manually selected.
READING/WRITING/ERASING
The Read Device, Write To Device and Erase Device
buttons are used for reading, writing, and erasing the
attached device. The Read Device button tells the program to read the entire device. The Write to Device button writes only the data imported from a HEX file. The
Erase Device button erases the entire device; the
command is not available for PIC16F devices.
IMPORTING/EXPORTING HEX FILES
Basic file import and export operations are available.
The Microchip PIC16/PIC18 Quick Programmer uses
formatted text files to store data, rather than large
chunks of memory. Importing converts the HEX file into
a formatted text file; exporting does the opposite. The
program uses the formatted text file for storage and
display.
When importing a file, always be certain that the HEX
file is padded and aligned to a 16-byte boundary.
MPLAB IDE automatically pads to 16 bytes when an
integer multiple of 16 bytes of data is selected on a
16-byte boundary when using the Export feature.
VIEWING/CLEARING MEMORY
The View Data and Clear Data buttons allow the user
to view or clear the data that was imported, or read from
the device. The program does not include any type of
text viewer, and uses the viewer specified in the
PIC1618QP.INI file. By default, the viewer used in
Windows® is Notepad.
RUN MODE
When the desired data is loaded onto the device,
selecting this button will put the device into User mode,
by writing 00h to the last location of the data memory.
FIGURE 8: QUICK PROGRAMMER TOOL BAR
[Figure: toolbar with callouts: Connect to Device, Read Program Memory, Write to Program Memory, Erase Device, Run Program on Device, Import HEX File, Export HEX File, View Imported File, Clear Imported File from Memory, End Current Operation, Status Message, Revision Level, Baud Rate Identifier, Port Identifier, Device Identifier.]
PORT AND BAUD RATE SELECTION
The default serial port and its baud rate (COM1, 9600)
are specified in the PIC1618QP.INI file. The user
may change these settings while the application is running by right-clicking on either the port or the baud rate identifier. A menu of valid options that the user may select
from (COM ports or baud rates) will appear.
Menu Options
Right-clicking on the status or the toolbar displays a
pop-up menu that gives access to some settings and
advanced operations. Figure 9 shows the menu
options available.
FIGURE 9: MENU OPTIONS
DEVICE SELECTOR
This menu option gives the user the ability to re-select
a device, or select a new device (see “Selecting a
Device” and Figure 7).
MEMORY ACCESS
The memory types are either checked or unchecked to
determine access. As an example, Figure 9 shows
access to FLASH program memory and data memory,
while access to CONFIG memory and User ID memory
is ignored. Since normal access to CONFIG and User
ID memory is not allowed in PIC16F devices, these
options are not available when a PIC16F device is
selected.
SEND CONFIG
The check access for CONFIG in Figure 9 is for read
operations only, due to the danger imposed by writing
all configuration bits sequentially. The “Send Config
Settings” dialog box (Figure 10) is used to actually write
configuration register settings.
FIGURE 10: SETTING CONFIG BITS
Selecting a configuration register label from the
Address list box will automatically load the current data
at that address. The value in the Data field can be
edited, then written back to the device by clicking on
the Send button.
DIFFERENCES BETWEEN THE
PIC16F87XA AND PIC18F
BOOTLOADERS
Because of architectural enhancements in PIC18F
devices, there are two main differences between the
PIC16F87XA and PIC18F bootloaders.
1. The PIC16F87XA bootloader does not support
the following commands:
• Erase FLASH
• Read CONFIG
• Write CONFIG
2. The RESET command is only partially supported. When the microcontroller receives a
RESET command, it executes a goto 0x0000.
This is not a true RESET of the microcontroller.
The following registers are not set to their
default RESET states on execution of the
command:
• EEADR
• EEADRH
• EECON1
• OPTION_REG
• RCSTA
• STATUS
• TXSTA
• EEDATA
• EEDATH
• FSR
• PIR1
• SPBRG
• TRISC
This is particularly important when leaving Boot
mode via a software RESET. The application software must be prepared to accept non RESET values in the registers listed above. If RESET
conditions are necessary, then the listed registers
should be initialized in the application code. The
alternative is to always perform a hardware
RESET (MCLR) after completing a bootload
operation.
APPENDIX A: BOOTLOADER COMMANDS
TABLE A-1: BOOTLOADER COMMANDS
Columns: Name, Number, Description, Command Device [data field], Response [data field], PIC18F, PIC16F (X = supported).

RESET, ANY: Reset the Device
  Command:  [<COM><0x00>]
  Response: none
  PIC18F: X   PIC16F: X

RD_VER, 00h: Read Bootloader Version Information
  Command:  [<0x00><0x02>]
  Response: [<0x00><0x02><VERL><VERH>]
  PIC18F: X   PIC16F: X

RD_FLASH, 01h: Read <LEN> bytes from Program Memory
  Command:  [<0x01><LEN><ADDRL><ADDRH><ADDRU>]
  Response: [<0x01><LEN><ADDRL><ADDRH><ADDRU>...LEN bytes of Data...]
  PIC18F: X   PIC16F: X

WT_FLASH, 02h: Write <LEN> blocks to Program Memory
  Command:  [<0x02><LEN><ADDRL><ADDRH><ADDRU>...LEN bytes of Data...]
  Response: [<0x02>]
  PIC18F: X   PIC16F: X

ER_FLASH, 03h: Erase <LEN> rows of Program Memory
  Command:  [<0x03><LEN><ADDRL><ADDRH><ADDRU>]
  Response: [<0x03>]
  PIC18F: X   PIC16F:

RD_EEDATA, 04h: Read <LEN> bytes from EE Data Memory
  Command:  [<0x04><LEN><ADDRL><ADDRH><0x00>]
  Response: [<0x04><LEN><ADDRL><ADDRH><0x00>...LEN bytes of Data...]
  PIC18F: X   PIC16F: X

WT_EEDATA, 05h: Write <LEN> bytes to EE Data Memory
  Command:  [<0x05><LEN><ADDRL><ADDRH><0x00>...LEN bytes of Data...]
  Response: [<0x05>]
  PIC18F: X   PIC16F: X

RD_CONFIG, 06h: Read <LEN> bytes from Configuration Memory
  Command:  [<0x06><LEN><ADDRL><0x00><0x30>]
  Response: [<0x06><LEN><ADDRL><0x00><0x30>...LEN bytes of Data...]
  PIC18F: X   PIC16F:

WT_CONFIG, 07h: Write <LEN> bytes to Configuration Memory
  Command:  [<0x07><LEN><ADDRL><0x00><0x30>...LEN bytes of Data...]
  Response: [<0x07>]
  PIC18F: X   PIC16F:

REPEAT, COM: Repeat last Command
  Command:  [Empty data field]
  Response: Refer to the appropriate command response for the last command sent
  PIC18F: X   PIC16F: X

REPLICATE, COM: Write old Buffer Data to another area
  Command:  [<COM><LEN><ADDRL><ADDRH><ADDRU>] where <COM> is any write command
  Response: [<COM>]
  PIC18F: X   PIC16F: X
APPENDIX B: FOSC vs. BAUD RATE FOR AUTO BAUD DETECTION
TABLE B-1: FOSC (MHz) FOR VARIOUS BAUD RATES (F(X,B), FOR ±2% ERROR)