AN1070
APPLICATION NOTE
ST7 CHECKSUM SELFCHECKING CAPABILITY
by Microcontroller Division Applications
INTRODUCTION
The goal of this application note is to present a software technique for determining whether the data and
program in FLASH have been corrupted and, if so, for preventing the user program from running.
The program described in this application note has been written for the ST72F26x family
(ST72260G1, ST72262G1, ST72262G2, ST72264G1, ST72264G2) but can be extended to all
other ST7 MCUs.
You have to choose your device at the beginning of the program (several “#include” and “#define” statements are provided for this purpose). In this application, we chose to use a
ST72264G2.
AN1070/0102
1 CHECKSUM CALCULATION
The checksum is calculated by simply adding up the content of the FLASH. The result is
3 bytes long.
For the ST72F264G2, the checksum is obtained by adding up all the bytes from E003h (beginning of the program stored in FLASH) up to FFFFh. The result is stored in 3 byte variables
(CS0, CS1 and CS2) located at the beginning of the FLASH memory area (from E000 to
E003): a special segment (‘CHECKSUM’ segment) has been created at this location (see
ST72264.asm Mapping file).
[Figure: FLASH memory map showing the checksum segment (CS0, CS1, CS2) starting at E000, the FLASH (program) area, and the interrupt vectors (address labels FFE0 and FFF0).]
It’s very important to check the interrupt vectors because, to perform the checksum, the reset
vector has to point to the Safe routine and not to the main routine (if FLASH is not checked OK
by the Safe routine, then the user program won’t be run).
The routine which calculates the checksum is 27 bytes long. The table below shows the calculation times. The time depends on the chosen device (4k or 8k in this case) and on the value
chosen to fill the unused memory area (if the chosen value is $FF for example, there will be
more carries to take into account).
Table 1. Checksum Calculation Times

               4k           8k
Device used    ST72264G1    ST72264G2
Time (ms)      13.7         27.5

The above results have been obtained in the worst case (unused memory part filled with $FF)
with fcpu=8MHz.
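
The calculation and the Safe-routine decision described above, modelled in C on a host buffer (an added example, not the application note's ST7 routine). Assumptions: CS0..CS2 sit at E000h..E002h with CS0 as the most significant byte; the function names and the sample code bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define FLASH_SIZE 0x2000u  /* E000h..FFFFh on the 8k device; index 0 = E000h */
#define CS_OFFSET  0u       /* assumption: CS0..CS2 at E000h..E002h */
#define SUM_OFFSET 3u       /* summed range starts at E003h */

/* Add every byte from E003h to FFFFh; the total always fits in 3 bytes. */
uint32_t flash_sum24(const uint8_t *flash)
{
    uint32_t sum = 0;
    for (size_t i = SUM_OFFSET; i < FLASH_SIZE; i++)
        sum += flash[i];
    return sum & 0xFFFFFFu;
}

/* Build step: store the reference sum (assumption: CS0 = most significant). */
void flash_store_checksum(uint8_t *flash)
{
    uint32_t sum = flash_sum24(flash);
    flash[CS_OFFSET]     = (uint8_t)(sum >> 16);
    flash[CS_OFFSET + 1] = (uint8_t)(sum >> 8);
    flash[CS_OFFSET + 2] = (uint8_t)sum;
}

/* Safe-routine decision: 1 = sum matches, user program may run; 0 = do not run. */
int flash_check(const uint8_t *flash)
{
    uint32_t stored = ((uint32_t)flash[CS_OFFSET] << 16) |
                      ((uint32_t)flash[CS_OFFSET + 1] << 8) | flash[CS_OFFSET + 2];
    return stored == flash_sum24(flash);
}

/* Constructed image: a few made-up code bytes, unused area filled with $FF. */
void make_sample_image(uint8_t *flash)
{
    static const uint8_t code[] = { 0xA6, 0x55, 0xB7, 0x80, 0x20, 0xFE };
    memset(flash, 0xFF, FLASH_SIZE);
    memcpy(flash + SUM_OFFSET, code, sizeof code);
    flash_store_checksum(flash);
}

int main(void)
{
    static uint8_t img[FLASH_SIZE];
    make_sample_image(img);
    img[0x1FFF] ^= 0x01;             /* simulate a flipped bit at FFFFh */
    return flash_check(img) ? 1 : 0; /* exits 0: the corruption was detected */
}
```

Flipping any bit from E003h to FFFFh, interrupt vectors included, makes flash_check return 0. A plain sum does not notice two bytes being swapped, since the total is unchanged.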
Note: There are some unused opcodes in the ST7 instruction set opcode map which can be
used to make the application more secure. If an unused opcode is put into the unused part of
memory, wrong code won’t be executed if a problem occurs ($AF for instance).
You can also fill the unused memory with 0, the opcode of the NOP instruction or whatever
you want.
But what ST advises, and what we do in our application, is to fill the unused part of memory
with the opcode corresponding to the trap execution ($83) allowing recovery through the trap
interrupt routine (which can contain a software reset caused by writing the appropriate value in
the watchdog register for instance). See also AN1015: “Software techniques for improving Microcontroller EMC performance”.