ST AN1070 APPLICATION NOTE

AN1070

APPLICATION NOTE

ST7 CHECKSUM SELFCHECKING CAPABILITY

by Microcontroller Division Applications

INTRODUCTION

The goal of this application note is to present a software technique for determining whether the data and program stored in FLASH have been corrupted and, if so, for preventing the user program from running.

The program described in this application note has been written for the ST72F26x family (ST72260G1, ST72262G1, ST72262G2, ST72264G1, ST72264G2) but can be extended to all other ST7 MCUs.

You have to choose your device at the beginning of the program (several “#include” and “#define” statements are provided for this purpose). In this application, we chose to use an ST72264G2.

AN1070/0102

1/10

1 CHECKSUM CALCULATION

The checksum is calculated by a simple addition of the contents of the FLASH. The result is held in 3 bytes.

For the ST72F264G2, the checksum is obtained by adding up all the bytes from E003h (beginning of the program stored in FLASH) up to FFFFh. The result is stored in three byte variables (CS0, CS1 and CS2) located at the beginning of the FLASH memory area (from E000 to E003): a special segment (the ‘CHECKSUM’ segment) has been created at this location (see the ST72264.asm mapping file).

[Memory map figure: E000 CS0, CS1, CS2 (‘checksum’ segment); FLASH (program); FFE0 / FFF0 interrupt vectors]

It is very important to include the interrupt vectors in the check, because for the checksum to be performed at all the reset vector has to point to the Safe routine and not to the main routine (if the Safe routine does not find the FLASH intact, the user program is not run).
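The store-at-programming-time / verify-at-reset scheme described above, modelled in C as an added example (this is not the application note’s ST7 assembly): the 8 KiB FLASH of the ST72264G2 is a byte array whose offset 0 is E000h; the CS0..CS2 byte order (CS0 = most significant), the reset vector location (FFFEh/FFFFh) and the three “program” bytes are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the ST72264G2 FLASH, E000h..FFFFh (8 KiB): array
 * offset 0 is E000h. CS0..CS2 byte order (CS0 = MSB) is an assumption. */
#define FLASH_SIZE 0x2000u
#define SUM_START  3u    /* E003h: first byte included in the sum */

/* The checksum itself: plain addition of E003h..FFFFh, kept to 24 bits. */
uint32_t st7_checksum(const uint8_t *flash) {
    uint32_t sum = 0;
    for (size_t i = SUM_START; i < FLASH_SIZE; i++)
        sum += flash[i];
    return sum & 0xFFFFFFu;
}
/* Programming time: write the result into the CHECKSUM segment at E000h. */
void st7_store_checksum(uint8_t *flash) {
    uint32_t cs = st7_checksum(flash);
    flash[0] = (uint8_t)(cs >> 16);  /* CS0 */
    flash[1] = (uint8_t)(cs >> 8);   /* CS1 */
    flash[2] = (uint8_t)cs;          /* CS2 */
}
/* Reset time, the Safe routine's decision: 1 = run main, 0 = do not. */
int st7_flash_ok(const uint8_t *flash) {
    uint32_t stored = ((uint32_t)flash[0] << 16) | ((uint32_t)flash[1] << 8) | flash[2];
    return st7_checksum(flash) == stored;
}

/* Constructed image: filler everywhere, three arbitrary "program" bytes at
 * E003h, and the reset vector (FFFEh/FFFFh, assumed) pointing at E003h. */
void build_image(uint8_t *flash, uint8_t fill) {
    static const uint8_t program[] = { 0x9C, 0x80, 0xCC };   /* constructed */
    memset(flash, fill, FLASH_SIZE);
    memcpy(flash + SUM_START, program, sizeof program);
    flash[0x1FFE] = 0xE0; flash[0x1FFF] = 0x03;   /* reset vector -> E003h */
    st7_store_checksum(flash);
}
/* Checksum of a fresh image built with the given filler byte. */
uint32_t image_checksum(uint8_t fill) {
    uint8_t flash[FLASH_SIZE];
    build_image(flash, fill);
    return st7_checksum(flash);
}
/* 1 if flipping one bit at E000h+offset is caught by the Safe check. */
int corruption_detected(uint8_t fill, size_t offset) {
    uint8_t flash[FLASH_SIZE];
    build_image(flash, fill);
    flash[offset] ^= 0x01u;
    return !st7_flash_ok(flash);
}
```

Because addition is commutative, two bytes swapped anywhere in E003h..FFFFh leave the sum unchanged, so this check catches altered bytes but not reordering.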

The routine which calculates the checksum is 27 bytes long. The table below shows the calculation times. The time depends on the chosen device (4k or 8k in this case) and on the value chosen to fill the unused memory area (if the chosen value is $FF, for example, there will be more carries to take into account).

Table 1. Checksum Calculation Times

              4k           8k
Device used   ST72264G1    ST72264G2
Time (ms)     13.7         27.5

The above results were obtained in the worst case (unused memory filled with $FF) with fcpu = 8 MHz.

Note: The ST7 instruction set opcode map contains some unused opcodes which can be used to make the application more secure. If an unused opcode ($AF for instance) is used to fill the unused part of memory, no wrong code will be executed if a problem occurs.

You can also fill the unused memory with 0, the opcode of the NOP instruction or whatever you want.

But what ST advises, and what we do in this application, is to fill the unused part of memory with the opcode of the TRAP instruction ($83), which allows recovery through the trap interrupt routine (this routine can, for instance, force a software reset by writing the appropriate value in the watchdog register). See also AN1015: “Software techniques for improving Microcontroller EMC performance”.
