Texas instruments MSP430 User Manual

SLAU319S–July 2010–Revised April 2018

MSP430™ Flash Device Bootloader (BSL)

The MSP430™ bootloader (BSL) (formerly known as the bootstrap loader) allows users to communicate with embedded memory in the MSP430 microcontroller (MCU) during the prototyping phase, final production, and in service. Both the programmable memory (flash memory) and the data memory (RAM) can be modified as required. Do not confuse the bootloader with the bootstrap loader programs found in some digital signal processors (DSPs) that automatically load program code (and data) from external memory to the internal memory of the DSP.

To use the bootloader, a specific BSL entry sequence must be applied. An added sequence of commands initiates the desired function. A bootloading session can be exited by continuing operation at a defined user program address or by the reset condition.

If the device is secured by disabling JTAG, it is still possible to use the BSL. Access to the MSP430 MCU memory through the BSL is protected against misuse by the BSL password. The BSL password is equal to the content of Interrupt Vector table on the device.

Contents

1 Introduction ................................................................................................................... 3

1.1 Supplementary Online Information ............................................................................... 3

1.2 Overview of BSL Features......................................................................................... 4

1.3 Standard RESET and BSL Entry Sequence .................................................................... 5

1.4 UART Protocol ...................................................................................................... 6

1.5 USB Protocol........................................................................................................ 7

2 Bootloader Protocol – 1xx, 2xx, and 4xx Families....................................................................... 8

2.1 Synchronization Sequence ........................................................................................ 8

2.2 Commands .......................................................................................................... 8

2.3 Programming Flow.................................................................................................. 8

2.4 Data Frame.......................................................................................................... 9

2.5 Loadable BSL...................................................................................................... 14

2.6 Exiting the BSL .................................................................................................... 15

2.7 Password Protection.............................................................................................. 15

2.8 Code Protection Fuse............................................................................................. 15

2.9 BSL Internal Settings and Resources .......................................................................... 16

3 Bootloader Protocol – F5xx and F6xx Families ........................................................................ 19

3.1 BSL Data Packet .................................................................................................. 19

3.2 UART Peripheral Interface (PI).................................................................................. 19

3.3 I

3.4 USB Peripheral Interface......................................................................................... 22

3.5 BSL Core Command Structure .................................................................................. 22

3.6 BSL Security ....................................................................................................... 24

3.7 BSL Core Responses............................................................................................. 25

3.8 BSL Public Functions and Z-Area............................................................................... 27

4 Bootloader Hardware ...................................................................................................... 29

4.1 Hardware Description............................................................................................. 29

5 Differences Between Devices and Bootloader Versions.............................................................. 33

5.1 1xx, 2xx, and 4xx BSL Versions................................................................................. 33

5.2 Special Consideration for ROM BSL Version 1.10 ........................................................... 40

5.3 1xx, 2xx, and 4xx BSL Known Issues .......................................................................... 41

5.4 Special Note on the MSP430F14x Device Family BSL ...................................................... 41

C Peripheral Interface........................................................................................... 20

User's Guide

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

6 Bootloader PCB Layout Suggestion ..................................................................................... 48

1 Standard RESET Sequence ............................................................................................... 5

2 BSL Entry Sequence at Shared JTAG Pins.............................................................................. 5

3 BSL Entry Sequence at Dedicated JTAG Pins .......................................................................... 6

4 Basic Protocol - Byte Level ACK......................................................................................... 20

5 Byte Level ACK............................................................................................................. 21

6 Bootloader Interface Schematic.......................................................................................... 29

7 Universal BSL Interface PCB Layout, Top.............................................................................. 48

8 Universal BSL Interface PCB Layout, Bottom.......................................................................... 48

9 Universal BSL Interface Component Placement....................................................................... 49

10 Universal BSL Interface Component Placement....................................................................... 50

Trademarks

MSP430, E2E are trademarks of Texas Instruments. All other trademarks are the property of their respective owners.

www.ti.com

5.5 F5xx and F6xx Flash-Based BSL Versions.................................................................... 42

List of Figures

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

www.ti.com

1 Introduction

The bootloader provides a method to program the flash memory during MSP430 project development and updates. It can be activated by a utility that sends commands using the UART protocol. The BSL enables the user to control the activity of the MSP430 MCU and to exchange data using a personal computer or other device.

To avoid accidental overwriting of the BSL code, this code is stored in a secure memory location, either ROM or specially protected flash. To prevent unwanted source readout, any BSL command that directly or indirectly allows data reading is password protected.

To invoke the bootloader, a BSL entry sequence must be applied to dedicated pins. After that, a synchronization character, followed by the data frame of a specific command, initiates the desired function.

1.1 Supplementary Online Information

As a compliment to this document, visit Bootloader (BSL) for MSP low-power microcontrollers. This page contains links to additional BSL user's guides, source code, firmware images, and the BSL scripter with documentation and code examples.

Additional support is provided by the TI E2E™ Community.

Introduction

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Introduction

1.2 Overview of BSL Features

Table 1 summarizes the BSL features of the MSP devices, organized by device family.

Table 1. BSL Overview

MSP430 MSP432

G2xx0, G2xx1, G2xx2,

I20xx

F1xx, F2xx, F4xx,

G2xx3

BSL memory type No BSL ROM Flash BSL memory size N/A 1 KB 2 KB 2 KB 2 KB 4 KB 3 KB 1 KB 8 KB Peripheral configured by TLV ✔ ✔ ✔ User configuration ✔ UART ✔ ✔ ✔ ✔ ✔ ✔ ✔

General

I2C SPI ✔ USB ✔ '1xx, 2xx, 4xx' protocol ✔

'5xx, 6xx' protocol ✔ ✔ ✔ ✔ ✔ ✔ ✔

Protocol

Sequence on TEST/RST ✔ ✔ ✔ ✔ ✔ ✔ Entry sequence on I/Os

PUR pin tied to V

USB

Sequence on defined I/O ✔ ✔ Empty reset vector invokes BSL ✔ ✔ ✔ ✔ Calling BSL from software application ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Invoke mechanism

Invalid or incomplete application ✔

MSP-BSL 'Rocket' ✔ ✔ ✔ ✔ ✔ ✔ ✔ Hardware

MSP-FET ✔ ✔ ✔ ✔ ✔ ✔ ✔

USB cable ✔

BSL Scripter ✔ ✔ ✔ ✔ ✔ ✔ ✔

BSLDEMO ✔

(1)

Software

Tools Support

MSPBSL library ✔ Password protection 32 byte 32 byte

Mass erase on incorrect password

(5)

✔ ✔ ✔ ✔ ✔ ✔ ✔

Completely disable the BSL using signature or erasing the BSL

BSL payload encryption ✔ ✔

Security

Update of IP protected regions through boot code

Authenticated encryption ✔ Additional security ✔

F5xx, F6xx FR5xx, FR6xx

NonUSB

USB Factory

(2)

Flash

(1)

FR2x33,

FR231x

Crypto-

Boot-

loader

(2)

ROM FRAM ROM ROM Flash

FR413x,

FR211x

✔ ✔ ✔ ✔ ✔

✔

UART

only

(4)

32 byte 32 byte 32 byte 32 byte 256 byte

UART

✔

only

✔ ✔ ✔ ✔ ✔ ✔ ✔

(7)

www.ti.com

P401R

(2)

(3)

✔

(6)

✔

(1)

All BSL software collateral (application, examples, source code, and firmware images) is available in the BSL tool folder. The MSP430 USB developers package includes additional USB BSL sample applications.

(2)

BSL in flash memory allows to replace the BSL with a custom version.

(3)

MSP-FET supports UART and I2C BSL communication only.

(4)

F543x (non A) has a 16-byte password.

(5)

Some devices can disable mass erase on incorrect password. See the device family user's guide.

(6)

The decryption of the payload is performed by the device bootcode.

(7)

Firmware validation through CRC.

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

Bootloader Starts

RST DTR/NMI ( )

TEST ( )RTS

SBW,en

RST DTR/NMI ( )

TEST ( )RTS

User Program Starts

www.ti.com

1.3 Standard RESET and BSL Entry Sequence

1.3.1 MSP430 Devices With Shared JTAG Pins

Applying an appropriate entry sequence on the RST/NMI and TEST pins forces the MSP430 MCU to start program execution at the BSL RESET vector instead of at the RESET vector located at address FFFEh.

If the application interfaces with a computer UART, these two pins may be driven by the DTR and RTS signals of the serial communication port (RS232) after passing level shifters. Detailed descriptions of the hardware and related considerations can be found in Section 4. The normal user reset vector at FFFEh is used if TEST is kept low while RST/NMI rises from low to high (standard method, see Figure 1).

Figure 1. Standard RESET Sequence

The BSL program execution starts when the TEST pin has received a minimum of two positive transitions and if TEST is high while RST/NMI rises from low to high (BSL entry method, see Figure 2). This level transition triggering improves BSL start-up reliability. The first high level of the TEST pin must be at least t

(see device-specific data sheet for t

SBW, En

Introduction

parameter).

Figure 2. BSL Entry Sequence at Shared JTAG Pins

NOTE: The recommended minimum time for pin states is 250 ns. See the device-specific errata for

any differences, because some 5xx and 6xx device revisions require specific entry

sequences.

The TEST signal is normally used to switch the port pins between their application function and the JTAG function. In devices with BSL functionality, the TEST and RST/NMI pins are also used to invoke the BSL. To invoke the BSL, the RST/NMI pin must be configured as RST and must be kept low while pulling the TEST pin high and while applying the next two edges (falling, rising) on the TEST pin. The BSL is started after the TEST pin is held low after the RST/NMI pin is released (see Figure 2).

1.3.1.1 Factors That Prevent BSL Invocation With Shared JTAG Pins

The BSL is not started by the BSL RESET vector if:

• There are fewer than two positive edges at the TEST pin while RST/NMI is low.

• JTAG has control over the MSP430 MCU resources.

• The supply voltage, VCC, drops below its threshold, and a power-on reset (POR) is executed.

• The RST/NMI pin is configured for NMI functionality (the NMI bit is set).

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

RST DTR/NMI ( )

TCK ( )RTS

Bootloader Starts

Introduction

1.3.2 MSP430 Flash Devices With Dedicated JTAG Pins

Devices with dedicated JTAG pins use the TCK pin instead of the TEST pin. The BSL program execution starts whenever the TCK pin has received a minimum of two negative

transitions and TCK is low while RST/NMI rises from low to high (BSL entry method, see Figure 3). This level transition triggering improves BSL start-up reliability.

Figure 3. BSL Entry Sequence at Dedicated JTAG Pins

NOTE: The recommended minimum time for pin states is 250 ns. See the device-specific errata for

any differences, because some 5xx and 6xx device revisions have specific entry sequence

requirements.

1.3.2.1 Factors That Prevent BSL Invocation With Dedicated JTAG Pins

The BSL is not started by the BSL RESET vector if:

• There are fewer than two negative edges at the TCK pin while RST/NMI is low.

• TCK is high if RST/NMI rises from low to high.

• JTAG has control over the MSP430 MCU resources.

• The supply voltage, VCC, drops below its threshold, and a power-on reset (POR) is executed.

• The RST/NMI pin is configured for NMI functionality (the NMI bit is set).

www.ti.com

1.3.3 Devices With USB

Devices with USB are invoked when either of the following two conditions are met while the device is powered by VBUS:

• The device is powered up by USB and the reset vector is blank.

• The device powers up with the PUR pin tied to V

1.4 UART Protocol

The UART protocol applied here is defined as:

• Baud rate is fixed to 9600 baud in half-duplex mode (one sender at a time).

• Start bit, 8 data bits (LSB first), an even parity bit, 1 stop bit.

• Handshake is performed by an acknowledge character.

• Minimum time delay before sending new characters after characters have been received from the MSP430 BSL: 1.2 ms

NOTE: Applying baud rates other than 9600 baud at initialization results in communication problems

or violates the flash memory write timing specification. The flash memory may be extensively stressed or may react with unreliable program or erase operations.

USB

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

www.ti.com

1.5 USB Protocol

The USB protocol applied here is defined as:

• HID protocol with one input endpoint and one output endpoint. Each endpoint has a length of 64 bytes.

• VID: 0x2047

• PID: 0x0200

Introduction

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Bootloader Protocol – 1xx, 2xx, and 4xx Families

2 Bootloader Protocol – 1xx, 2xx, and 4xx Families

2.1 Synchronization Sequence

Before sending any command to the BSL, a synchronization character (SYNC) with its value of 80h must be sent to the BSL. This character is necessary to calculate all the essential internal parameters, which maintain UART and flash memory program and erase timings. It provides the BSL system time reference. When this is received, an acknowledge DATA_ACK = 90h is sent back by the BSL to confirm successful reception.

This sequence must be done before every command that is sent to the BSL.

NOTE: The synchronization character is not part of the Data Frame described in Section 2.4.

2.2 Commands

Two categories of commands are available: commands that require a password and commands that do not require a password. The password protection safeguards every command that potentially allows direct or indirect data access.

2.2.1 Unprotected Commands

• Receive password

• Mass erase (erase entire flash memory, main as well as information memory)

• Transmit BSL version (V1.50 or higher or in loadable BL_150S_14x.txt but not V2.x BSLs)

• Change baud rate (V1.60 or V1.61 or V2.0x or in loadable BL_150S_14x.txt)

www.ti.com

2.2.2 Password Protected Commands

• Receive data block to program flash memory, RAM, or peripherals

• Transmit data block

• Erase segment

• Erase check (present in V1.60 or higher or in loadable BL_150S_14x.txt)

• Set Memory Offset (present in V2.12 or higher)

• Load program counter and start user program

• Change baud rate (BSL versions lower than V1.60 and higher than V2.10)

2.3 Programming Flow

The write access (RX data block command) to the flash memory, RAM, or peripheral modules area is executed online. That means a data byte or word is processed immediately after receipt, and the write cycle is finished before a following byte or word has completely arrived. Therefore, the entire write time is determined by the baud rate, and no buffering mechanism is necessary.

Data sections located below the flash memory area address are assumed to be loaded into the RAM or peripheral module area and, thus, no specific flash control bits are affected.

NOTE: If control over the UART protocol is lost, either by line faults or by violating the data frame

conventions, the only way to recover is to rerun the BSL entry sequence to initiate another BSL session.

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

www.ti.com

2.4 Data Frame

To ensure high data security during the data transmission, a data frame protocol called serial standard protocol (SSP) is used. The BSL is considered the receiver in Table 2.

2.4.1 Data-Stream Structure

• The first eight bytes (HDR through LH) are mandatory (xx represents dummy data).

• Data bytes D1 to Dn are optional.

• Two bytes (CKL and CKH) for checksum are mandatory.

• Acknowledge done by the BSL is mandatory, except with the TX data block and TX BSL version commands.

Bootloader Protocol – 1xx, 2xx, and 4xx Families

Table 2. Data Frame of BSL Commands

Received

BSL

Command

RX data block 80 12 n n AL AH n–4 0 D1 D2 … Dn–4 CKL CKH ACK RX password 80 10 24 24 xx xx xx xx D1 D2 … D20 CKL CKH ACK Erase segment 80 16 04 04 AL AH 02 A5 – – – – CKL CKH ACK Erase main or info 80 16 04 04 AL AH 04 A5 – – – – CKL CKH ACK Mass erase 80 18 04 04 xx xx 06 A5 – – – – CKL CKH ACK Erase check 80 1C 04 04 AL AH LL LH – – – – CKL CKH ACK Change baud rate 80 20 04 04 D1 D2 D3 xx – – – – CKL CKH ACK Set mem offset 80 21 04 04 xx xx AL AH – – – – CKL CKH ACK Load PC 80 1A 04 04 AL AH xx xx – – – – CKL CKH ACK TX data block 80 14 04 04 AL AH n 0 – – – – CKL CKH –

BSL responds 80 xx n n D1 D2 ... ... … ... … Dn CKL CKH –

TX BSL version 80 1E 04 04 xx xx xx xx – – – – CKL CKH –

BSL responds 80 xx 10 10 D1 D2 ... ... … … … D10 CKL CKH –

(1)

All numbers are bytes in hexadecimal notation.

(2)

ACK is sent back by the BSL.

(3)

The synchronization sequence is not part of the data frame.

(4)

The erase check and TX BSL version commands are members of the standard command set in BSLs V1.50 or higher but excluding 2.x BSLs.

(5)

The change baud rate command is not a member of the standard command set (it is available in V1.60 or higher or in loadable BL_150S_14x.txt).

(6)

Abbreviations:

HDR: Header. Any value between 80h and 8Fh (normally 80h). CMD: Command identification L1, L2: Number of bytes consisting of AL through Dn. Restrictions: L1 = L2, L1 < 255, L1 even AL, AH: Block start address or erase (check) address or jump address LO or HI byte LL, LH: Number of pure data bytes (250 max) or erase information LO or HI byte or block length of erase check (FFFFh max) D1 … Dn: Data bytes CKL, CKH: 16-bit checksum LO or HI byte xx: Can be any data –: No character (data byte) received or transmitted ACK: The acknowledge character returned by the BSL. Can be either DATA_ACK = 90h: Frame was received correctly,

command was executed successfully, or DATA_NAK = A0h: Frame not valid (for example, wrong checksum, L1 ≠ L2), command is not defined, is not allowed, or was executed unsuccessfully.

n: Number of bytes consisting of AL through Dn

HDR CMD L1 L2 AL AH LL LH D1 D2…Dn CKL CKH ACK

(1)(2)(3) (4)(5)(6)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Bootloader Protocol – 1xx, 2xx, and 4xx Families

2.4.2 Checksum

The 16-bit (2-byte) checksum is calculated over all received or transmitted bytes B1 to Bn in the data frame, except the checksum bytes themselves, by XORing words (two successive bytes) and inverting the result.

This means that B1 is always the HDR byte and Bn is the last data byte just before the CKL byte.

Formula

CHECKSUM = INV [ (B1 + 256 × B2) XOR (B3 + 256 × B4) XOR … XOR (Bn–1 + 256 × Bn) ] or CKL = INV [ B1 XOR B3 XOR … XOR Bn–1 ] CKH = INV [ B2 XOR B4 XOR … XOR Bn ]

2.4.3 Example Sequence

The following example shows a request to read the memory of the MSP430 MCU from location 0x0F00. All values shown below are represented in hexadecimal format.

TO BSL: 80

(Synchronization character sent to the BSL)

FROM BSL: 90

(Acknowledge from BSL)

TO BSL: 80 14 04 04 00 0F 0E 00 75 E0

(Send Command to read memory from 0x0F00, length 0x000E)

FROM BSL: 80 00 0E 0E F2 13 40 40 00 00 00 00 00 00 02 01 01 01 C0 A2

(Returned values from BSL)

www.ti.com

2.4.4 Commands – Detailed Description

See Table 2.

2.4.4.1 General

Following the header byte HDR (80h) and the command identification CMD, the frame length bytes L1 and L2 (which must be equal) hold the number of bytes following L2, excluding the checksum bytes CKL and CKH.

Bytes AL, AH, LL, LH, D1...Dn are command-specific. However, the checksum bytes CKL (low byte) and CKH (high byte) are mandatory.

If the data frame has been received correctly and the command execution was successful, an acknowledge character DATA_ACK = 90h is sent back by the BSL. Incorrectly received data frames, unsuccessful operations, and commands that are locked or not defined are confirmed with a DATA_NAK = A0h.

NOTE: BSL versions lower than V1.30 support only byte-access operations. Therefore, the

peripheral module addresses at 0100h to 01FFh cannot be accessed correctly, because they are word-oriented. In version V1.30 and higher, addresses 0000h to 00FFh are accessed in byte mode; all others are accessed in word mode.

2.4.4.2 RX Data Block

The receive data block command is used for any write access to the flash memory, RAM, or peripheral module control registers at 0000h to 01FFh. It is password protected.

The 16-bit even-numbered block start address is defined in AL (low byte) and AH (high byte). The 16-bit even-numbered block length is defined in LL (low byte) and LH (high byte). Because pure data bytes are limited to a maximum of 250, LH is always 0.

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

www.ti.com

The following data bytes are succeeded by the checksum bytes CKL (low byte) and CKH (high byte). If the receipt and programming of the appropriate data block was successful, an acknowledge character DATA_ACK is sent back by the BSL. Otherwise, the BSL confirms with a DATA_NAK.

NOTE: BSL versions V1.40 and higher support online verification inside the MSP430 MCU for

addresses 0200h to FFFFh, which reduces programming and verification time by 50%. Online verification means that the data is immediately verified with the data that is written into the flash without transmitting it again. In case of an error, the loadable bootloader BL_150S_14x.txt additionally stores the first incorrectly written location address+3 into the error address buffer in the RAM at address 0200h (021Eh for F14x devices).

2.4.4.3 RX Password

The receive password command is used to unlock the password-protected commands, which perform reading, writing, or segment-erasing memory access. It is not password protected.

Neither start address nor block length information is necessary, because the 32-byte password is always located at addresses FFE0h to FFFFh. Data bytes D1 to D20h hold the password information starting with D1 at address FFE0h.

The BSL responds with DATA_ACK when the package from the host is received correctly and has valid content as shown in Table 2. The DATA_ACK does not reflect that the password is correct (that is, it matches the content of FFE0h to FFFFh) or incorrect. If an incorrect password is sent, other commands will respond with DATA_NAK, because the BSL is still locked.

After the protected commands are unlocked, they remain unlocked until another BSL entry is initiated.

Bootloader Protocol – 1xx, 2xx, and 4xx Families

2.4.4.4 Mass Erase

The mass erase command erases the entire flash memory area (main memory plus information memory, see corresponding data sheet). This command is not password protected.

All parameters shown in Table 2 are mandatory. After erasing, an acknowledge character DATA_ACK is sent back by the BSL.

Mass erase initializes the password area to 32 times 0FFh.

NOTE: BSL versions 2.01 and higher support automatic clearing of the LOCKA bit, which protects

information memory. When entering the BSL by cold start (that is, by applying the BSL hardware entry sequence

on the RST and TST pins), the LOCKA bit is automatically unlocked. A mass erase that is executed during BSL communication erases all parts of information memory and also main memory.

When entering the BSL by warm start (that is, by jumping to the BSL application from a software function), the LOCKA bit is not automatically unlocked. A mass erase performed in this state does not erase the information memory. Therefore, when the BSL is called by software, the user application must ensure that LOCKA is cleared before initialization of the BSL, so a mass erase command can erase the information memory.

2.4.4.5 Erase Segment

The erase segment command erases specific flash memory segments. It is password protected. The address bytes AL (low byte) and AH (high byte) select the appropriate segment. Any even-numbered

address within the segment to be erased is valid. After segment erasing, an acknowledge character DATA_ACK is sent back by the BSL (V1.40 or lower).

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Bootloader Protocol – 1xx, 2xx, and 4xx Families

BSL versions V1.60 or higher perform a subsequent erase check of the corresponding segment and respond with a DATA_NAK if the erasure was not successful. In this case, the first non-erased location address + 1 is stored in the error address buffer in the RAM at address 0200h (021Eh for F14x devices). In this version, a problem occurs if only one of the information memory segments is erased. In this case, an error is reported, because an automatic erase check over the whole information memory is performed. As a solution, either erase the whole information memory or do a separate erase check after the erase, even if the erase reported an error.

Erase segment 0 clears the password area and, therefore, the remaining password is 32 times 0FFh. When applying LL = 0x04 and LH = 0xA5, a mass erasure of only the main memory is performed. Indeed,

this command must be executed a minimum of 12 times to achieve a total erasure time of >200 ms. No subsequent erase check of the entire main memory is done. Use the erase check command additionally. Check the device data sheet for more information on the cumulative (mass) erase time that must be met and the number of erase cycles required.

2.4.4.6 Erase Main or Info

The erase main or info command erases specific flash memory section. It is password protected. The address bytes AL (low byte) and AH (high byte) select the appropriate section of flash (main or

information). Any even-numbered address within the section to be erased is valid.

2.4.4.7 Erase Check

The erase check command verifies the erasure of flash memory within a certain address range. It is password protected.

The 16-bit block start address is defined in AL (low byte) and AH (high byte). The 16-bit block length is defined in LL (low byte) and LH (high byte). Both can be either even or odd numbered to allow odd boundary checking.

If the erase check of the appropriate data block was successful (all bytes contain 0FFh), an acknowledge character DATA_ACK is sent back by the BSL. Otherwise, the BSL confirms with a DATA_NAK and the first non-erased location address + 1 is stored in the error address buffer at address 0200h (021Eh for F14x devices).

www.ti.com

NOTE: This command is not a member of the standard command set. It is implemented in BSL

version V1.60 and higher or in the loadable bootloader BL_150S_14x.txt.

2.4.4.8 Change Baud Rate

The change baud rate command offers the capability of transmissions at higher baud rates than the default 9600 baud. With faster data transition, shorter programming cycles can be achieved, which is especially important with large flash memory devices. This command is not password protected.

Three control bytes (D1 to D3) determine the selected baud rate. D1 and D2 set the processor frequency (f ≥ f

), D3 indirectly sets the flash timing generator frequency (f

min

D1: F1xx: Basic clock module control register DCOCTL (DCO.2 to DCO.0)

F2xx: Basic clock module control register DCOCTL (DCO.2 to DCO.0) F4xx: FLL+ system clock control register SCFI0 (D, FN_8 to FN_2)

D2: F1xx: basic clock module control register BCSCTL1 (XT2Off, Rsel.2 to Rsel.0)

F2xx: basic clock module control register BCSCTL1 (XT2Off, Rsel.2 to Rsel.0) F4xx: FLL+ system clock control register SCFI1 (N

D3 0: 9600 baud

1: 19200 baud 2: 38400 baud

MSP430™ Flash Device Bootloader (BSL)

FTGmin

)

DCO

≤ f

FTG

SLAU319S–July 2010–Revised April 2018

). In detail:

FTGmax

Submit Documentation Feedback

www.ti.com

After receiving the data frame, an acknowledge character DATA_ACK is sent back, and the BSL becomes prepared for the selected baud rate. TI recommends that the BSL communication program wait approximately 10 ms between baud rate alteration and the next data transmission to give the BSL clock system time to stabilize.

Bootloader Protocol – 1xx, 2xx, and 4xx Families

NOTE: The highest achievable baud rate depends on various system and environment parameters

like supply voltage, temperature range, and minimum and maximum processor frequency. See the device-specific data sheet.

NOTE: This command is implemented on BSL versions V1.60 or higher or available in the loadable

bootloader BL_150S_14x.txt.

(1)

Program and Verify 60 KB

(4)

(sec)

Baud Rate (baud)

Table 3. Recommendations for MSP430F149 [MSP430F449]

Processor Frequency, f

(2)

(MHz)

(TA= 25°C, VCC= 3.0 V, f

D1 DCOCTL

min

[SCFI0]

(3)

D2 BCSCTL1 [SCFI1]

= 6.7 MHz)

max

(3)

9600 (init) 1.05 0x80 [00] 0x85 [98] 00 [00] 78 + 3.7 [0.0] 19200 2.1 0xE0 [00] 0x86 [B0] 01 [01] 39 + 3.7 [2.4] 38400 4.2 0xE0 [00] 0x87 [C8] 02 [02] 20 + 3.7 [2.4]

(1)

Values in brackets [ ] apply to MSP430F449.

(2)

The minimum processor frequency is lower than in the standard ROM BSL (see Section 2.9.3, Initialization Status).

(3)

D1 to D3 are bytes in hexadecimal notation.

(4)

Additional 3.7 [2.4] seconds result from loading, verifying, and launching the loadable BSL.

Baud Rate (baud)

Processor Frequency, f

(2)

(MHz)

Table 4. Recommendations for MSP430F2131

(TA= 25°C, VCC= 3.0 V, f

D1 DCOCTL

min

[SCFI0]

(3)

D2 BCSCTL1 [SCFI1]

= 6.7 MHz)

max

(3)

(1)

(3)

Program and Verify 60 KB (sec)

9600 (init) 1.05 0x80 0x85 00 78 19200 2.1 0x00 0x8B 01 39 38400 4.2 0x80 0x8C 02 20

(1)

Values in brackets [ ] are related to MSP430F449.

(2)

The minimum processor frequency is lower than in the standard ROM BSL (see Section 2.9.3, Initialization Status).

(3)

D1 to D3 are bytes in hexadecimal notation.

2.4.4.9 Set Memory Offset

An offset for the memory pointer can be set for devices that have more than 64KB of memory, specifically MSP430X architecture devices. The value for the memory offset is used as the memory pointer’s upper word.

Memory Address = Offset Value << 16 + Actual Address

NOTE: This command is implemented on BSL versions V2.12 and higher.

2.4.4.10 Load PC

The load program counter command directs the program counter (register R0) to any location within the entire address range. It is password protected.

After receiving the data frame, an acknowledge character (DATA_ACK) is sent back by the BSL. Then the selected address is moved into the program counter. The program flow continues operation there, and the BSL session is terminated.

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Bootloader Protocol – 1xx, 2xx, and 4xx Families

Be aware that password protection is not active at this time. Jumping to the user application does not reset the device and, therefore, the register configuration from the BSL application is kept. This might cause unexpected behavior in the user application. One example is the blink LED application, which does not have any clock module configuration (so it uses the default 1-MHz clock) and will blink faster, because the clock module is set by the BSL application to run at 8 MHz.

2.4.4.11 TX Data Block

The transmit data block command is used for any read access to the flash memory, RAM, or peripheral module control registers at 0000h to 01FFh. It is password protected.

The 16-bit block start address is defined in AL (low byte) and AH (high byte). The 16-bit block length is defined in LL (low byte) and LH (high byte). Because pure data bytes are limited to a maximum of 250, LH is always 0. The checksum bytes CKL (low byte) and CKH (high byte) immediately follow this information.

Now the BSL responds with the requested data block. After transmitting HDR, dummy CMD, L1 and L2, The BSL sends data bytes D1 through Dn, followed by the checksum bytes CKL (low byte) and CKH (high byte). No acknowledge character is necessary.

2.4.4.12 TX BSL Version

The transmit BSL version command gives the user information about chip identification and bootloader software version. It is not password protected.

The values for AL, AH, LL, and LH can be any data, but must be transmitted to meet the protocol requirements. The checksum bytes CKL (low byte) and CKH (high byte) follow this information.

After that, the BSL responds with a 16-byte data block. After transmitting HDR, dummy CMD, L1 and L2, the BSL sends data bytes D1 through D16 (decimal), followed by the checksum bytes CKL (low byte) and CKH (high byte). No acknowledge character is necessary.

D1, D2 and D11, D12 (decimal) hold the specific information:

• D1: Device family type (high byte)

• D2: Device family type (low byte)

• D11: BSL version (high byte)

• D12: BSL version (low byte)

The remaining 12 bytes are for internal use only.

www.ti.com

2.5 Loadable BSL

For upgrading the BSL functionality, sometimes it is suitable to load a higher version of BSL into the RAM of a device and apply the latest innovations. To do so, use the following BSL commands:

• RX password (unlock password protection for following commands)

• RX data block (code of loadable BSL, code section address ≥ 220h)

• TX data block (for verification)

• RX data block (get start address from first code section address)

• Load program counter PC (with start address of loadable BSL)

• Wait at least 5 ms until the new loaded BSL has executed the initialized routine

• RX password (unlock password protection for loaded BSL)

• Perform any command (with loaded BSL)

The following loadable BSLs are available:

• BL_150S_14x.txt is a complete BSL for the F14x and F13x family with BSL version 1.10. All features of BSL version V1.60 are supported. Because its code size is larger than 1KB, it can be used only in F1x8 and F1x9 devices. The error address buffer address for RX Block, Erase Segment, and Erase Check commands is 021Eh. BL_150S_14x.txt could also be used as a replacement for PATCH.txt.

• BS_150S_14x.txt is a small BSL with reduced command set for the F14x and F13x family with BSL version 1.10. Because its code size is smaller than 512B, it can be used in F1x4 up to F1x9 devices.

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

www.ti.com

The following commands of BSL version V1.60 are supported: Change Baud Rate, RX Block (with online verification), Erase Check, and Load PC. If a TX Block command (redirected to ROM BSL) is needed (for example, for transmitting error address or standalone Verify), the RAM BSL must be invoked again by the Load PC command. The error address buffer address for RX Block and Erase Check commands is 021Eh. BS_150S_14x.txt could also be used as a partial replacement for PATCH.txt. No password is required, as the RX password command is removed.

For more information on downloading a different bootloader, see Application of Bootstrap Loader in

MSP430 With Flash Hardware and Software Proposal.

Third-party software normally uses loadable BSLs to perform most functions, like online verification, and to improve speed for appropriate devices.

2.6 Exiting the BSL

To exit the BSL mode, two possibilities are provided:

• The microcontroller continues operation at a defined program address invoked by the load program counter command. Be aware that the password protection is not active at this time. In this case, the user application should ensure that the flash is locked, as this is not done by the BSL. Leaving the BSL unlocked increases the risk of erroneously modifying the flash due to system or software errors. On 2xx devices, the correct setting of the LOCKA bit should also be checked.

• Applying the standard RESET sequence (see Figure 1) forces the microcontroller to start with the user reset vector at address 0FFFEh.

2.7 Password Protection

The password protection prohibits every command that potentially allows direct or indirect data access. Only the unprotected commands like mass erase and RX password (optionally, TX BSL version and change baud rate) can be performed without prior receipt of the correct password after BSL entry.

Applying the RX password command for receiving the correct password unlocks the remaining commands.

After it is unlocked, it remains unlocked until initiating another BSL entry. The password itself consists of the 16 interrupt vectors located at addresses FFE0h to FFFFh (256 bits),

starting with the first byte at address FFE0h. After mass erase and with unprogrammed devices, all password bits are logical high (1).

BSL versions 2.00 and higher have enhanced security features. These features are controlled by the flash data word located beneath the interrupt vector table addresses (for example, for the MSP430F2131, address 0xFFDE). If this word contains:

• 0x0000: The flash memory is not erased if an incorrect BSL password has been received by the target.

• 0xAA55: The BSL is disabled. This means that the BSL is not started with the default initialization sequence shown in Section 1.3.

• All other values: If an incorrect password is transmitted, the entire flash memory address space is erased automatically.

Bootloader Protocol – 1xx, 2xx, and 4xx Families

NOTE: The user must take care of password update after modifying the interrupt vectors and

initiating another BSL session. TI strongly recommends initializing unused interrupt vectors to increase data security.

2.8 Code Protection Fuse

After the JTAG fuse (code protection fuse) is blown, no further access to the JTAG test feature is possible. The only way to get any memory read or write access is through the bootloader by applying the correct password.

However, it is not possible for the BSL to blow the JTAG fuse. If fuse blowing is needed, use JTAG programming techniques.

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

MSP430™ Flash Device Bootloader (BSL)

Bootloader Protocol – 1xx, 2xx, and 4xx Families

2.9 BSL Internal Settings and Resources

The following paragraphs describe BSL internal settings and resources. Because the same device may have implemented different BSL versions, it is very important for the BSL communication program to know the settings and resources. Resources could be either device dependent (for example, RX or TX pins) or BSL-version dependent (for example, byte or word access). The following sections describe the possible variations.

2.9.1 Chip Identification and BSL Version

The upper 16 bytes of the boot-ROM (0FF0h to 0FFFh) hold information about the device and BSL version number in BCD representation. This is common for all devices and BSL versions:

• 0FF0h to 0FF1h: Chip identification (for example, F413h for an F41x device).

• 0FFAh to 0FFBh: BSL version number (for example, 0130h for BSL version V1.30).

See the MSP430 device to BSL version assignment in Section 5.

2.9.2 Vectors to Call the BSL Externally

The entry part of the boot ROM holds the calling vectors for BSL access by program:

• 0C00h: Vector for cold start (mnemonic: BR &0C00h) (recommended)

• 0C02h: Vector for warm start (mnemonic: BR &0C02h). V1.30 or higher.

• 0C04h: Vectors for future use. This table is expandable.

www.ti.com

NOTE: A warm start does not modify the stack pointer. Additionally, the status register for the BSL is

not cleared, which could cause a warm started BSL to come up in an unlocked state. Warm start possibility exists only for highly specialized instances where it is absolutely mandatory that a running application be returned to after a BSL session without resetting the device. In almost all cases, it is better to start the BSL from user code by calling the cold start vector.

MSP430™ Flash Device Bootloader (BSL)

SLAU319S–July 2010–Revised April 2018

Submit Documentation Feedback

+ 36 hidden pages