using BDI2000 to access Secured Silicon Sector on Spansion Flash (CFI commandset 0002)

Peter Vollmer pvollmer-linux-mtd at
Wed Mar 4 07:49:18 EST 2009

Hi all,

I'm sorry if this is slightly off-topic, but I hope to reach somebody with  
experience using the BDI2000 (or other jtag tools) to run cfi commands  
(command set 0002) directly, i.e. without booting the linux kernel.

I want to access the secured silicon sector of a s29gl128n flash chip,  
namely to program a unique device id and lock this sector. The board I use  
has a MPC8343 CPU and two of these flash chips in parallel on the local  
address bus, each delivering 16 data bits to the databus lines 0-15 and   
16-31 respectively.

The 32 MB of flash are mapped to 0xfe000000..0xffffffff (see bdi2000  
configuration below)

After powering on the target I try to follow the cfi command sequence to  
enter the secured silicon sector as described in the datasheet  
( :

-> enter secured sector
write 0xAA to addr 0x555
write 0x55 to addr 0x2AA
write 0x88 to addr 0x555

->read secured sector content in address range 0x00..0xff

-> leave secured sector
write 0xAA to addr 0x555
write 0x55 to addr 0x2AA
write 0x90 to addr 0x555
write 0x00 to addr 0x2AA (addr is defined as "do not care" for this step)

so what I try on the bdi2000 after resetting the target is the following  
(I try to access both chips simultaneously using 32 bit data access, but I  
also tried writing 16 bit words instead)

SEC>mm 0xfe000555 0x00AA00AA; mm 0xfe0002AA 0x00550055; mm 0xfe000555 0x00880088; md 0xfe000000

What I see each time is only the start of my bootloader code in flash. Do  
I miss something important when trying it like this? I would very much  
appreciate if someone could give a short example of executing cfi commands  
on the flash only using jtag access.

I'm using linux (CONFIG_MTD_CFI_AMDSTD=y), the flash gets  
detected as CFI_ID 0x2101 and uses cfi command set 0002. I tried to  
activate the fixup function fixup_use_secsi() for this chip id, and I  
think I can read the secured sector when reading from /dev/mtd/0 after  
doing the following ioctl to its file descriptor:


But I can only read 16 bytes (all 0xFF's - maybe because the chips are not  
pre-serialized in the factory), and writing to the sector does not change  
the content.

Thanks very much for your help

Peter Vollmer
Innominate Security Technologies AG
Berlin / Germany

My simplified bdi configuration for the direct access attempt looks as  

; init core register
WREG    MSR             0x00001002      ;MSR  : ME,RI
WM32    0xFF400000      0xE0000000 	;IMMR

; System configuration
WM32	0xE0000114	0x80000000      ; SICRL
WM32	0xE0000118	0x00000002      ; SICRH

WM32    0xE00050D4      0x80000008 	;LCRR : DLL bypass, freq ratio 1:8, 33 MHz

WM32    0xE0000020      0xFE000000      ;LBLAWBAR0: Flash
WM32    0xE0000024      0x80000018      ;LBLAWAR0   32MB

; WINDOW 1 - bootrom
WM32	0xE0000028	0xFFF00000	;LBLAWBAR1  - beginning at 0xfff00000
WM32	0xE000002C	0x8000001E 	;LBLAWAR1   - enabled, size = 2GB

; WINDOW 2 - board BCSRs
WM32    0xE0000030      0xB0000000      ;LBLAWBAR2: CPLD
WM32    0xE0000034      0x8000000B      ;LBLAWAR2 : 4kB

; PCI Local Access Windows
WM32	0XE0000060	0x80000000	;PCILAWBAR0 - beginning at 0x80000000
WM32    0XE0000064	0x8000001B	;PCILAWAR0  - enable, size = 256MB

WM32    0XE0000068      0x90000000      ;PCILAWBAR1 - beginning at  
WM32    0XE000006C      0x8000001B      ;PCILAWAR1  - enable, size = 256MB

CPUTYPE     8343
JTAGCLOCK   0           ;16 MHz JTAG clock
POWERUP     2000	;start delay after power-up detected in ms
WAKEUP      500		;give reset time to complete
STARTUP     RESET	;halt immediately at the boot vector
SCANSUCC    2 21

BOOTADDR    0x00000100

CHIPSIZE    0x1000000   ;The size of one flash chip in bytes
BUSWIDTH    32          ;The width of the flash memory bus in bits
                         ; (8 | 16 | 32 | 64)
WORKSPACE   0x1000      ;workspace in DDR RAM

FILE        $reg8349e.def
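
Added example, not part of the original post and not BDI2000 or Linux MTD code: datasheet command addresses such as 0x555 and 0x2AA count 16-bit device words, so with two x16 chips side by side on a 32-bit bus each one scales by 4 to give the CPU byte address (0x555 becomes offset 0x1554). This C helper does that translation for the enter/exit sequences listed in the post and formats them as `mm` lines. Assumptions: conventional address-line wiring, no byte-lane swapping, and `mm` issuing a single 32-bit write as used in the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from the post: flash base, two x16 chips in parallel (32-bit bus). */
#define FLASH_BASE   0xFE000000u
#define DEVICE_BYTES 2u   /* each chip is 16 bits wide */
#define INTERLEAVE   2u   /* chips side by side on the data bus */

/* Datasheet command addresses are device word offsets, not CPU byte offsets. */
uint32_t cfi_cmd_addr(uint32_t base, uint32_t word_ofs)
{
    return base + word_ofs * DEVICE_BYTES * INTERLEAVE;
}

/* Replicate the command byte onto every chip's 16-bit data lane. */
uint32_t cfi_cmd_data(uint8_t cmd)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < INTERLEAVE; i++)
        v |= (uint32_t)cmd << (i * DEVICE_BYTES * 8);
    return v;
}

struct cfi_step { uint32_t word_ofs; uint8_t cmd; };

/* Unlock sequences exactly as listed in the post (word address, command). */
static const struct cfi_step secsi_enter[] = { {0x555, 0xAA}, {0x2AA, 0x55}, {0x555, 0x88} };
static const struct cfi_step secsi_exit[]  = { {0x555, 0xAA}, {0x2AA, 0x55}, {0x555, 0x90}, {0x2AA, 0x00} };

/* Format one sequence as "mm <addr> <data>" lines; returns characters written. */
int cfi_format_bdi(const struct cfi_step *s, size_t n, char *out, size_t len)
{
    int used = 0;
    for (size_t i = 0; i < n && (size_t)used < len; i++)
        used += snprintf(out + used, len - used, "mm 0x%08x 0x%08x\n",
                         (unsigned)cfi_cmd_addr(FLASH_BASE, s[i].word_ofs),
                         (unsigned)cfi_cmd_data(s[i].cmd));
    return used;
}

int main(void)
{
    char buf[256];
    cfi_format_bdi(secsi_enter, 3, buf, sizeof buf);
    printf("%smd 0x%08x\n", buf, (unsigned)FLASH_BASE); /* read sector start */
    cfi_format_bdi(secsi_exit, 4, buf, sizeof buf);
    fputs(buf, stdout);
    return 0;
}
```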
