SLAU320AJ July   2010  – May 2021

 

  1.   Trademarks
  2. 1Introduction
    1. 1.1 About This Document
    2. 1.2 Organization of This Document
  3. 2Programming Using the JTAG Interface
    1. 2.1 Introduction
      1. 2.1.1 MSP430 JTAG Restrictions (Noncompliance With IEEE Std 1149.1)
      2. 2.1.2 TAP Controller State Machine
    2. 2.2 Interface and Instructions
      1. 2.2.1 JTAG Interface Signals
        1. 2.2.1.1 Pros and Cons of 2-Wire Spy-Bi-Wire and 4-Wire JTAG
        2. 2.2.1.2 4-Wire JTAG Interface
        3. 2.2.1.3 2-Wire Spy-Bi-Wire (SBW) JTAG Interface
      2. 2.2.2 JTAG Access Macros
        1. 2.2.2.1 Macros for 4-Wire JTAG Interface
          1. 2.2.2.1.1 IR_SHIFT (8-Bit Instruction)
          2. 2.2.2.1.2 DR_SHIFT16 (16-Bit Data)
          3. 2.2.2.1.3 DR_SHIFT20 (20-Bit Address) (Applies Only to MSP430X Devices)
          4. 2.2.2.1.4 MsDelay (Time)
          5. 2.2.2.1.5 SetTCLK
          6. 2.2.2.1.6 ClrTCLK
        2. 2.2.2.2 Macros for Spy-Bi-Wire (SBW) Interface
      3. 2.2.3 Spy-Bi-Wire (SBW) Timing and Control
        1. 2.2.3.1 Basic Timing
        2. 2.2.3.2 TMS Slot
          1. 2.2.3.2.1 TMSH Macro
          2. 2.2.3.2.2 TMSL Macro
          3. 2.2.3.2.3 TMSLDH Macro
        3. 2.2.3.3 TDI Slot
          1. 2.2.3.3.1 TDIH Macro
          2. 2.2.3.3.2 TDIL Macro
        4. 2.2.3.4 TDO Slot
          1. 2.2.3.4.1 TDO_RD Macro
          2. 2.2.3.4.2 TDOsbw Macro (No Read)
        5. 2.2.3.5 TCLK Handling in Spy-Bi-Wire (SBW) Mode
          1. 2.2.3.5.1 SetTCLK and ClrTCLK
          2. 2.2.3.5.2 TCLK Strobes
      4. 2.2.4 JTAG Communication Instructions
        1. 2.2.4.1 Controlling the Memory Address Bus (MAB)
          1. 2.2.4.1.1 IR_ADDR_16BIT
          2. 2.2.4.1.2 IR_ADDR_CAPTURE
        2. 2.2.4.2 Controlling the Memory Data Bus (MDB)
          1. 2.2.4.2.1 IR_DATA_TO_ADDR
          2. 2.2.4.2.2 IR_DATA_16BIT
          3. 2.2.4.2.3 IR_DATA_QUICK
          4. 2.2.4.2.4 IR_BYPASS
        3. 2.2.4.3 Controlling the CPU
          1. 2.2.4.3.1 IR_CNTRL_SIG_16BIT
          2. 2.2.4.3.2 IR_CNTRL_SIG_CAPTURE
          3. 2.2.4.3.3 IR_CNTRL_SIG_RELEASE
        4. 2.2.4.4 Memory Verification by Pseudo Signature Analysis (PSA)
          1. 2.2.4.4.1 IR_DATA_PSA
          2. 2.2.4.4.2 IR_SHIFT_OUT_PSA
        5. 2.2.4.5 JTAG Access Security Fuse Programming
          1. 2.2.4.5.1 IR_PREPARE_BLOW
          2. 2.2.4.5.2 IR_EX_BLOW
    3. 2.3 Memory Programming Control Sequences
      1. 2.3.1 Start-Up
        1. 2.3.1.1 Enable JTAG Access
        2. 2.3.1.2 Fuse Check and Reset of the JTAG State Machine (TAP Controller)
      2. 2.3.2 General Device (CPU) Control Functions
        1. 2.3.2.1 Function Reference for 1xx, 2xx, 4xx Families
          1. 2.3.2.1.1 Taking the CPU Under JTAG Control
          2. 2.3.2.1.2 Set CPU to Instruction-Fetch
          3. 2.3.2.1.3 Setting the Target CPU Program Counter (PC)
          4. 2.3.2.1.4 Controlled Stop or Start of the Target CPU
          5. 2.3.2.1.5 Resetting the CPU While Under JTAG Control
          6. 2.3.2.1.6 Release Device From JTAG Control
        2. 2.3.2.2 Function Reference for 5xx and 6xx Families
          1. 2.3.2.2.1 Taking the CPU Under JTAG Control
          2. 2.3.2.2.2 Setting the Target CPU Program Counter (PC)
          3. 2.3.2.2.3 Resetting the CPU While Under JTAG Control
          4. 2.3.2.2.4 Release Device From JTAG Control
          5. 2.3.2.2.5 74
      3. 2.3.3 Accessing Non-Flash Memory Locations With JTAG
        1. 2.3.3.1 Read Access
        2. 2.3.3.2 Write Access
        3. 2.3.3.3 Quick Access of Memory Arrays
          1. 2.3.3.3.1 Flow for Quick Read (All Memory Locations)
          2. 2.3.3.3.2 Flow for Quick Write
      4. 2.3.4 Programming the Flash Memory (Using the Onboard Flash Controller)
        1. 2.3.4.1 Function Reference for 1xx, 2xx, 4xx Families
        2. 2.3.4.2 Function Reference for 5xx and 6xx Families
      5. 2.3.5 Erasing the Flash Memory (Using the Onboard Flash Controller)
        1. 2.3.5.1 Function Reference for 1xx, 2xx, 4xx Families
          1. 2.3.5.1.1 Flow to Erase a Flash Memory Segment
          2. 2.3.5.1.2 Flow to Erase the Entire Flash Address Space (Mass Erase)
        2. 2.3.5.2 Function Reference for 5xx and 6xx Families
      6. 2.3.6 Reading From Flash Memory
      7. 2.3.7 Verifying the Target Memory
      8. 2.3.8 FRAM Memory Technology
        1. 2.3.8.1 Writing and Reading FRAM
        2. 2.3.8.2 Erasing FRAM
    4. 2.4 JTAG Access Protection
      1. 2.4.1 Burning the JTAG Fuse - Function Reference for 1xx, 2xx, 4xx Families
        1. 2.4.1.1 Standard 4-Wire JTAG
          1. 2.4.1.1.1 Fuse-Programming Voltage on TDI Pin (Dedicated JTAG Pin Devices Only)
          2. 2.4.1.1.2 Fuse-Programming Voltage On TEST Pin
        2. 2.4.1.2 Fuse-Programming Voltage Using SBW
      2. 2.4.2 Programming the JTAG Lock Key - Function Reference for 5xx, 6xx, and FRxx Families
        1. 2.4.2.1 Flash Memory Devices
        2. 2.4.2.2 FRAM Memory Devices
      3. 2.4.3 Testing for a Successfully Protected Device
      4. 2.4.4 Unlocking an FRAM Device in Protected and Secured Modes
        1. 2.4.4.1 FR5xx and FR6xx Devices
        2. 2.4.4.2 FR4xx and FR2xx Devices
      5. 2.4.5 Memory Protection Unit Handling
      6. 2.4.6 Intellectual Property Encapsulation (IPE)
      7. 2.4.7 FRAM Write Protection
    5. 2.5 JTAG Function Prototypes
      1. 2.5.1 Low-Level JTAG Functions
      2. 2.5.2 High-Level JTAG Routines
    6. 2.6 JTAG Features Across Device Families
    7. 2.7 References
  4. 3JTAG Programming Hardware and Software Implementation
    1. 3.1 Implementation History
    2. 3.2 Implementation Overview
    3. 3.3 Software Operation
    4. 3.4 Software Structure
      1. 3.4.1 Programmer Firmware
      2. 3.4.2 Target Code
        1. 3.4.2.1 Target Code Download for Replicator430, Replicator430X, and Replicator430Xv2
        2. 3.4.2.2 Target Code Download for Replicator430FR (FRAM)
    5. 3.5 Hardware Setup
      1. 3.5.1 Host Controller
      2. 3.5.2 Target Connection
      3. 3.5.3 Host Controller or Programmer Power Supply
      4. 3.5.4 Third-Party Support
  5. 4Errata and Revision Information
    1. 4.1 Known Issues
    2. 4.2 Revisions and Errata From Previous Documents
  6. 5Revision History

2.4 JTAG Access Protection

There are various ways of protecting memory access to an MSP device.Table 2-11 is an overview of all available methods and the applicable device families. All mechanisms directly related to the JTAG interface are described in the referenced sections.

For the sake of completeness, this list also includes the lock mechanisms of the BSL interface. See the documents listed in the Reference column for a detailed description of these features and instructions for their use.

Table 2-11 Overview Of Memory Protection Mechanisms
Protection ModeApplicable DevicesPermanently LockedDescriptionUnlocking MethodReference
JTAG fuseFlash 1xx, 2xx, and 4xx families (except FRxx and i20xx devices)YesApplying a high voltage to the TEST pin (TDI pin for devices without TEST pin) blows an actual physical polyfuse and renders the JTAG interface unusablenoneSection 2.4.1
Combination of JTAG "soft"-fuse (e-fuse) and disabling BSL5xx, 6xx, and FRxx familiesYesTo prevent unlocking the target memory by either JTAG or BSL interface, both must be disabled.noneSection 2.4.2.1, Section 2.4.2.2, and MSP430™ Flash Devices Bootloader (BSL) User's Guide
JTAG lock without passwordFlash 5xx and 6xx familiesNoWriting a pattern other than 0x00000000 or 0xFFFFFFFF at the address 0x17FC locks the JTAG interfaceResetting the lock key in BSL memory using the BSL interfaceSection 2.4.2.1
FR2xx and FR4xx devicesNoWriting the pattern 0x55555555 at the address 0xFF80 locks the JTAG interface (solution implemented in the REP430FR firmware).
Note: NOTE: For FR2xx and FR4xx devices, it is also possible to lock the JTAG access by writing a pattern other than 0x00000000 and 0xFFFFFFFF at the address 0xFF80
1. Using the BSL to erase the main memory
2. Using a special erase command (User_Code_Erase 01A1A) applied through the JTAG mailbox. The function to use in the REP430FR firmware is EraseFRAMViaBootCode_430Xv2().		Section 2.4.2.2
FR5xx and FR6xx devicesNoUsing the BSL to erase the main memory.
JTAG lock with passwordFR5xx and FR6xx devicesNoWriting a JTAG lock signature (0xAAAA), password length and the password itself to 0xFF80 and the following memory segment (password might extend up to the reset vector at 0xFFFE) locks the JTAG interfaceUsing the JTAG mailbox in combination with the device BootCode, the given password is compared to the applied password.See the device family user's guide for details on how to set the password.
Unlocking: Section 2.4.4.1
Memory Protection Unit (MPU)FRxx devicesNoUser can specify up to three memory segments with different access rights (read, write, execute)Brown-Out-Reset (BOR) will reset all MPU settingsSee the device family user's guide for details on how to set up the MPU.
Unlocking: Section 2.4.5
IP-EncapsulationFR5xx and FR6xx families (except FR57xx) devicesNoUser can specify start and end address of one memory segment to be protected from any read, write, or execute accessPerforming a "total erase" ("erase main, information and IP-protected area on connect" in CCS) will erase the entire memory and reset IPE settingsSee the device family user's guide for details on how to set up the IP Encapsulation.
Unlocking: Section 2.4.6
BSL Password protectionAll devices with BSLNoBSL is protected by default against reading and writingBSL password equals interrupt vector table content – can be provided by reduced BSL command-set in locked modeMSP430™ Flash Devices Bootloader (BSL) User's Guide
Disable BSLFlash 1xx, 2xx, and 4xx familiesNoBSL interface is disabled by writing a lock signature to a certain address (depending on BSL implementation)Can be unlocked using JTAG interface (see device family user guides for details)MSP430™ Flash Devices Bootloader (BSL) User's Guide
Flash 5xx and 6xx familiesNoBSL interface is locked by clearing certain signatures at the end of the BSL memory (0x17F6 and 0x17F4)Signatures can be restored by erasing and reprogramming the Flash segment containing it using the JTAG interfaceMSP430F5xx and MSP430F6xx Family User's Guide
FRxx devicesNoBSL interface is locked by writing a given BSL lock signature at 0xFF84 and 0xFF86 in the main memoryAccess to the BSL interface can be re-enabled by overwriting the lock signature using the JTAG interfaceMSP430FR58xx, MSP430FR59xx, and MSP430FR6xx Family User's Guide
Memory protection by customer-written startup code (SUC)MSP430i20xx family (MSP430i2040)Depends on SUC implementationUser can write startup code to set up JTAG access protectionDepends on SUC implementationSee theMSP430i2xx Family User's Guide for details