mx51 boot block guide 1.3

System Boot

ELVIS IC User’s Guide, Rev .1.3Freescale Semiconductor Freescale Confidential Proprietary 1-1

NDA Required / Preliminary

Chapter 1 System Boot

1.1 IntroductionThe AP processor on i.MX51 start booting from a power on reset. The boot ROM supports features such as booting from various external memory devices, support for downloading code through a ROM bootloader, capability for device configuration and secure boot. The boot ROM is responsible for reading inputs such as the boot pins and efuses to determine the behavior of the boot flow.

The i.MX51 out-of-reset boot sequence, make use of the High Assurance Boot (HAB) library to provide a secure boot environment. A High Assurance Boot is a combination of hardware and software, with the use of a PKI (Public Key Infrastructure) protocol to protect the system from executing unauthorized images or programs. In order for the HAB to allow user code to run, the code must be signed by the pri-vate key holder which matches with the public key on i.MX51 . The HAB library in the i.MX51 boot ROM, also provide a number of API functions to allow the user to authenticate any defined region and signature at run-time.The i.MX51 also supports a HAB-bypass mode or direct external boot in which the processors can bootdirectly to external memory, such as a traditional microprocessor would do.The ROM also provides a mechanism to download and flash new code via a serial connection. Typically a downloader application is downloaded to RAM which facilitates the flash programming. The download is over either on a High speed USB in Non-stream mode or UART connection.The boot capabilities are substantially different on i.MX51 packages depending on the HAB type security configuration. Full flexibility is supported in the development (or engineering) configuration, but significant limitations are imposed on the production (or secure) configuration. The remainder of this chapter provides the details for booting i.MX51 in of each of the available modes.

1.2 Hardware BlocksThere are various hardware modules which are activated and play a vital role in the boot flow. The MCUconfigure and use the following peripherals during boot:

• SCC v2• RTICv3 • SAHARA v4 LT• CSU • SRTC • EMI (WEIM/NFCv2/ESDCTLv2) - used for boot from external memory • IIM - contains the e-fuses• UART and USB - used for serial download• IOMUX• GPIO - used to choose tests in FSL Test Mode• WDOG• PLL

System Boot

ELVIS IC User’s Guide, Rev .1.3

1-2 Freescale Confidential Proprietary Freescale SemiconductorNDA Required / Preliminary

• CCM • I2C• HS-I2C• eCSPI• eSDHCv2• SRC - stores the value of the BMOD pins

System Boot



1.3 iROM and iRAM memory map

Figure 1-1. iROM and iRAM memory map

0 x 0 0 0 0 0 0 0 0

0 x 0 0 0 0 0 0 4 8

0 x 0 0 0 0 0 0 9 0

0 x 0 0 0 0 0 0 B 0

0 x 0 0 0 0 3 F F F

0 x 0 0 4 0 4 0 0 0

0 x 0 0 4 0 8 F F F

0 x 1 F F E 0 0 0 0

0 x 1 F F E 0 8 0 0

0 x 1 F F E 0 C 0 0

0 x 1 F F E 2 0 0 0

0 x 1 F F F E 0 0 0

0 x 1 F F F F F B 8

0 x 1 F F F F F F F0 x 4 8

E x c e p t io n V e c to r T a b le

S T A C K

IR A M fre e s p a c e(1 1 2 K B )

D A T A

B S S

H A B d a ta

E r ro r L o g g in g

D C D B u f fe r (1 K B )

U S B B u ffe r (2 K B )R e s e t a n d

E x c e p t io n v e c to r T a b le

C o p y R ig h t a n d R O M v e rs io n

H A B A P I V e c to r T a b le

R O M B o o ts tra p

R O M B o o ts tra p

16KB20KB

Approx 8KB

112KB

Within First 8KB

V a r ia b le A d d re s sF ix e d A d d re s s

System Boot



1.4 Boot Options

1.4.1 Boot options and E-fuse settingsThe boot sequence in i.MX51 is determined and controlled by:

1)BMOD[1:0]2)GPIO_BT_SEL• BMOD[1:0] -Type of boot is controlled by the boot mode pins (BOOTMOD[1:0]) value, sampled at exit of reset(stored in “SRC Boot Mode Register - SBMR” register of the System Reset Controller - SRC module). Options are: Internal, FSL Test mode, Internal boot with fuses and serial boot via USB/UART. Refer to Table 1-1 below for details.

Table 1-1. Boot Mode Options

• GPIO_BT_SEL- Additional boot option selection is passed on to the processor, via either programmable e-fuses or pins value sampled at POR de-assertion(applicable only whenBMOD=00). The select between the two options, is done based on the value of “GPIO_BT_SEL” fuse, as follow:

a) In the case “GPIO_BT_SEL” is blown - all boot options are configured by e-fuses, as detailed in Table 1-2 below. Boot ROM software may read the values from the SBMR, or from the e-fuses, via the IIM module.It is the recommended configuration for deployed products and the GPIO mode is essentially for testing purposes.b) In the case “GPIO_BT_SEL” is left un-blown - the various boot options are determinedby sample of dedicated pins at the exit of reset. Every e-fuse option is associated with adedicated pin(s), such that same functionality is available for both boot options. SeeTable 1-5 below for boot option pins. For this case, regardless of fuse values, Boot ROM

code must read the options’ values from SBMR register of the SRC module.

Table 1-2 describes the fuses that affect the boot flow.

BMOD[1:0] Boot Type0 0 Internal Boot

0 1 FSL Test Mode

1 0 Internal boot with fuses

1 1 Serial Boot Loader

System Boot



Table 1-2. Fuse Descriptions

FuseConfigured by

DefinitionSettings:

Intact reads as 0Blown reads as 1

DIR_BT_DIS OEM Direct External Memory Boot Disable.

0 = Direct boot to external memory

is allowed

1 = Direct boot to external memory is not allowed

BT_MEM_CTL[1:0] OEM Boot Memory Control Type used to select EIM(NOR,oneNAND), NAND flash or expansion devices like SD/MMC, EEPROM Flexibility is provided to OEM to select any kind of bootable device to be used in their hardware.

00 - WEIM01 - NAND Flash10 - Reserved 11 - Expansion Device (SD/MMC, support high storage, EEPROMs. See BT_MEM_TYPE[1:0] settings for details).

BT_PAGE_SIZE[1:0] OEM NAND Flash Page Size. This field is used in conjunction with the BT_MEM_CTL[1:0] setting to set page size of NAND flash device

If BT_MEM_CTL = NAND Flash then00 - 512 bytes01 - 2K bytes10 - 4K bytes11 - Reserved

BT_SPARE_SIZE OEM Specifies the size of spare bytes for 4KB page size NAND Flash devices.Note: 512B page devices have 16 bytes spare area size,2KB page devices have 64 bytes spare area size.OEM can choose between 128 byte spare or 218 spare bytes by using this fuse.Also used as a fast boot mode indica-tion for eSD 2.10 protocol.

0 = 128 bytes spare (Samsung)1 = 218 bytes spare (Micron, Toshiba)Note:Applicable to 4KB page size only

If the bootable device is SD then:0 - "FAST_BOOT" bit 29 in ACMD41 argument is 01 - "FAST_BOOT" bit 29 in ACMD41 argument is 1

BT_BUS_WIDTH[1:0] OEM NAND/NOR Bus Width.Note:

OneNAND has only 16 bits,

BT_MEM_CTL[1:0] = NAND Flash00 = 8 bit01 = 16 bitBT_MEM_CTL[1:0] = WEIM (NOR)0 = 16 bit data bus1 = 32 bit data busBT_MEM_CTL[1:0] = Expansion Device (SPI)0 = 2-Address word SPI device (16-bit)1 = 3-Address word SPI device (24-bit)

System Boot



BT_MEM_TYPE[1:0] OEM Boot Memory Type.Interpreted by boot ROM SW according to BT_MEM_CTL setting. Signals could also be interpreted by HW to alter delays and timing in sup-port of direct boot.

If BT_MEM_CTL = WEIM then00 - NOR01 - Reserved10 - OneNand11 - ReservedIf BT_MEM_CTL = NAND Flash00 - 3 address cycles01 - 4 address cycles10 - 5 address cycles11 - reservedIf BT_MEM_CTL = Expansion Card Device00 - SD/MMC/eMMC/eSD01 - Reserved10 = Serial ROM via I2C11 = Serial ROM via SPI

BT_SRC[1:0] OEM Fuse is used to select following devices depending on value of BT_MEM_CTL[1:0]1)esdhc1-42)I2C1-2,HS-I2C3)CSPI,eCSPI1-2

If BT_MEM_CTL[1:0]==11 (Expansion card device) && BT_MEM_TYPE[1:0]=00 (SD/MMC/eMMC/eSD) then00 - eSDHC-101 - eSDHC-210 - eSDHC-311 - eSDHC-4

(eMMC4.3 fastboot is supported in eSDHC3-4)If BT_MEM_CTL[1:0]==11 (Expansion card device) && BT_MEM_TYPE[1:0]=10 (Serial ROM via I2C) then00 - I2C-101 - I2C-210 - HS-I2C11 - ReservedIf BT_MEM_CTL[1:0]==11 (Expansion card device) && BT_MEM_TYPE[1:0]=11 (Serial ROM via SPI) then00 - eCSPI-101 - eCSPI-210 - CSPI11 - Reserved

Table 1-2. Fuse Descriptions (continued)

FuseConfigured by

DefinitionSettings:


System Boot



BT_WEIM_MUXED[1:0] OEM Selects WEIM muxed mode.Have a corresponded GPIO pin.

For BT_MEM_CTL[1:0] = WEIM (Nor)00 = Not muxed, not multiplexed with NAND, 16-bit data (high half) NOR interface.01 = Muxed, not multiplexed with NAND, 16-bit data (low half) NOR interface.10 = muxed, multiplexed with NAND data bus, 16-bit data (low half) NOR interface, .11 = Muxed, multiplexed with NAND data bus, 32-bit data NOR interface.

BT_UART_SRC[1:0] OEM Choosing the specific UART controller for serial downloading .Have a corresponded GPIO pin.

00 - UART-1 01 - UART-210 - UART-311 - Reserved

BT_MLC_SEL OEM SLC/MLC nand device or FAST BOOT enable/dissable for

eMMC device (Due to Hardware issue, this feature of eMMC is

not supported)

If BT_MEM_CTL[1:0] == NAND0-SLC nand device 1-MLC nand device If BT_MEM_CTL[1:0] == Expansion Device && BT_MEM_TYPE[1:0]=00 If the bootable device is MMC then:0 - Don't use eMMC fast boot mode.1 - Use eMMC fast boot mode.

BT_EEPROM_CFG OEM Selects whether EEPROM device is used for load of configuration DCD data, prior to boot from other devices (not applicable when using EEPROM as boot device)

0= Use EEPROM DCD1 = Don’t use EEPROM DCD

BT_USB_SRC OEM USB phy selectionis based on this fuse.

0 = USB OTG Internal PHY(UTMI)1 = USB OTG External ULPI PHY

OSC_FREQ_SEL[1:0] OEM CKIH Frequency Select. It is used by boot code for PLL programming.Have a corresponded GPIO pin.

00 - CKIH Frequency is 26 MHz 01 - CKIH Frequency is 19.2 MHz10 - CKIH Frequency is 27 MHz11 - CKIH Frequency is 24 MHz

GPIO_BT_SEL Freescale GPIO Boot Select. Determines, whether certain boot fuse values will be controlled from GPIO pins or IIM

Note: Applicable only for BMOD=00

0=Certain bits of SBMR is updated by GPIOs.1=Certain bits of SBMR is updated by IIM fuses.


FuseConfigured by

DefinitionSettings:


System Boot



HAB_TYPE[2:0] OEM Security Types as defined in Section 1.6.1.1

Note:In Engineering mode if CSF and SRK is not provided it must set

to NULL in app header.

001 - Engineering (allows any code to be flashed and executed, even if it has no valid signature)100 - Security Disabled (For internal/testing use)Others - Production (Security On)

SRK_HASH[255:0] OEM Most significant byte of 256-bit hash value of super root key

(SRK_HASH)

Varies - used by HAB

HAB_CUS[7:0] OEM HAB Customer Code — Selects customer code, as input to HAB.

Varies - used by HAB

DIE-X-CORDINATE[7:0]

DIE-Y-CORDINATE[7:0]WAFER_NO[4:0]LOT_NO_ENC[42:40]LOT_NO_ENC[39:32]LOT_NO_ENC[31:24]LOT_NO_ENC[23:16]LOT_NO_ENC[15:8]LOT_NO_ENC[7:0]

Freescale Device Unique ID, 64-bit UID. Varies - used by HAB

SRTC_SECMODE[1:0] OEM Security Mode for Secure RTC. Determines the level of security for

Secure Real Time Clock (SRTC) module

00 - Low Security01 - Medium Security10 - High Security11 - Reserved

BT_LPB_FREQ[2:0] OEM LPB ARM core frequency 000-192 MHz (Default,Out of Reset,Refer Sec 1.6.1.2)001-133 Mhz010-55.33 MHz011-200 MHz100-220 MHz101-166 MHz110-266 MHz111-Normal boot frequency(400 MHz)

BT_VIRGIN OEM Indication that BOOT area was not burnt yet

0 - BOOT area is virgin. Boot flow jumps to UART/USB boot loader, in case of BOOT_MODE[1:0]==10.1 - BOOT area is not virgin. Regular boot flow is performed.

BT_LPB[1:0] OEM Options for Low Power Boot mode. 00 - LPB disabled01 - Generic PMIC and one GPIO input (Low battery)10 - Generic PMIC and two GPIO inputs (Low battery and Charger detect)11 - Atlas AP Power Management IC.


FuseConfigured by

DefinitionSettings:


System Boot



The settings required for a secure and non-secure devices during production and engineeringdevelopment phases are shown in Table 1-3

Table 1-3. Required fuse settings

NOTE:Table 1-3 is for FSL internal use only Setting of Page Per Block valuesIn general, the Page Per Block setting, may not have a “one to one” relation to block size. However, mostdevices used, are following the relations listed in Table 1-4

1.4.2 Boot Option fuses and associated PinsTable 1-5 below provides listing of boot options fuse values and associated pins, where applicable. Sev-eral input pins, are also sampled at boot, and can be used to override fuse values, depending on the value of GPIO_BT_SEL fuse. The boot option pins are in effect, when GPIO_BT_SEL is ‘0’ (cleared - case for un-blown fuse.) Also listed are boot mode pins and functionality of other boot related fuses and pins.

Fuse name Non-secure deviceproduction/engineering)

Secure device(engineering)

Secure device(production)

HAB_CUS[7:0] Not required Not required As instructed by freescale

HAB_TYPE[2:0] 100(Security Disabled) 001(Engineering) Other (Production)

SRK_HASH[0:247] Not required As instructed by freescale

As instructed by freescale

DIR_BT_DISABLE 0(External boot is allowed) 0(External boot is allowed)

1(External boot is not allowed)

Table 1-4. Page Per Block settings

Page Size Page per Block

512 Bytes 32

2K Bytes SLC 64

2K Bytes MLC 128

4K Bytes 128

System Boot



Table 1-5. Fuses and associated pins used for boot

1.5 Boot SequenceFigure 1-2 shows the High Level MCU ROM code flow followed in Elvis..

Pin Direction at Boot

E-Fuse Name

Details

BOOT_MODE[1:0] INPUT NA Boot Mode selection

DISP1_DAT[21:20] INPUT BT_MEM_TYPE[1:0]

Boot option pins and also used in FSL Test mode for test selection

DISP1_DAT[19:18] BT_WEIM_MUXED[1:0]

DISP1_DAT[17:16] BT_PAGE_SIZE[1:0]

DISP1_DAT[15] BT_BUS_WIDTH DISP1_DAT[14:13] BT_MEM_CTL[1:0] DISP1_DAT[12] BT_MLC_SEL DISP1_DAT[10] BT_SPARE_SIZE DISP1_DAT[9:8] BT_ SRC[1:0] DISP1_DAT [7] BT_EEPROM_CFG DISP1_DAT [6] BT_USB_SRC[1:0] EIM_A[21:20] BT_UART_SRC[1:0] EIM_A[19:18] BT_TBD23

EIM_A[17:16] OSC_FREQ_SEL[1:0] NANDF_RDY_INT[22] Output NA

Boot Options, Pin value

overrides fuse settings for

GPIO_BT_SEL = ‘0’

“Pulse” Indication on finish of internal system reset(Also indicates exit of ALT7 IOMUX mode),by visibility of any “any_pu_rst” signal. This indication should be enabled by JTAG first.

System Boot



Boot pins and fuses are sampled

Reset ELVIS MCU ROM Code High Level Bootflow

KEY

Boot Pins

E- Fuses

Hardware

Basic Config andObtain base addr

Of boot device

Code BarkerValid?

ExecuteImage

Yes

Yes

No

No

NoYes

Configure NFC controller and

copy initial 4k of data to NFC Buffer

No

BT_MEM_CTL == NAND

FSL TEST MODE(BMOD=1) &&

DIR_BT_DIS=0

BT_MEM_CTL == Expansion Card

Device(SD/MMC / eMMC/eSD/)

No

BT_MEM_ CTL == EIM and

BT_MEM_TYPE == NOR

ConfigureWEIM (CS0) interfaceand Copy initial 1kB of data to

ONENAND RAM

Yes

BT_MEM_ CTL == EIM and

BT_MEM_TYPE == OneNand

Yes

Configure eSDHC1-esdhc4

controller and read initial 2k of data to IRAM

Yes

TEST Selection

GPIO1[4:6]

Enter Debug Mode

Security HW test (SCC key Check)

FSL Test Mode(Test Executive)

BootLoaderflow

FSL Test Mode

Configure SPI/I2CAnd download

initial 2k data to iRAM

Boot Mem ctrlSPI/I2C

WEIM MUX mode selection

BT_WEIM_MUXED[1:0]

HAB checks

(A)

HAB check image is verified ?

HAB_TYPE?

No

yes

ENG

PROD

From B

yes

NO

No

HAB check and Execution Flow

Low Power Boot

LPB

Wait mode

Sleep mode

SCC To failure

Yes

Infinite SCC_RAM test

Infinite GMEM test

USB/UART Bootloader(BMOD=3 ||

(BMOD=2 && BT_VIRGIN =0))

No

Yes

INTERNAL Bootloader(BMOD=0 ||

(BMOD=2 && DIR_BT_DIS=1))

Yes

No

No

System Boot



Figure 1-2. Boot Flow

Note: The size of image for any boot device is not limited to 4kB/2KB size

UART/USB SecureDownload?

(Wait for activity on one of devices)

Initialize USB Driver

Initialize RAMInitialize UARTBT_UART_SR

C[1: 0]

UART

USB

Watchdog Asserted

BT_EEPROM_CFG Blown

Configure IOMUX and PHY

Configure I2CRead ADR/DATA pairs

To iRAM

Execute code (Check address validity)

NO

yes

A

Start WDOG timer

Issue Reset to PMIC

Download image

HAB checks

B

System Boot



1.6 Boot ModesThere are four unique boot modes for the MCU boot ROM. The modes are selected by setting the boot mode pins to one of the combinations listed in Table 1-1 with the path of the MCU boot illustrated in Figure 1-2.

1.6.1 Internal Boot mode (BMOD[1:0] = 00)Internal boot is selected by driving value of ‘00’ on the BMOD[1:0] pins, at device power up. In this mode core boots from internal ROM. The boot code performs HW initialization, application image validation using the HAB library and then jumps to an address derived from the application image. If any error occurs during internal boot the boot code jumps to the UART/USB secure download. Internal boot mode is the only mode in which a secure boot of the i.MX51 is possible.

1.6.1.1 Security SettingsExternal boot modes are considered as non-secure by definition: the software in Flash is executed regardless of its authenticity, and the SCC is automatically put into Non-Secure state so that it cannot be used to decrypt information with the device-unique secret key.Internal boot modes can have one of two security levels:

• Production: This level is intended for use with shipping products. All HAB functions are executed and security hardware is initialized (the SCC enters Secure state), DCD is processed if present, and software in Flash or downloaded to RAM is authenticated by HAB prior to its execution. First error detected will be logged, and the boot flow is aborted with control passing to the download mode. With this level, execution does not leave the internal ROM unless the target executable image has been authenticated.

• Engineering: This level is intended for use during the development phases of a product. All HAB functions are executed as for a production device. security hardware is initialized (except the SCC is left in Non-Secure state), DCD is processed if present, and software in Flash or downloaded to RAM is authenticated by HAB prior to its execution. First error detected will be logged, but have no influence on the boot flow.CSF must be present in this mode even if it could be a wrong one.Therefore, with this level, it is possible to develop software without requiring that each build be signed for HAB authentication, since the device will boot even if the code signatures are missing.

1.6.1.2 Basic InitializationOn reset MCU core has access of all shared peripherals. On reset by default all peripheral clocks are enabled and boot ROM will not change any of the peripheral clock enables.

NORMAL mode:

In normal mode the following frequencies are available as input clock to PLL1-3 modules. Selection of these frequencies is done as follows.

The CLKSS is read and if OSC is selected then further input clock selection is based on the fuse OSC_FREQ_SEL[1:0](Refer to Table 1-6).

System Boot



If the CLKSS is FPM, then 32KHz is selected as input to PLL1-3 module.

Table 1-7 shows the different PLLS used and Table 1-8 shows the various clocks used thier clock sources

Table 1-6. OSC_FREQ_SEL[1:0] values and corresponding frequencies

OSC_FREQ_SEL[1:0] Frequency

00 26 MHz

01 19.2 MHz

10 27 MHz

11 24 MHz

Table 1-7. PLL Configuration

Clock Frequency(MH z)

PLL1 400

PLL2 600

PLL3 216

Table 1-8. Normal Frequency Clocks Configuration

Clock CCM signal Source Frequency(MHz)

ARM core clock arm_clk_root PLL1 400

EMI emi_slow_clk_root PLL2 100

NFCv2 enfc_clk_root PLL2 20

AHB ahb_clk_root PLL2 120

IPG ipg_clk_root PLL2 60

AXI_A axi_a PLL2 150

AXI_B axi_b PLL2 75

USB usboh3_clk_root PLL2 60

UART uart_clk_root PLL3 21.6

eSDHC esdhc1_clk_rootesdhc2_clk_rootesdhc3_clk_root

PLL3 54

CSPI ecspi_clk_root PLL3 54

System Boot



Beside these clocks PERCLK_ROOT is getting generated from lp_apm source of value 50MHz

and CSPI_CLOCK_ROOT is getting generated from IPG_ROOT(60MHz).

Low Power Boot Mode:

In Low power boot(LPB) mode, PLL1 is configured at 266MHz/166MHz and used as source of ARM core clock, serial buses clock (i2c,cspi,esdhc,uart etc), IPG, perclk_root , AHB, AXI bus clocks. PLL2 and PLL3 are disabled in low power boot mode. ROM configures ARM core frequency value based on fuse BT_LPB_FREQ[2:0].

ARM core frequencies in low power boot mode:

0=192 MHz (Default,out of reset)

Note :- This value gets changed based on the OSC_FREQ_SEL[1:0] fuse values as follows:-

1=133 MHz

2=55.33 MHz

3=200 MHz

4=220 MHz

5=166 MHz

6=266 MHz

7=normal boot frequency(400MHz)

Table 1-9 lists the various LPB frequancies(In MHz) used by diifferent clock based on the BT_LPB_FREQ[2:0] value.

Table 1-9. Normal Frequency Clocks Configuration

OSC_FREQ_SEL[1:0] Oscillator Frequency LPB Frequency at BT_LPB_FREQ[2:0] = 0

00 26 208

01 19.2 153.2

10 27 216

11 24 192

System Boot



* This frequency depends on the oscillator frequency selected based on OSC_FREQ_SEL[1:0] fuse, please refer to Table 1-9 for corresponding frequency values.

1.6.1.3 External Device Selection

The i.MX51 will support the following boot flash devices:• NOR flash with WEIM Interface, located on CS0, Bus width of 32 and 16 bits NOR flashdevices.• OneNAND flash with WEIM interface, located on CS0, Bus width of only16 bit OneNAND flash devices.• MLC Nand , SLC Nand and LBA Nand Flash via NFC interface. Page sizes of 512 bytes, 2KB or 4KB, bus width of 8 bit or 16 bit, 4/8-bit ECC (Error Checking)• SD/MMC/eMMC and eSD via eSDHC interface, supporting high capacity cards.• eMMC-4.3 “boot mode (FAST BOOT)” via eSDHC-3 and eSDHC-4 interface.• eSD FAST BOOT mode via all the eSDHC ports.

Table 1-10. LPB Clock Configurations

BT_LPB_FREQ[2:0] 0 1 2 3 4 5 6 7

PLL1 frequency 192* 266 166 200 220 166 266 400

ARM frequency 192* 133 55.33333

200 220 166 266 400

axi_a(div by 4) 48* 66.5 41.5 50 55 41.5 66.5 100

axi_b(div by 8) 24* 33.25 20.75 25 27.5 20.75 33.25 50

emi_slow_clk_root(div by 5)

38.4* 53.2 33.2 40 44 33.2 53.2 80

enfc_clk_root(div by 5) 7.68* 10.64 6.64 8 8.8 6.64 10.64 16

ahb_clk_root(div by 5) 38.4* 53.2 33.2 40 44 33.2 53.2 80

ipg_clk_root(div by 2) 19.2* 26.6 16.6 20 22 16.6 26.6 40

perclk_root(div by 12) 16* 22.1666 13.8333 16.6666 18.3333 13.8333 22.1666 22.2222

uart_clk_root(div by 12) 16* 22.1666 13.8333 16.6666 18.3333 13.8333 22.1666 13.3333

esdhc_clk_root(div by 12) 16* 22.1666 13.8333 16.6666 18.3333 13.8333 22.1666 13.3333

cspi_clk_root(div by 18) 10.6667*

14.7777 9.22222 11.1111 12.2222 9.22222 14.7777 13.3333

i2c_clk_root(div by 12) 16* 22.1666 13.8333 16.6666 18.3333 13.8333 22.1666 33.3333

System Boot



• EEPROM boot via SPI (serial flash) and I2C/HS-I2C (via CSPI, HS-I2C and I2C modules respectively)

The selection of external flash device type is determined by BT_MEM_CTL[1:0] and BT_MEM_TYPE[1:0] efuses. See Table 1-2 for more details.

NOTE:

eMMC “Boot Mode (FAST BOOT)” has been implemented in ROM but due to hardware bug this feature is not supported.

1.6.1.3.1 NOR Flash via WEIM interface

Boot from the WEIM NOR Flash interface is supported for debug purposes. It should be used on specialcases only. The NOR FLASH interface will work in the asynchronous mode, and supports either muxed. Address/Data, or non muxed scheme, based on fuse settings, see Table 1-2 for details.

1.6.1.3.2 NAND Flash Support

A number of MLC/SLC NAND flash devices from different vendors and LBA Nand Flash are supported by the boot ROM. The Error Correction and Control (ECC) module is used to detect the errors.Boot ROM determines the configuration of external NAND flash by following parameters, either pro-vided by e-fuse, or sampled on IO pins, during boot:

• PAGE_SIZE[1:0] - 512B/2KB/4KB• BUS_WIDTH - 8-bit/16-bit• BT_SPARE_SIZE[1:0] - 128 byte / 218 byte• BT_MEM_TYPE[1:0] - 3/4/5 address cycles• BT_MLC_SEL - SLC/MLC flash

To decide page size,bus width,address cycle and ECC select of external NAND device ROM read PAGE_SIZE[1:0],BUS_WIDTH,BT_MEM_TYPE and BT_MLC_SEL bit fields from SBMR register of SRC module.For more details see the Table 1-2.For more details on NAND address cycle section please refer to Appendix-A.On device power on, the copy of first boot block data from NAND flash device to NFC buffer is done byboot ROM. Since in NAND flash devices there are possibility of getting errors while reading first 4k boot data from first block(NAND device Block-0), the user is required to duplicate the first 4k boot code to subsequent block(NAND flash Block-1), to serve as a 2nd copy option.

The boot ROM code, takes advantage of the duplicate boot code, by the following flow:• If no ECC errors are detected in first 4K boot data from NAND device block-0, dcd is per-formed and downloaded 4KB image as well as rest of the image is copied to application destina-tion pointer embedded into image(iRAM) and secure boot is performed.• If ECC Error is detected in first 4k boot data from Block-0, the boot ROM code shall copy the duplicated 4k boot data from the NAND flash block-1.• If an error is detected in the subsequent boot block, boot ROM code will log an error and jumps to USB/UART bootloader. The logged error can be queried via the serial protocol. If there is no error in data copy then boot ROM will perform the secure internal boot.

System Boot



NOTE:The application image length and destination pointer should be specified in image as BootROM reads application image length as well as application destination pointer from image.

1.6.1.3.3 OneNand-Flash Boot Operation

The OneNAND flash devices are available only with 16 bit interface. ROM OneNAND flash driver willget the device page size by issuing a software command to device and collecting the response from device.At system power-up, OneNAND automatically copies 1 Kb data from start of flash array (sector 0 andsector 1, page 0, block 0) to its *Boot RAM i.e. Boot RAM contains the OneNAND flash header. Boot ROM will copy the 1Kb OneNAND *BootRAM contents to application destination pointer (located in the app_dest_ptr entry of application header) and decrement length of the image to be read from OneNAND by 1 K. *Boot RAM area is memory mapped and copying operation will be simple memory copying operation. The length of image to be read from OneNAND device is specified in flash header structure described in Figure 1-8.Any failure of loading data from OneNAND flash for any reason would force MCU Boot ROM to switch to serial download.At system power-up, the voltage detector in the device detects the rising edge of Vcc and releases internalpower-up reset signal which triggers bootcode loading. Bootcode loading means that the boot loader in the OneNAND copies designated sized data(1KB) from the beginning of memory to the *BootRAM. Bootcode copy operation starts 400us later than POR activation and 1K bytes Bootcode copy takes 70us(estimated) from sector0 and sector1/page0/block0 of NAND Flash array to BootRAM. INT bit of Interrupt status register goes ‘Low’ to ‘High’ on the condition of ‘Bootcode-copy done’ and RP rising edge.Boot ROM Implements this in 2 stages:-1. Put GPT timer to introduce a delay of around 500 Micro seconds.2. Wait for INT bit of Interrupt status register to go High.Once INT bit of interrupt status register is set to High, Boot ROM proceeds with OneNAND initialization.

NOTE:* oneNAND internal RAM

NOTE:The application image length and destination pointer should be specified in image as BootROM reads application image length as well as application destination pointer from image.

1.6.1.3.4 Expansion Device Support

Boot procedure is enabled from MMC/eMMC and SD/eSD compliant devices. SD/MMC/eSD/eMMC boot can be performed via either eSDHC-1, eSDHC-2, eSDHC-3 or eSDHC-4 devices, based on BT_SRC fuse value, or it’s associated input pin value at boot. For eMMC-4.3 with BOOT ACK support boot mode, only eSDHC-3 or eSDHC-4 can be used. Refer to Table 1-2 for details.Boot code supports following standards.

• MMCv4.3 or less

System Boot



• eMMCv4.3 or less• SDv2.0 or less• eSDv2.10 rev-0.9, with or without FAST_BOOT.

MMC/SD/eSD/eMMC can be connected to any of eSDHC1-4 module and booting can be done by copying 2KB of data from MMC/SD/eSD/eMMC device to iRAM. After checking barker value(0x000000B1) from boot image, ROM perform DCD check. After successful DCD extraction, rom code extracts destination pointer and length of image to be copied to RAM device from where code execution occurs.

NOTE: The application image length and destination pointer should be specified in image as BootROM reads application image length as well as application destination pointer from image.

1.6.1.3.5 MMC and eMMC

MMC frequency is set to 210.937KHz for the identification phase in Normal boot mode. During identifi-cation phase MMC card voltage validation is performed. During voltage validation, boot code checks with high voltage settings and capacity of card is checked. Boot code supports both high capacity and low capacity MMC/eMMC cards. After initialisation phase is over, boot code switch to a higher frequency, 13.5MHz in Normal boot mode. eMMC is also interfaced via eSDHC and follows same flow as does by MMC. Boot partition can be selected for eMMC-4.3 card after the card initialization has been done. ROM reads the BOOT_PARTITION_ENABLE field in the Ext_CSD[179] to get the boot partition to be set. If there is no boot partition mentioned in BOOT_PARTITION_ENABLE field or the user partition has been mentioned, ROM boots from the user partition. eMMC-4.3 device support special “Boot mode”, which can be initiated by pulling the CMD line low. If BOOT ACK is enabled, the eMMC-4.3 device sends the BOOT ACK via DATA0 and ROM can read the BOOT ACK [S010E] to identify the eMMC-4.3 device. eMMC-4.3 device with “Boot mode” feature can only be supported via eSDHC-3 and eSDHC-4 and with BOOT ACK enabled. ROM waits for 50ms to get the BOOT ACK and if BOOT ACK is received by ROM, then only eMMC-4.3 is booted in “Boot mode”, otherwise eMMC-4.3 boots as a normal MMC card from the selected boot partition. This boot mode can be selected by BT_MCL_SEL fuse. Only 1-bit bus width is used in ROM.

Table 1-11. SD/MMC Frequencies

Frequency NORMAL LPBBT_LPB_FREQ[2:0]

0 1 2 3 4 5 6 7

IDENTIFICATION(KHz) 210.937 83.30 115.41 72.03 86.80 95.48 72.03 115.41 69.44

OPERATING (MHz) 13.5 4.00 5.54 3.45 4.16 4.58 3.45 5.54 3.33

System Boot



Configure CM D line as G PIO

G ot eM M C boot ACK?

Yes

eM M C BO OT ACK

eM M C data read

Set CM D line low

Issue virtual read (CM D17) com m and (50m s tim eout, BC=4, W M L = 1) to get the BO O T

ACK S010E

Issue virtual read (CM D18)com m and to in itiate infin ite

block xfer

W ait for block of boot data to com e in eSDHC buffer by polling the BRR bit

(tim eout = 1s)

G PT tim er expires?

Release CM D line to eSDHC5

6

1

No

Set Identification frequency(Approx 400 KHZ)

M M C/SD Boot Entry

Point

eSDHC Software Reset, Set RSTA

Configure G PT for 1s tim eout

Check for eM M C -4.3 ‘boot m ode’ support

BT_M LC_SEL == 1?

No

Yes

Read 2K data from eSDHC buffer to IRAM

Check BT_SDM M C_SRC fuse for eSDHC port. Accordingly do

the IOM UX config

eSDHC init

Configure operating frequency ~ 20M HzSet Identification frequency

(Approx 400 KHZ)

Release CM D line to eSDHC

Reset the CM D line by setting RSTC

Reset the DATA line by setting RSTD

Got the first block of data

BC = 0xFFFF W M L = 128, BCEN = 0, M SBSEL = 1

BRR set?No

NoYes Yes

eM M C-4.3 ‘boot m ode’ is not selected

eM M C-4.3 ‘Boot O peration M ode’

eM M C Boot M ode is not supported

System Boot



Card S/W Reset(CMD0)

Set INITA to send 80 SDCLK to card

Issue CMD 8 with HV (3.3V)

Command Successful ?

Issue ACMD41


Is Response OCR for HC

Busy Bit == 1

Increment loop counter

Loop Cntr < 3000 and looping period

< 1s

Yes Yes

No

No

Issue CMD55


Card is HC SDCard is LC SD

2

No

No

NoIssue CMD 8 with LV (1.8V) Command

Successful ?No

Card is LC SD ver 1.x

Yes

NoYes

Yes

Set ACMD41 ARG to HV and HC

Set ACMD41 ARG to HV and LC

Card is HC/LC LV SD ver 2.x

Card is HC/LC HV SD ver 2.x

Set ACMD41 ARG to LV and HC

Yes Yes

Get CID from card (Issue CMD2)



Get RCA (Issue CMD3)


No

No

Yes

Yes

1

Send CMD43 to select partition 1


Send CMD13 to read status


Card State == TRANS?

Partition1 set FAILED

Set operating frequency upto

20 MHz

Put card in data Transfer Mode (Issue CMD 7)




5

5

Yes

YesYesNo No

No

Partition1 got selected

Card is eSD

4 CMD13 poll timeout?

No

No

No

YesYes

Yes

Yes

No

Start GPT delay of 1s for ACMD41

FAST_BOOT selected?

Set CMD13 poll timeout to 1S

Set CMD13 poll timeout to 15ms

No

Yes

NOTE: eSD FAST BOOT support is selected by BT_SPARE_SIZE fuse:0 - "FAST_BOOT" bit 29 in ACMD41 argument is 01 - "FAST_BOOT" bit 29 in ACMD41 argument is 1

Set ACMD41 ARG bit 29 for FAST BOOT

FAST_BOOT selected?No

Yes

Device InitializationSD Boot

Boot Partition SetSD Boot

Voltage ValidationSD Boot

System Boot



2

Issue CMD1 with HV


Card is HC MMC

Card is LC MMC

Is Response OCR for HC

Busy Bit == 1

5

Increment loop counter

Loop Cntr < 3000 and looping period

< 1s

No

Yes

No

Yes

No

No

Yes

Yes

Start GPT with 1s delay for CMD1

Get CID from card (Issue CMD2)

Set RCA (Issue CMD3)

Set operating frequency to 20 MHz




Put card in data Transfer Mode (Issue CMD7)



5

No

No

No

No

Yes

Yes

YesYes

Set Strong pull-up for CMD line

Set Weak pull-up for CMD line

Get MMC card CSD (Issue CMD9)

Send CMD6 to select partition





Partition set FAILED

Set CMD13 poll timeout to 100ms

Partition got selected

Card is eMMC-4.3

4CMD13 poll timeout?

Spec ver >= 4.0?No

No

NoNo

No

Yes

Yes

Yes

Yes

Yes

Send CMD8 to get Ext_CSD

Extract the boot partition to set

Got valid partition?

Yes

No

User or no partition set

Device InitMMC Boot

Voltage ValidationMMC Boot

Boot Partition SetMMC Boot

System Boot



1.6.1.3.6 SD and eSD

SD and eSD frequency is set to 210.937KHz for the identification phase in Normal boot mode. During identification phase SD and eSD card voltage validation is performed. During voltage validation, boot code first checks with high voltage settings and if it fails it checks with low voltage settings. Capacity of card is also checked. Boot code supports high capacity and low capacity SD and eSD cards. After voltage validation card initialisation is done. During card initialisation boot, code tries to set boot partition for both SD and eSD device. If it fails, boot code assumes card as normal SD card otherwise as eSD card. After initialisation phase is over, boot code would switch to a higher frequency, 13.5MHz in Normal boot mode. ROM also support FAST_BOOT mode booting from eSD card. This mode can be selected by BT_SPARE_SIZE fuse.The BootROM uses 1-bit access to card. Application code can switch to 4/8-bit mode

Read 512 bytes of data from MMC/SD/eSD/

eMMC Card (CMD17)and copy to IRAM

2K Data Read ? Check for barker

Braker present?

Copy 2k data image data from IRAM to SDRAM

Yes

Yes

No

4

No

5Copy rest of image data from SD/MMC/

eSD/eMMC to SDRAM

Configure the device using DCD

Jump to application code jump vector

5

USB/UART flow(Serial boot)

Card read data

Execute the Image Check for security type

Security dissabled?

Parse valid address range

Address range is valid?

Device configuration

pass?

No

No

No

Yes

Yes

Yes

6

Do HAB verification

System Boot



1.6.1.3.7 Serial ROM support via SPI, I2C and HS-I2C

The i.MX51 supports boot from serial memory devices, such as EEPROM, and Serial Flash via the SPI(CSPI, at chip select #1), HS-I2C(fast mode only) and I2C (I2C-1 and I2C2) interfaces.

Boot ROM determines the type of device, by the following parameters, either provided by e-fuse, orsampled on IO pins, during boot(See Table 1-5 for details):

• BT_MEM_TYPE[1:0] - SPI/I2C select.• BT_SRC[1:0] - I2C1, I2C or HS-I2C select.• BT_SPI_TYPE - defines the type of SPI device (EEPROM / Serial Flash)

The I2C-1/I2C-2/HS-I2C module can be used as boot device using I2C/HS-I2C interface, for serial ROM boot. I2C/HS-I2C interface is configured at speed of 312.5Kbps.

I2C/HS-I2C BootBootROM code reads from fuses HAPI_BT_EEPROM_CONFIG and HAPI_BT_MEM_TYPE to detect EEPROM device. BootROM copies 2K data from EEPROM device to internal RAM. ROM code copies intial 2KB data as well as rest of image directly to application destination extracted from application image.If DCD verification fails ROM code execution log error and jumps to serial downloader.The i.MX51 attempt to boot from EEPROM, using the following Device Select Code / Device Address:

Table 1-12. EEPROM via I2C Device Select Code

These address bits, should be configured at the memory device, to match this ‘000’ value.

Bits

Device Type Identifier7 6 5 4

Chip Enable Address1 3 2 1

RW0

Device Select Code

1

0

1

0

0 0 0 RW

System Boot



I2C Flow chart

I2C device?

Internal Boot

Check the BT_MEM_CTL and

BT_MEM_TYPE

I2C init Check the BT_SRC fuse

HS-I2C selected?HS-I2C init I2C init

Yes No

I2C read

Check the BT_SRC fuse

HS-I2C selected? HS-I2C read

I2C read

Yes

No

Continue internal booting

No

Yes

I2C/Hs-I2C boot

IOMUX configuration, Set the data rate, enable I2C

Set xfer mode to trnasmit

Send start

Send slave address

Send MSB of source address

Send LSB of source address

Send repeat start

Send Slave ADDR with read mode enalbed

Set xfer mode to receive

Read data

NOTE:1. Failure to any of the steps will abort the boot and jump to serial boot flow2. This is the very high level flow diagram of I2C/HS-I2C boot for detail, please see the HS-I2C/I2C module description

System Boot



CSPI BootCSPI interface is configured in Master mode.EEPROM device is connected to CSPI interface as slave. BootROM copies 2K data from EEPROM device to internal RAM.If DCD verification is successful ROM code copies initial 2KB data as well as rest of image directly to application destination extracted from application image.If DCD verification fails ROM code execution log error and jumps to serial downloader.CSPI can read data from EEPROM in 2 or 3 byte addressing and its burst length is 32Bytes.

NOTEThe Serial ROM is required to reside on Chip Select #1 of the CSPI module.

Using SPI as boot device, the i.MX51 supports boot from both Serial EEPROMS, and Serial Flash devices. The boot code should distinguishing between the two, by read of fuse / signal value at boot(See Table 1-5 for details).

Figure 1-3. CSPI Flow chart

Start

Configure CSPI clock divider==success

EEPROM Read data

noEND

yes

Set instruction length address cycle according

to fuses

If read data length greater than( burst length- instruction

length)

Send read instruction to read burst length of

data

Read burst length of data and copy to destination pointer

yes B

Increment destination pointer and reduce length of data read

NO

If read instruction status is CSPI_SUCCESS

yes

Assign MSB as read instruction(0x03) and

other 2/3 byte dest address in data pointer

If read data length > 0

Assign MSB as read instruction(0x03) and other 2/3 byte dest

address in data pointer

Send read instruction to read remaining length

of data

Read remaining length of data and copy to destination pointer

Byes

If read instruction status is CSPI_SUCCESS

NO

NO

END

Disable CSPI

System Boot



1.6.1.4 Flash Header

The flash header is a data structure that the MCU ROM reads from flash which provides information about the application. The location of the flash header must be located at a known fixed address depend-ing on the type of external flash device connected to i.MX51. The required offsets of the flash header for

each device type are mentioned in Table 1-13.

Figure 1-4. Flash Header Example for Devices Other than NOR Flash

The flash header must follow the structure defined below:typedef struct{ UINT32 *app_code_jump_vector; UINT32 app_code_barker;

Table 1-13. Flash header offset

Flash Type Offset from the base address

NOR 4 kbyte = 0x1000 bytes

NAND 1 kbyte = 0x400 bytes

OneNAND 256 bytes = 0x100 bytes

SD/MMC/eSD/eMMC 1 kbyte = 0x400 bytes

I2C/HS-I2C/SPI EEPROM 1 kbyte = 0x400 bytes

*app_code_jump_vectorapp_code_barker*app_code_csf**dcd_ptr_ptr*super_root_key*dcd_ptr

*app_dest_ptr

Flash base

Flash Header offset

application

super root key

certificates and csf data

device configuration data

Flash Memory

External Flash hdr

*app_code_jump_vectorapp_code_barker*app_code_csf**dcd_ptr_ptr*super_root_key*dcd_ptr

*app_dest_ptr

Dest. Memory

Flash Header offset

application

super root key

certificates and csf data

device configuration dataExternal Flash hdr

System Boot



UINT32 *app_code_csf; DCD_T **dcd_ptr_ptr; hab_rsa_public_key *super_root_key; DCD_T *dcd_ptr; UINT32 *app_dest_ptr;} FLASH_HDR_T;

where:UINT32 is a 32 bit unsigned integerDCD_T is a structure that defines the device configuration table (see below for details)hab_rsa_public_key is a structure defines the super root key

• app_code_jump_vector pointer: Points to the address of the first instruction of the application• app_code_barker: A value that the ROM uses to determine that the flash device has been

programmed. For i.MX51 the app_code_barker value must be set to 0x000000B1.• app_code_csf pointer: Points to the certificate and command sequence file data. This data is used

by High Assurance Boot library included in the ROM to verify that the application is authentic. See Section 1.9 for further details.

• dcd_ptr_ptr double pointer: This pointer must be set to point to the dcd_ptr also contained in the flash header structure

• super_root_key: Pointer to the super root key data. The super root key data should conform to the following structure:typedef struct{ UINT8 rsa_exponent[MAX_EXP_SIZE]; /* RSA public exponent */ UINT8 *rsa_modulus; /* RSA modulus pointer */ UINT16 exponent_size; /* Exponent size in bytes */ UINT16 modulus_size; /* Modulus size in bytes */ BOOLEAN init_flag; /* Indicates if key initialized */} hab_rsa_public_key;

where:UINT8 is an 8 bit unsigned integerUINT16 is a 16 bit unsigned integerBOOLEAN is an 8 bit flag indicating TRUE or FALSE

— rsa_exponent: Exponent of the RSA key. The maximum exponent size is 4.— rsa_modulus: Pointer to the RSA key modulus.— exponent size: Exponent size in bytes. Must be less than or equal to the maximum exponent

size.— modulus size: Modulus size in bytes. Must be greater than or equal to 128 and less than or equal

to 256.• dcd_ptr: Points to the Device Configuration Table (DCD) data. See Section 1.4.1.1.5 for further

details on the DCD table.• app_dest_ptr: Is used by the ROM for NAND/MMC/SD/OneNand/I2C/HS-I2C/SPI EEPROM

boot. During boot the ROM copies the application data from boot flash memory to destination RAM. This pointer defines the location of destination memory where the ROM will copy the application.

System Boot



Flash Header for NAND Boot devices

In case of NAND boot case, an additional flash header must be defined as shown in flash header Figure below. The flash header must be located immediately after the DCD table and contains the length of the data to be read from boot device./* Flash Header Structure */ typedef struct { UINT32 length; /* Length of data to be read from nand flash */} FLASH_CFG_PARMS_T;

where: UINT32 is a 32 bit unsigned integer.

length: This parameter is required to determine the length of image to copy to RAM.

Address Cycle Values for NAND Boot Devices

In the case of NAND boot, there will be no software look up table in boot ROM to determine the address cycle value; this value will be determined by the efuses. The various NAND flash configuration parameters are obtained from efuses as described in Table 1-2.

Error Correction and Error Detection

NFC automatically generates ECC code for both main and spare data during NFC data loading/reading to/from NAND Flash, and NFC updates ECC in the ECC status Register. NFC performs error detection and error correction.If ECC errors are not more than allowable limit(For 4 bit ECC,allowable limit is 4 and for 8 bit ecc it is 8) NFC will correct those errors.

On device power on, the copy of first 4k boot data from NAND flash device Block-0 to NFC buffer is done by boot ROM. Since in NAND flash devices there are possibility of getting errors while reading first 4k boot data from first block(NAND device Block-0), the user is required to duplicate the first 4k boot code to subsequent Block-1(NAND device block), to serve as a 2nd copy option.

The boot ROM code, takes advantage of the duplicate boot code, by the following flow:• If no ECC errors are detected in first boot block, boot execution will perform the secure internal

boot.• If ECC Error is detected in first 4K boot data from Block-0(NAND device block), the boot ROM

code would copy the 4k boot data from the block-1(NAND device block): —If no error detected, boot flow will continue performing the secure internal boot.—If an error is detected in the subsequent boot block, boot ROM code will log an error and jumps to USB/UART bootloader. The logged error can be queried via the serial protocol.

System Boot



Figure 1-5. Representation of data in NAND flash device

1.6.1.4.1 Flash Header for SD/eSD/MMC/eMMC Boot devices

In case of SD/MMC/eMMC boot case, an additional header must be defined (similar to that mentioned for NAND) as shown in Figure 1-6 The header must be located immediately after the DCD table and contains the length of the data to be read from boot device. eSDHC automatically generates CRC code during eSDHC data write /read to/from SD/MMC/eMMC, and eSDHC updates CRC in the CRC status Register. Boot-software will perform following operations:

1) Copy the 2k boot block data into IRAM.

2)Check the error using CRC. If no error, jump to address (base address plus the offset mentioned in Table 1-13 for SD/MMC/eMMC) of IRAM to authenticate the application if required. If error occurs, boot ROM code will log an error and jumps to USB/UART bootloader. The logged error can be queried via the serial protocol.

First 4k Boot

Copy of First 4kBoot Data from

Copy of Rest of

Data starts from Block 0

Block 1

Rest of Image

BLOCK 2- n

BLOCK 0

BLOCK 1 of NAND

of NAND

Image Block 1

System Boot



Note: Boot block mentioned here is different from the SD/MMC block.Boot block size is fixed to 2kB.

Figure 1-6. Representation of data in SD/MMC card

Rest of Image

2K Boot Block DataStarts from BLOCK 0

System Boot



1.6.1.4.2 Flash Header for I2C/HS-I2C/CSPI EEPROM Boot devices

In case of I2C/HS-I2C/CSPI EEPROM boot case, an additional header must be defined (similar to that mentioned for NAND) as shown in Figure 1-4. The header must be located immediately after the DCD table and contains the length of the data to be read from boot device. Representation of image data in I2C/HS-I2C/CSPI EEPROM would be as shown in Figure 1-7. Boot-software will perform following operations:

1) Copy the 2k boot block data into IRAM.

2)Check the error using barker value. If no error, jump to address (base address plus the offset mentioned in Table 1-13 for I2C/HS-I2C/CSPI EEPROM) of IRAM to authenticate the application if required. If error occurs, boot ROM code will log an error and jumps to USB/UART bootloader. The logged error can be queried via the serial protocol.

Note: Boot block mentioned here is different from the I2C/HS-I2C/CSPI EEPROM block.Boot block size is fixed to 2kB.

Figure 1-7. Representation of data in I2C/CSPI EEPROM

1.6.1.4.3 Flash Header for OneNand Boot device

In case of OneNand boot case, an additional header must be defined (similar to that mentioned for NAND) as shown in Figure 1-4. The header must be located immediately after the DCD table and contains the length of the data to be read from boot device.At system power-up, OneNAND automatically copies 1 Kb data from start of flash array (sector 0 and sector 1, page 0, block 0) to its Boot RAM i.e. Boot RAM contains the OneNAND flash header.Boot ROM will copy the 1Kb OneNAND boot RAM contents to

Rest of Image


System Boot



destination address (located in the app_dest_ptr entry of application header) and decrement length of the image to be read from OneNAND by 1 K. Boot RAM area is memory mapped and copying operation will be simple memory copying operation. The length of image to be read from OneNAND device is specified in flash header structure described in Figure 1-8 below.Any failure of loading data from OneNAND flash for any reason would force MCU Boot ROM to switch to serial download.

Figure 1-8. Representation of data in OneNand Flash

1.6.1.4.4 Device Configuration Data (DCD)

Some peripherals need to be configured before making use/ efficient use of it. The corresponding device specific configuration data is termed as DCD. Upon reset, the i.MX51 uses the default register values for all peripherals in the system. These settings typically are not ideal for achieving optimal system performance. For example, the EIM default settings allow core to interface to a NOR flash device immediately out of reset. This allows to interface with any NOR flash device, but has the cost of slow performance. Besides some peripherals like SDRAM etc. might require some sequence of register programming as part of configuration before it’s ready to be used. It is assumed that EIM registers and ESDCTL registers will be set up via DCD. ROM bootstrap has a provision for accommodating solutions to above scenarios. To allow users to configure for better performance, the ROM reads a DCD table from the flash device. The ROM determines the location of the DCD table based on information located in the flash header shown in Figure 1-4 above. This DCD table is an array of (access type, address and value) pairs preceded by a barker code and length field. The number of DCD entries is limited to 60.

Table 1-14. DCD block

Rest of Image


System Boot



Note: The DCD is read as 32-bit words, and must therefore be aligned on a word boundary.

The set of registers programmable with DCD must be restricted for security. Since the device configuration block is only post-authenticated (i.e. after it has already been used), the restriction has to be very tight. ROM bootstrap performs boundary checking of DCD-address in the device configuration block against the valid range of addresses. The allowed register sets by the device configuration block are defined in the table below:

Table 1-15. DCD valid modules

ROM bootstrap maintains an array of lower and upper addresses for each module allowed to be programmable through DCD. This array is utilized for verifying any attempt to configure a register other than that are allowed. ROM bootstrap determines the size of the block by reading DCD-block-length and copies it into IRAM. It is considered to be an error if

• Any register address is outside the pre-defined range.

Field Name Description Size (bytes)

Value

DCD-barker Barker for sanity check 4 0xE91972B1DCD-block-length The total length in bytes of theDCD block

(excluding this length field as well as the barker code)

4

Followed by an array of structures with following fields

DCD-address-type Type of pointer (byte, halfword, word, wait/read) in the following field

4

DCD-address The absolute address of the register to be programmed

4

DCD-value The value to be programmed at above address

4

Valid list of modulesClock Controller ModuleUniversal Asynchronous Receiver/Transmitter-1/2/3Universal Synchronous Bus(USBOH3)IOMUX (only for pad drive strength registers SW_PAD_CTL)PLL(1,2,3) RegistersWatchdog(1)NAND Flash Controller(NFC)Enhanced Synchronous Dynamic RAM ControllerWireless External Interface ModuleEnhanced SD Host Controller(eSDHC1,2,3,4)External Interface ModuleInter IC 1/2, HS-I2CMulti Master Memory Interface moduleenhanced Configurable serial peripheral interface 1/2Chip Select 0 - Chip Select 4CSD0 - CSD1

System Boot



• The length of the DCD exceeds the maximum acceptable size. That is MAX_HW_CFG_SIZE (in bytes). Assuming maximum of sixty elements for the array it amounts to seven hundred and twenty bytes.

• Any other failure.

If successful, it configures the HW registers and failure would lead to non-initialization of intended modules. DCD error (e.g. writing to a non-supported address say like ROMPATCH) causes the ROM boot code to enter the boot loader (serial download).

The DCD table must follow the structure below:

typedef struct {

DCD_PREAMBLE_T preamble; /* Preamble */ /* Type / Address / data elements */DCD_TYPE_ADDR_DATA_T type_addr_data[count]; /*where count would be some hardcoded value less than 60*/

} DCD_T;

Where: typedef struct {

UINT32 barker; /* Barker for sanity check */ UINT32 length; /* Device configuration structure length (not including preamble) */

} DCD_PREAMBLE_T;

typedef struct {

UINT32 type; /* Type of pointer (byte, halfword, word, wait/read) */ UINT32 *addr; /* Address to write to */ UINT32 data; /* Data to write */

} DCD_TYPE_ADDR_DATA_T;

DCD_T typically contains the configuration data for Watchdog, SDRAM, and EIM etc.

System Boot



Example code:

DCD_T device_config_data = { { IROM_DCD_BARKER, // assuming this is pre-defined as macro (18 * sizeof(DCD_TYPE_ADDR_DATA_T)) },

{ {0x00000002, (UINT32 *)0x53fdc000, 0x00003F7E}, /* WDOG WCR */ {0x00000002, (UINT32 *)0x53fdc004, 0x00005555}, /* WDOG WSR */ {0x00000002, (UINT32 *)0x53fdc004, 0x0000aaaa}, /* WDOG WSR */ {0x00000004, (UINT32 *)0xb8002000, 0x14110802}, /* EIM CTL H 0x11134722 */ {0x00000004, (UINT32 *)0xb8002004, 0x80330d01}, /* EIM CTL L -0x50331D01- 16 Bit */

{0x00000004, (UINT32 *)0xb8002008, 0x00000800}, /* EIM CTL A */ {0x00000002, (UINT32 *)0xa0002394, 0x00000060}, /* EIM CS0 -6F0C- 16 Bit */ {0x00000002, (UINT32 *)0xa0002394, 0x00000003}, /* EIM CS0 -6F0C- 16 Bit */ {0x00000002, (UINT32 *)0xa0000000, 0x000000ff}, /* EIM CS0 - R/A - 16 Bit */ {0x00000004, (UINT32 *)0xb8001004, 0x000ac7a8}, /* SDRAM CS0 CFG0 - Timing */ {0x00000004, (UINT32 *)0xb8001000, 0x92110080}, /* SDRAM CS0 CTL0 - Enable */ {0x00000004, (UINT32 *)0x80000400, 0x00000000}, /* SDRAM CS0 - Precharge */ {0x00000004, (UINT32 *)0xB8001000, 0xa2110080}, /* SDRAM CS0 - Refresh */ {0x00000004, (UINT32 *)0x80000000, 0x00000000}, /* SDRAM CS0 - Refresh */ {0x00000004, (UINT32 *)0x80000000, 0x00000000}, /* SDRAM CS0 - Refresh */ {0x00000004, (UINT32 *)0xB8001000, 0xb2110080}, /* SDRAM CS0 - Load Mode */ {0x00000001, (UINT32 *)0x80000033, 0x00000000}, /* SDRAM CS0 - Load Mode */ {0x00000004, (UINT32 *)0xB8001000, 0x82114c80}, /* SDRAM CS0 - Norm Mode */ }};

Above code is based on following table.

Table 1-16. Valid DCD address range

Address range Start address Length (in bytes)

CCM register set 0x43FD4000 0x00004000

CSD0 memory 0x90000000 0x10000000

CSD1 memory 0xA0000000 0x10000000

WEIM register set 0x83FDA000 0x00001000

NANDFC register set 0x83FDB000 0x00000F00

CS0 memory 0xB0000000 0x08000000

CS1 memory 0xB8000000 0x08000000

CS2 memory 0xC0000000 0x08000000

CS3 memory 0xC8000000 0x04000000

CS4 memory 0xCC000000 0x02000000

CS5 memory 0xCE000000 0x01FF0000

System Boot



In boot flow the DCD data is used prior to being verified.The DCD data must be included as part of memory regions verified indicated in one of the HAB CSF commands.

1.6.2 Serial Downloader (BMOD[1:0] = 11)Serial downloader is invoked when the external flash device is not programmed or when a failure is encountered during the boot flow process. It is invoked in any of the following condition

— BMOD=11— BMOD=10 && BT_VIRGIN =0— BMOD=00 /10 and no valid image in Flash— ROM is in internal boot and none of the fuses for external flash are satisfied.— Security hardware failure— Run time exception occurs— Error returned by the HAB functions in Production Mode.

USB OH3 memory 0x73F80000 0x00004000

IOMUXC registers 0x73F8A000 0x00004000

UART 1 register 0x73FBC000 0x00004000

UART 2 register 0x73FC0000 0x00004000

I2C1 register 0x83FC4000 0x00004000

WDOG register 0x73F98000 0x00004000

PLL1 register 0x83F80000 0x00004000



ESDHC1 register 0x70004000 0x00004000




EMI register 0x83FD8000 0x00004000

ESD RAM controller register

0x83FD9000 0x00001000

M4IF register 0x83FD8000 0x00001000

Address range Start address Length (in bytes)

System Boot



To determine the active serial port either UART or USB, MCU ROM polls UART and USB status register for about 32 seconds. If there is no activity on either port within predefined polling loop time then ROM will power down the phone using WDOG. In USB/UART bootloader valid case the WDOG will be serviced periodically. If the communication between the Host and ELVIS IC hangs for more than 32 sec or processor goes into and endless loop then WDOG will expire and power down the device.If UART is selected as the communication path then UART1/2/3 is configured for baud rate 115.2 kbps, parity disable, 1 stop bit and 8- bit TX-RX character length and data is downloaded using the Serial protocol (Section 1.11).Else if USB is selected then USB core and the external transceiver or Internal transceiver(Selected based on the BT_USB_SRC fuse) is configured.

The USB/UART Boot flow is shown in Figure 1-9.Figure 1-9. USB/UART Boot flow

32 timer over

NoYes Poll USB/UART activity

USB/UART ?

USB

UART

Complete the High Speed USB enumeration

process in Non-Stream Mode

Ready for serial download

No

Yes

Configure USBOTG, UART1, program WDOG(MCU) for 32 sec timer

PowerDown Device

System Boot



1.6.2.1 USBThe i.MX51 USB support is composed of the USBOH3 (USB OTG core controller, compliant with the USB 2.0 specification and three additional USB hosts) and the USBPHY (HS USB transceiver).

USB OTG port is the bootable USB device. Additional USB hosts are intended for the intraplatform communication and not bootable.

To enumerate the ROM boot USB function the host PC needs a compatible windows driver and a specific application “ADS Tool kit”. Once enumerated, the USB boot device uses a specific protocol “Download protocol” to download an application, DCD block or CSF and launch the application.

For USB boot, the USBOH3 controller is used, with either the integrated PHY (typical use), or via ULPI interface to an auxiliary PHY. Selection between the two PHYs, is determined by either is done by BT_USB_SRC fuse or the corresponded GPIO pin, Table 1-18 shows the possible fuse values and their corresponding feature enabled. The Boot ROM USB driver configures the USB controller to function in High Speed non-stream bulk mode with 512B maximal packet size. The control endpoints EP0IN and EP0OUT are configured for control transfer and for data transfer in bulk mode EP1OUT and EP2IN are configured as IN and OUT transactions respectively. The supported transceivers are in Table 1-17.

Table 1-17. Supported USB Transceivers

1USB External Phy was tested on Philips1504 and SMSC3300/3311 only

USB configuration detailsA High speed(HS for UTMI, ULPI )Non-stream mode with maximal packet size 512B low level USBOTG function device driver is supported. Following are the type of supported USB transceivers.

• USB ULPI interface.• USB UTMI interface.

Transceiver Speed Interface USB Controller Mode

Internal PHY High Speed (HS)

UTMI High Speed(HS) non-stream bulk mode with a maximal packet size 512B

External PHY1 HS ULPI High Speed(HS) non-stream bulk mode with a maximal packet size 512B

System Boot



The VID/PID and strings for USB device driver are listed in Table 1-19

Table 1-19. VID/PID and Strings for USB Device Driver

A typical USB boot flow is shown in Figure 1-10.

Table 1-18.

BOOT MODE ELVIS fuse

UTMI PHY BT_USB_SRC=0

ULPI PHY BT_USB_SRC=1

Descriptor Value Remarks

VID 0x15A2

(Freescale vendor ID)

PID 0x0041 Allocated Based on

BPN (Before Part Number)

String Descriptor1(iManufacturer)

Freescale Semiconductor Inc.

String Descriptor2(iProduct)

S Blank ELVIS

SE Blank ELVIS

NS Blank ELVIS

String Descriptor4 Freescale Flash

String Descriptor5 Freescale Flash

System Boot



Figure 1-10. USB Boot flow

1.6.2.2 UARTAll the UART (UART1, UART2 and UART3) port are boot device.

Once initialized, the UART boot device uses a specific protocol “Serial Downloader Protocol” to download an application, DCD block or CSF and launch the application.

The UART driver uses the communication parameters given in the Table 1-14

BT_USB_SRC ??

BT_USB_SRC=0

BT_USB_SRC=1

Complete ULPI 8 bit Synchronous Configuration

and USBOTG = HS with Non-stream mode

Complete UTMI 8bit synchronous Configuration

and USBOTG = HS with Non-stream mode

Complete the USB enumeration process

Poll for Activity

ULPI, HS path

Read BT_USB_SRC(1/0) fuse

UTMI, HS path

System Boot



Table 1-20. UART Configuration

1.6.3 Internal Boot Mode with Fuses(BMOD[1:0] = 10)

Internal boot (from boot fuses only) is selected by driving value of ‘10’ on the BOOT_MODE[1:0] pins, at device power up. This mode is equivalent to the Internal boot (from boot pins), BOOT_MODE[1:0]=00,with the only difference that boot pins are ignored, regardless to BT_GPIO_SEL fuse value. Boot alway start from boot fuses. This allows to customers to burn fuses on the closed produc-tion device, with no external muxes on BOOT_MODE, pullups/pulldowns and with no uncertainty on the way to the fallback boot downloader, caused by unknown boot pin values during the initial boot from the product device.

Customers can set BOOT_MODE[1:0]=10 on production device and burn fuses on the same device (by falling back to USB/UART downloader), without changing value of BOOT_MODE[1:0] or pullups/pull-downs on the boot pins.For cleaner jumping to UART/USB boot loader in case of initial fuse burning, BT_VIRGIN fuse was introduced. If BOOT_MODE[1:0]=10&&BT_VIRGIN=0, then ROM code jumps directly to UART/USB boot loader, without trying other interfaces. BT_VIRGIN is supposed to be burnt by the cus-tomer during initial fuse burning

.

1.6.4 Error Logging• All the ROM errors are logged to pu_irom_error_status(Address : 0x1ffe1a98) variable.

Parameter Value

Baud rate 115.2 kbaud

Parity check Disabled

Word size 8 bits

Stop bits 1 bit

RTS Ignored

CTS Controlled by host

Receive pin RXD1

Transmit pin TXD1

System Boot



1.7 Exception handlingThe exception vectors located at the start of internal ROM are used to map all the ARM exceptions (except the reset exception) to a duplicate exception vector table in iRAM.During the boot phase, the iRAM vectors point to the serial downloader in iROM. After boot theOS loader can overwrite the vectors as required. The code below is used to map the ROM exception vector table to the duplicate one in iRAM.

;; Define linker area for iROM exception vector tableAREA IROM_VECTORS, CODE, READONLY

LDR PC, Reset_AddrLDR PC, Undefined_AddrLDR PC, SWI_AddrLDR PC, Prefetch_AddrLDR PC, Abort_AddrNOP ; Reserved vectorLDR PC, IRQ_AddrLDR PC, FIQ_AddrLDR PC, SW_monitor_addr

;; Define exception vector tableReset_Addr DCD start_addressUndefined_Addr DCD iRAM_Undefined_HandlerSWI_Addr DCD iRAM_SWI_HandlerPrefetch_Addr DCD iRAM_Prefetch_HandlerAbort_Addr DCD iRAM_Abort_Handler DCD 0 ; Reserved vectorIRQ_Addr DCD iRAM_IRQ_HandlerFIQ_Addr DCD iRAM_FIQ_HandlerSW_monitor_add DCD SW monitor exception

start_address DCD start ;reset handler vector

No special interrupt handling routines are required during bootup. Instead, the iRAM exception table is filled with the address of the USB/UART Bootloader module, so that any exception or interrupt will result in the RAM Path being executed. Interrupts are disabled during bootROM code execution and can be enabled after bootROM code execution.Flash or RAM applications image are responsible for enabling

of interrupt as required .

System Boot



1.8 USB Low Power BootElvis supports low power boot (LPB) mode with depleted or disconnected battery, from USB power supply only.

ROM involvement in LPB is required to be minimal, while the most configuration operations, if required, will be performed by downloaded PMIC and USB drivers.

The platform current consumption during LPB ROM stage shall be less than 100mA of VUSB. For this purpose, DRAM module can be disabled and the primary boot image will be downloaded to iRAM.

Three Low Power Boot modes have being supported:

BT_LPB[1:0]=00 - LPB Disabled

BT_LPB[1:0]=01 - Generic PMIC and one GPIO input (Low battery)

BT_LPB[1:0]=10 - Generic PMIC and two GPIO inputs (Low battery and Charger detect)

BT_LPB[1:0]=11 - Atlas AP Power Management IC.

In case of BT_LPB[1:0] = 11, ROM expects the the Atlas Interrupt to be Routed via GPIO1_5 pin.ROM reads the value on the GPIO1_5 to see whether the PMIC Interrupt is set or not.If GPIO1_5 = 1,then the LPB Flow is executed,else Normal Boot flow continues.

Generic PMICs indicate power conditions through GPIO1_2 pin. In the most basic case, Generic PMIC indicate low battery condition:

0 - means battery is low/depleted/not connected

1 - battery is Ok for the normal boot.

LPB status is indicated to the upper layer software by means of the bits[1:0] of the SCS1 register of the IIM module.

if the value of these bit fields is 00,then it indicates Normal Boot and if the value is found to be 11,then it indicates Low power Boot

For better flexibility, in BT_LPB[1:0]=10 mode, GPIO1_3 receives an indication about charger presence in the system.

Maximal LPB ARM core frequency is customed and stored in fuses BT_LPB_FREQ[2:0]. Table 1-21.

LPB_FREQ[2:0] Frequency Value(MHz)

000 192 MHz(default,out of reset,depends on CKIH OSC frequency).Please refer to section 1.6.1.2 for more details on this particular frequency.

001 133

010 55.33

System Boot



ROM code supports all primary boot devices in LPB mode, however the assumption that UART and USB boot devices will not be used by customers in LPB mode.

LPB flowchart is shown in Figure 1-11

1. Check Whether the LPB feature is enabled by reading BT_LPB[1:0] fuse.

2. If low power boot feature is not enabled, boot up normally.

3. If LPB feature is enabled, then follow the below procedure.

4.Check for ATLAS PMIC if it is used follow below procedure else got to step -10

5.Check for GPIO1_5 ,if it is 1 follow the below procedure.

6.Check if PHY is UTMI (BT_USB_SRC==0) and charger is connected(Using UTMI charger detection procedure). if yes go to step-15 else follow below steps

7.Check if PHY is ULPI(BT_USB_SRC==1) or UTMI charger detection failed follow below steps

8.Update the status 0x03 in the SCS1 register which will be required for Application software .

9.Initializes the clocks based on the BT_LPB_FREQ[2:0].Go to step 16

10. Query LPB conditions are met via GPIO(s) as given in the flow chart. GPIO1_2 pin indicates low battery condition is present(value = 0), GPIO1_3 pin indicates charger connected status(value =1).

11.Check whether a low battery condition exist.if yes then proceed further else go to step15. Check for wall adapter/charger(GPIO1_3) if it is available go to step-15 else follow below steps

12.Check if PHY is UTMI (BT_USB_SRC==0) and charger is connected(Using UTMI charger detection procedure),if available go to step-15 else follow below steps.

13.Check if PHY is ULPI(BT_USB_SRC==1) or UTMI charger detection failed follow below steps.Update the status 0x03 in the SCS1 register which will be required for Application software .

14. Incase a 3rd Party PMIC is used, ARM core clock is configured based on LPB_FREQ[1:0].Goto step-16.

15. Configure the PLL and clocks as in normal boot

011 200

100 220

101 166

110 266

111 Normal boot frequency,400MHz

LPB_FREQ[2:0] Frequency Value(MHz)

System Boot



16. After the Initial 2k Copy from the selected boot device,Check for the Following condition.

if the ongoing Boot is on a lowpower scenario and the Fusebank 0, Offset 0x000C, bit 1 value equals Zero,then Do a Connect (pull up on the D+ line and initiate an attach event) on the respective USB interface.This is to gain another 500ms time in context of a dead battery.Copy the rest of the Image from

System Boot



the selected boot device and proceed with the secure boot flow , loads the customer application and jumps to execute it.

System Boot



Figure 1-11. USB Low Power Boot Flow

LPB (Low Power Boot Check)

Is BT_LPB==00 ?(Is LPB allowed?)

BT_LPB==11(Is ATLAS AP allowed?)

If GPIO1_2==1 (Low power condition exits ?)

BT_LPB[1:0]==10 AND GPIO1_3==1 (Wall adapter/Charger detected ?)

If UTMI Phy(BT_USB_SRC==00) AND Charger(wall/usb) detected

If((lowpowerboot) and (fusebank 0 offset 0x000C bit1 == 0))

NORMAL BOOT Clock(Unlimited power budget)

Copy initial 2k image from the boot device

Update the SCS1 to 0x03.Low Power Boot Clock

Copy initial 2k from boot device

Copy rest of the image and Continue with secure Boot flow

Initiate an attach event on the respective usb interface

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

ATLAS AP LPB

“A”

Yes

If ULPI_Phy(BT_USB_SRC)==1 || UTMI charger not detected)

Yes

No

System Boot



Figure 1-12. USB Low Power Boot Flow(Contd.)

“A”

If GPIO1_5 pin asserted ‘1'

Set IIM_SCS1 reg to 0x03

NORMAL BOOT Clock Config(Unlimited power

budget)Copy the Initial 2k Low Power Boot Clock .Copy the initial 2K

no

If UTMI Phy(BT_USB_SRC==00) AND Charger(wall/

usb) detected

If ULPI_Phy((BT_USB_

SRC==1) || UTMI charger not detected)

no

yes

Initiate an attach event on the respective usb

interface

If((lowpowerboot) and (fusebank 0 offset 0x000C bit1 == 0))

Copy rest of the image and Continue with secure Boot flow

yes

no

yes

yes

System Boot



1.9 High Assurance Boot (HAB)The High Assurance Boot (HAB) component of the ROM protects against the potential threat of attackers modifying areas of code or data in programmable memory to make it behave in an incorrect manner. The HAB also prevents attempts to gain access to features which should not be available. The integration of the HAB feature with the ROM code ensures that i.MX51 does not enter an operational state if the existing hardware security modules have detected a condition that may be a security compromise or areas of memory deemed to be important have been modified.

Figure 1-13. Secure Boot Components

Figure 1-13 illustrates the components used during a secure boot, and is applicable to the AP. The AP core have independent HAB libraries and make use of the shared RTICv3, shared SAHARAv4LT and SCC2. The HAB provides support for SHA-256 message digests and RSA encryption operations. The HAB supports SHA-256 through SAHARAv4LT, RTICv3 hardware modules or through a software implementation that runs on the core processor. The RSA encryption operations are performed by software.

1.9.1 HAB TYPEThe HAB requires the location of two components in flash: the starting address of the Super Root Key (SRK) data and the starting address of the Command Sequence File (CSF) data. Both of these components are defined in the flash header as illustrated in Figure 1-4. The SRK defined in the application data located in flash is validated by the HAB. The HAB will perform a SHA-256 hash digest of the SRK provided in the application data. It will then compare the computed hash with that stored in the i.MX51 efuses. If validation of the SRK is unsuccessful the ROM will enter the serial bootloader.

The CSF provides the signature and certificate information for the flash image. The CSF is generated by using a client/server Code Signing Tool (CST). Function Prototypes

Core Processor

RO

M

HAB

RTICv3Flash

RAM

SCC

2, S

AH

ARAv

4LT

Shared peripheral

System Boot



1.9.1.1 HAB TYPESThe boot flow is influenced by device HAB TYPE as specified in Table 1-16.

1.9.2 Function PrototypesThree HAB functions are available to application code residing outside of the ROM. An additional function is also available to enter the ROM serial bootloader directly. These functions can be considered trustworthy since they are located in ROM and cannot be changed.

1.9.2.1 pu_irom_boot_decisionSyntax:

void pu_irom_boot_decision(void)

Description:

Entry point for the serial downloader. Performs the check of whether to use UART or USB for the serial bootloader.

Inputs:• None.

Returned Value:• None.

PreConditions/Assumptions:• GPIO for selecting USB Serial PHY and ULPI PHY is set appropriately .

Table 1-22. HAB Types

HAB TYPE Value Action

HAB_ENGINEERING 0x1 Initialize secure hardware, execute DCD block and authenticate applications prior to their execution. Any errors detected are logged, but have no influence on the boot flow.

HAB_PRODUCT 0x2 Initialize secure hardware, execute DCD block and authenticate applications prior to their execution. Any errors detected are logged and control passes to the USB/UART Bootloader.

HAB_SEC_DISABLED 0x4 Bypass HAB functions: do not initialize SHW, do not execute HW Configuration block and do not authenticate applications prior to their execution.

System Boot



Post Conditions:• None.

1.9.2.2 hab_csf_checkSyntax:

hab_result hab_csf_check(UINT8 csf_count,UINT32 *csf_list);

Description

Performs integrity checks on software in programmable memory as instructed by CSFs.

Inputs:

The number of CSFs to be processed and their locations

Returned Value:

The structure typedef struct {

unsigned char status; /* Status code */unsigned char type; /* HAB type from Table 1-22 */

} hab_result;

with processor TYPE and one of the following status codes:• HAB_PASSED if all CSFs are valid and all verifications in all CSFs are satisfied.• HAB_DATA_OUT_OF_BOUNDS if csf_count is 0, csf_count exceeds maximum length of CSF

chain or csf_list is NULL.• Appropriate error code for other failures as stated in Table 1-24, ’Status CodeConstants’.• HAB_FAILURE otherwise.

Pre Condition/Assumptions:• Verified blocks list and subordinate keys list are initialized.• The parameter csf_list points to a list of length csf_count.

Post Condition:• The verified blocks list contains the list of successfully verified data blocks,padded at the end of

the list to indicate that no more verified block is available.• The subordinate keys list contains successfully validated subordinate keys.• If HAB_SHA1_RTIC_KEEP, HAB_RSA_SHA1_RTIC_KEEP, HAB_SHA256_RTIC_KEEP

and HAB_RSA_SHA256_RTIC_KEEP algorithm types are used in CSF commands, the RTIC hash digest registers and runtime enable masks are initialized in preparation for run-time mode operation.

System Boot



1.9.2.3 hab_assert_verificationSyntax:

hab_result hab_assert_verification(UINT8 *block_start,UINT32 block_length);

Description:

Perform only after a CSF Check. Determines if a block of data lies within the regions of the pre-authenticated block or the regions verified during CSF Check.The state of the SCC (if enabled and the processor TYPE is not engineering) is also tested to ensure that the hardware is secure.

Inputs:

Starting address and length (in bytes) of the data block.

Returned Value:

The structure:

typedef struct {

unsigned char status; /* Status code */unsigned char type; /* HAB type from Table 1-22 */

} hab_result;

with processor TYPE and one of the following status codes:• HAB_PASSED if all tests pass,• HAB_FAIL_ASSERT if block is not pre-authenticated or in regions verified during CSF Check,• HAB_SCC_NOT_SECURE if SCC is not in the secure state and processor TYPE is not

engineering,• HAB_FAILURE otherwise.

Pre Condition/Assumptions:

• The verified blocks list contains (start, length) pairs of 32 bit unsigned integer values, padded at the end of the list to indicate that no more verified block is available. If the given block has been verified or pre-authenticated, it is assumed to lie wholly within the boundaries of a single block in the verified blocks list.

Post Condition:

None.

System Boot



1.9.3 API Jump Table AddressesThe address of the HAB functions are available via a jump table defined in the ROM.Table 1-23 below lists the functions and the associated jump table address. Jump table is placed before copyright section. A total of 0x48 bytes space is reserved for copyright section.

1.9.4 HAB Status Codes and Algorithm TypesTable 1-24. HAB Status Codes

Table 1-23. HAB API Jump Table Addresses

HAB API Function Jump Table Address

hab_csf_check 0x40

hab_assert_verification 0x44

pu_irom_boot_decision 0x50

Name Description Value

HAB_DATA_OUT_OF_BOUNDS Data specified is out of bounds. 0x8d

HAB_FAIL_ASSERT Error during Assert Verification. 0x55

HAB_FAIL_HASH_VERIFICATION Hash verification failed (including hash verification on certificates).

0x36

HAB_FAIL_PK_VER Certificate parsing failed, or the cer-tificate contained an unsupported key (including unsupported key length).

0x33

HAB_FAIL_SIG_VERIFICATION Signature verification failed (includ-ing signature verification on certifi-cate).

0x35

HAB_FAIL_SUPER_ROOT_INSTALL Super-Root key installation failed. 0x47

HAB_FAILURE Failure not matching any other description.

0x39

HAB_INVALID_CSF_COMMAND CSF Command Sequence contains an unsupported command identifier.

0x4b

HAB_INVALID_CSF_HEADER Absence of expected CSF Header (including mismatched HAB Ver-sion).

0x4e

HAB_INVALID_CSF_LENGTH CSF length is unsupported. 0x4d

HAB_INVALID_CSF_TYPE CSF TYPE does not match proces-sor TYPE.

0x2e

System Boot



HAB_INVALID_CSF_UID CSF UID does not match either processor UID or generic UID.

0x2d

HAB_INVALID_CSF_CODE CSF Customer/Product code does not match processor Cus-tomer/Product code.

0x3a

HAB_INVALID_KEY_INDEX Key index is either unsupported, or an attempt is made to overwrite the Super-Root key from a CSF com-mand.

0x87

HAB_PASSED Successful operation completion. 0xf0

HAB_SCC_NOT_SECURE SCC unexpectedly not in Secure State.

0x17

HAB_SECURE_RAM_BAD_KEY SecureRAM secret key invalid. 0x1e

HAB_SECURE_RAM_CLR_FAIL SecureRAM initialisation failure. 0x1d

HAB_SECURE_RAM_FAIL SecureRAM Self Test failure. 0x1b

HAB_SCC_FAIL SCC .unexpectedly not in Non-Secure State

0x53

HAB_SECURE_RAM_INT_ERR SecureRAM internal failure. 0x2b

HAB_SECURE_RAM_SEC_KEY SecureRAM secret key unexpect-edly in use.

0x27

HAB_SAHARA_FAIL SAHARA failure. 0x3c

HAB_SAHARA_SCC_FAIL SAHARA/SCC connectivity failure. 0x59

HAB_RTIC_REGION_FAIL All RTIC regions are allocated. 0xa3

HAB_RTIC_SCC_FAIL RTIC/SCC connectivity failure. 0x93

HAB_SHW_DISABLED SHW is not enabled. 0x0f

HAB_UNINITIALISED_KEY_INDEX An attempt is made to read a key from the list of subordinate public keys at a location where no key is installed.

0x8b

HAB_UNSUPPORTED_ALGORITHM Algorithm type is either invalid or otherwise unsupported (e.g. Debug Port activated while the HAC of a non-engineering processor TYPE is in use).

0x8e

HAB_INVALID_WRITE_REG Write operation to register failed. 0x66

Name Description Value

System Boot



1.10 SRTC InitializationThe SRTC is initialized by the ROM as part of the HAB library. The SRTC low power secured registers (Secure Counter MSB/LSB Register, Alarm register and Monotonic counter register) cannot be configured by non-secure software. Non-secure software is an considered as application code executing after a secure boot that:

• is not executed in Trusted mode on an ARM Trustzone capable core or;• not in supervisor mode.

A dedicated Non Secure Access (NSA) bit in SRTC low power control register can allow non-secured SW to update the secured registers. This bit can be set only by secured software. In any case, the SRTC secured registers cannot be configured once the SRTC is locked. Neither the time nor the monotonic count can be altered after SRTC is locked, and once the SRTC is locked it cannot be disabled. The initialization steps performed by the boot ROM depend on the security mode of the SRTC.

1.10.1 SRTC Security ModesThe security mode of the SRTC is controlled by the two SRTC security mode fuses defined in the IIM and are listed in Table 1-25 below. There are three different modes that can be defined, with each mode causing the boot ROM/HAB library to operate in a different manner.

Table 1-25. SRTC Security Modes

When SRTC security mode is set to the High Security Mode (1x), external images, even those that are authenticated by the HAB library, are not allowed to reprogram the SRTC secure time and monotonic counter registers. Only a special RAM kernel downloaded via a serial connection is capable of reprogramming the SRTC secure time and counter registers.

When SRTC security mode is set to Medium Security Mode (01) or Low Security Mode (00), then any external image is able to reprogram the SRTC secure time and counter registers.

The HAB library in boot ROM does not make use of the other fuses assigned to the SRTC defined in the IIM. That is, the monotonic counter update field (SRTC_MCOUNT) and the SRTC lock (SRTC_LOCK) fuses are not updated directly by the boot ROM or HAB.

1.10.2 HAB Support For SRTC in High Security ModePrior to exit from the ROM the HAB ensures that the SRTC is configured appropriately for the given security mode defined in the SRTC mode efuses. The following sections describe the functionality for each SRTC mode.

SRTC_SECMODE value Fuse bits

Low Security Mode 00

Medium Security Mode 01

High Security Mode 1x

System Boot



NOTE: The HAB_TYPE (HAB_PRODUCT or HAB_ENGINEERING) does not impact how the HAB library initialized the SRTC. This is dictated by the SRTC mode efuses only.

In order for an application to have the capability to update the SRTC time and counter values, a special CSF must contain the following two WRITE_TO_REGISTER (WTR) commands:

• A WTR command to write 0xFFFFFFFF to SRTC Low Power Status register (LPSR) to clear all the failure status bits, and

• A WTR command to write 0x00000000 to SRTC Low Power Control Register (LPCR) to disable counter and clock.

A normal CSF will not have the above specified WRITE_TO_REGISTER commands, not allowing the application to update the time and count values.

1.10.3 HAB Support For SRTC in Medium and Low Security ModesThe HAB library does not perform any initialization for these SRTC modes.

1.10.4 External Boot SupportFor direct (non-secure) boot modes that require boot ROM to be executed first, such as a direct NAND flash boot, If SRTC is in High or Medium security mode the HAB sets the SV bit in SRTC LPCR to move SRTC to FAIL state. If SRTC is in INIT state, the HAB will also set IE bit along with SV bit in SRTC LPCR to move SRTC out of INIT state to FAIL state.

1.11 Serial Download protocolThis section describes the serial download protocol used for all boot devices in the serial bootloader oni.MX51.Each stage in the protocol begins with a command issued by the host to the device, followed by a response from the device to the host. For most commands, that completes the protocol stage. The excep-tion is the Write File command, which has an additional data stream sent from the host to the device after the response.The protocol is terminated by the host issuing a Write File command with application file type. Afterprocessing the Write File commands, the device interprets the next command as a Completed command,and resumes execution of the boot flow in order to authenticate the downloaded application (if required)and then execute it.

1.11.1 Get Status

The Get Status command retrieves the error log stored during a failed boot (or the success code whenSerial bootloader is selected deliberately).

System Boot



The fields have the following interpretation:• SC = Status Code. Four copies of the status code are sent.• - = Don’t Care (but must be present)

1.11.2 Read Memory

The Read Memory command reads a stream of bytes, half-words or words of data starting from a givenaddress in memory. At production-level security, this command is ignored.

Table 1-27. Read Memory Command

The fields have the following interpretation:• A[3:0] = Target address (most-significant byte first).• DS = Data Size (0x08 = byte, 0x10 = half-word, 0x20 = word). Unsupported DS values result inthe failure response.• C[3:0] = Number of data elements (bytes, half-words or words as appropriate) in data stream(most-significant byte first).• ACK[3:0] = 0x56, 0x78, 0x78, 0x56.

• - = Don’t Care (but must be present)

1.11.3 Write MemoryThe Write Memory command writes a byte, half-word or word of data to a given address in memory.

Table 1-28. Write Memory Command

The fields have the following interpretation:• A[3:0] = Target address (most-significant byte first).• DS = Data Size (0x08 = byte, 0x10 = half-word, 0x20 = word). Unsupported DS values result inthe failure response.

Table 1-26. Get Status Command

Command 0x05 0x05 - - - - - - - - -

Response SC SC SC SC SC

System Boot



• D[3:0] = Data to write(most-significant byte first). For DS = 0x08, only D[0] is used. For DS =0x10, only D[1:0] is used.• ACK[3:0] = 0x12, 0x34, 0x34, 0x12 for production-level security, and 0x56, 0x78, 0x78, 0x56otherwise.


At production-level security, the address ranges which may be written are restricted to those listed for DCD. Attempts to write outside of the valid ranges are ignored and result in the failure response. For other security levels, no restrictions apply to the target address.

1.11.4 Re-enumerateThe Re-enumerate command resets the USB connection with an updated descriptor.

Table 1-29. Re-enumerate Command

The fields have the following interpretation:• SN[3:0] = Serial number for enumeration descriptor.


1.11.5 Write File

The Write File command writes a stream of bytes to a given address in memory. The byte stream may beassigned a file type in order to distinguish CSF, DCD and application files. An application file type leadsto the termination the serial download protocol, with the next command (whatever the command byte val-ues) being treated as the Completed command.

Table 1-30. Write File Command

The fields have the following interpretation:• A[3:0] = Target address (most-significant byte first).• C[3:0] = Number of bytes in data stream (most-significant byte first).• FT= File Type (0xAA = application (terminates protocol), 0xCC = CSF, 0xEE = DCD). Withunrecognized FT values, the file is still downloaded, but the pointers to the three essential files arenot modified.• ACK[3:0] = 0x12, 0x34, 0x34, 0x12 for production-level security, and 0x56, 0x78, 0x78, 0x56otherwise.• - = Don’t Care (but must be present)

At production-level security, the address ranges which may be written are restricted to those listed for

Command 0x09 0x09 - - - - - - - SN[3:0] -

Response 0x89 0x23 0x23 0x89

System Boot



DCD. Attempts to write outside of the valid ranges are ignored and result in the failure response. For other security levels, no restrictions apply to the target address.

1.11.6 Completed

The Completed command is required after the Write File command with application file type in order toterminate the protocol. The content of the command is irrelevant, but a command must be sent. Thiscommand triggers authentication and DCD processing (if required) followed by execution of theapplication. At production-level security, if application authentication fails, the serial download protocol resumes, with the status code for authentication failure available through the Get Status command.

Table 1-31. Completed Command

The fields have the following interpretation:• - = Don’t Care (but must be present)

Command - - - - - - - - - - -

Response 0x88 0x88 0x88 0x88

System Boot



1.12 Appendix - ATable 1-32. Nand Device Addressing

Address Device Number of address cycle

Page per Block

Notes

Com

man

d

1 2 3 4 5

Com

man

d

1/2 KB page, SLC/MLC

4 32 5 LSB bits of Row1 give offset in block & 13 remaining bits choose block number

0x00 Col1 Row1 Row2 Row3 None None

2KB SLC 5 62 6 LSB bits of Row1 give offset in block & 11 remaining bits choose block number

0x00 Col1 Col2 Row1 Row2 Row3 0x30

2KB MLC 4 128 7 LSB bits of Row1 give offset in block & 9 remaining bits choose block number

0x00 Col1 Col2 Row1 Row2 None 0x30

4KB SLC/MLC

5 128 7 LSB bits of Row1 give offset in block & 12 remaining bits choose block number

0x00 Col1 Col2 Row1 Row2 Row3 0x30

System Boot



Table 1-33. Nand Device Addressing

Device Page Copying for 8KB Block Address Cycle

Page1 0x00,0x00,0x00,0x00

Page2 0x00,0x01,0x00,0x00

Page3 0x00,0x02,0x00,0x00

Page4

0x00,0x03,0x00,0x00

Page5 0x00,0x04,0x00,0x00

Page6 0x00,0x05,0x00,0x00

Page7

0x00,0x06,0x00,0x00

Page8

0x00,0x07,0x00,0x00

Next Block accesses (upon Error)

Page1 0x00,0x20,0x00,0x00

Page2 0x00,0x21,0x00,0x00

Page3 0x00,0x22,0x00,0x00

Page4 0x00,0x23,0x00,0x00

Page5 0x00,0x24,0x00,0x00

Page6 0x00,0x25,0x00,0x00

Page7 0x00,0x26,0x00,0x00

512Byte Page SLC/MLC

Page8 0x00,0x27,0x00,0x00

System Boot





Figure 1-14. Nand Device Addressing

Page1 0x00,0x00,0x00,0x00,0x00

Page2 0x00,0x00,0x01,0x00,0x00


Page1 0x00,0x00,0x40,0x00,0x00

2 KB Page SLC

Page2 0x00,0x00,0x41,0x00,0x00

Page1 0x00,0x00,0x00,0x00,0x00

Page2 0x00 0x00 0x01 0x00 0x00


Page1 0x00 0x00 0x80 0x00 0x00

2 KB Page MLC

Page2 0x00 0x00 0x81 0x00 0x00

Device Page copying for 8KB Block

Address Cycles

Page1 0x00,0x00,0x00,0x00,0x00


4 KB Page SLC/MLC

Page1

0x00,0x00,0x80,0x00,0x00

System Boot



1.13 Appendix - B

1.13.1 Application Note: Boot from a NAND device

1.13.1.1 IntroductionThis Section explains the various fuse settings that need to be performed on the Elvis SOC for booting from NAND device to happen.Boot ROM copies only the Initial Program Loader(IPL),autenticates the IPL and jumps to execute the IPL.IPL is a small program whose responsibilty is to download and execute the rest of the Program Image.Also a brief description is given on the various components of the IPL(Initial Program Loader).

Figure 1-15. ROM copies the IPL and jump to execute it

The various components that needs to be present in the IPL is dependent on the HAB_TYPE[2:0] fuse values.The Figure shown below shows the typical example about the IPL image layout.

DCD DATA : Device configuration data.This block consist of the Barker value(0xB17219E9),length of the DCD,then the access type- address -value triplets.External Flash Header : The Length of the IPL has to be present in this field.It is expected to be present at the location where DCD data ends.APPLN : Customer application Code.Flash Header : This Block Contains the Information about the IPL.This is expected to be present at a fixed offset.For Nand,this is at 0x400byte offset from the base address.CSF DATA : Certificate and Command sequence file dataSRK DATA : Super Root key data.

BOOT ROM

Download and Jump

INITIAL PROGRAM LOADER

(IPL)

System Boot



Figure 1-16. IPL Component Layout in Flash and the Destination Memory

DCD DATA

SRK DATA

CSF DATA

FLASH HEADER

Flash header 0x400

Flash base 0x000

APPLN

External flash headerDCD DATA

SRK DATA

CSF DATA

FLASH HEADER

APPLN

0x90000000

0x90000300

0x90000400

0x90000500

0x90004F00

External flash header

NAND FLASH

DESTINATION MEMORY

app_start_addrapp_barkercsf_ptrdcd_ptr_ptrsrk_ptrdcd_ptrapp_dest_ptr

Flash header structure

IPL Component layout in Flash and the Destination Memory(CSD0)

0x90000100

System Boot



The IPL should consist of the following components for various HAB TYPE values :-

Case 1: HAB TYPE = ENGG(001’b)

1.FLASH HEADER (APP HDR)2.APPLICATION (APPLN)3.CSF data (CSF - Not Mandatory)4.RSA Exponent and modulus(SRK data- Not Mandatory)5.DCD Data( DCD)

Case 2: HAB TYPE = PROD(Any value in the range 000’b to 111’b other than 001’b and 100’b)

1.FLASH HEADER (APP HDR )2.APPLICATION (APPLN )3.CSF data (CSF )4.RSA Exponent and modulus(SRK data)5.DCD Data( DCD)

Case 3: HAB TYPE = SECURITY DISABLED(100’b)

1.FLASH HEADER (APP HDR)2.APPLICATION (APPLN )

For the ROM to Work with SLC NAND Flash(Device Model Details :512 byte PageSize,8 bit Bus Width, 3 Address Cycle,128 byte Spare Area),the Fuses below has to be configured as Shown below.

BT_MEM_CTL[1:0] = 01BT_MEM_TYPE[1:0] = 00BT_BUS_WIDTH[1:0] = 00BT_PAGE_SIZE[1:0] = 00BT_MLC_SEL = 0 BT_SPARE_SIZE = 0

In addition to these fuses mentioned above,HAB TYPE[2:0]fuses and the BMOD pins has to be set as per the Intended case.

For Internal Boot Mode operation, the IPL for Nand has to have the Flash Header placed at an Offset of 0x400 from the base address.

System Boot



1.13.2 Flash Header detailsCase 1 ENGG mode :

In BMOD[1:0] = 00(Internal Mode) with HAB TYPE[2:0] = 010(ENGG), then the FLASH HDR need to have a proper app_start_addr, app_barker(0x000000B1), dcd_ptr_ptr, dcd_ptr, app_dest_ptr. The Other pointers in the Flash header can be NULL.

dcd_ptr_ptr: This must be set to point to the dcd_ptr which is present in the flash header structure.dcd_ptr points to the DCD data which is expected to be in the format as Suggested in the Device Configuration Data (DCD) section of the System Boot chapter.This field must be set to FLASH_HEADER start address + 0x14 (e.g., if the flash header starts at 0x1FFEA400, then dcd_ptr_ptr field must have a value of 0x1FFEA400 + 0x14 = 0x1FFEA414)

ROM Copies the Initial 4K data from the Flash to the nfc buffer,Installs the DCD data,then copies the initial 4k data from the nfc buffer onto the destination address pointed by the app_dest_ptr. In the IPL,at the end of the DCD table,length of the IPL is expected by the ROM code.ROM uses this field to copy the rest of the Image from the NAND device onto the destinaton RAM pointed by the app_dest_ptr.

The format of the srk_ptr can be found from the Flash header Section of the System boot chapter.

If the app_dest_ptr is an IRAM address,then no DCD needs to be Installed.In this case the DCD data can have only the DCD-barker field and the DCD-block-length field whose value is equal to zero.

A typical Flash header structure for ENGG mode is shown below:-

struct flash_hdr { UINT32 app_start_addr; UINT32 app_barker; UINT32 csf_ptr; UINT32 dcd_ptr_ptr; const hab_rsa_public_key *srk_ptr; UINT32 dcd_ptr; UINT32 app_dest_ptr; }const start_app = {0x90000300, 0x000000B1, 0x00, (0x90000400+0x14), 0x00, 0x90000100,0x90000000};

Case 2 PROD mode:

In BMOD[1:0] = 00(Internal Mode) with HAB TYPE[2:0] = PROD,then the FLASH HDR need to have all the elements properly filled.ROM Copies the Initial 4K data from the Flash to the nfc buffer,Installs the DCD data,then copies the initial 4k data from the nfc buffer onto the destination address pointed by the app_dest_ptr.

System Boot



In the IPL,at the end of the DCD table,length of the IPL is expected by the ROM code.ROM Uses this Field to Copy the rest of the Image from the NAND device onto the Destination RAM pointed by the app_dest_ptr. Then the Security check is performed on the Downloaded Code.

Following region in the IPL has to be signed.

1.Flash Header 2.Application Code3.DCD data.

These regions has to be mentioned in the CSF certificate while doing the Signing.The SRK HASH values have to be blown onto the Fuses SRK_HASH[255:0].The SCC key values has to be blown onto the fuses SCC_KEY[0:163],if not blown then the SCC will be moved to insecure state and Production test case fails.The Unique ID UID[0:63],Customer Code HAB_CUS[7:0] fuses also have to be blown to appropriate values that matches with that present in the CSF file.A typical Flash header structure for PROD mode is shown below:-struct flash_hdr { UINT32 app_start_addr; UINT32 app_barker; UINT32 csf_ptr; UINT32 dcd_ptr_ptr; const hab_rsa_public_key *srk_ptr; UINT32 dcd_ptr; UINT32 app_dest_ptr; }const start_app = {0x90000300, 0x000000B1, 0x90000500, (0x90000400+0x14)), 0x90004F00, 0x90000100,0x90000000}; Case 3 Security Disabled Mode:In BMOD[1:0] = 00(Internal Mode) with HAB TYPE[2:0] = 100(Security Disabled),then the FLASH HDR need to have only the app_start_addr and the app_barker whose value is 0x000000B1.ROM Will Copy the initial 4k data onto the nfc buffer and check for the barker value and jump to the app_start_addr.Example of flash header can be as follows:-struct flash_hdr { UINT32 app_start_addr; UINT32 app_barker; UINT32 csf_ptr; UINT32 dcd_ptr_ptr; const hab_rsa_public_key *srk_ptr; UINT32 dcd_ptr; UINT32 app_dest_ptr; }const start_app = {0xCFFF0000, 0x000000B1, 0x0, 0x0, 0x0, 0x0,0xCFFF0000};Note : -In this case IPL should be linked to NFC Buffer as DCD processing is not supported in Security Disabled Mode.

mx51 boot block guide 1.3

Documents