F29H85x-SDK  1.02.01.00
 
Uart Flash Programmer

Table of Contents

Texas Instruments F29x UART Flash Programmer CLI Example Package

Located in F29H85X-SDK /flash_programmers/uart_flash_programmer

Introduction

This page provides a brief rundown of the F29x UART Flash Programmer.

The UART Flash Programmer is a command-line interface (CLI) tool that runs on a PC and communicates with an F29x device via UART. It can be used to load firmware1 via UART boot mode. It can also communicate with a UART secondary bootloader (SBL) running on the device to perform more advanced operations, such as programming the device's flash memory. See RAM-based UART SBL and Flash-based UART SBL for more detail.

The Flash Programmer CLI is supported on Windows and Linux operating systems. Precompiled executables are included for Windows, and a CMake build script is provided for Linux.

‍1. In HS-FS (High Security - Field Securable) state, boot authorization is disabled, and a special mode called RAMOPEN is enforced, which prevents instructions from executing in flash. Therefore, RAM-based SBL is used for peripheral boot to receive and execute Flash Programmer commands.

  • For more information, please see the "RAMOPEN Feature" of the ROM section in the F29H85x Technical Reference Manual (TRM).
Attention
For more information, please see Application Note on Serial Flash Programming for F29x Device.

Build from source

Two methods are provided to compile the source code found under /src directory:

  • (Windows only) VS Project : User should import uart_flash_programmer.sln into Visual Studio and build the project.
  • (Linux & Windows) CMake: A CMakeLists.txt file is provided to build the project using CMake.
    1. Use build_cmake.sh to automate CMake build
      • Do chmod +x build_cmake.sh && ./build_cmake.sh
    2. Manual instructions on building CMake:
      • In the terminal, proceed to create a build folder and cd into folder via
        • mkdir build && cd build
      • Generate CMake artifacts via
        • cmake -S .. -DCMAKE_BUILD_TYPE={Debug/Release}
      • Build the CMake project via
        • cmake --build .
      • The generated executable would be called uart_flash_programmer under the build folder

Precompiled executables

Two versions of the precompiled Windows executable are provided for this example:

  • uart_flash_programmer.exe (x86_64)
    • Peripheral(UART) boot is enabled at startup
      • The program will start by sending the RAM-based SBL image to the device in UART boot mode, after which the ROM will hand off device control to the SBL. The user will then be prompted with options to communicate with the SBL running on the device.
      • Note: As dictated by the ROM flow, peripheral boot must occur before any subsequent HSM operations for Key Provisioning (KP) and Code Provisioning (CP) when using the RAM-based SBL. For more information on the ROM and its prerequisite setup, please refer to the "ROM bootloader" section of the Application Note.
    • If a custom SBL is used without Flash Programmer's packet protocol, --boot-only parameter can be added to only load the SBL in UART boot and exit.
  • uart_flash_programmer_appIn.exe (x86_64)
    • Peripheral(UART) boot is disabled
      • The program will bypass the peripheral boot step and directly prompt the user with the available options.
      • This requires that the SBL is already running on the device, such as Flash-based SBL.
      • To achieve this in a custom build, undefine the macro ENABLE_PERIPHERAL_BOOT in include/Common.h
include/Common.h
//
// Define the macro to download ram-based sbl image to the device via periperial (UART) boot mode. Occurs during program startup.
// It's the only difference between (non-appIn vs appIn) precompiled executable
//
#define ENABLE_PERIPHERAL_BOOT
Note
Although precompiled executables are not provided for Linux, they can be easily generated by editing include/Common.h with the desired configuration and running the build_cmake.sh script as described previously.

Device Types (Device Lifecycle)

F29H85x device progress through a lifecycle defined by their security state. The following table lists the MCU device types (also known as device lifecycles) and their corresponding security policies:

F29x Device Type
HS-FS
(High Security - Field Securable) 		• No authentication on device boot
• No device security features are enforced except load HSM auth
• No SSU Security Configuration protection
HS-KP
(High Security - Key Provisioned) 		• Requires authentication on device boot
• Device security features are enforced
• SSU security configuration are cleared and uses default settings
• A temporary state prior to HS-SE
HS-SE
(High Security - Security Enforced) 		• Requires authentication on device boot
• Device security features are enforced
• SSU security configuration are configured and is protected by HSM2
• Secure boot enabled and Root-of-Trust on user key

‍2. While the Hardware Security Module (HSM) is independent of the Safety and Security Unit (SSU), which governs the C29x CPU and memory security model via its security configuration, the HSM does validate and protect the Security Configuration when device security features are enabled.

‍For more information. Refer to the SSU section of the F29H85x TRM.

Device Conversion

By default, any out-of-the-box device is in the HS-FS state. This indicates that the device comes with the manufacturer's key, and no HSM security features are enforced. In the HS-FS state, the CPU is permitted to directly program its flash banks without the HSM, and is denoted as unsecure programming.

Device conversion from HS-FS to HS-SE is performed through provisioning, two operations must be conducted:

  1. Provision the deivce with a custom key
  2. Flash SSU Security Configuration (Sec Cfg BLOB)

The first operation is known as Key Provisioning (KP), which converts an HS-FS device into a temporary HS-KP state.

The second operation is part of Code Provisioning (CP), which converts an HS-KP device into an HS-SE device with full device, CPU, and memory security enabled.

KP & CP

Key Provision (HS-FS to HS-KP):

     During Key Provisioning, the user can replace the TI-provided key with a custom private key via OTP Keywriter service. Once a new custom key is provisioned successfully, the device converts to the HS-KP state after a power-on reset (PORSn). Authentication is now enforced, and the user must supply the correct X.509 certificate-appended binary images, security configurations, or keys to pass authentication for future operations.

Code Provision (HS-KP/SE to HS-SE):

     Code Provisioning encompasses the secure flashing of the Sec Cfg, CPU flash, and HSM flash, all of which require HSM authentication and validation. In the HS-KP state, successfully programming the Security Configuration will convert the device to HS-SE after a power-on reset (PORSn). Although the order of flashing operations is not strictly enforced, it is recommended to flash the Sec Cfg first, followed by the HSM flash and then the CPU flash. Code Provisioning supports all flash bank modes.

The UART Flash Programmer CLI and RAM-based UART SBL supports Key and Code Provisioning as available options.

Attention
For more information regarding HSM security software, security features, and the provisioning flow in detail, please request access to the TIFS-SDK for F29H85x , available on the same TI download page as the F29H85X-SDK for F29H85x .

Flash Bank Modes

The following is a brief summary of the F29H85x device flash bank modes:

(For F29H85x devices with smaller flash configurations, reduce each flash size by the same ratio.)

F29H85x Bank modes
Mode 0 • Bank swap disabled
• CPU1 4MB flash
• CPU3 flash disabled
Mode 1 • Bank swap enabled
• CPU1 2MB flash
• CPU3 flash disabled
Mode 2 • Bank swap disabled
• CPU1 2MB flash
• CPU3 2MB flash
Mode 3 • Bank swap enabled
• CPU1 1MB flash
• CPU3 1MB flash

By default, an out-of-box device is in mode 0.

Attention
For more information on flash bank modes and their allocated addresses, refer to the F29H85x device datasheet.

DFU, FOTA and LFU

Throughout various documents, these terms are used to represent different firmware upgrade terminologies. In the context of F29H85x , they are described as follows:

Device Firmware Upgrade (DFU):

  • Programming directly to active flash banks. No firmware can run from flash during DFU.
    • No flash bank mode restrictions
  • Performs the firmware upgrade via a device reset (CPU1.WDRSn, CPU1.SYSRSn, XRSn, PORSn) in flash boot or a branch instruction to the flash entry point.
    • Note: When using peripheral boot in the HS-FS state, RAMOPEN is enforced, which prevents instructions from executing in flash. Therefore, the user must perform a device reset.

Firmware Over-The-Air (FOTA):

  • Programming to dormant flash whilst user application is running.
    • Bank mode 1 & 3 only
  • Performs the firmware upgrade via a device reset (CPU1.WDRSn, CPU1.SYSRSn, XRSn, PORSn) in flash boot.

Live Firmware Upgrade (LFU):

  • Programming to dormant flash whilst user application is running.
    • Bank mode 1 & 3 only
  • Performs the firmware upgrade whilst user application is running.
    • Addintional restrictions apply due to timing constraint of live firmware switching.

The most relevant firmware upgrade method depends on the service model and end-user application requirements.

RAM vs Flash-based SBL

The UART Flash Programmer can interface with either a RAM-based or a Flash-based UART SBL. Their primary differences are outlined below:

SBL Comparison
RAM-based UART SBL Flash-based UART SBL
Former name Flash Kernel Boot Manager
Type Temporary, runs in RAM Persistent, resides alongside of user application
Device boot SBL loads via:
• Periperial UART boot (.bin)
• CCS Debug3 (.out) 		SBL loads via:
• Flash boot (.bin)
(programmed by RAM-based SBL)
• CCS Flash3 (.out)
• Uniflash3(.out)
Which programmer to use • uart_flash_programmer.exe
• build w/ ENABLE_PERIPHERAL_BOOT 		• uart_flash_programmer_appIn.exe
• build w/o ENABLE_PERIPHERAL_BOOT
Unsecure Programming
(HS-FS only) 		DFU
• Programs to active flash bank
• supports all bankmode - 0,1,2,3 		FOTA
• A/B partition, programs to dormant flash bank
• supports bankmode 1 and 3
Secure Programming Secure KP & CP
• Interface with OTP Keywriter
• DFU in mode 0 and 2
• FOTA in mode 1 and 3 		Secure CP (HS-SE only)
• FOTA
HSM Firmware
(Pre-req for secure programming) 		RAM-based HSM runtime Flash-based HSM runtime
Use case • Initial device bringup & conversion
• DFU service model 		• FOTA service model

As described, the primary purpose of the RAM-based SBL is for initial device bring-up, such as supporting KP to provision private keys, which converts the device to HS-KP and subsequently to HS-SE with CP commands.

In contrast, the Flash-based SBL is programmed by the RAM-based SBL and is part of the device firmware that activates upon receiving Flash Programmer commands. Its functionality is a streamlined version of the RAM-based SBL, tailored for FOTA. It requires the RAM-based SBL to set up the appropriate bank modes and security states before the Flash-based SBL can be booted.

‍3. Only available in HS-FS (unsecure programming). This will not work in HS-KP or HS-SE, since boot authentication and the JTAG debug firewall are enabled by default.

Running the program

The Flash Programmer is a command-line tool. Run it from a terminal with the required arugments.

Windows Example:

uart_flash_programmer.exe -d <device> -p <COM_PORT> [other options]

Linux Example:

./uart_flash_programmer -d <device> -p <COM_PORT> [other options]

The program can be run interactively, where it will prompt for operations and wait for user input, or in an automated mode using the --input parameter to provide a sequence of commands.

For details on peripheral boot and avilable commands, see the sections below.

Peripheral UART boot

To load a RAM-based SBL via device peripheral, first set the device boot pin into UART boot.

TRM Section 4.3, Device Boot Modes
F29H85x Default Boot Modes
Boot Mode GPIO72
(Default boot mode select pin 1) 		GPIO84
(Default boot mode select pin 2)
Parallel IO 0 0
UART 0 1
CAN 1 0
Flash 1 1

Then reset / plug-in the device to the PC, so Boot ROM is in UART Boot. And run the UART Flash Programmer (uart_flash_programmer.exe or build with ENABLE_PERIPHERAL_BOOT).

In UART Boot, ROM will first send SoC ID strings via UART, and then waits for incoming UART data before timeout occurs(~2min) & switches to Wait Boot. Once it receives UART data, it'll echo back the data, or stops if something fails to validate. The flash programmer monitors the echo-back data and will exit with failure status if the echoed back does not match the expected data.

Therefore, if Flash Programmer receives an unmatched data and exits, simply reset the device (XRSn suffice) and retry again.

However, if a UART bootload of an image is consistently stuck (ROM stopped echoing back data which stops programmer from progressing), user can visually observe where data transfer stopped and have a clue of what happened:

  • ROM stops reading at 4th byte
    • Improper certificate format
    • ROM expects X.509 certificate to always start with 0x3082
  • ROM stops before 4096th bytes
    • Certificate unmatched SMPK
    • Boot authentication is enabled and ROM couldn't verify the key (unmatched key hash)
  • ROM stops at the end of image
    • Unmatched signature
    • Boot authentication is enabled and ROM couldn't verify the image signature (unmatched signature)

BootROM Invalid Certificate Format

See the image above on an example of bootloading an example that has improper X.509 format.

/note Since ROM sends out SoCID string at the start of UART Boot and UART Flash Programmer monitors echo-back data for validation, while it is unlikely for a mannual run to experience the clash between the two, when automating the flow, please make sure device power-on/reset is at least 100ms apart from invoking the UART Flash Programmer for UART boot.

Generating Combined Image with X.509 Certificate

All application & SBL images must be in binary format and be prepended with a X.509 certificate. Even in HS-FS where authentication is disabled, the ROM and SBL still use the length field of a dummy certificate to determine how many bytes to read.

To generate the combined image with an X.509 certificate, please refer to the post-build steps in the RAM/Flash-based SBL examples. (Note that the Flash-based SBL also incorporates additional steps to combine the bootloader code and application firmware).

  • In CCS 20+, Post-build steps can be found under (Project) Properties->Build->Steps

In addition, refer to the various signing scripts located in F29H85X-SDK /tools/boot/signing.

Flash Programmer Supported Parameters

Syntax:
uart_flash_programmer.exe -d f29h85x -p <COM/tty Port> -k <Ram-based SBL image>.bin
-a1 <Unsecure CPU1 application image>.bin -sr <Ram-based HSM runtime image>.bin -sk <user key>.cert -s1 <Secure CPU1 application image>.bin
-sh <Flash-based HSM application image>.bin -sc <sec cfg image>.bin -q -w
-k, --kernerl is not available for appIn.exe (w/o ENABLE_PERIPHERAL_BOOT)
-hb, --hostbaud is not available for non-appIn.exe (w/ ENABLE_PERIPHERAL_BOOT)

Supply -h or –help as a parameter will prompt the following message: 

    F29x UART Firmware Programmer
    Supported parameters are:

    -d,  --device <device>     - The device family of the target device:
                                (f29h85x, f29p58x, f29p32x)
    -p,  --port   <port>       - Serial COM/tty port used for UART communication.
                                (port format: COM<num>, /dev/ttyUSB<num>, /dev/ttyACM<num>)
    -k,  --kernel    <file>    - File path for ram-based sbl (formerly flash kernel)
    -a1, --appcpu1   <file>    - File path for Flash-based C29 CPU1 application image (HS-FS Only)
    -a3, --appcpu3   <file>    - File path for Flash-based C29 CPU3 application image (HS-FS Only)
    -sr, --hsmrt     <file>    - File path for RAM-based HSM runtime (HSMRt) image    (Prerequisite for KP & CP)
    -sk, --hsmkeys   <file>    - File path for HSM keys image                         (HS-KP key provision)
    -s1, --cpappcpu1 <file>    - File path for Flash-based C29 CPU1 application image (HS-SE code provision)
    -s3, --cpappcpu3 <file>    - File path for Flash-based C29 CPU3 application image (HS-SE code provision)
    -sh, --cpapphsm  <file>    - File path for Flash-based HSM application image      (HS-SE code provision)
    -sc, --cpseccfg  <file>    - File path for Sec Cfg program image                  (HS-SE code provision)
    -e1, --entryaddr <hex_num> - (optional) Override entry address of the C29 CPU1 application
    -tb, --targetbaud  <dec_num> - (optional) Propose the specified UART baudrate amongst target & host when reconfiguring UART (automatic in non-appIn). If not set, by default the target-proposed baudrate would be used.
    -hb, --hostbaud    <dec_num> - (appIn ONLY) Configures host with the alternate UART baudrate. Use this param when target's baudrate is different than the default baudrate (BootROM's UART boot baudrate).

    Note: -d, -p are mandatory parameters. -k is mandatory in non-appIn
        Images must be in binary format and includes an X.509 certificate.

    -i, --input <,>  - Provide command input options via parameter rather than keyboard input to the console
                    (format: comma-separated values <num,num>, for example "--input 3,4,11,15")
    --boot-only      - Only do peripheral boot and exits the program right after. Can be used to load any SBL without programmer's packet protocol support.

    -h, --help       - Show this help.
    -l, --log <file> - Log mode. Redirect all non-essential printouts to the specified file, will override -q mode
    -q, --quiet      - Quiet mode. Suppress all non-essential printouts
    -w               - Wait on keypress before exiting
    --version        - Display version information

    Syntax: -d f29h85x -p COM41 -k ram_based_uart_sbl.bin --appcpu1 c29_cpu1_application.bin --entryaddr 10001000 --hsmrt HSM_runtimeImage.bin --hsmkeys HSM_customKeyCert.bin --cpseccfg sec_cfg_cert.bin --cpappcpu1 c29_cpu1_application.bin -cpapphsm hsm_application.bin -l output.log

Flash Programmer Operations

When running the program, after the peripheral UART boot (if applicable) , the user will be prompted with the following options:

Flash Programmer Command Options

Programming Commands:

  • 1. CPU1 DFU/FOTA
    • HS-FS only
    • If selected, the host will send the Flash-based CPU1 command and its application image to the SBL, which then programs it using the C29 Flash API. The default flash start address is 0x10000000.
    • Mandatory parameter: -a1 (–appcpu1)
  • 2. CPU3 DFU/FOTA
    • HS-FS only
    • If selected, the host will send the Flash-based CPU3 command and its application image to the SBL, which then programs it using the C29 Flash API. The default flash start address is 0x10400000.
    • Mandatory parameter: -a3 (–appcpu3)
  • 3. Load HSM RAM Image
    • Note: This step is the prerequisite for any RAM-based SBL's Key Provision & Code Provision flow
    • If selected, host will send a RAM-based HSM runtime image to the device and subsequently boot the runtime image in HSM.
    • Mandatory parameter: -sr (–hsmrt)
  • 4. Load HSM Key
    • This step transitions the device into HS-KP by burning a user key. The OTP Keywriter (in the form of a RAM-based HSM runtime) must be loaded prior to this operation.
    • If selected, the host will send the custom key to the SBL. The SBL then requests a keywriter service from the HSM. Upon success, a device reset transitions the device into HS-KP.
    • Mandatory parameter: -sk (–hsmkeys)
  • 5. Program Sec Cfg
    • HS-KP or HS-SE
    • This step is needed to transition from HS-KP to HS-SE. Unlike other programming operations, the Sec Cfg sector image does not need to be prepended with an X.509 certificate, as it already contains one.
      • For more on generating Sec Cfg sector image, see F29H85X-SDK /tools/misc/genSeccfgBin.py and Driverlib SSU examples that utilitizes the script to generate a sector image.
    • If selected, host will send the sector image to program Sec Cfg sectors. If the device is in HS-KP, it'll convert into HS-SE upon success with a device reset.
    • Mandatory parameter: -sc (–cpseccfg)
  • 6. Load HSM Flash Image
    • HS-KP or HS-SE
    • Note: This step is the prerequisite for any Flash-based SBL's Code Provision flow (Need to be loaded by RAM-based SBL).
    • If selected, host will send the Flash-based HSM application image to be programmed via HSM services.
    • Mandatory parameter: -sh (–cpapphsm)
  • 7. Load C29 CPU1 Image
    • HS-KP or HS-SE
    • If selected, host will send the Flash-based CPU1 application image to be programmed via HSM services. The default start flash address is 0x10000000.
    • Mandatory parameter: -s1 (–cpappcpu1)
  • 8. Load C29 CPU3 Image
    • HS-KP or HS-SE
    • If selected, host will send the Flash-based CPU3 application image to be programmed via HSM services. The default start flash address is 0x10400000.
    • Mandatory parameter: -s3 (–cpappcpu3)

Utility Commands:

  • 10. Sync Device Status
    • If selected, host will send command and wait for SBL response message.
    • Note: In Flash-based SBL, the response message will also indicate if the application firmware has been booted.
  • 11. Get SocID Info
    • If selected, SBL will respond with SocID informations populated by ROM and parse it accordingly.
    • Contains ROM info, firmware version and HSM security info.
  • 12. Get Boot ROM Status
    • If selected, SBL will respond with brom_status information populated by ROM and parse it accordingly.
    • Contains ROM runtime info, boot errors, NMI entries, SSU and Flash information
    • The status is not be up-to-date with run time status as ROM only populates it at boot time.
  • 13. Run CPU1
    • If selected, CPU1 will either branch to the default entry address or to an alternate entry address if -e (–entryaddr) is provided.
    • Optional parameter: -e1 –entryaddr < hex address >
  • 14. Run CPU3
    • If selected, CPU1 will configure CPU3 to bring it out of reset and load ram/flash entry address depending on the SBL type.
  • 15. Reset CPU1
    • If selected, CPU1 will invoke watchdog timer and reset the CPUs & HSM (CPU1.WDRSn).
  • 19. Configure UART Baud Rate
    • If selected, the host will send a new baud rate request. The SBL then responds with the new baud rate that it chooses, and both the host and target will switch to this new rate.
    • An optional baud rate proposal (-tb, –targetbaud) can be sent with the request, and the SBL will attempt to conform to the proposed rate. This is useful when the baud rate needs to be adjusted due to board/setup limitations or for testing different rates.
    • Note: If ENABLE_PERIPHERAL_BOOT is enabled, host will automatically send this command immediately after peripheral boot to increase the data transfer speed for all subsequent commands to the RAM-based SBL.
    • Optional parameter: -tb, –targetbaud <decimal baud>
  • 20. Set Bankmode 0
    • If selected, SBL will attempt to set flash bank mode to 0.
    • HS-FS only, not yet implemented for CP.
  • 21. Set Bankmode 1
    • If selected, SBL will attempt to set flash bank mode to 1.
    • HS-FS only, not yet implemented for CP.
  • 22. Set Bankmode 2
    • If selected, SBL will attempt to set flash bank mode to 2.
    • HS-FS only, not yet implemented for CP.
  • 23. Set Bankmode 3
    • If selected, SBL will attempt to set flash bank mode to 3.
    • HS-FS only, not yet implemented for CP.
  • 0. Done
    • Exits the program with return status

Changelog

Shown below lists all the software revision history for the uart flash programmer:

Software Version SDK Release Changelog
v1.00.00 1.00.00.00 First release, in F29H85X-SDK
v1.01.00 1.01.00.00 Enhancements:
  • Added cpu3 support
v2.00.00 1.02.01.00 Enhancements:
  • Added new packet protocol support
  • Added debug print logs for failure
  • Added program bank modes option
  • Added SoCID parsing and Brom Status parsing script
  • Added alternate baud rate command and logic
  • Added automation flow via –input parameter
  • Changed to C++ 20 Standard
  • Modified build_cmake.sh for faster build and dialog

Addintional resource

Help and Support

For additional help and support, please visit E2E™ design support forum

API usage

APIs for Uart Flash Programmer