AVR Bootloader protection

Does anyone have any good way to protect an AVR from accidental flash / erase commands?

Imagine a bug in the application software causes a jump into the bootloader - that just happens to be around the code that calls page erase or page write - so that routine does what it's supposed to, writes random data to a random page or erases a random page. There is no protection, SPM works b/c we are in bootloader code.

How can you protect against this? It seems the lock bits are no good b/c once you set them you have to do a chip erase to clear them.

Ideally you would be able to stop the chip from being able to jump to any code in the bootloader, only being able to get there from a reset. But this isn't a reality.

Thanks for any thoughts,
Ralph


Define 8 positions in the boot loader that the CPU must run through to get to the boot loader write. In each position, the CPU sets a bit of a byte. When exiting the bootloader, clear this byte.

Let an interrupt clear this byte periodically. It should verify that it is clear in a loop:

volatile BYTE x; do x = 0; while (x != 0);

The code generated would be similar to: LDI r16,0 ST (z),r16

And you don't want to jump into the routine at the ST instruction with R16 set to 0xff.

The only instructions that set the bits should be in the bootloader, so unless you execute the boot loader from the start, you should not have all bits set.

There is always the chance that you do an indirect store of 0xFF to this location but the chance is reduced significantly when this is done.

It is a little similar to how you can use a watchdog. Set a bit if a certain task has executed. If all bits are set, service the watchdog and clear the byte. If not all tasks have executed at least once in the watchdog period, the reset will come.

Best Regards,
Ulf Samuelsson   ulf@a-t-m-e-l.com
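The scheme Ulf describes above, written out as an added example (this is not code from the thread, and not Atmel's or anyone's bootloader). It runs on a PC: the SPM instruction is stood in for by a write into a fake flash array, so the page size, page count, the eight checkpoint sites, the three watchdog tasks and every name are illustrative assumptions. It covers both halves of the post: the breadcrumb byte that gates the page write, and the same trick applied to a watchdog.

```c
/* Added example, not code from the thread: host-side simulation of Ulf's
 * "breadcrumb byte" gate for bootloader writes and of the related watchdog
 * scheme. The SPM instruction is replaced by a write into a fake flash array
 * so it runs on a PC; page size, checkpoint sites and names are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 128u
#define NUM_PAGES 8u

static uint8_t fake_flash[NUM_PAGES * PAGE_SIZE];

/* Gate byte in RAM. Only the eight checkpoint calls on the bootloader's normal
 * path set its bits; it is cleared on exit (and periodically from a timer
 * interrupt on a real part, as the post suggests). */
static volatile uint8_t spm_gate;

/* The clear-and-verify loop from the post: do x = 0; while (x != 0); */
static void gate_clear(void)
{
    do {
        spm_gate = 0;
    } while (spm_gate != 0);
}

/* Checkpoint i (0..7) sets one bit; a stray jump into the middle of the path
 * skips the earlier ones, so the byte is not 0xFF when the write is reached. */
static void gate_checkpoint(uint8_t i) { spm_gate |= (uint8_t)(1u << i); }

/* SPM wrapper: touches flash only when every checkpoint has been passed. */
static int spm_write_page(uint8_t page, const uint8_t *data)
{
    if (spm_gate != 0xFFu || page >= NUM_PAGES)
        return -1;                  /* gate closed or bad page: do nothing */
    memcpy(&fake_flash[page * PAGE_SIZE], data, PAGE_SIZE);
    return 0;
}

/* Legitimate flow: eight stages, each dropping its breadcrumb before the
 * write. In a real bootloader these are eight distinct code sites. */
static int bootloader_program(uint8_t page, const uint8_t *data)
{
    int rc;
    gate_clear();
    gate_checkpoint(0);             /* entered from the reset vector   */
    gate_checkpoint(1);             /* command byte parsed             */
    gate_checkpoint(2);             /* address received                */
    gate_checkpoint(3);             /* page buffer filled              */
    gate_checkpoint(4);             /* checksum verified               */
    gate_checkpoint(5);             /* page address range checked      */
    gate_checkpoint(6);             /* page erase done                 */
    gate_checkpoint(7);             /* immediately before the SPM call */
    rc = spm_write_page(page, data);
    gate_clear();                   /* leave the gate closed on exit */
    return rc;
}

/* Application bug: control lands directly on the write routine while the
 * gate is in its normal cleared state, so the write is refused. */
static int stray_jump_into_write(uint8_t page, const uint8_t *data)
{
    return spm_write_page(page, data);
}

static uint8_t flash_byte(uint8_t page, unsigned off) { return fake_flash[page * PAGE_SIZE + off]; }

/* Constructed sample page image for the demo. */
static uint8_t sample_page[PAGE_SIZE];
static const uint8_t *fill_sample(uint8_t v) { memset(sample_page, v, sizeof sample_page); return sample_page; }

/* Watchdog variant: each task sets its bit when it has run; the watchdog is
 * serviced (and the byte cleared) only when every bit is set. */
#define NUM_TASKS 3u
static volatile uint8_t task_ran;

static void task_done(uint8_t i) { task_ran |= (uint8_t)(1u << i); }

/* Once per watchdog period: 1 = service the watchdog, 0 = let it reset us. */
static int wdt_period_end(void)
{
    if (task_ran != (uint8_t)((1u << NUM_TASKS) - 1u))
        return 0;
    task_ran = 0;
    return 1;
}

int main(void)
{
    printf("legit write: %d\n", bootloader_program(2, fill_sample(0xA5)));
    printf("stray jump:  %d  flash[3][0]=0x%02X\n",
           stray_jump_into_write(3, sample_page), flash_byte(3, 0));
    task_done(0); task_done(1);
    printf("wdt 2 of 3:  %d\n", wdt_period_end());
    task_done(2);
    printf("wdt 3 of 3:  %d\n", wdt_period_end());
    return 0;
}
```

Build with any C99 compiler. The legitimate path programs page 2 and returns 0, the simulated stray jump into the write routine returns -1 and leaves page 3 untouched, and the watchdog is only serviced once all three task bits are set. The caveat in the post still holds: the check is a single compare against 0xFF, so an indirect store of 0xFF into the gate byte would open it; the scheme lowers the odds, it does not make them zero.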

So I guess the answer is there is no way you can 100% protect your application from accidental corruption of the image if you are using a bootloader.

Why is there not a write-only register - called something like SPM DISABLE - that can only be cleared by a reset? As SPM can already be disabled by the processor, it seems like that would only be a couple of latches and would make it easy to protect your application.

