Define 8 positions in th eboot loader that the CPU must run though to get to the boot loader write. In each position, the CPU sets a bit of a byte.. When exiting the bootloader, clear this byte.
Let an interrupt clear this byte periodically. It should verify that it is clear in a loop
volatile BYTE x; do x = 0; while (x != 0);
The code generated would be similar to: LDI r16,0 ST (z),r16
And you dont want to jump into the routine at the ST instruction with R16 set to 0xff.
The only instructions that set the bits should be in the bootloasder unless you execute the boot loader from the start,. you should not have all bits set.
There is always the chance that you do an indirect store of 0xFF to this location but the chance is reduced significantly when this is done.
It is a little similar to how you can use a watchdog. Set a bit if a certain task has executed. If all bits are set, service the watchdog, and clear the byte. If not all tasks has executed at least once in the watchdog period the reset will come.
--
Best Regards,
Ulf Samuelsson ulf@a-t-m-e-l.com
This is a personal view which may or may not be
share by my Employer Atmel Nordic AB
skrev i meddelandet
news:1105303676.224988.97460@c13g2000cwb.googlegroups.com...
> Does anyone have any good way to protect an AVR from accidential flash
> / erase commands?
>
> Imagine, a bug in the application software causes a jump into the
> bootloader - that just happens to be around the code that calls page
> erase or page write - so that routine does what's it's supposed to,
> writes random data to a random page or erases a random page. There is
> no protection, SPM works b/c we are in bootloader code.
>
> How can you protect from this - seems the lock bits are no good b/c
> once you set them you have to do a chip erase to clear them.
>
> Ideally you would be able to stop the chip from being able to jump to
> any code in the bootloader, only being able to get there from a reset.
> But this isn't a reality.
>
> Thanks for any thoughts
> Ralph
>