I want to access the AAP registers to unlock a device. How can I get access to these?
The AAP registers are only accessible through the debug interface, and only when the device is locked. To lock the device you have to clear the Debug Lock Word (DLW), see the Reference Manual. This is the only way to lock the debug access, both from software and from the debugger.
When the device is locked the AAP registers can be accessed with J-Link Commander (JLink.exe). Below is a sequence of commands run in J-Link Commander that will unlock a previously locked chip. Note that there is no possibility of unlocking a locked device without mass erasing it. This method will only work if the device is already locked.
To access the AAP registers we have to use the Serial Wire Debug Port (SW-DP). The documentation for this interface can be found in ARM Debug Interface Architecture Specification. The most important part is the SELECT register which selects the current Access Port (AP). For accessing AAP, APSEL should be 0. When accessing APs only 4 registers can be accessed at the same time. The field APBANKSEL in the SELECT register specifies which. To access AAP_CMD, AAP_CMDKEY and AAP_STATUS, APBANKSEL should be 0x0. To access AAP_IDR, APBANKSEL should be 0xf.
The following definitions are used below.
EFM32_AAP_ID 0x16e60001 // Device is locked
EFM32_AHBAP_ID 0x24770011 // Device is unlocked
EFM32_DPID 0x2ba01477 // Debug port ID
# Initiate SWD interface (only needed if pin reset has been asserted after USB 0 was issued)
# Read DPID - should return value EFM32_DPID
# SELECT register: APSEL = 0x0, APBANKSEL = 0xf
SWDWriteDP 2 0xf0
# Dummy read AP address 0xFC. Ignore this value
# Read AP address 0xFC. This should be EFM32_AAP_ID when the device is locked.
# If the device is NOT locked it will instead read EFM32_AHBAP_ID
# SELECT register: APBANKSEL = 0
SWDWriteDP 2 0x00
# Enter the unlock key to AAP_CMDKEY to enable writing to AAP_CMD
SWDWriteAP 1 0xcfacc118
# Set erase bit in AAP_CMD
SWDWriteAP 0 0x1
# Check the AAP_STATUS register for erase BUSY bit, erase should take ~40ms
# Do a dummy read first
# The device can be reset by setting erase bit in AAP_CMD
SWDWriteAP 0 0x2
I am busy with an EFM32GG280F1024 and try to load a binary with the Segger JLink.
I tried your Segger commands to unlock and erase the EFM32.
The commands seem to work, but the EFM32 is not erased. There is still the bootloader firmware at memory position 0x00.
Is the bootloader firmware locked with an other mechanism?
I use the following Segger command to load the binary into the flash:
loadbin /home/prj/Inreda/InrAp1F1/main.bin 0
Any suggestions why it is not loaded?
kind regards, Erik Postma
Is the device locked before you enter these commands? Specifically, do you read 0x16e60001 when reading AP address 0xFC? (Note that the post actually had a typo before, you need to read this register twice in order to get the correct value. I have edited the post above).
If the MCU is not locked, the erase command will not work and the bootloader will still be kept. The segger 'loadbin' command does not work with EFM32 devices. Instead use the energyAware Commander to load the binary. This GUI tool also has a command line interface if you require that.
I locked debug mode in the board with efm32gg processor.
I'm using efm32g_dvk that unlock the controller.
After using function unlock with unlocking successful from dvk, I try to writing firmware into GG and st-link2 answered me target is cortex-m3 not found.
I'm read the flash-memory from adress 0xFE041FC (Debug Lock Word) and value of this adress is 0.
I using openOCD for read memory and programming GG-chip.
Help solve the problem, please.
P.S.: Before this problem I'm try locking all flash and ULW, DLW, MLW and using procedure unlock of dvk.
And thenGG was unlocked.
OK. I can access the EFM32 with JLinkExe. The problem was, that I could not load the firmware. I did use loadbin, so it is now clear why that does not work.
I loaded my firmware with eACommander and it works fine. I did not know eACommander has also commandline options. Flashing firmware also works fine with the commandline. Now I can put the flash instruction in my make-file.
There is only one thing I could not find. After flashing I have to disconnect the EFM32 form the JLink and the power-line. There are more commandline option and have tried some, but I could not find a way to reset the EFM32 and let it start executing the firmware.
Suggestion how I can restart the EFM32 with the JLink programmer?
kind regards, Erik Postma
The energyAware Commander has a --reset option. Does not that work?
Filip, give me answer to my question (v.s.)
VSBochkov: It seems your problem is unrelated to the AAP register (you can successfully unlock the device). Please start a new topic in the Q&A forum and provide details about what happens when you try to connect. I am not able to understand exactly what the problem is.
I reopen this topic. I have brand new EFM32GG/LG/WG device with preprogrammed bootloader from factory, which is unlocked. I have very simple question - Can I erase the flash memory of unlocked device using AAP registers? Can it be done or not?
1. Turn the power-on, set reset pin L
2. send AAP window expansion sequence
3. release reset
4. send initialize SWD sequences -> 56clock with SWDIO high + JTAG-to-SWD sequence(0x79E7,MSB first) + 56 clock with SWDIO high
5. read value 0x2BA01477 from DP IDCODE register
6. select Bank F in DP select register (~ SWDWriteDP 2 0xF0 command)
7. dummy read of AP (~ SWDReadAP 3 command)
8. read ID value from DP (~ SWDReadDP 3 command)
What is the readed value from this reading? AAP ID value or AHB-AP ID?
9. If I read AAP ID value, now I can access the AAP register and I can evoke mass erase from AAP registers. But from time to time at this time I cannot read AAP ID value (0x16E60001) but AHB-AP value 0x24770011. Why? I assume that If i perform AAP extended sequence then AAP registers can be accessed permanently... What is the reason for this AHB-AP/AAP ID changes?