AN-1263
APPLICATION NOTE
One Technology Way • P.O. Box 9106 • Norwood, MA 02062-9106, U.S.A. • Tel: 781.329.4700 • Fax: 781.461.3113 • www.analog.com
Security Integrity of the ADuCM350

INTRODUCTION
The ADuCM350 offers various features developed to address the following three goals:
•    To ensure that the device conditions are suitable for code execution
•    To prevent unauthorized access or copying of user code
•    To prevent tampering of a device with the intention of altering its intended use
This application note outlines the initialization, real-time checking, authentication, flash, JTAG/serial wire, failure analysis, and serial downloader features.

INITIALIZATION
Power supply monitors ensure that the device is properly powered and do not allow execution outside an acceptable range. Monitoring is continuous.

Flash hardware performs a CRC32 signature check of all flash information space memory (factory installed kernel) before the first instruction fetch is performed. This validates that the flash can be reliably accessed.

Upon completion of kernel execution, a CRC32 signature check of user Page 0 is performed before the first user instruction is performed.
•    Signature check is performed using forward signature only.
•    During development, the check can be skipped if the signature written to flash (Address 0x7FC) is 0xFFFFFFFF.

REAL-TIME CHECKING
Word parity checking on each flash access can be performed to prevent code execution in the event of an intermittent bit failure. It monitors and detects, but does not make corrections.

Under user control, forward and backward hardware accelerated CRC32 signature checking across any number of pages can be performed, as an interval check, during run time.

An integrated watchdog timer monitors real-time operation or monitors the part in hibernate mode.

AUTHENTICATION
A truly random number generator implemented in the hardware allows the formulation of challenge responses.

An optional elf hash calculation across instruction space can be performed and stored within flash. During user code execution, a hash function can be called to authenticate flash user code (this complements the CRC signature check feature).

FLASH
Write protection of individual pages can be programmed to prevent accidental overprogramming of flash memory.

In general, all flash commands are key protected to avoid accidental flash operations, such as program, erase, and so on.

JTAG/SERIAL WIRE
As a feature, JTAG/serial wire access is user controlled, preventing debug access and viewing of user code.
•    On power up, JTAG/serial wire access is disabled if a control key has been programmed by the user in the reserved space of user flash (Address 0x5FFE8). Otherwise, the JTAG/serial wire access is enabled. The value of the control key is 0x16032010.
•    Additionally, JTAG/serial wire access can be enabled/disabled in the application code by writing to the FEECON1 register.

FAILURE ANALYSIS
Analog Devices, Inc., has access to the device for failure analysis, but cannot view customer code without the assistance of the customer.

Failure analysis of flash-related issues can only be accomplished in cooperation with the customer (a user-specified key must be supplied to Analog Devices).

SERIAL DOWNLOADER
Using the UART interface, a part can be bulk erased and reprogrammed. This is useful in the event a part is improperly programmed, such as if the debug access is locked out.

For bulk erase, there must be access to a pin dedicated to this purpose. This allows the customer to protect access to the downloader pin.

The serial downloader does not have read capability, thus user code is protected.
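
ADDED EXAMPLE (not part of the original application note, and not Analog Devices code): a host-side release check that inspects a flash image for the two words this note names, the Page 0 signature at Address 0x7FC and the JTAG/serial wire control key at Address 0x5FFE8. It assumes a flat binary whose offset 0 maps to flash address 0, little-endian words, and that flash beyond the end of the image stays erased (0xFFFFFFFF); it does not recompute the CRC32, because the note does not give the algorithm parameters.

```python
import struct

# Values taken from the application note.
SIGNATURE_ADDR = 0x7FC        # CRC32 signature word for user Page 0
SIGNATURE_SKIP = 0xFFFFFFFF   # development value: boot-time check is skipped
DEBUG_KEY_ADDR = 0x5FFE8      # reserved space of user flash
DEBUG_KEY = 0x16032010        # control key that disables JTAG/serial wire

# Assumption (not from the note): flash not covered by the image is erased
# and reads back as 0xFFFFFFFF.
ERASED_WORD = 0xFFFFFFFF


def read_word(image, addr):
    """Return the little-endian 32-bit word at addr, or the erased value
    if the image ends before that address."""
    if addr + 4 > len(image):
        return ERASED_WORD
    return struct.unpack_from("<I", image, addr)[0]


def audit_image(image):
    """Return a list of release-blocking findings for a production image."""
    findings = []
    if read_word(image, SIGNATURE_ADDR) == SIGNATURE_SKIP:
        findings.append("signature at 0x7FC is 0xFFFFFFFF: "
                        "boot-time CRC32 check of Page 0 is skipped")
    key = read_word(image, DEBUG_KEY_ADDR)
    if key != DEBUG_KEY:
        findings.append(f"control key at 0x5FFE8 is 0x{key:08X}, not "
                        "0x16032010: JTAG/serial wire enabled at power up")
    return findings


def build_sample(signature, key=None):
    """Constructed sample image: erased flash with the two words patched in.
    With key=None the image stops at 0x800, so the key location is absent."""
    size = DEBUG_KEY_ADDR + 4 if key is not None else 0x800
    image = bytearray(b"\xFF" * size)
    struct.pack_into("<I", image, SIGNATURE_ADDR, signature)
    if key is not None:
        struct.pack_into("<I", image, DEBUG_KEY_ADDR, key)
    return bytes(image)


if __name__ == "__main__":
    # 0x1234ABCD is a constructed placeholder, not the CRC32 of any image.
    samples = [("development", build_sample(0xFFFFFFFF)),
               ("production", build_sample(0x1234ABCD, DEBUG_KEY))]
    for name, img in samples:
        print(name, audit_image(img) or "ok")
```

A clean result covers only the power-up state; application code that writes FEECON1 can still change debug access at run time and has to be reviewed separately.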
REVISION HISTORY
11/13—Revision 0: Initial Version
©2013 Analog Devices, Inc. All rights reserved. Trademarks and
registered trademarks are the property of their respective owners.
AN11794-0-11/13(0)