USER'S GUIDE

Timed Access provides statistical protection. It is unlikely that randomly generated states (for example, a processor executing garbage after a crash) will correctly match the sequence and timing required to pass the Timed Access logic. Presented below is a brief justification for each bit that is protected by Timed Access.

The EWT bit is protected to prevent errant software from disabling the Watchdog Timer. The Watchdog is one of the important mechanisms that assure correct operation and should not be turned off accidentally. RWT is the bit that software uses to restart the Watchdog time-out. The Secure Microcontroller makes this more difficult by protecting the bit with Timed Access, so software must "really" intend to restart the time-out in order to do so. Note that the Watchdog Timer is disabled in Stop mode. Critical applications which rely on the Watchdog Timer should exercise caution if the application will utilize Stop mode.

POR informs the software of the power supply condition. Specifically, it means the power has previously dropped below the VCCMIN level and returned to normal. In many systems this is a unique condition that requires interaction with external hardware. Protecting this bit with a Timed Access procedure prevents the micro from accidentally performing a power-on reset procedure when no such condition has occurred.

On a DS5000 series device, the PAA bit allows software to alter the Partition. If this is done accidentally, the resulting configuration could be unrecoverable without human intervention: the software could select a Partition that is outside of the user's plan and that causes the system to fail. In a like manner, the PA3-0 bits on a DS5001 series device are protected through Timed Access. As the DS5001 does not have a PAA bit, the Partition control bits are protected directly. The motivation for protecting the AE bit is similar. This bit invokes a Partitionable configuration where one had not been selected during Bootstrap loading. While there are several valid reasons to select AE, accidentally selecting this condition might be unrecoverable without manual intervention.

Note that the Timed Access logic protects against the possibility of a single inadvertent write modifying a critical control bit. It does not protect against inadvertently entering a section of code that contains the correct sequence to modify a protected bit: a wild jump that lands on the start of a legitimate Timed Access sequence in the application's own code will still succeed. However, the statistical protection does greatly improve the system's resilience to a crash.

Watchdog Timer

The on-chip Watchdog Timer provides a method of restoring proper operation after transients that cause the loss of controlled execution of software. When the Watchdog Timer is enabled, it will reach a timeout condition after 122,800 machine cycles unless it is restarted by the application software; an internal reset to the CPU is generated if the timeout condition is ever reached. Software which utilizes the Watchdog Timer must periodically restart the timer by setting the RWT bit (through Timed Access) so that the timeout is never reached during normal operation. The restart operation(s) should be inserted at critical check points in the program. The Watchdog Timer thus monitors program execution to ensure that these check points are reached, indicating proper operation. If controlled execution of the software is lost so that these check points are not encountered within the timeout period, then the Watchdog Timer provides an automatic reset. A block diagram of the Watchdog Timer is shown in Figure 8-2.

The Special Function Register bits that are used to control the Watchdog include the Enable Watchdog Timer bit (EWT; PCON.2), the Reset Watchdog Timer bit (RWT; IP.7), and the Watchdog Timer Reset status flag (WTR; PCON.4). The Watchdog Timer incorporates a free-running counter that starts counting as soon as the clock oscillator begins operation following a Power On Reset. If a 12 MHz crystal is used as the time base element, this gives a timeout period of 122.88 ms. The Watchdog Timer Reset function is enabled with a Timed Access write operation which sets the EWT bit to a 1. A Watchdog Timer Reset will then occur the next time that the free-running counter reaches its timeout condition.

Regardless of whether the Watchdog Timer will be used, it should be initialized after each reset. If the Watchdog Timer is desired, the first step is to restart the timer count. This is necessary since the timer is free running and may be about to time out. Set the RWT bit to a logic 1 using a Timed Access procedure; this restarts the timer with the full interval. Then enable the Watchdog Timer reset function by setting the EWT bit to a logic 1, again with a Timed Access procedure. Note that the EWT bit only controls whether the reset is issued, not whether the timer runs. This is why RWT must be set before EWT: enabling the reset first, with a nearly expired count, can reset the CPU before the first restart. The Watchdog Timer must now be restarted before 122,800 machine cycles elapse or it will reset the CPU. If the Watchdog Timer is not used, then clear the EWT bit to a logic 0 using a Timed Access procedure. Since the EWT bit is nonvolatile, this makes certain that the Watchdog reset function remains disabled.
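The following C model is an added example and is not the guide's own code or Dallas firmware. It implements the Timed Access gate introduced at the top of this page (the AAh, 55h prelude followed by the protected write) together with the free-running Watchdog counter, so that the two points made above can be checked directly: a write to EWT or RWT without the prelude, with the bytes in the wrong order, or after the window has closed is ignored, and arming EWT before restarting the count with RWT resets the CPU when the free-running counter happens to be near its timeout. Bit positions and the 122,800-cycle timeout are the guide's; the TA register address (C7h) and the AAh/55h values are from the DS5000 register description, which is not on this page. The 3-machine-cycle width of the open window, the two-cycle cost of each write instruction, and RWT reading back as 0 are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of the Timed Access gate and Watchdog Timer (added
 * example, not Dallas code).  Bit positions and the timeout count are the
 * guide's; TA's address is from the DS5000 register map.  Assumed here:
 * the gate stays open 3 machine cycles after the 55h write lands, each
 * write instruction costs the cycles its caller passes, RWT reads as 0. */

#define SFR_PCON 0x87
#define SFR_IP   0xB8
#define SFR_TA   0xC7
#define PCON_EWT 0x04               /* Enable Watchdog Timer reset (protected)  */
#define PCON_WTR 0x10               /* Watchdog Timer Reset status flag         */
#define IP_RWT   0x80               /* Restart Watchdog Timer count (protected) */
#define WDT_TIMEOUT_CYCLES 122800UL /* timeout count quoted in the guide        */
#define TA_WINDOW_CYCLES   3        /* assumed width of the open gate           */

enum ta_state { TA_IDLE, TA_GOT_AA, TA_OPEN };

struct mcu {
    enum ta_state ta;
    unsigned ta_window;     /* machine cycles left while TA_OPEN */
    uint8_t pcon, ip;
    uint32_t wdt_count;     /* free-running; restarted only by RWT or a reset */
    unsigned wdt_resets;    /* CPU resets the watchdog has issued */
};

/* Post-reset state.  `count` lets a caller place the free-running counter
 * near its timeout, the situation the initialization order must survive. */
void mcu_init(struct mcu *m, uint32_t count)
{
    memset(m, 0, sizeof *m);
    m->wdt_count = count;
}

/* One machine cycle: age the open gate and advance the watchdog counter. */
void mcu_tick(struct mcu *m)
{
    if (m->ta == TA_OPEN && --m->ta_window == 0)
        m->ta = TA_IDLE;                        /* gate timed out */
    if (++m->wdt_count >= WDT_TIMEOUT_CYCLES) {
        m->wdt_count = 0;
        if (m->pcon & PCON_EWT) {               /* EWT gates the reset, not the count */
            m->wdt_resets++;
            m->pcon |= PCON_WTR;                /* tell software why it was reset */
        }
    }
}

void mcu_run(struct mcu *m, uint32_t cycles) { while (cycles--) mcu_tick(m); }

/* One SFR write instruction lasting `cycles` machine cycles.  The gate is
 * sampled when the instruction starts and the value lands when it ends.
 * Returns false only if a protected bit was addressed with the gate shut. */
bool sfr_write(struct mcu *m, uint8_t reg, uint8_t val, unsigned cycles)
{
    bool gate_open = (m->ta == TA_OPEN);
    bool accepted = true;
    mcu_run(m, cycles);
    if (reg == SFR_TA) {                        /* MOV TA,#0AAH then MOV TA,#55H */
        if (val == 0xAA) m->ta = TA_GOT_AA;
        else if (val == 0x55 && m->ta == TA_GOT_AA) { m->ta = TA_OPEN; m->ta_window = TA_WINDOW_CYCLES; }
        else m->ta = TA_IDLE;                   /* wrong byte or wrong order */
        return true;
    }
    if (reg == SFR_PCON) {
        if (((m->pcon ^ val) & PCON_EWT) && !gate_open)
            accepted = false;                   /* EWT change ignored */
        m->pcon = (uint8_t)((val & ~PCON_EWT) | ((accepted ? val : m->pcon) & PCON_EWT));
        m->ta = TA_IDLE;                        /* one protected write per prelude */
    } else if (reg == SFR_IP) {
        if (val & IP_RWT) {
            if (gate_open) m->wdt_count = 0;    /* restart with the full interval */
            else accepted = false;
        }
        m->ip = (uint8_t)(val & ~IP_RWT);       /* RWT assumed to read back as 0 */
        m->ta = TA_IDLE;
    }
    return accepted;
}

/* Timed Access write: MOV TA,#0AAH / MOV TA,#55H / then the protected write. */
bool ta_write(struct mcu *m, uint8_t reg, uint8_t val)
{
    sfr_write(m, SFR_TA, 0xAA, 2);
    sfr_write(m, SFR_TA, 0x55, 2);
    return sfr_write(m, reg, val, 2);
}

/* The order the guide prescribes after reset: restart the count (RWT,
 * ORL IP,#80H) before enabling the reset function (EWT, ORL PCON,#04H).
 * Arming first leaves a gap in which a nearly expired count resets the CPU. */
bool watchdog_enable(struct mcu *m)
{
    bool kicked = ta_write(m, SFR_IP, m->ip | IP_RWT);
    return ta_write(m, SFR_PCON, m->pcon | PCON_EWT) && kicked;
}
```

The gate check at the start of the protected write is what makes the protection statistical: stray code has to produce two specific byte values to one specific address, in order, and then touch the protected register within a few machine cycles, so random execution almost never gets through, while a jump onto a legitimate prelude in the application's own code does. Calling `ta_write` on IP at each check point is the periodic restart the text describes; `mcu_init` with a count just short of `WDT_TIMEOUT_CYCLES` reproduces the post-reset hazard that the RWT-before-EWT order avoids.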

050396 66/173

Mitsubishi DS5000TK, DS907x SIP manual