
Course Introduction

Purpose
• The intent of this course is to provide an overview of the operation and function
of the system protection features of the HCS08 architecture.

Objectives
• Describe each of the HCS08 system protection features.
• Describe how to use the HCS08 system protection features to protect against
code runaway or unexpected behavior.
• Describe how to configure and operate each of the HCS08 system protection
features.

Content
• 18 pages
• 3 questions

Learning Time
• 25 minutes

Welcome to the HCS08 System Protection Features course. These features are
designed to provide greater system integrity and greater system protection while
your software is operating.

The intent of this course is to provide an overview of the operation and function of
the system protection features of the HCS08 architecture. These features, which
can be used to provide greater stability and performance in your programs, include
the computer operating properly (COP) watchdog timer; a low-voltage detection
system, which includes a low-voltage warning (LVW) and a low-voltage detect
(LVD); illegal opcode (ILOP) and illegal address (ILAD) detection; loss-of-lock and
loss-of-clock detection; and flash memory protection features.

This course will describe each of the HCS08 system protection features. It will also
examine how to use these features to protect against code runaway or unexpected
behavior. Finally, this course will describe how to configure and operate each of the
system protection features.

What is System Protection?
• Protection in the case of:
– Sudden loss of power
– Code runaway
– Software processing errors

• Which can cause:


– Flash and memory corruption
– Unstable/unpredictable input and output states and behavior

• System protection features of the HCS08:


– COP Watchdog timer
– LVW and LVD
– ILOP and ILAD detection
– Loss-of-lock and loss-of-clock detection
– Flash memory protection features

Let's begin by looking at system protection and why it is necessary. System
protection, in this course, refers to protection against a sudden loss of power (or a
gradual loss of power), code runaway (corruption of your program counter), and
software processing errors.

Any of these types of situations can result in flash and memory corruption as well as
unstable and unpredictable input and output states and behavior. The features
shown here are designed to protect against these types of situations.

COP Watchdog Timer
• Free-running counter cleared by user code

• Provides system integrity protection

• Allows the CPU to recover to a known, fixed state after unexpected events:
– Runaway software
– Software processing errors

• Includes a selectable time-out period

• Timer resets microcontroller if not serviced within the time-out period

• Enabled by default

Now, let’s move on to the COP Watchdog timer (also known as the COP timer).

First of all, it is a free-running counter that is cleared by user code. It provides
system integrity protection by containing any unexpected or undesired system
behavior to a minimum amount of time and, in so doing, contains the behavior to a
minimum number of instruction cycles.

The COP timer allows the CPU to recover to a known, fixed state after some sort of
unexpected event (such as runaway software or a software processing error)
occurs. The COP timer also allows you to select the time-out period and the length
of the time-out period.

The COP timer resets the microcontroller if it is not cleared manually by the user
software within the time-out period. As a result, the timer requires application
software intervention to prevent it from resetting the part.

The COP timer is turned on and enabled by default out of reset, so you must
actively disable it using software if you choose not to use the timer.

COP Watchdog Timer
• Configuration handled in SOPT registers:
– SOPT (in GB/GT)
– SOPT1 and SOPT2 (in QG)

• From reset, the COP timer:


– Is enabled automatically
(Can be disabled by clearing COPE bit)
– Defaults to longest time-out period
(Can be shortened by clearing COPT bit)
– Defaults to 1-KHz clock source (in QG)
(Can be clocked from bus clock by clearing COPCLKS in SOPT2)

• Changes to COP timer configuration can be done only once after reset of
part. All the control bits are write-once.

The COP Watchdog timer can be configured using the system option (SOPT)
registers. These registers will vary slightly from microcontroller to microcontroller.
Please refer to the microcontroller data sheet for the device you are using in order
to obtain exact details of bit and register locations.

In the GB and GT family parts, the COP timer configuration is contained in the
SOPT registers. In the QG family parts, the timer configuration is contained in the
system option registers 1 and 2 (SOPT1 and SOPT2).

As stated previously, the COP timer is automatically enabled. It can be overridden
and disabled by clearing the COP enable (COPE) bit. The COP timer always
defaults to its longest time-out period between resets. You can adjust this default
setting by clearing the COP time-out (COPT) bit, which is also located in the SOPT
registers. In the case of the QG family, the COP timer defaults to the slower 1-KHz
clock source by clearing the COP clock select (COPCLKS) in SOPT2. This action
will result in the longest possible time-out period.

All of these configuration bit changes can only be done once after the part is reset
because all of these control bits are write-once only. You will learn why this is
important later in the course.

COP Watchdog Timer

Control Bits      Clock Source   COP Overflow Count       Device
COPCLKS  COPT
   0      0       ~1 KHz         2^5 cycles (32 ms)(1)    HCS08QG
   0      1       ~1 KHz         2^8 cycles (256 ms)(1)   HCS08QG
   1      0       Bus            2^13 cycles              HCS08QG, HCS08GB/GT
   1      1       Bus            2^18 cycles              HCS08QG, HCS08GB/GT

(1) Values are shown in this column based on tRTI = 1 ms.

COPT: Selects the number of clock cycles before COP timer expires

COPCLKS: Allows the COP timer to be clocked from the CPU bus clock or 1-KHz
internal clock source (on some devices)

Let's take a look at the COP Watchdog timer configuration bits.

Depending on the microcontroller involved, some of the features shown here may or may not be
present. In the simplest case, the GB/GT family, there is only a COPT bit, which simply allows
you to choose the time-out period of the COP timer. It is either 2^13 cycles of the bus clock or 2^18
cycles of the bus clock, a short and a long period.

In the case of the QG family, you have the options mentioned previously, as well as an
additional bit, the COPCLKS bit. This bit allows you to choose not only the CPU bus clock as
your clock source, but it also allows you to select an internal 1-KHz clock source, which is
significantly slower and allows for different COP time-out values. As you can see in this table,
the 1-KHz clock source allows you to choose either a 2^5 cycle or 2^8 cycle count, which results in
approximately 32 milliseconds or 256 milliseconds, respectively. That assumes that your 1-KHz
clock is nominally 1 KHz.

In the case of the bus clock being your clock source, the COP timer does not increment when
the microcontroller is in Stop mode. The timer simply stops; once the STOP instruction is
issued, the COP timer stops counting. Once the microcontroller exits Stop mode, the timer
resumes counting from where it stopped. If you are using the 1-KHz clock source, the COP
timer is actually reinitialized to a value of zero as the part is put into Stop mode. Once the
microcontroller exits Stop mode, the COP timer starts counting again from zero. Note that the 1-
KHz clock source will run, even if the bus clock is lost.

It is important to understand that by selecting all these different times, you make a tradeoff
between the level of system protection you have and the amount of work that has to be done by
the application software. The shorter the COP time-out period is, the more often you need to
reset the COP timer so that it doesn't reset the microcontroller. It also means that code
runaway, in that type of situation, is allowed a fewer number of instruction cycles that it can
execute before the COP timer resets the part (which minimizes the amount of possible damage
or unexpected behavior).
COP Watchdog Timer

Refresh rate depends on COP clock frequency (1 KHz or bus clock).

For example:
COP clock source = bus clock
Bus clock = 16 MHz
COPT = longest time-out (2^18 clock cycles)

COP time-out = 2^18 COP clock cycles / 16,000,000 COP clock cycles/second
             = 262,144 / 16,000,000
             = 0.016384 seconds, or 1.6384 ms

This means that the COP timer must be serviced in software at least
every 1.638 ms or so to prevent the microcontroller from resetting.

Let’s look at a calculation that determines the COP time-out. Assume that you
select the bus clock as your clock source (in the case of the GB/GT family, that is
the only clock source available), your bus clock is running at 16 MHz, and your
COPT bit is set for your longest time-out period (2^18 cycles). You can see from the
calculations shown here that you get approximately 1.638 milliseconds between
COP timer resets. This means that you must execute a COP servicing routine (clear
the COP timer) manually in your user software at least once every 1.638
milliseconds to prevent it from resetting the microcontroller.

COP Watchdog Timer

• Initialization:
– Always write the COP timer configuration, even when using default values
(locks in values and prevents accidental clearing of COPE bit).

• Operation:
– Software clearing of the COP timer is performed by writing any value to the
SRS register.
– COP timer bit in the SRS register indicates that a COP timer reset has
occurred.

• Tips for more robust system protection:


– Always place COP timer service code into main software loop.
– Don’t place COP timer servicing in ISRs or other subroutines.
– Use a single section of code to clear the COP timer, inside main loop.

So, what do you need to know about setting up the COP Watchdog timer? Let’s discuss a few
hints that will help you maximize the use of this timer.

As far as initialization goes, even if you choose to use the default settings for the COP timer for
your application, you should always write the COP timer configuration bits. This locks in the
values and prevents any accidental clearing of the COPE bit. For example, if you encounter a
code runaway situation and you have not written to the COP timer configuration bits, it is
possible that the runaway code will actually clear the COPE bit. This would disable the COP
timer and the code would continue to run away unchecked.

During the operation of the COP timer, what other things can you do? The actual servicing of
the COP timer is done by writing a value to the system reset status (SRS) register. If you get a
reset on the part and you check the SRS register and see that the COP bit is set, then it
indicates that the COP timer did reset the part.

You should always place the COP timer servicing code in your main software loop. Do not place
it inside an interrupt service routine (ISR) or other subroutine. It is possible that the subroutine
will begin to execute, particularly if it is in an ISR. The subroutine may execute continuously and
periodically, and continue to clear the COP timer. You will then have code executing even
though you are effectively in a code runaway situation.

In addition, you should always use a single section of code to clear the COP timer. It is easier to
calculate and predict how often you are servicing the COP timer if you only do it in one place in
your code. It is possible that your code will take too much time to execute and you may need to
clear it in multiple places. However, you should always service the COP timer in as few places
in your code as possible. Note that the COP timer is disabled when the microcontroller is in
active background debug mode.
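The configuration and servicing rules above, as an added example that is not part of the original course: a small C model of the COP timer (written for this edit, not Freescale code) with write-once SOPT bits, a free-running counter that is cleared by writing SRS, and the overflow counts from the configuration table. The register bit positions and the use of one SOPT byte for COPE, COPT and COPCLKS are assumptions of the model; take the real locations from the device data sheet. The model follows the table, so COPCLKS = 0 selects the ~1 KHz source. For the slide's inputs (16 MHz bus clock, 2^18 cycles) cop_timeout_seconds returns 0.016384 s, which is 16.384 ms; the narration's "1.638 ms" figure drops a digit.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit masks for the simulated SOPT and SRS registers. The positions are
 * placeholders for this model; take the real ones from the device data sheet.
 * (On the QG family COPCLKS lives in SOPT2; the model keeps one byte.) */
#define SOPT_COPE    0x80u   /* COP enable, write-once                      */
#define SOPT_COPT    0x40u   /* 1 = longest time-out, 0 = shortest          */
#define SOPT_COPCLKS 0x20u   /* 1 = bus clock, 0 = ~1 kHz (as in the table) */
#define SRS_COP      0x20u   /* reset was caused by the COP timer           */

typedef struct {
    uint8_t  sopt;        /* system options; control bits are write-once   */
    bool     sopt_locked; /* true once SOPT has been written after reset   */
    uint8_t  srs;         /* system reset status: cause of the last reset  */
    uint32_t cop_count;   /* free-running COP counter, in COP clock cycles */
} mcu_t;

/* Overflow count selected by COPT and COPCLKS, as in the course table:
 * ~1 kHz source: 2^5 or 2^8 cycles; bus clock: 2^13 or 2^18 cycles. */
uint32_t cop_timeout_cycles(uint8_t sopt)
{
    bool longest = (sopt & SOPT_COPT) != 0;
    if (sopt & SOPT_COPCLKS)
        return longest ? (1u << 18) : (1u << 13);
    return longest ? (1u << 8) : (1u << 5);
}

/* Time-out period in seconds; bus_hz is only used when COPCLKS selects it. */
double cop_timeout_seconds(uint8_t sopt, uint32_t bus_hz)
{
    double clock_hz = (sopt & SOPT_COPCLKS) ? (double)bus_hz : 1000.0;
    return (double)cop_timeout_cycles(sopt) / clock_hz;
}

/* Reset state: COP enabled, longest period, ~1 kHz source (the documented
 * defaults), write-once lock released, reset cause recorded in SRS. */
void mcu_reset(mcu_t *m, uint8_t cause)
{
    m->sopt = SOPT_COPE | SOPT_COPT;
    m->sopt_locked = false;
    m->cop_count = 0;
    m->srs = cause;
}

/* Only the first SOPT write after reset takes effect. Writing it at start-up
 * is what stops a later stray write by runaway code from clearing COPE. */
bool sopt_write(mcu_t *m, uint8_t value)
{
    if (m->sopt_locked)
        return false;
    m->sopt = value;
    m->sopt_locked = true;
    return true;
}

/* Servicing the COP: any write to SRS clears the counter. */
void cop_service(mcu_t *m) { m->cop_count = 0; }

/* Advance the COP clock by n cycles; true if the COP reset the part. */
bool cop_tick(mcu_t *m, uint32_t n)
{
    if (!(m->sopt & SOPT_COPE))
        return false;                 /* COP disabled: it never fires */
    m->cop_count += n;
    if (m->cop_count < cop_timeout_cycles(m->sopt))
        return false;
    mcu_reset(m, SRS_COP);
    return true;
}

/* Scenario 1: runaway code writes 0 to SOPT. With the configuration locked
 * at start-up the COP still fires after 2^18 bus cycles; without the lock
 * the stray write disables it and the runaway continues unchecked. */
bool runaway_is_caught(bool lock_config_at_startup)
{
    mcu_t m;
    mcu_reset(&m, 0);
    if (lock_config_at_startup)
        sopt_write(&m, SOPT_COPE | SOPT_COPT | SOPT_COPCLKS);
    sopt_write(&m, 0x00);             /* stray write from runaway code */
    return cop_tick(&m, 1u << 18) && (m.srs & SRS_COP) != 0;
}

/* Scenario 2: a main loop that takes cycles_per_pass bus cycles per pass and
 * services the COP once per pass, in a single place. True if it survives. */
bool main_loop_survives(uint32_t cycles_per_pass, unsigned passes)
{
    mcu_t m;
    mcu_reset(&m, 0);
    sopt_write(&m, SOPT_COPE | SOPT_COPT | SOPT_COPCLKS);   /* 2^18 bus cycles */
    for (unsigned i = 0; i < passes; i++) {
        if (cop_tick(&m, cycles_per_pass))
            return false;             /* loop too slow: COP reset the part */
        cop_service(&m);
    }
    return true;
}
```

runaway_is_caught(true) returns true because the locked configuration ignores the stray write, while runaway_is_caught(false) returns false, which is the unchecked-runaway case the text warns about. main_loop_survives(200000, 50) succeeds and main_loop_survives(300000, 50) does not, since a pass longer than 262,144 bus cycles misses the service window.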
Question
What are some of the features of the COP Watchdog timer? Select all that
apply and then click Done.

It must be actively enabled using software.

It allows the CPU to recover to a known, fixed state after some sort of unexpected
event.

It includes a fixed time-out period.

It is a free-running counter that is cleared by user code.

It resets the microcontroller if it is not cleared within the time-out period.

It provides system integrity protection by containing any unexpected or undesired
system behavior.

Check your understanding of the COP Watchdog timer.

Correct.
The COP Watchdog timer allows the CPU to recover to a known, fixed state after
some sort of unexpected event. The timer is also a free-running counter that is
cleared by user code, and it resets the microcontroller if it is not cleared manually by
the user software within the time-out period. The timer provides system integrity
protection by containing any unexpected or undesired system behavior. It is turned
on and enabled by default out of reset, so you must actively disable it using
software if you choose not to use the timer. It is also configurable to allow you to
select the time-out period and the length of the time-out period.

Low-voltage Detection System

• LVW
– Additional warning that VDD is falling
– Flag, not an interrupt
– Selectable for either 2.1V or 2.4V nominal

• LVD
– Can be configured as a reset or interrupt
– 1.8V nominal trip (default)
– 2.1V nominal trip also available
– Can be set to function in Stop mode

Now that you understand how to use the COP Watchdog timer, let's look at another
system protection feature: the low-voltage detection system. The low-voltage
detection system is comprised of two components: the LVW and the LVD.

The LVW indicates that your voltage is dropping on VDD. The LVW is a flag, not an
interrupt, and its level is selectable for either 2.1V or 2.4V nominal.

The LVD can be used to trigger a reset or interrupt on the microcontroller. Its level is
also configurable, either 1.8V or 2.1V nominal. The LVD can also be set to function
in Stop mode.

In battery applications, it is useful to use the LVW to detect a falling battery voltage
while the system still has enough power to operate. For example, the system can
store away data into non-volatile memory (NVM) to prepare for an imminent battery
replacement. Additionally, the LVW is a useful warning when the LVD is configured
to reset the part by providing an early indication to the software that a reset might
be coming soon.

Low-voltage Detection System

VDD falling from the normal operating voltage:

LVWV – Warning Voltage Select: 1 – VLVWH (High Trip Point); 0 – VLVWL (Low Trip Point)
LVDV – Detect Voltage Select: 1 – VLVDH (High Trip Point); 0 – VLVDL (Low Trip Point)

• VDD reaches VLVW: Low-voltage Warning
– Sets LVWF only

• VDD reaches VLVD: Low-voltage Detect
– Sets LVDF
– Triggers interrupt when enabled by LVDIE
– Forces microcontroller to reset when enabled by LVDRE

Low-voltage detection system controls and flags are located in the system power
management status and control registers.

Now, it’s time to examine the control bits for the low-voltage detection system as
well as how the trip points relate to each other.

Under normal operating conditions, neither the flags nor any of the low-voltage
detection circuitry should give you any interrupts. However, as the voltage drops
down to the warning voltage level, either the high trip point or the low trip point,
the low-voltage warning flag (LVWF) will be set.

If the voltage continues to drop to the level of the low-voltage detection threshold,
either its high trip point or low trip point depending on how it is configured by the
low-voltage detection voltage (LVDV) bit, then the low-voltage detection circuitry
kicks in. If an interrupt is enabled with the low-voltage detection interrupt enable
(LVDIE) bit, that will trigger an interrupt, with the low-voltage detection flag (LVDF)
set. If the low-voltage detection reset enable (LVDRE) bit is also set, that will reset
the microcontroller based on this low-voltage detection. Note: Low-voltage detection
system controls and flags are located in the system power management status and
control registers.

The low-voltage detection circuitry is very useful in battery-type applications and
applications where the supply voltage may be unexpectedly interrupted or
unexpectedly decay.
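The trip-point relationships described above, as an added example that is not part of the original course: a C model (written for this edit, not Freescale code) of how LVWV, LVDV, LVDIE and LVDRE turn a falling VDD into the LVWF and LVDF flags and into an interrupt or reset. The nominal trip voltages are the ones the course states; the configuration struct, the millivolt representation and the decision order (reset takes precedence over interrupt when both are enabled) are assumptions of the model, and the real thresholds carry tolerances given in the device data sheet. The example goes one step beyond the text by computing the headroom between the warning and detect trip points, which is zero when LVWV = 0 and LVDV = 1 are combined, since both are 2.1V nominal.

```c
#include <stdbool.h>
#include <stdint.h>

/* Nominal trip points from the course, in millivolts. */
#define VLVWH_MV 2400   /* LVWV = 1: high warning trip point         */
#define VLVWL_MV 2100   /* LVWV = 0: low warning trip point          */
#define VLVDH_MV 2100   /* LVDV = 1: high detect trip point          */
#define VLVDL_MV 1800   /* LVDV = 0: low detect trip point (default) */

typedef struct {
    bool lvwv;   /* warning voltage select */
    bool lvdv;   /* detect voltage select  */
    bool lvdie;  /* LVD interrupt enable   */
    bool lvdre;  /* LVD reset enable       */
} lv_config_t;

typedef enum {
    LV_NONE,             /* VDD above both trip points            */
    LV_WARNING,          /* LVWF set, nothing else happens        */
    LV_DETECT_FLAG,      /* LVDF set, neither interrupt nor reset */
    LV_DETECT_INTERRUPT, /* LVDF set and interrupt taken (LVDIE)  */
    LV_DETECT_RESET      /* LVDF set and part reset (LVDRE)       */
} lv_event_t;

typedef struct {
    bool lvwf;        /* low-voltage warning flag               */
    bool lvdf;        /* low-voltage detect flag                */
    lv_event_t event; /* strongest action taken at this VDD     */
} lv_status_t;

int lv_warning_mv(const lv_config_t *c) { return c->lvwv ? VLVWH_MV : VLVWL_MV; }
int lv_detect_mv(const lv_config_t *c)  { return c->lvdv ? VLVDH_MV : VLVDL_MV; }

/* Evaluate the low-voltage circuitry for one VDD sample. The warning only
 * sets LVWF; the detect sets LVDF and then acts according to LVDRE/LVDIE. */
lv_status_t lv_evaluate(const lv_config_t *c, int vdd_mv)
{
    lv_status_t s = { false, false, LV_NONE };
    if (vdd_mv <= lv_warning_mv(c)) {
        s.lvwf = true;
        s.event = LV_WARNING;
    }
    if (vdd_mv <= lv_detect_mv(c)) {
        s.lvdf = true;
        s.event = c->lvdre ? LV_DETECT_RESET
                : c->lvdie ? LV_DETECT_INTERRUPT
                           : LV_DETECT_FLAG;
    }
    return s;
}

/* Headroom between the warning and the detect trip point: the voltage range
 * in which software can still store state to NVM before an LVD reset. */
int lv_warning_margin_mv(const lv_config_t *c)
{
    return lv_warning_mv(c) - lv_detect_mv(c);
}

/* Battery-application policy from the course: act on the warning while the
 * system still has enough power. True when the NVM save should start now. */
bool lv_should_save_state(const lv_config_t *c, int vdd_mv)
{
    lv_status_t s = lv_evaluate(c, vdd_mv);
    return s.lvwf && !s.lvdf;
}
```

With LVWV = 1 and LVDV = 0 the margin is 600 mV: a 2.3 V sample sets only LVWF and lv_should_save_state returns true, while a 1.7 V sample sets LVDF as well and, with LVDIE set, reports an interrupt. With LVWV = 0 and LVDV = 1 a 2.1 V sample sets both flags at once, so the warning gives the software no lead time before the LVD reset.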

ILOP and ILAD Detection
ILOP  Reset was caused by an attempt to execute an unimplemented or illegal opcode. The
      STOP instruction is considered illegal if Stop is disabled by STOPE = 0 in the SOPT
      register. The BGND instruction is considered illegal if active background debug mode
      is disabled by ENBDM = 0 in the BDCSC register.
      0 - Reset was not caused by an ILOP.
      1 - Reset was caused by an ILOP.

ILAD  Reset was caused by an attempt to access either data or an instruction at an
      unimplemented memory address.
      0 - Reset was not caused by an ILAD.
      1 - Reset was caused by an ILAD.

Let’s take a look at two more features of the HCS08 families that allow you to
protect your system against code runaway or unexpected code execution: ILOP and
ILAD. These two bits are located in the SRS register.

If the program counter corrupts and you have a code runaway situation, it is
possible that you will attempt to execute an unimplemented or illegal opcode. The
STOP instruction is considered illegal if Stop is disabled by STOPE = 0 in the SOPT
register. The background (BGND) instruction is considered illegal if active
background debug mode is disabled by ENBDM = 0 in the background debug
controller status and control (BDCSC) register. If the CPU does not recognize your
input as a valid opcode, it will set the ILOP flag and a reset will occur. A “0”
indicates that the reset was not caused by an ILOP. A “1” indicates that the reset
was caused by an ILOP.

Additionally, an ILAD flag will be set and a reset will occur if an attempt is made to
access either data or instruction at an unimplemented memory address. This is
further protection against code runaway. A “0” indicates that the reset was not
caused by an ILAD. A “1” indicates that the reset was caused by an ILAD.

Question

Match each HCS08 system protection feature to its description by dragging
the letters on the left to the boxes on the right. Click “Done” when you are
finished.

A  LVW
B  LVD
C  ILOP
D  ILAD

B – Can be configured as a reset or interrupt; can be set to function in Stop mode
A – Warning that VDD is falling; selectable for either 2.1V or 2.4V nominal
D – Reset caused by an attempt to access data or instruction at an unimplemented
    memory address
C – Reset caused by an attempt to execute an unimplemented or illegal opcode

Let’s review some of the HCS08 system protection features.

Correct.

The LVW indicates that your voltage is dropping on VDD. The level is selectable for
either 2.1V or 2.4V nominal. The LVD can be used to trigger a reset or interrupt on
the microcontroller and it can also be set to function in Stop mode. If the program
counter gets corrupted and you have a code runaway situation, it is possible that
you will be attempting to execute an unimplemented or illegal opcode. If the CPU
does not recognize your input as a valid opcode, it will set the ILOP flag and a reset
will occur. An ILAD flag will be set and a reset will occur if an attempt is made to
access either data or instruction at an unimplemented memory address.

Loss of Lock and Loss of Clock
• Feature on the HC9S08GB/GT family of devices

• ICG module controls:
– ICGC2 register
• LOLRE
• LOCRE
– ICGS1 register
• LOLS
• LOCS

• If either reset capability is enabled after reset by the ICG, the ICG bit in the
SRS register will be set.

Another system protection feature on the HC9S08GB/GT family of devices is loss-
of-lock and loss-of-clock detection, which is located within the internal clock
generation (ICG) module.

Inside these devices, you will find a control register, ICGC2, which contains a loss-
of-lock reset enable (LOLRE) and a loss-of-clock reset enable (LOCRE). In the
status register, ICGS1, you will find the FLL loss-of-lock status (LOLS) register bit
and the loss-of-clock status (LOCS) register bit.

These features allow you to reset the part in case the primary clock is lost. If the
clock gets out of regulation and becomes unlocked, these features will set the
status flag and then, if enabled, will reset the part. If LOLRE or LOCRE are not
enabled, an interrupt is generated, rather than a reset. Therefore, it is important to
create an ISR if you are not using these reset mechanisms.
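The SRS reset-cause bits described in the ILOP and ILAD section and in the loss-of-lock and loss-of-clock section above, as an added example that is not part of the original course: C start-up code (written for this edit, not Freescale code) that names the cause of the last reset and counts consecutive fault resets so that an application which keeps running away does not simply restart forever. The SRS bit positions are placeholders for this example; the real ones are in the device data sheet. The counter is assumed to live in RAM that the start-up code preserves across non-power-on resets; whether RAM contents survive a given reset type must be checked for the device, so treat that part as illustrative. The safe-mode policy is this example's own, not something the course prescribes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reset-cause bits of the simulated SRS register. Bit positions are
 * placeholders for this example; use the data sheet's for the real part. */
#define SRS_COP  0x20u   /* COP watchdog time-out                 */
#define SRS_ILOP 0x10u   /* illegal opcode                        */
#define SRS_ILAD 0x08u   /* illegal address                       */
#define SRS_ICG  0x04u   /* loss of lock / loss of clock (GB/GT)  */
#define SRS_LVD  0x02u   /* low-voltage detect reset              */

/* Fault resets: those pointing at code runaway, a lost clock or the supply,
 * as opposed to a power-on or external pin reset. */
#define SRS_FAULT_MASK (SRS_COP | SRS_ILOP | SRS_ILAD | SRS_ICG | SRS_LVD)

bool srs_is_fault(uint8_t srs) { return (srs & SRS_FAULT_MASK) != 0; }

/* Names of the set cause bits joined with '+', e.g. "COP+ILAD"; "" if none.
 * Returns a static buffer (not reentrant), fine for one-time start-up use. */
const char *srs_describe(uint8_t srs)
{
    static const struct { uint8_t bit; const char *name; } causes[] = {
        { SRS_COP, "COP" }, { SRS_ILOP, "ILOP" }, { SRS_ILAD, "ILAD" },
        { SRS_ICG, "ICG" }, { SRS_LVD, "LVD" },
    };
    static char buf[32];   /* longest possible string is 21 characters */
    size_t len = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof causes / sizeof causes[0]; i++) {
        if (!(srs & causes[i].bit))
            continue;
        if (len)
            buf[len++] = '+';
        strcpy(buf + len, causes[i].name);
        len += strlen(causes[i].name);
    }
    return buf;
}

typedef enum { START_NORMAL, START_SAFE_MODE } start_action_t;

/* Start-up triage. fault_resets is the RAM counter described in the lead-in;
 * a clean (non-fault) reset zeroes it. Once `limit` consecutive fault resets
 * have been seen the application should enter a safe mode instead of
 * re-running the code path that keeps tripping the protection features. */
start_action_t startup_triage(uint8_t srs, uint8_t *fault_resets, uint8_t limit)
{
    if (srs_is_fault(srs)) {
        if (*fault_resets < 255u)
            (*fault_resets)++;
    } else {
        *fault_resets = 0;
    }
    return (*fault_resets >= limit) ? START_SAFE_MODE : START_NORMAL;
}

/* Replay a constructed sequence of SRS values through the triage and return
 * the action chosen after the last one. */
start_action_t triage_sequence(const uint8_t *srs_values, size_t n, uint8_t limit)
{
    uint8_t count = 0;
    start_action_t action = START_NORMAL;
    for (size_t i = 0; i < n; i++)
        action = startup_triage(srs_values[i], &count, limit);
    return action;
}
```

Three fault resets in a row (COP, then ILOP, then ILAD) with a limit of 3 select safe mode; a clean reset in between restarts the count, and a single ICG reset is still a normal start.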

Flash Memory Protection
• Flash block protection settings loaded at reset and cannot be modified by
user code
– NVPROT (NVM location) loaded into FPROT (high-page register)
– FPROT only modified through background debug commands

• GB/GT family
– Block sizes of 512 bytes, 1 Kbytes, 2 Kbytes, 4 Kbytes, 8 Kbytes,
16 Kbytes, 32 Kbytes, and entire array

• QG family
– Similar to HC08 and S12
– Protect in increments of 512 bytes
– Set by setting end address

Let’s move on to some of the flash memory protection features.

The first feature is the flash block protection feature. These flash block protection
settings are actually loaded at reset and they cannot be modified by user code.
They are loaded from an NVM location called non-volatile flash protect (NVPROT).
They are then loaded into a high-page register called flash protect (FPROT).
FPROT can then only be modified through background debug commands.

The way in which the memory is divided for flash block protection varies slightly
between microcontrollers. For the GB/GT family, the block sizes range from 512
bytes to 8 Kbytes to the entire array.

With the QG family, the block sizes are similar to the HC08 and S12. They offer
protection in increments of 512 bytes and are set by configuring the end address.

Flash Block Protection
Memory map (NOT TO SCALE): high-page registers from $1800, including FPROT at
$182C; FLASH above them; NVPROT and the vectors at the top of memory
($FFC0 to $FFFF Vectors).

GB/GT family (FPS2:0 in FPROT selects the protected block, which always ends
at $FFFF):

FPS2:0   Start of protected block
000      $FE00
001      $FC00
010      $F800
011      $F000
100      $E000
101      $C000
110      $8000
111      entire array

QG family (the seven FPS bits supply A15–A9; A8–A0 are fixed at 1 1111 1111):

FPS6:0 concatenated with 1 1111 1111 = $xxFF, the last unprotected memory address

Here, you can see some examples of the block sizes for the GB/GT and QG
families.

In the GB/GT family, flash is protected in blocks that double in size from 512
bytes to 32,768 bytes (in powers of 2). Three FPS bits control the protected
flash block size. Here you can see which ranges of memory are covered and
protected for each FPS bit setting.

Notice that in the QG family, seven bits control the size of the block
protection in increments of 512 bytes. These seven bits are concatenated
with values of ones on the lower bits to create a 16-bit address. This address
sets the final ending address of the unprotected portion of flash.
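The two block-protection schemes described above, as an added example that is not part of the original course: C helpers (written for this edit, not Freescale code) that turn the FPS field into the protected address range for each family and check that the interrupt vectors at $FFC0 to $FFFF land inside it. The GB/GT mapping follows the block sizes and addresses on the slide (000 = 512 bytes at $FE00 up to 110 = 32 Kbytes at $8000, 111 = entire array); the QG mapping is the concatenation rule from the narration. The function names, the "vectors protected" check and the helper that computes a QG FPS value from a desired protected size are this example's own; the FPDIS bit and any other FPROT bits are not modeled.

```c
#include <stdbool.h>
#include <stdint.h>

#define VECTORS_START 0xFFC0u   /* interrupt vectors occupy $FFC0 to $FFFF */

/* GB/GT family: FPS2:0 selects a protected block that always ends at $FFFF
 * and doubles in size from 512 bytes (000) to 32 Kbytes (110); 111 protects
 * the entire array. Returns the first protected address. */
uint16_t gbgt_protected_start(uint8_t fps2_0)
{
    if (fps2_0 >= 7u)
        return 0x0000u;
    return (uint16_t)(0x10000u - (512u << fps2_0));
}

bool gbgt_is_protected(uint8_t fps2_0, uint16_t addr)
{
    return addr >= gbgt_protected_start(fps2_0);
}

/* QG family: the seven FPS bits supply A15-A9 and are concatenated with
 * 1 1111 1111 on A8-A0, giving the last unprotected address ($xxFF).
 * Everything above that address, up to $FFFF, is protected. */
uint16_t qg_last_unprotected(uint8_t fps6_0)
{
    return (uint16_t)(((fps6_0 & 0x7Fu) << 9) | 0x1FFu);
}

bool qg_is_protected(uint8_t fps6_0, uint16_t addr)
{
    return addr > qg_last_unprotected(fps6_0);
}

/* QG: FPS value that protects the top `bytes` of the map, where bytes is a
 * multiple of 512 between 512 and 65024. By the concatenation rule FPS =
 * 111 1111 makes $FFFF the last unprotected address, i.e. protects nothing,
 * so that value is returned for an out-of-range request. */
uint8_t qg_fps_for_protected_bytes(uint32_t bytes)
{
    if (bytes == 0u || bytes % 512u != 0u || bytes > 0xFE00u)
        return 0x7Fu;
    return (uint8_t)((0xFFFFu - bytes) >> 9);
}

/* Configuration checks: the interrupt vectors (which the vector-redirection
 * feature leaves unchanged and protected) must sit inside the protected
 * block. Both blocks extend to $FFFF, so testing the first vector address
 * is sufficient. */
bool gbgt_vectors_protected(uint8_t fps2_0)
{
    return gbgt_is_protected(fps2_0, VECTORS_START);
}

bool qg_vectors_protected(uint8_t fps6_0)
{
    return qg_is_protected(fps6_0, VECTORS_START);
}
```

On the QG family, protecting the top 2 Kbytes means FPS = $7B, which leaves $F7FF as the last unprotected address; FPS = $7F protects nothing and fails the vector check, while every GB/GT setting, 512 bytes included, covers the vectors.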

Vector Redirection
• Available when flash block protection is enabled

• Allows user to modify interrupt vector information without disabling flash
block protection

• Disabled by FNORED bit in NVOPT register

• When engaged, interrupt vectors are fetched from unprotected section of
flash, leaving original interrupt vectors (0xFFC0 to 0xFFFF) unchanged and
protected

The second flash memory protection feature is vector redirection.

The interrupt vectors are redirected when the flash block protection is enabled, so
you can modify interrupt vector information in a different location without disabling
the flash block protection. This is helpful when you are updating ISRs during
development, but you need to maintain flash block protection. Vector redirection can
be disabled using the flash vector redirection disable (FNORED) bit in the non-
volatile memory option (NVOPT) register. However, when vector redirection is
engaged, the interrupt vectors are fetched from an unprotected section of flash,
which leaves the original interrupt vectors (0xFFC0 to 0xFFFF) unchanged and
protected. Note: The reset vector (0xFFFE to 0xFFFF) is not redirected.

Question
Is the following statement true or false? Click Done when you are finished.

“In the GB/GT family, seven bits control the size of the block protection in
increments of 512 bytes.”

True

False

Consider this question regarding flash memory protection.

Correct.

In the GB/GT family, flash is protected in blocks that double in size from 512 bytes
to 32,768 bytes (in powers of 2). In the QG family, seven bits control the size of the
block protection in increments of 512 bytes.

Course Summary

• COP Watchdog timer

• Low-voltage detection system: LVW and LVD

• ILOP and ILAD detection

• Loss-of-lock and loss-of-clock detection

• Flash memory protection

• EB398/D available at www.freescale.com

In this course, you learned about the operation and function of the system protection features of
the HCS08 architecture. These features are designed to provide greater system integrity and
greater system protection while your software is operating.

You also reviewed the purpose of the COP Watchdog timer and discovered how it is configured
using the SOPT registers. You examined the COP timer’s configuration bits, a calculation for
determining a COP time-out, and a few helpful hints that will help you ensure that you are
maximizing the use of your timer.

You then learned about the low-voltage detection system. The LVW indicates that your voltage is
dropping on VDD. It is a flag, not an interrupt, and its level is selectable for either 2.1V or 2.4V
nominal. The LVD can be used to trigger a reset or interrupt on the microcontroller. Its level is
also configurable, either 1.8V or 2.1V nominal. The LVD can also be set to function in Stop
mode.

You examined other features of the HCS08 families that allow you to protect your system against
code runaway or unexpected code execution, such as ILOP, ILAD, loss-of-lock and loss-of-clock
detection, and flash memory protection.

If you would like to examine some different options for system protection, refer to Engineering
Bulletin 398 (EB398/D), entitled “Techniques to Protect MCU Applications Against Malfunction
Due to Code Run-Away.” This Engineering Bulletin is designed for the HC08 family of products.
However, the principles for the concepts apply to any microcontroller in the Freescale portfolio, if
the appropriate features are enabled.
