Flash Corruption――Flash文件系统破坏原因分析及Lattice电源管理解决方案

1FlashCorruption:SoftwareBugorSupplyVoltageFault?FlashCorruption:SoftwareBugorSupplyVoltageFault?ShyamChandra,LatticeSemiconductorAnswer:Both!Flashmemoryiscommonlyusedtostorefirmwareinembeddedsystems.Occasionally,thefirmwarestoredintheFlashmemoryinsomesystemsisaccidentallycorrupted,preventingthesystemfrombootingupafterpower-on.Flashcorruptioniscommonlyassociatedwithasoftwarebug.However,itisalsocommonlyunderstoodthattheprobabilityofFlashcorruptionincreaseseitherduringpowercyclingtestsorduringmarginingtests.TheFlashcorruptionproblemtendstobemoreseverewhenthenumberofcomplexASICsorSOCsusedontheboardincreases.ThisarticleexaminesFlashcorruptionanditscausesbeyondasoftwarebug,andsuggestsmethodstominimizethecorruption.HowDoTheFlashMemoryContentsBecomeCorrupted?Figure1illustratesatypicalcircuitboard’sCPUcircuitry.Whenthepoweristurnedon,theresetgeneratorfirstactivatestheCPUresetsignal.ItthenwaitsuntilthepowertotheCPU,FlashmemoryandtheDDRmemoryeachreachesitscorrectoperationlevel,waitsforanadditionalextendedperiodoftime(about150ms)andthendeactivatestheCPUresetsignal.Whentheresetsignalisdeactivated,theCPUbeginstoexecutetheinitializationroutineintheFlashmemory,transfersthecontentsofthefirmwarestoredintheFlashmemoryintotheDDRmemoryandthenexecutestheprogramfromtheDDRmemory.2FlashCorruption:SoftwareBugorSupplyVoltageFault?FlashCPUDDRMemInitializationRoutineMainRoutineFlashUpdateRoutineFirmwareMemoryMap1V-Core3V3-I/O1V5-DDR30V75-Vtt1V5-DDR30V75-Vtt3V3-I/OResetGeneratorCPUResetWriteDisableWhichSupplyRailstoMonitor?Figure1–TypicalCPUSectionandFirmwareMemoryMapTheproceduretoloadfirmwareintotheFlashmemoryis:-FirmwareisdownloadedintotheDDRmemorythroughacommunicationinterface.-JumptotheFlashUpdateRoutinetoreprogramtheFlashwiththenewfirmware.-Powertotheprocessorisrecycledandthenewfirmwaretakeseffect.TheFlashmemorycontentscanbecomecorruptedifthecodeexecutionjumpstotheFlashUpdateRoutineinadvertently.Whentheboardpoweriscycled,thecorruptversionofthecodeisloadedintotheDDRandtheboarddoesnotfunctionasexpected.ThecodeexecutioncouldjumptothisFlashUpdateRoutineinadvertentlydueeithertoasoftwarebugortoafaultysupplyvoltagerail(duringthepower-offevent,forexample).Asoftwarebugcanbedetectedusingnormaldebuggingmethods.However,afaultypowersupplyvoltageishardtodetect,asthesupplyvoltageerrorcanoccuranywhere.HowDoesASupplyVoltageFaultCauseTheProgramToJumpToTheFlashUpdateRoutine?AllICshavebothminimumandmaximumoperatingvoltagespecifications.Ifthemaximumvoltagespecificationisexceeded,thedeviceisdamaged,andifthesupplydropsbelowtheminimumsupplylevel,thedevicenolongeroperatesasspecified.Forexample,thecorevoltagespecificationoftheCPUinFigure1is1.2V+/-5%.Ifthevoltagedropsbelowthislevel,theabilityoftheCPU’sinternalinstructionexecutionpipelinetoreliablytransferinstructionsanddataiscompromised,and(dependingon3FlashCorruption:SoftwareBugorSupplyVoltageFault?theCPU’sprocessandoperatingtemperature)theinstructioncanbeincorrectlyexecuted.Forexample,a“Move”instructioncanbeinterpretedasa“Pop”instruction,andthecodeexecutionthenjumpstoarandommemorylocation(determinedbythecontentsofthestack).Dependingonthecontentsofthatmemorylocationandtheerrorinexecution,theprocessorcaneitherhangorjumptotheFlashUpdateRoutine,corruptingtheFlashmemoryandoverwritingtheFlashmemorycontents.AdroopinDDRmemoryvoltageorthresholdvoltagealsointroduceserrorsintheinstructionsanddatatransferredbetweenthememoryandCPU.ThiserroneouscodeexecutioncancauseajumptotheFlashUpdateRoutine,corruptingFlashmemory.Whendoesthesupplyvoltagedroop?Thepowersupplyvoltagedroopcanoccurforthefollowingreasons:-Cardpowerdown–Whenthepowertotheboardisturnedoff,notallsuppliesontheboardturnoffatthesametime,becausetheturnoffratedependsonthesupplycapacity,load,outputcapacitor,etc.Becausethepowersupplyturn-offslewrateisveryslowcomparedtotheprocessor’sinstructionexecutionspeed,theprocessorcanexperienceasupplyfault,causingittomis-executeinstructionsbeforethesupplyisfullyturnedofforbeforeitsresetsignalisactivated.-Momentarygroundvoltagerise–Thepowerconsumptionofsomeprocessorscanfluctuatedynamically,dependingontheexecutedinstructions.Whensuchchangesoccur,thedevicedrawslargeamountsofcurrentforbriefperiodsfromthepowersource,anddumpstheseintotheground.Asaresult,thesupplyvoltagecanmomentarilydroopandthegroundvoltagemayincrease.Thedurationofsuchaconditiondependsontheinductanceofthesupplypath.HowcanFlashcorruptionduetosupplyvoltagefaultsbeminimized?TheprobabilityofFlashcorruptioncanbeminimizedbyactivatingtheCPUresetwhenanysupplyraildropsbelowitsthresholdlevel.Thispreventscodeexecutionunderfaultypowersupplyconditions.TheresetgeneratoractivatesboththeCPUresetsignalaswellasthewriteprotectionsignaltotheFlashmemory.Insomecases,theresetgeneratoroutputisnotdirectlyusedtoresettheCPU.Instead,itisconnectedtoaCPLD,whichexecutesaresetdistributionalgorithm.Insuchcases,thewriteprotectionsignalfortheFlashshouldbeactivatedbecausetheCPUmaynotberesetassoonasthepowersupplyvoltagebecomesfaulty.TheresetgeneratorICinFigure1monitorsallCPUrails–1.0V,3.3V,1.5Vand0.75V–a