# help needed: ISP for w78e516b

Status
Not open for further replies.

#### cdcll

##### Full Member level 3
Hi,

Does anyone can tell me how to implement the in system programming function for MCU w78e516b from Winbond? and how to access the security register?

cdcll

V
Points: 2

#### silvio

For the lover of MCS51 family:

Flash Utility for W78E516B / W78LE516:
Winbond's Flash Utility package includes a sample schematic, binary and source files for Winbond's 64Kx8 Application Flash memory and for Winbond's 4Kx8 In-System Programming Boot Flash. The binary files should be programmed into the microcontroller using a standard device programmer. The DOS application program included will communicate with the microcontroller and download a new binary file from a PC to the microcontroller when it is 'in-system'.

https://www.winbond-usa.com/products/mcp/development/ISPDEMO.ZIP

Regards,
Silvio

#### cdcll

##### Full Member level 3
Dear silvio,

Thank you for the reply. I have downloaded the ispdemo, but the demo did not explain how to lock the programme code with the ISP.
The datasheet of w78e516b said the code can be protected by a Security Register which is located at the 0FFFFH of the LDROM space, and it also said the Security Register can not be accessed in programming mode. Does it mean I can not protect my code if I need the In-System Programming feature? if not, could you please tell me how should I do?
Thanks!

BR,
cdcll

#### silvio

Hi cdcll

I must admit I've used only the Turbo 51 from Winbond.

My question that raise first is where you are when you set on "0" the security bits inside Security Register ? In LDROM or APROM space ?

Looking into w78e516b data sheet I saw that the circuit allow me to erase the 4K LDROM space by loading SFRCN with 0xE2.
This way, I believe you could erase the Security Register located at the top of LDROM space (0xFFFF)
But you can do that only if you're working in APROM space, easily achieved because by default, w78e516b boots from APROM space after a power on reset.
Doing this, you reset on 1s all bits inside Security Register, but you loose the bootcode located on LDROM space, too.
Thus, you must reload the bootcode, from APROM to LDROM space and then you could perform usual ISP operation for revising contents of APROM.

I don't know if will work, but I strongly believe the Winbond's designer must allow you somehow to ISP the chip, keeping the protection code of APROM space.

Regards,
Silvio

#### cdcll

##### Full Member level 3
Hello silvio,

Thank you again!
Do you mean that I have to ISP the 64K APROM first, then erase the 4K LDROM (with the Security Register reset to all 1's?), after that I need to rewrite the bootcode to the LDROM, and finally I can program the Security Register by setting the SFRAH and SFRAL to 0xFF? Then it means the Security Register is only for APROM code protection?
I think I am still not clear with the ISP mechanisim.

Best Regards,
cdcll

#### yager

##### Member level 5
To enter ISP mode, CHPCON=0x87, CHPCON=0x59, CHPCON=......
Please check the data sheet and demo code by the silvio's post.
Here is a solution to access the Security Register (0xFFFF @ LDROM)
which the data sheet and demo code does not mention very clearly:
Your code run at LDROM when you'd like to update your code in APROM,
1. Erase APROM (it will also reset the Security Register to 0xFF [no protect])
Code:
SFRCN=0x22
2. Program/Verify APROM
Code:
..........
3. Lock both of APROM and LDROM:
Code:
 protect=~(0x1|0x2|0x4) // reserved bits = 1, lock/movc/encrypt (depends on your desire)
SFRCN=0x61
SFRAH=0xFF
SFRAL=0xFF
SFRFD=0xFF & protect
Now, you could check it via any 51's programmer.
Anyway, I used the above to protect code via ISP for Winbond's W78E58/W78E516.
BTW, you could read the Security Register back even it was locked:
Code:
SFRCN=0x40
SFRAH=0xFF
SFRAL=0xFF
................ (read it via SFRFD after a wake-up from idle mode)
And the Security Register will be reset just to erase APROM,
it is not needed to erase LDROM if you do not update your code in LDROM.
Another words, to lock it when the code is running in LDROM,
it is also not needed to switch back to APROM.
So it is easy to implement, just like to program APROM....
I emulated Philips's ISP Intel HEX format, so I could use Philips's WinISP to update.

Enjoy coding!

#### silvio

God, how much I hate "cheap" advertising on pure technical data sheets.
A small excerpt from w78e516b data sheet, page 12:

This in-system programming feature makes the job easy and efficient in which the application needs to update
firmware frequently. In some applications, the in-system programming feature make it possible to
easily update the system firmware without opening the chassis.

This appears in the middle of technical information. Instead giving you details in order to help you solve your problem, they spent four rows to tell you how green is the grass in the garden.

Yager talks from his experience :
1. Erase APROM (it will also reset the Security Register to 0xFF [no protect])

That means, I erase the APROM space and in the same time the top location of LDROM space.
And that erase, fetching from LDROM space (PC access the LDROM ) !!!!
I'm confident it's 100 % true. But where is that mentioned inside data sheet ?
Even no words about how many banks are inside LDROM flash, because we all know that if it's common flash and not EEPROM, we can't erase a byte location when we fetch from the same flash bank (you can't kick your own ass).
How could cdcll figure out the above, when few pages down reads

The W78E516B has a Special Setting Register, the Security Register, which can not be accessed in
programming mode.

What programming mode ?
If we look at bit 1 of CHPCON register our programming life turns black:

FBOOTSL 0: The Loader Program locates at the 64 KB APROM. 4KB LDROM is destination for re-programming.
1: The Loader Program locates at the 4 KB memory bank. 64KB APROM is destination for re-programming.

What we are doing when programming ?
- programming APROM fetching from LDROM (usual procedure, but at first time LDROM must be programmed external, prior to soldering on board)
- programming LDROM fetching from APROM (only if we need to change the bootloader)

But both are programming !
On which of the above two options we are not allowed to access the Security Register ?

Do you need another example on bad interpretation ?
Read on page 17: A MOVC instruction in internal program memory space
will always be able to access the ROM data in both internal and external memory.
What it's weird here, you can ask ?
Well, I presume the internal program memory space is located in APROM (or I'm wrong and could be in LDROM either ????)
Ok, let's say I fetch from APROM and use internal MOVC to access the ROM data from external memory. Because I read I can do that.
But what kind of external memory when I use the all 64K inside ? And even if I don't, where is the bit in order to find the border where the internal and external memory join ?
Like for the RAM when bit 4 of CHPCON is set.
Can tell someone how can I read the page 17 referenced above ?

Have fun,
Silvio

#### yager

##### Member level 5
Thanks silvio's explanation, I'm so lazy....
Yes, the data sheet is so suck!
A couple years ago, I had same question as cdcll's post and suspected as:
silvio said:
Even no words about how many banks are inside LDROM flash, because we all know that if it's common flash and not EEPROM, we can't erase a byte location when we fetch from the same flash bank (you can't kick your own ass).
Unfortunately, I could not get any support from the supplier.
So I wrote some code to try to find it out....
Finally, I also surprised this result, but it is working.
silvio said:
Read on page 17: A MOVC instruction in internal program memory space
will always be able to access the ROM data in both internal and external memory.What it's weird here, you can ask ?
Well, I presume the internal program memory space is located in APROM (or I'm wrong and could be in LDROM either ????)
I think it is not useful for W78E516, because it has 64K code size.
But it could be needed if the internal ROM size below 64K such like as W77E58 (32K, but PC also is 64K).
To assume a board (used W77E58) which it was locked (except MOVC feature),
it also used an external memory, and I found its code has jump/call to external memory.....
1. I could find its entry point and wrote a fake code to replace the external memory
2. when it jump/call out to my fake code, I could take full control and use MOVC to read the internal ROM...
So the locked W77E58 will be easy to c-r-a-c-k.
I think.

yager

#### silvio

Yager wrote: So the locked W78E58 will be easy to c-r-a-c-k.

That's I'm afraid to say, before.
But sad, it could disapoint cdcll, who expects something nice from the chip.

Regards,
Silvio

#### cdcll

##### Full Member level 3
Dear silvio & yager,

Thank you very much!

Both of you make me much clear with the ISP mechanism of the w78e516b and even the chip itself! Actually I have submited the same question at the Winbond's website, but I have not got any response from Winbond.

However, I am lucky that both of you give me a hand!

Best wishes,
cdcll

#### yager

##### Member level 5
mmm...the locked 51 is easy to c-r-a-c-k?
I think no one will set his hardware as like as the above.
To know more 51, I strongly recommend to read (someone called 51's bible)
"MCS(R) 51 Microcontroller Family User's Manual"
https://www.intel.com/design/mcs51/manuals/272383.htm
it is free and released by Intel (the mother of 51).
Such like as: Program Memory Locks (lock/MOVC/encryption) p.3-29~3-30

The chip is cheap, as I mentioned before, the W78E516 is similar to W78E62/W78E65 (w/PWM).
The price of 62/65 will be under US$1.1 if they'd like to sell (not LCD Monitor supplier). The ST has released its uPSD series (formerly Waferscale/WSI), it does not need to program before solding (download via JTAG). Like as uPSD3212 (64+16KB Flash, 2K SRAM, 2 UARTs, I2C, ADC, PWM, PLD, LVD...) its price is under US$4.5, why not to try ST's uPSD
if you could not get the cheapest W78E62/W78E65 (W78E516 is ~US\$3.5).
FYR

Status
Not open for further replies.