JLink on unsecure and erase Kinetis FLASH

  • JLink on unsecure and erase Kinetis FLASH

    Dears,

    I would like to ask you for advice on your JLink tools. I am trying to do a FLASH erase on my secure Kinetis MKV31F512xxx12 device.

    I would like to use J-Link for this. Unfortunately I can't erase it because the device is secured. I do the following with JLink Commander:

    J-Link>device MKV31F512xxx12
    Info: Device "MKV31F512XXX12" selected (512 KB flash, 96 KB RAM).
    Reconnecting to target...
    Info: TotalIRLen = 4, IRPrint = 0x01
    Info: TotalIRLen = 4, IRPrint = 0x01
    Info: Found Cortex-M4 r0p1, Little endian.
    Info: FPUnit: 6 code (BP) slots and 2 literal slots
    Info: TPIU fitted.

    J-Link>unlock Kinetis
    Found SWD-DP with ID 0x2BA01477
    Unlocking device…O.K.

    J-Link>erase
    Erasing device (MKV31F512xxx12)…
    ****** Error: Failed to erase sectors 8 @ address 0x00004000 (Algo135: Flash protection violation. Flash is write-protected.)

    Info: J-Link: Flash download: Total time needed: 1.155s (Prepare: 0.689s, Compare: 0.000s, Erase: 0.067s, Program: 0.000s, Verify: 0.000s, Restore: 0.398s)

    ERROR: Erase returned with error code -5.


    Is there a way to unlock secured device and erase it?

    Thanks for your advice.

    Regards,
    Peter
  • Hi,

    The Freescale Kinetis device series has two different protection mechanisms.
    a) Flash security byte (FSEC), located at offset 0x40C in the internal flash memory. This byte allows setting flash security, the mass erase enable bit, etc.
    b) Program Flash Protection (FPROT), located at offset 0x408-0x40B in the internal flash memory. These bytes allow protecting up to 32 regions in flash from erase / write accesses.

    The unlock Kinetis command in J-Link Commander handles protection mechanism a). J-Link Commander checks if system security is set and if so, it tries to clear it. In your case, it seems that the program flash protection is set for the sector located at 0x00004000, and therefore programming / erasing fails. Clearing the program flash protection bytes should suffice to be able to mass erase the device.

    Can you please read back the flash configuration field which includes the FPROT bytes?
    This can be done in J-Link Commander as follows:
    mem 400 10

    - Erik
    Please read the forum rules before posting.

    Keep in mind, this is *not* a support forum.
    Our engineers will try to answer your questions between their projects if possible but this can be delayed by longer periods of time.
    Should you be entitled to support you can contact us via our support system: segger.com/ticket/

    Or you can contact us via e-mail.
  • That's strange. The flash protection violation error is reported if the "Flash Protection Violation Flag" in the FTFA_FSTAT register is set after triggering an erase operation. According to the description, this flag is set only when a program / erase attempt was made to a protected flash area. This would confirm my assumption that the flash area at 0x4000 is protected, but according to the FPROT bytes (addr 0x408-0x40B), it is not.

    Can you please power-on-reset your target, start J-Link Commander with the command line arguments below, execute the steps and provide a screenshot of the entire output?:

    JLink.exe -device MKV31F512xxx12 -speed 4000
    r
    mem 400 10
    erase
    mem 400 10
  • Can you please check if flash download is working with either of the two images in the attached *.zip?

    JLink.exe -device MKV31F512xxx12 -speed 4000
    r
    loadfile <EXTRACT_DIR>\Full_Flash_ExpectLockRegion1_TestData.mot
    r
    loadfile <EXTRACT_DIR>\Full_Flash_TestData.mot

    Please send a screenshot again. So far it seems to me that the flash is somehow broken. Do you have the opportunity to check functionality on another device?
    Files
    • TestImages.zip
  • For sure I know there is a protected area somewhere - I would like to get rid of that protected code to be able to re-program the device... The device is not broken but programmed with some protected area somewhere .... try it to erase all flash
    Images
    • cmd_segger.png
  • "for sure I know there is a protected area somewhere - I would like to get rid of that protected code to be able re-program device"
    As I previously described: The flash program protection is located in the first flash sector at offset 0x0408 - 0x040B. According to the data read back from this memory region, the flash protection is not set for any region. Therefore, it seems to me that flash region 1 (0x00004000 - 0x00007FFF) is broken. The screenshots confirm that programming all regions, except region 1, works just fine.
    "Device is not broken but programmed with some protected area somewhere"
    Neither the flash protection nor the system security is set.
  • Erik,

    I have 2 other devices which were programmed the same way as the one which seems to be broken. I am going to test them, unsecure them and mass erase them.
    Erik, do you have something in mind, or what steps would you suggest taking before mass erase to find out if a device is OK and protected or broken?

    This thread is a great help to me.


    Thank you very much for your time.

    Best regards,
    Peter
  • Hi Peter,

    In general, when the system security is not set (flash can be read out), the program flash protection as well as the system security can be determined by reading out the memory at 0x400 (Flash Configuration Field). This can be done by using J-Link Commander and the "mem 400 10" command. For further information regarding the meaning of the values of the flash configuration field, please refer to the Freescale KV reference manual.

    In case the system security is set and the debugger therefore does not have access to the system bus or any other memory mapped peripherals, the system security can be determined through AP[1] (MDM-AP) bank 0. Using the AP/DP access, the MDMAP_REG_STAT can be read out, which contains different system information (e.g. system security, mass erase enable, etc.). For further information regarding this, please refer to the "Debug" -> "JTAG status and control registers" chapter in the Freescale KV RM.


    - Erik
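
Added example (not from the original thread and not SEGGER code): decoding the 16 bytes that "mem 400 10" returns, using the FPROT and FSEC offsets given in the replies above. Assumptions: the `00000400 = FF ...` line format, the constructed sample bytes, and the bit meanings taken from the Kinetis flash module description (an FPROT bit of 0 means the region is protected, 0x408 holds regions 0-7, SEC = 10 means unsecured, MEEN = 10 means mass erase disabled); check them against the reference manual for your part.

```python
import re

FLASH_SIZE = 512 * 1024         # MKV31F512xxx12: 512 KB program flash
REGION_SIZE = FLASH_SIZE // 32  # 32 FPROT regions of 16 KB (0x4000) each


def parse_mem_line(line):
    """Split one 'mem' output line into (address, first 16 data bytes)."""
    addr, _, rest = line.partition("=")
    tokens = re.findall(r"\b[0-9A-Fa-f]{2}\b", rest)[:16]
    return int(addr.strip(), 16), bytes(int(t, 16) for t in tokens)


def decode_fcf(line):
    """Decode FPROT and FSEC from the flash configuration field at 0x400."""
    addr, fcf = parse_mem_line(line)
    if addr != 0x400 or len(fcf) != 16:
        raise ValueError("expected the 16 bytes at 0x400..0x40F")
    # Assumption: 0x408 holds regions 0-7, so the four bytes form a
    # little-endian word in which bit n describes region n.
    prot = int.from_bytes(fcf[0x8:0xC], "little")
    fsec = fcf[0xC]
    protected = [(n * REGION_SIZE, (n + 1) * REGION_SIZE - 1)
                 for n in range(32) if not (prot >> n) & 1]  # 0 = protected
    return {
        "protected": protected,
        "secured": (fsec & 0b11) != 0b10,                    # SEC, bits 1:0
        "mass_erase_enabled": ((fsec >> 4) & 0b11) != 0b10,  # MEEN, bits 5:4
    }


# Constructed sample read-backs (not taken from the thread's screenshots).
ERASED = "00000400 = FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"
REGION1 = "00000400 = FF FF FF FF FF FF FF FF FD FF FF FF FE FF FF FF"
LOCKED = "00000400 = FF FF FF FF FF FF FF FF FF FF FF FF EF FF FF FF"

if __name__ == "__main__":
    for name, line in (("erased", ERASED), ("region1", REGION1), ("locked", LOCKED)):
        info = decode_fcf(line)
        regions = ", ".join(f"0x{a:08X}-0x{b:08X}" for a, b in info["protected"])
        print(name, "secured" if info["secured"] else "unsecured",
              "mass-erase", "on" if info["mass_erase_enabled"] else "off",
              "protected:", regions or "none")
```

The all-0xFF case decodes as secured with mass erase still enabled, which matches the later remark in this thread that an erased 0x40C reads as a protected device that J-Link can still recover.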
  • Erik,

    I guess I found the issue on my device. The XACC (program once) bits are set. The XACC registers mark the regions as execute-only; it means it is truly program once and cannot be erased even by a mass erase. The execute-only marking cannot be removed by any means.

    So the question is: when using IAR IDE+JLink to program/debug the device, how do I set it to avoid this region?

    Now I am just getting an error

    The flash loader program reported an error.

    an IAR download got frozen when I use OpenSDAv2_1.

    Thank you very much for your support.

    Best regards,
    Peter
  • Hi Peter,

    "So question is when using IAR IDE+JLink to program/debug device how to set it to avoid this region?"


    J-Link does *not* write this region.
    If it is written, it is done by your application.
    The IFR area that holds the XACC bits is not even memory mapped visible.


    Best regards
    Alex
  • Protection Byte is set by J-Link

    Dear Alex,

    In this thread, JLink on unsecure and erase Kinetis FLASH
    You mention:
    "J-Link does *not* write this region.
    If it is written, it is done by your application."

    Our production programming team has performed "Erase chip". This has resulted in the Kinetis MK64FN1M0VLL12 locking up. We have a whole bunch of PCBs with this problem.

    I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!

    It would be great if you can help us how to solve this problem and revive a complete batch of PCBs with this problem.

    Thanks,
    Tilak
    ps: Using J-Flash V6.12a
  • Hi,

    "I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!"

    Does not make sense...
    If you do a chip erase, all bytes in the internal flash will be set to 0xFF.
    Please note that the readout protection at 0x40C is defined as: 0xFF == device is read protected. This is a specification that comes from the Kinetis device.
    However, J-Link is able to recover a device that has all bytes (including the readout protection) erased (0xFF).
    For the Kinetis series it is recommended to not perform a chip erase + reset before programming new data.
    It should be:
    Reset
    Erase
    Program
    Reset
    to avoid any "read protected device detected" messages.


    - Alex
  • locked MCU after chip erase

    SEGGER - Alex wrote:

    Hi,

    I believe, the "Erase chip" command from J-Link puts 0x00 instead of 0xFF at address 0x400. Hence, J-Link does write in this region!


    Does not make sense...
    If you do a chip erase, all bytes in the internal flash will be set to 0xFF.
    Please note that the readout protection at 0x40C is defined as: 0xFF == device is read protected. This is a specification that comes from the Kinetis device.
    However, J-Link is able to recover a device that has all bytes (including the readout protection) erased (0xFF).
    For the Kinetis series it is recommended to not perform a chip erase + reset before programming new data.
    It should be:
    Reset
    Erase
    Program
    Reset
    to avoid any "read protected device detected" messages.


    - Alex
    Hi Alex,
    I have the same problem as Tilak, after I have done 'erase chip' with JFlash. I'm not able to connect afterwards.
    I tried JLink Commander and could not connect when I tried.
    -Hans