AN12422 S32G2 Boot Process
AN12422 S32G2 Boot Process
Contents
1 Introduction 1 Introduction......................................1
2 Key terms used in the document.....1
S32G family is a high-performance vehicle network processor, combining
3 First Boot......................................... 2
CAN/LIN/FlexRay networking with high data rate Ethernet networking.
3.1 Power up......................................3
The target applications for S32G are: 3.2 BMODE configuration.................. 3
3.3 RCON configuration.....................3
• Central gateways and domain controllers connecting various networks 3.4 FUSE configuration......................4
and translating their protocols 3.5 Setting up the external memory for
• Firmware Over-The-Air (FOTA) masters controlling secure software Boot..............................................4
3.6 Image Vector Table (IVT).............4
image downloads and their distribution to the ECUs in the network
3.7 Self-test DCD............................... 6
• Secure key management 3.8 Device Configuration Data (DCD)
..................................................... 6
• Smart antennas
3.9 Application boot code image........7
• High-performance central compute nodes 3.10 BootROM..................................... 7
3.11 BootROM clock configuration...... 8
3.12 Image authentication and
2 Key terms used in the document decryption during secure boot..... 9
3.13 BootROM Fail Safe...................... 9
Boot Core – HSE_M7, the only CPU available when the hardware reset 3.14 BootROM at STANDBY Exit........ 9
sequence completes 4 Boot From external NVM.................9
BootROM – Firmware available in HSE ROM area that is executed by HSE_M7 4.1 Required hardware configuration
..................................................... 9
after reset.
4.2 QSPI boot.................................. 10
Non Secure boot – BootROM passes control to the user application residing 4.3 SD/MMC Boot............................ 10
outside HSE subsystem. 5 Serial Boot.....................................11
6 Bring up considerations.................12
Secure boot – BootROM passes control to the HSE firmware running on 7 References.................................... 12
HSE_M7. BOOT_SEQ bit in the IVT Boot configuration word defines if Secure 8 Revision history............................. 13
boot is to be enabled.
Boot mode pins (BMODE1 and BMODE2) – These pins are available to be configured by user to select the desired boot mode.
These are the first user inputs read by BootROM.
Serial boot - This boot mode allows application code to be downloaded to SRAM using LIN or CAN.
RCON - Boot configurations defined outside of the chip. RCON can be parallel (using 32 dedicated IOs) or serial (using I2C
based EEPROM).
External Flash – Non Volatile memory connected on QSPI, SD or MMC interface.
IVT (Image Vector Table) - The Image Vector Table (IVT) is the first image that the BootROM reads from the boot device. The
IVT contains the required data components like image entry point, pointer to Device Configuration Data (DCD) and other pointers
used by the BootROM during the boot process. The location of the IVT is the only fixed requirement by BootROM.
® ®
CM7_0 and A53_0 – Application cores that can be enabled by the BootROM. Either of CM7_0 or A53_0 are selected based on
BOOT_TARGET configuration in IVT Boot Configuration Word.
NXP Semiconductors
First Boot
3 First Boot
For a virgin device, the device can be forced to enter Serial boot mode using BMODE pins. In case boot from an external flash is
selected using BMODE and no image is present in the external flash, the device enters into serial boot mode after eight resets.
Refer to Serial Boot for further details.
Key steps for booting up the device:
1. Ensure power supply on the board
2. Ensure correct BMODE settings
3. Lauterbach (LTB) and T32 support for S32G2
Steps to load an application and execute directly from SRAM using LTB
1. Example T32 Script (S32G274A_CM7_0_Attach.cmm) to attach to S32G CM7_0 provided in the attachment section of
the AN
2. Custom application (constraint – SRAM size of 8MB), use data.load.elf <File_name.elf> from the LTB window
Steps if Serial boot is required:
1. Application binary to download (Constraint – SRAM size of 8 MB)
2. Tool to transfer binary on Serial (UART/CAN) port. Use S32 Design Studio (S32DS) flash tool can also be used for
serial download
3. Hardware bus connection for the serial interface to target board
Steps if required to boot from QSPI:
1. Prepare binary image using S32DS IVT configurator
2. Use S32DS flash tool to program the QSPI flash. The tool is available with S32DS installation at directory
<installation_directory> \S32DS.3.4\S32DS\tools\S32FlashTool\GUI\s32ft.exe
3. Select the target as S32G274A, Algorithm as QSPI flash component on hardware and COM port as per individual
machine configuration
4. Follow the instructions available with S32DS flash tool (S32_Flash_Tool_User_Guide.pdf in the S32DS installation
directory) for further steps
5. Configure RCON as per recommendation in Boot Config Word setting
6. Configure BMODE to ‘10’ (See table 1 below for further details)
7. The device will boot from QSPI after the next reset
Steps if required to boot from SD/MMC:
1. Prepare binary image using S32DS IVT configurator
2. Use S32DS flash tool to program the SD/MMC. The tool is available with S32DS installation at directory
<installation_directory> \S32DS.3.4\S32DS\tools\S32FlashTool\GUI\s32ft.exe
3. Select the target as S32G274A, Algorithm as SD/MMC component on hardware and COM port as per individual
machine configuration
4. Follow the instructions available with S32DS flash tool for further steps
5. Alternatively, a utility application like Win32DiskImager can also be used to format and write raw binary into the SD card.
Plug in the SD card into the target board
6. Configure BMODE to ‘10’ (See table 1 below for further details)
7. Configure RCON as per recommendation in Boot Config Word setting
8. The device will boot from SD/MMC after the next reset
3.1 Power up
The user must ensure that all power supplies required for operation of S32G2 are up in the sequence as mentioned in the S32G2
datasheet. Also, the supply limits for all power pins mentioned in the device datasheet must be respected at all times.
X 1 1 Reserved
To use serial RCON, RCON8 pin must be pulled HIGH. The BootROM then assumes that a serial EEPROM is connected on the
I2C port (RCON7 and RCON8). The 32 reset configuration bits are then fetched from the external EEPROM (first 4 bytes from
offset 0x0 of the device) as part of the Boot process.
The address of the EEPROM device should be set as 0xA0.
FUSE_SEL fuse must be blown in case S32G2 is required to be forced to boot using Fuses. The BOOT_CFGn fuses must be
blown prior to setting the FUSE_SEL fuse.
The rest of the bits in the three boot configuration fuses are used for configuration of external memory interface or configuration
of serial boot supporting peripherals. BOOT_CFG2 and BOOT_CFG3 fuse words can only be set by fuse programming.
[1] For Rev 1 Silicon, in case of SD/MMC/eMMC boot the BootROM expects the IVT to be placed at 0h location of the
external NVM.
0x08 4 Self-Test DCD pointer Pointer to the start of the configuration data used for BIST
0x0C 4 Self-Test DCD Backup pointer Pointer to the start of the backup configuration data used
for BIST
0x14 4 DCD Backup pointer Pointer to the start of backup DCD configuration data
0x18 4 HSE FW Flash Start pointer Pointer to the start of the HSE_H firmware in flash memory
0x1C 4 HSE FW Backup Flash Start pointer Pointer to the start of the backup HSE_H firmware in
flash memory
0x20 4 Application Flash Start pointer Pointer to the start of the application code in flash memory
0x24 4 Application Backup Flash Pointer to the start of the backup application code in
Start pointer flash memory
0x28 4 Boot Configuration Word Configuration data used to select the boot configuration
0x2C 4 Life-Cycle Configuration Word Configuration data used for advancing Life-Cycle
NOTE
Ensure that the Life cycle configuration word at offset 0x2c is set to '0'.
The IVT image Header is a fixed value (0xD1010060 – shown here in Big Endian format) for S32G2 and is shown in the device
RM also.
The IVT Boot Configuration Word can be used to select:
1. The boot core - either M7_0 or A53_0 as the boot core (bits 0-1),
2. Enable/Disable boot target watchdog (bit2) (SWT0 can be only configured)
3. Secure boot mode - configures between the secure and non-secure boot mode (bit 3)
The IVT Life-cycle configuration word can be used to advance the lifecycle of the device to OEM_PROD (bit 0) or IN_FIELD (bit
1). Life cycle once advanced cannot be reverted back.
NOTE
Care must be taken that the values for both configuration word are set appropriately (either 0 or 1 as required). Not
writing to these words in IVT may be incorrectly interpreted as ‘1’ by the BootROM thereby implicating incorrect
settings. Some of these settings require fuse bits to be blown that may result in irrevocable changes to the
device settings.
BootROM supports concept of backup image for Self-test DCD, DCD, Application and HSE_FW. For each type of program image,
BootROM first tries to execute its primary image if IVT points to a valid location. Only 0x0 is considered an invalid location. If
primary image points to 0x0 or primary image header does not match with image required header or authentication fails, wherever
applicable, BootROM tries to execute backup image pointed by IVT.
Execution of Self-test is always followed by a reset. The recommended Self-test DCD is provided as a binary with Safety Software
Framework (SAF) release.
0x04 4 RAM Start pointer Pointer to the RAM location BootROM uses to copy the code.
0x08 4 RAM entry pointer Pointer to start of code execution. This pointer should be within the
section of SRAM where the application image is downloaded.
0x10 48 Reserved
0x40 Code_length Code Code can be any size up to the max size of System SRAM.
3.10 BootROM
BootROM is the first software that runs on S32G2 after any reset. It is placed in an internal ROM (accessible only to HSE_M7) and
is executed by HSE_M7. After the execution of the BootROM, the control is passed either to HSE FW (in case of secure boot) or
to customer application (in case of non-secure boot).
BootROM relies on user inputs in the form of BMODE pins, RCON and Fuse configurations to decide and enable the appropriate
boot mode.
In case of non-secure boot, BootROM configures the system clock to FIRC before handing the control to the application code.
In case of secure boot, BootROM passes control to HSE FW with system clock as CORE_PLL DFS. The HSE FW does not change
any clock settings before handing over the control to application.
Refer to S32G2_BOOT_Settings.xlsx attached with the device RM for more details on clock and other peripheral configurations
touched by BootROM.
NOTE
In Rev 1 Silicon (mask 1N92V), for application size greater than 1 MB, QSPI reconfiguration parameters must be
programmed. For Rev 2 Silicon (mask 0P77B), this limitation has been fixed.
NOTE
The QuadSPI POR Delay value needs to be programmed as per external flash requirement. These are not
automatically applied at standby exit. HSE provides a service to enable the POR delay at next boot after standby
exit. Please refer to HSE manuals for further details.
NOTE
For Application Boot via SD interface, when BOOT_SEQ == 0, RAM start pointer for application should not point
between 0x34008050 to 0x34008200. This address range is used by BootROM for internal operation during boot
via "SD.interface". BootROM also uses 4 KB of SRAM memory starting 0x343FF000 for ADMA descriptors in case
of μSDHC boot. Application image header should not point to this location in case of μSDHC boot.
Speed Modes Max Data Transfer Rate Clock Speed Signal Voltage
BOOT_CFG1[19] controls selection of Default Speed or High Speed mode in case SD card is used over μSDHC interface.
Speed Modes Max Data Transfer Rate Clock Speed Bus Width
BOOT_CFG1[22:19] controls selection of Speed modes in case MMC/eMMC card is used over μSDHC interface.
5 Serial Boot
Serial Boot mode enables application code to be downloaded to SRAM through serial peripherals. The two primary use cases for
serial boot are:
• End-of-line flash memory and fuse programming
• Recovery of chips that fail to boot correctly (nonresponsive modules)
This feature can be disabled by blowing fuse DIS_SER_BOOT.
Serial Boot mode is entered via the BMODE input pins. The device also enters serial boot mode if the Functional reset counter
reaches a value >= 8. The functional reset may be result of any of the errors encountered during BootROM execution for e.g.,
software programming errors during development, flash memory failure, PCB failure during production, timeout due to failure of
hardware modules, authentication failure during secure boot, exceptions during BootROM execution, unavailability of a valid boot
image in the selected NVM and so on.
In Serial Boot mode, BootROM continuously polls for activity on any of the available interfaces:
• CAN
• LIN (UART)
In CUST_DEL life cycle, BootROM does not configure any watchdog when polling on serial interfaces. However for life cycles
OEM_PROD and IN_FIELD, HSE SWT is activated with a timeout of 60 seconds.
The application should also specially take care that once serial download is complete, BootROM enables the SWT_0 with its
default configuration. It is now the responsibility of the application to take care of servicing the watchdog.
Please refer to chip RM for further details.
6 Bring up considerations
S32G2 boot architecture is designed in such a way that it always expects the device to be in serial boot mode when none of
the NVM devices have a verified application in it. Once in serial boot mode, the device expects to receive the application on
UART/CAN interfaces as defined in the Serial boot. For simple tests, the developer or tester can even download an application
to SRAM directly however with a clear limitation that BootROM may interfere with UART/CAN settings.
To understand the boot architecture better, BMODE configurations needs to be revisited.
In a production line scenario, for a virgin device the FUSE_SEL would be available in reset state (depicted by 0 in the Table 1) and
setting BMODE pins to serial boot would allow downloading the complete application image. Flash tools working on serial boot
mode and provided with S32 Design Studio (S32DS) can also be used. As a next step, the FUSE_SEL should be blown such that
the boot configurations are picked up from BOOT_CFG fuses rather than external RCON. After FUSE_SEL is set to 1, the BMODE
configurations earlier depicting serial boot now automatically configures the device to boot from external NVM, refer to Table 1.
The type of NVM is configured based on the BOOT_CFG1 fuse word.
During development phases, it is always recommended to configure the BMODE pins to put device in serial boot mode
when erasing/programming the external NVM. If the device is configured to boot from external NVM and the NVM is being
erased/programmed, then there are possibilities that an interruption in flash erase/program operation may bring irrevocable
changes to the state of the device. For instance, there can be a scenario wherein the IVT header and few other entries of the IVT
table get programmed but the Life cycle configuration word remains in erased state (0xFFFFFFFF) and the flash operation gets
interrupted. In such a case, after next reset the device will look for boot configurations and on finding it to be a ‘boot from NVM’
it would start executing from the NVM. On locating the right IVT header it would start feeding the BootROM with the parameters
in the IVT table and would also feed the unintentional Lifecycle advancement command. The BootROM would then advance
the Lifecycle of the device and the device may no longer be accessible through the debugger. To avert such an issue, the
recommendation of keeping device in serial boot through BMODE pins is provided during programming of NVM and the user must
always verify external flash for the availability of right content. This should not be confused with the serial boot entry when device
is configured to boot from external NVM and no legitimate image is found in the NVM.
7 References
S32G2 Hardware Design Guidelines (S32G2HDG)
S32G2 RM Rev 2
S32G-PROCEVB-S Schematic
8 Revision history
Table 11. Revision history
While NXP has implemented advanced security features, all products may be subject to
unidentified vulnerabilities. Customers are responsible for the design and operation of their
applications and products to reduce the effect of these vulnerabilities on customer’s applications
and products, and NXP accepts no liability for any vulnerability that is discovered. Customers
should implement appropriate design and operating safeguards to minimize the risks associated
with their applications and products.
NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, COOLFLUX,
EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE
CLASSIC, MIFARE DESFire, MIFARE PLUS, MIFARE FLEX, MANTIS, MIFARE ULTRALIGHT,
MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET,
TRENCHMOS, UCODE, Freescale, the Freescale logo, AltiVec, C‑5, CodeTEST, CodeWarrior,
ColdFire, ColdFire+, C‑Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV,
mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Ready Play,
SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit,
BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine, SMARTMOS, Tower,
TurboLink, UMEMS, EdgeScale, EdgeLock, eIQ, and Immersive3D are trademarks of NXP
B.V. All other product or service names are the property of their respective owners. AMBA,
Arm, Arm7, Arm7TDMI, Arm9, Arm11, Artisan, big.LITTLE, Cordio, CoreLink, CoreSight, Cortex,
DesignStart, DynamIQ, Jazelle, Keil, Mali, Mbed, Mbed Enabled, NEON, POP, RealView,
SecurCore, Socrates, Thumb, TrustZone, ULINK, ULINK2, ULINK-ME, ULINK-PLUS, ULINKpro,
µVision, Versatile are trademarks or registered trademarks of Arm Limited (or its subsidiaries)
in the US and/or elsewhere. The related technology may be protected by any or all of patents,
copyrights, designs and trade secrets. All rights reserved. Oracle and Java are registered
trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and
the Power and Power.org logos and related marks are trademarks and service marks licensed
by Power.org.
© NXP B.V. 2021. All rights reserved.
For more information, please visit: http://www.nxp.com
For sales office addresses, please send an email to: [email protected]