3.2.1 Command Description
This section provides a detailed description of the request and response codes used in the Secure Firmware Upgrade protocol.
Unlock Command
The Unlock command sequence is shown in the following figure with corresponding responses.
- The Unlock command must be issued before the first Data command.
- It is used to calculate the application start address and end address.
- This information is used to validate that the addresses sent are within the range of the Flash memory.
- It is also used to validate that the addresses that arrive with each data packet to be programmed fall within the region for which the Unlock command was invoked.
- The number of bytes of data to be received is 8 Bytes (Start Address + Image Size).
- Start Address:
  - It is the application Start Address of the Flash memory.
  - It is device-dependent and should always be greater than or equal to the bootloader end address.
  - It must be aligned at an Erase Unit Size boundary, which is device-dependent.
  - To upgrade the bootloader itself, this value must be set to 0.
- Image Size:
  - It must be in increments of Erase Unit bytes, which is device-dependent.
Data Command
The Data command sequence is shown in the following figure with corresponding responses.
- The Data command carries the image data.
- The total data size comprises the Block Start Address (4 Bytes), the Encrypted Data (256 Bytes), and the Tag (16 Bytes).
- The Block Start Address must lie within the area unlocked by the Unlock command.
- Attempting to write data outside the boundaries of the unlocked region results in an error, and the supplied data is discarded. If the write to the Flash memory fails, the bootloader returns a Flash failure code.
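The Unlock and Data range checks described above, as an added example of how a bootloader could implement them (this is illustrative code, not the protocol's reference implementation). The Flash size, bootloader end address, erase unit and little-endian field order are assumptions for the example; real values are device-dependent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical device parameters; the real values are device-dependent. */
#define FLASH_SIZE          0x00020000u  /* assumed 128 KB Flash, mapped from address 0 */
#define BOOTLOADER_END_ADDR 0x00002000u  /* assumed: bootloader occupies the first 8 KB */
#define ERASE_UNIT_SIZE     0x00000400u  /* assumed 1 KB erase unit (must be >= DATA_BLOCK_SIZE) */
#define DATA_BLOCK_SIZE     256u         /* encrypted payload per Data command, from the protocol */

/* Region opened by the last Unlock command; end is exclusive. */
typedef struct { uint32_t start, end; bool unlocked; } unlock_region_t;

static uint32_t rd_le32(const uint8_t *p) {  /* assumed little-endian wire order */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check the 8-byte Unlock payload (Start Address + Image Size) and record the region. */
bool unlock_validate(const uint8_t payload[8], unlock_region_t *r) {
    uint32_t start = rd_le32(payload), size = rd_le32(payload + 4);
    r->unlocked = false;
    if (size == 0 || size % ERASE_UNIT_SIZE != 0) return false;   /* size in Erase Unit increments */
    if (start % ERASE_UNIT_SIZE != 0) return false;                /* aligned to an Erase Unit boundary */
    if (start != 0 && start < BOOTLOADER_END_ADDR) return false;   /* 0 is reserved for bootloader upgrade */
    if (start > FLASH_SIZE - size) return false;                   /* end inside Flash; no address wraparound */
    r->start = start; r->end = start + size; r->unlocked = true;
    return true;
}

/* A Data packet's Block Start Address must keep the whole 256-byte block inside the unlocked region.
 * Subtraction form avoids the overflow that block_addr + DATA_BLOCK_SIZE could hit near 0xFFFFFFFF. */
bool data_block_allowed(const unlock_region_t *r, uint32_t block_addr) {
    return r->unlocked && block_addr >= r->start && block_addr <= r->end - DATA_BLOCK_SIZE;
}

/* Convenience: encode an Unlock from host-side values, then check one Data block address. */
bool unlock_then_data(uint32_t start, uint32_t size, uint32_t block_addr) {
    uint8_t payload[8];
    for (int i = 0; i < 4; i++) { payload[i] = (uint8_t)(start >> (8 * i)); payload[4 + i] = (uint8_t)(size >> (8 * i)); }
    unlock_region_t r;
    return unlock_validate(payload, &r) && data_block_allowed(&r, block_addr);
}

int main(void) {
    printf("last block of app region: %d\n", unlock_then_data(0x2000u, 0x4000u, 0x5F00u)); /* 1 */
    printf("start below bootloader end: %d\n", unlock_then_data(0x1000u, 0x4000u, 0x1000u)); /* 0 */
    printf("block past unlocked region: %d\n", unlock_then_data(0x2000u, 0x4000u, 0x6000u)); /* 0 */
    return 0;
}
```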
Device Configuration Command
The Device Configuration command sequence with corresponding responses is shown in the following figure.
- This command is enabled only when the Enable Fuse Programming feature is selected for the bootloader.
- The Device Configuration command is used to send the device configuration bits (Fuse Settings). The data size is the device configuration area start address (4 Bytes) plus the Device Configuration page size (256 Bytes), which is device-dependent.
- Device configuration start address should be the start of the device configuration area.
- Device configuration data should contain all the fuse settings applicable to the device. Partial Fuse bit programming is not supported.
- Attempting to write outside of the device configuration area results in an error, and the supplied data is discarded.
Verify Command
The Verify command sequence with corresponding responses is shown in the following figure.
- The Verify command is used to confirm the integrity of the transmitted and programmed image.
- On the host side, a signature over the application image is generated with the private key.
- On the client side, the data read back from the Flash memory after programming is used, together with the Public Key, to authenticate the signature of the received application image.
Reset Command
The Reset command sequence with corresponding responses is shown in the following figure.
- Reset command facilitates the transition from the bootloader to the execution of the application.
- The additional bytes in the packet exist only to satisfy the protocol's packet structure.
- This command is essential when the host has no direct control over the reset pin, and it remains useful even when the host does control the reset pin.
