11.3.1.1 Flash

The Flash is divided into a set of pages. A page is the smallest addressable unit when erasing the Flash. It is only possible to erase an entire page or multiple pages at a time. Writes can be done per byte or word. One page consists of 512 bytes.

The Flash can be divided into three sections, each consisting of a variable number of pages. These sections are:

Bootloader Code (BOOT) Section

The code placed in the BOOT section has full write access to the entire Flash except for the BOOT section itself. Bootloader software must be placed in this section if used.

Application Code (APPCODE) Section

The code placed in the Application Code section has limited write access and can only write to the Application Data Flash section. This section typically contains the executable application code.

Application Data (APPDATA) Section

The code placed in the Application Data section has no write access. This section typically contains the parameters.

Inter-Section Write Protection

For security reasons, writing to the Flash section where the code is currently executing is impossible. Code writing to the APPCODE section needs to be executed from the BOOT section, and the code writing to the APPDATA section needs to be executed from either the BOOT section or the APPCODE section.

Table 11-1. Write Protection for Self-Programming
Program Execution SectionSection Being AddressedProgramming AllowedCPU Halted
BOOTBOOTNo-
APPCODEYesYes
APPDATAYes
EEPROMNo
APPCODEBOOTNo-
APPCODE
APPDATAYesYes
EEPROMNo
APPDATABOOTNo-
APPCODE
APPDATA
EEPROM

Section Sizes

The sizes of these sections are set by the Boot Size (FUSE.BOOTSIZE) fuse and the Code Size (FUSE.CODESIZE) fuse. The fuses select the section sizes in blocks of 512 bytes. The BOOT section stretches from FLASHSTART to BOOTEND. The APPCODE section spreads from BOOTEND to APPEND. The remaining area is the APPDATA section.

Figure 11-2. Flash Sections Sizes and Locations

If FUSE.BOOTSIZE is written to ‘0’ Flash is regarded as the BOOT section. If FUSE.CODESIZE is written to ‘0’ and FUSE.BOOTSIZE > 0, the APPCODE section runs from BOOTEND to the end of Flash (no APPDATA section).

When FUSE.CODESIZE ≤ FUSE.BOOTSIZE, the APPCODE section is removed, and the APPDATA runs from BOOTEND to the end of Flash.
Table 11-2. Setting Up Flash Sections
BOOTSIZECODESIZEBOOT SectionAPPCODE SectionAPPDATA Section
0-0 to FLASHEND--
> 000 to BOOTENDBOOTEND to FLASHEND-
> 0 ≤ BOOTSIZE0 to BOOTEND-BOOTEND to FLASHEND
> 0> BOOTSIZE0 to BOOTENDBOOTEND to APPENDAPPEND to FLASHEND

By not employing bootloader software, the Flash capacity for the application code can be maximized by allocating the application code to the BOOT section, eliminating the need for a separate Application Code section and still allowing for an optional Application Data section.

Note:
  1. After Reset, the default vector table location is at the start of the APPCODE section. If code running in the BOOT section requires interrupts, the interrupt vector table can be moved to the beginning of the BOOT section. An example is a bootloader that uses interrupts while updating the main code in the Application Code section, done by setting the Interrupt Vector Select (IVSEL) bit in the CPUINT.CTRLA register. Refer to the CPUINT - CPU Interrupt Controller section for details.
  2. If BOOTEND/APPEND, as result of the BOOTSIZE/CODESIZE fuse setting exceeding the device FLASHEND, the corresponding fuse setting is ignored, and the default value is used. Refer to FUSE - Configuration and User Fuses in the Memories section for default values.

Size of Flash Sections

If FUSE.BOOTSIZE is written to 0x04 and FUSE.CODESIZE to 0x08, the first 4*512 bytes will be BOOT, the next 4*512 bytes will be APPCODE, and the remaining Flash will be APPDATA.

Flash Protection

In addition to the inter-section write protection, the NVMCTRL provides a security mechanism to avoid unwanted access to the Flash memory sections. Even if the CPU can never write to the BOOT section, a Boot Section Read Protection (BOOTRP) bit in the Control B (NVMCTRL.CTRLB) register is provided to prevent the read and execution of code from the BOOT section. This bit can be set only from the code executed in the BOOT section and has effect only when leaving the BOOT section.

Two other write protection bits (APPCODEWP and APPDATAWP) exist in the NVMCTRL.CTRLB register that can be set to prevent further updates of the respective Application Code and Application Data sections.

Attempting to read a protected memory area with insufficient privileges shall cause the Flash controller to return a no-operation (NOP) status and cause a bus error. Examples of such illegal reads can be:
  1. Reading BOOT from APPCODE when BOOTRP is set.
  2. Jumping to BOOT from APPCODE and attempting to fetch an instruction from BOOT.