Skip to main content
B
BLeon.2
Visitor II
September 25, 2021
Question

STM32H723 embedded bootloader command GO fail

  • September 25, 2021
  • 7 replies
  • 3666 views

 I use STM32H723VET6. Bootloader ver 9.2. When I can send command GO at FDCAN (PD1, PD0), I receive ACK(0x79), but after that MCU is fail.

My function:

void BootCanGo(uint8_t* answer)

{

           uint32_t Delayer = 0x8FFFFF;

           uint8_t SendedData[4];

           

           CanTxHeader.Identifier = BOOT_CAN_COMMAND_GO;

           SendedData[0] = 0x08;

           SendedData[1] = 0x00;

           SendedData[2] = 0x00;

           SendedData[3] = 0x00;

           /* Start the Transmission process */

           CanTxHeader.DataLength = FDCAN_DLC_BYTES_4;

           HAL_FDCAN_AddMessageToTxFifoQ(&hfdcan, &CanTxHeader, SendedData);

           

           while ((HAL_FDCAN_GetRxFifoFillLevel(&hfdcan, FDCAN_RX_FIFO0) < 1) && --Delayer) {};

           

           HAL_FDCAN_GetRxMessage(&hfdcan, FDCAN_RX_FIFO0, &CanRxHeader, CanRxData);

           *answer = CanRxData[0];

}

Write memory and Erase memory commands run correct. A program in flash memory mode (BOOT0 pin LOW) run correct. There are no limitations in AN2606:

0693W00000FAPgWQAX.jpgI tried to run the debugger on the STM32H723 (device side). I stop the program, and after the command GO I start it again in step mode. After of several steps disconnection occurs:

0693W00000FAQMNQA5.jpgFlash in STM32H723:

0693W00000FAPgbQAH.jpgWhat am I doing wrong?

    This topic has been closed for replies.

    7 replies

    I
    Imen.D
    Technical Moderator
    October 1, 2021

    Hello @BLeon.2​ ,and welcome to the Community,

    Make sure to properly configure the vector table.

    Do you use/enable interrupts? Did you try with BOOT0 in high?

    Imen

    T
    Tesla DeLorean
    Graduate II
    October 1, 2021

    Vector Tables, Watchdog, Stacks, Interrupts, expectations.

    Have code very early in Reset_Handler (in assembler) assert/toggle GPIO or tweet/squawk via UART. Confirm it's entering your code, and then check-point from there on out..

    Have HardFault_Handler() and Error_Handler() that report actionable data, not die silently.

    B
    BLeon.2Author
    Visitor II
    October 1, 2021

    The address of the entry to the main() does not appear in the PC register. Failure occurs in system memory. I checked the VTOR register through CubeProgrammer (0xE000ED08), turned on disable interrupts in main program, nothing helped.

    T
    Tesla DeLorean
    Graduate II
    October 1, 2021

    main() is significant down-stream from the Reset_Handler, SystemInit, and initialization of statics, etc.

    Start at the point that transfer of control occurs, figure out who's dying. If the ROM's handed-off to you, it's role is over.

    B
    BLeon.2Author
    Visitor II
    October 1, 2021

    Above in the line of the disambler:

    -> 0x1FF1274E F7FFF9B4 BL.W 0x1FF11ABA

    there is a write the address of the next instruction to LR: 0x1FF1ABA, which does not exist.

    T
    Tesla DeLorean
    Graduate II
    October 1, 2021

    I think you're wrong on the details/interpretation, suggest you save a copy of the Loader ROM, and send/attach that here.

    B
    BLeon.2Author
    Visitor II
    October 1, 2021

    I read System memory (0x1FF00000 - 0x1FF1FFFF) in this .bin file. I couldnt load .bin and added .hex permission.

    AN2606, Table 77:

    59 Kbyte starting from address 0x1FF00000, contain the bootloader firmware.

    T
    Tesla DeLorean
    Graduate II
    October 1, 2021
    1FF11ABA SUB16 sub_1FF11ABA: ; Xref 1FF1274E
1FF11ABA E92D 4FF8 stmdb sp!, {r3, r4, r5, r6, r7, r8, r9, r10, r11, lr}
1FF11ABE 2000 movs r0, #0
1FF11AC0 F8DF 446C ldr.w r4, [pc, #1132] ; $1FF11F30=$24002D04
1FF11AC4 9000 str r0, [sp, #0]
1FF11AC6 F20F 4874 addw r8, pc, #1140 ; $474
1FF11ACA F88D 0000 strb.w r0, [sp]
1FF11ACE F44F 3900 mov.w r9, #131072 ; $20000
1FF11AD2 F8DF 7460 ldr.w r7, [pc, #1120] ; $1FF11F34=$24002904
1FF11AD6 F44F 3580 mov.w r5, #65536 ; $10000
1FF11ADA F8DF 6450 ldr.w r6, [pc, #1104] ; $1FF11F2C=$24001868
1FF11ADE F8DF A444 ldr.w r10, [pc, #1092] ; $1FF11F24=$240035A0
1FF11AE2 E016 b.n loc_1FF11B12
1FF11AE4 LOC loc_1FF11AE4: ; Xref 1FF11B50
1FF11AE4 6030 str r0, [r6, #0]
1FF11AE6 2079 movs r0, #121
1FF11AE8 60F5 str r5, [r6, #12]
1FF11AEA 463A mov r2, r7
1FF11AEC 7038 strb r0, [r7, #0]
1FF11AEE 4631 mov r1, r6
1FF11AF0 4650 mov r0, r10
1FF11AF2 F7FF FD2A bl sub_1FF1154A
1FF11AF6 60F5 str r5, [r6, #12]
1FF11AF8 2010 movs r0, #16
1FF11AFA F000 F8C1 bl sub_1FF11C80
1FF11AFE F8C6 900C str.w r9, [r6, #12]
1FF11B02 2000 movs r0, #0
1FF11B04 8038 strh r0, [r7, #0]
1FF11B06 LOC loc_1FF11B06: ; Xref 1FF11BC2
1FF11B06 F000 F8BC bl sub_1FF11C82
1FF11B0A 60F5 str r5, [r6, #12]
1FF11B0C 2079 movs r0, #121
1FF11B0E LOC loc_1FF11B0E: ; Xref 1FF11BFA 1FF11C7E
1FF11B0E F000 F8B7 bl sub_1FF11C80
1FF11B12 LOC loc_1FF11B12: ; Xref 1FF11AE2 1FF11B1C 1FF11B86 1FF11BC8
1FF11B12 ; 1FF11BF4 1FF11C00 1FF11C06 1FF11C28
1FF11B12 2140 movs r1, #64
1FF11B14 4650 mov r0, r10
..
    1FF12734 LOC loc_1FF12734: ; Xref 1FF12734 1FF12740 1FF12746 1FF1274C
1FF12734 ; 1FF12752
1FF12734 E7FE b.n loc_1FF12734
1FF12736 LOC loc_1FF12736: ; Xref 1FF12724
1FF12736 F8DF 1588 ldr.w r1, [pc, #1416] ; $1FF12CC0=$240037B8
1FF1273A 6008 str r0, [r1, #0]
1FF1273C F7FA FD9D bl sub_1FF0D27A
1FF12740 E7F8 b.n loc_1FF12734
1FF12742 LOC loc_1FF12742: ; Xref 1FF12728
1FF12742 F7FD FFB4 bl sub_1FF106AE
1FF12746 E7F5 b.n loc_1FF12734
1FF12748 LOC loc_1FF12748: ; Xref 1FF12720
1FF12748 F7FF FF96 bl sub_1FF12678
1FF1274C E7F2 b.n loc_1FF12734
1FF1274E LOC loc_1FF1274E: ; Xref 1FF1272C
1FF1274E F7FF F9B4 bl sub_1FF11ABA
1FF12752 E7EF b.n loc_1FF12734
1FF12754 LOC loc_1FF12754: ; Xref 1FF1272E
1FF12754 F3BF 8F4F dsb sy
1FF12758 F8DF 1568 ldr.w r1, [pc, #1384] ; $1FF12CC4=$E000ED0C
1FF1275C F8DF 0568 ldr.w r0, [pc, #1384] ; $1FF12CC8=$05FA0004
1FF12760 680A ldr r2, [r1, #0]
1FF12762 F402 62E0 and.w r2, r2, #1792 ; $700
1FF12766 4302 orrs r2, r0
1FF12768 600A str r2, [r1, #0]
1FF1276A F3BF 8F4F dsb sy
1FF1276E LOC loc_1FF1276E: ; Xref 1FF12770
1FF1276E BF00 nop
1FF12770 E7FD b.n loc_1FF1276E
...

    B
    BLeon.2Author
    Visitor II
    October 2, 2021

    Ok.

    My knowledge of assembler is not deep.

    After reset:

    0x1FF11AB2 E8BD4070 POP {r4-r6,lr}
0x1FF11AB6 F7FFBD38 B.W 0x1FF1152A
0x1FF11ABA E92D4FF8 PUSH {r3-r11,lr}
0x1FF11ABE 2000 MOVS r0,#0x00
0x1FF11AC0 F8DF446C LDR.W r4,[pc,#1132] ; @0x1FF11F30

    During the execution of the program, I have the following register values:

    0x1FF11AB1 BD46 POP {r1-r2,r6,pc}
0x1FF11AB3 70E8 STRB r0,[r5,#0x03]
0x1FF11AB5 FF4038F7 DCD 0x38F7FF40
0x1FF11AB9 2DBD CMP r5,#0xBD
0x1FF11ABB F8E9004F STR r0,[r9,#0x4F]
0x1FF11ABF DF20 SVC 0x20
0x1FF11AC1 6CF8 LDR r0,[r7,#0x4C]
    0x1FF12748 F7FFFF96 BL.W 0x1FF12678
0x1FF1274C E7F2 B 0x1FF12734
0x1FF1274E F7FFF9B4 BL.W 0x1FF11ABA
0x1FF12752 E7EF B 0x1FF12734

    T
    Tesla DeLorean
    Graduate II
    October 2, 2021

    But does it get to your Reset_Handler?

    Do you get an ACK related to the GO command?

    Trying to determine

    a) If it accepts the GO command, and enters your code

    b) Does not accept the GO command

    B
    BLeon.2Author
    Visitor II
    October 3, 2021

    I get an ACK related to the GO command with correct address. If I send a wrong address, I get NACK. In all cases when I receive ACK (for different addresses in the GO command, for example 0x08000000, 0x08000004, ...) a MCU failure occurs.

    But the System Memory change happens before the command GO is sent.

    B
    BLeon.2Author
    Visitor II
    October 3, 2021

    I tried the GO command on STM32H743zi via uart. Сonsidering the limitations described in AN2606, the command operates as described in AN3155. I tried to apply these limitations to H723, but to no avail.

    Terms & ConditionsAccessibility statement