Mitsubishi Motors DS5000TK User Manual


USER’S GUIDE

050396 66/173


Timed Access provides statistical protection. It is
unlikely that randomly generated states will correctly
match the sequence and timing required to bypass the
Timed Access logic. Presented below is a brief
justification for each bit that is protected by Timed
Access.

The EWT bit is protected to prevent errant software from
disabling the Watchdog Timer. The Watchdog is one of
the important mechanisms that assure correct operation
and should not be turned off accidentally. RWT is
the bit that software uses to restart the Watchdog
time-out. The Secure Microcontroller makes this more
difficult by protecting the bit with Timed Access. Thus
software must “really” intend to reset the time-out in
order to do so. Note that the Watchdog Timer is disabled
in Stop mode. Critical applications which rely on the
Watchdog Timer should exercise caution if the
application will utilize Stop mode.

POR informs the software of the power supply condition.
Specifically, it means the power has previously
dropped below the VCCMIN level and returned to normal.
In many systems, this is a unique condition that
requires interaction with external hardware. Protecting
this bit with a Timed Access procedure prevents the
micro from accidentally performing a power on reset
procedure.

On a DS5000 series device, the PAA bit allows software
to alter the Partition. If this is done accidentally, the
resulting configuration could be unrecoverable without
human intervention. This could mean selecting a
Partition that is outside of the user’s plan and that
causes the system to fail. In a like manner, the PA3–0
bits on a DS5001 series device are protected through
Timed Access. As the DS5001 does not have a PAA bit, the
Partition control bits are directly protected. The
motivation for protecting the AE bit is similar. This bit
invokes a Partitionable configuration where one had not
been selected during Bootstrap loading. While there are
several valid reasons to select AE, accidentally selecting
this condition might be unrecoverable without manual
intervention.

Note that the Timed Access logic protects against the
possibility of a single inadvertent write modifying a
critical control bit. It does not protect against
inadvertently entering a section of code that contains
the correct sequence to modify a protected bit. However,
the statistical protection does greatly improve the
system’s resilience to a crash.

Watchdog Timer

The on-chip Watchdog Timer provides a method of
restoring proper operation during transients that cause
the loss of controlled execution of software. When the
Watchdog Timer is enabled, it will eventually reach a
timeout condition after 122,800 machine cycles unless it
is reset by the application software. An internal reset to
the CPU will be generated if the timeout condition is ever
reached. Software which utilizes the Watchdog Timer
must periodically reset the timer with the RWT bit so
that the timeout is never reached during normal
operation. The reset operation(s) should be inserted at
critical check points in the program. The Watchdog Timer
will monitor program execution to ensure that these check
points are reached, indicating proper operation. If
controlled execution of the software is lost so that these
check points are not encountered within the timeout
period, then the Watchdog Timer will provide an automatic
reset. A block diagram of the Watchdog Timer is shown in
Figure 8–2.

The Special Function Register bits that are used to
control the Watchdog include the Enable Watchdog Timer
bit (EWT; PCON.2), the Reset Watchdog Timer bit
(RWT; IP.7), and the Watchdog Timer Reset status flag
(WTR; PCON.4). The Watchdog Timer incorporates a
free-running counter that starts counting as soon as the
clock oscillator begins operation following a Power On
Reset. If a 12 MHz crystal is used as the time base
element, this gives a timeout period of 122.88 ms. The
Watchdog Timer Reset function is enabled with a Timed
Access write operation which sets the EWT bit to a 1. A
Watchdog Timer Reset will then occur the next time that
the free-running counter reaches its timeout condition.

Regardless of whether the Watchdog Timer will be
used, it should be initialized after each reset. If the
Watchdog Timer is desired, then the first step is to reset
the timer count. This is necessary since the timer is free
running and may be about to time-out. Set the RWT bit
to a logic 1 using a Timed Access procedure. This will
restart the timer with the full interval. Then enable the
Watchdog Timer reset function by setting the EWT bit to
a logic 1, again with a Timed Access procedure. Note
that the EWT bit only controls whether the reset is
issued, not whether the timer runs. The Watchdog Timer
must now be reset prior to 122,800 machine cycles or it
will reset the CPU. If the Watchdog Timer is not used,
then clear the EWT bit to a logic 0 using a Timed Access
procedure. Since the EWT bit is nonvolatile, this makes
certain that the Watchdog reset function remains
disabled.
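
The initialization order described above, together with the Timed Access gating of RWT and EWT, as a host-side C model added here (not code from the manual). The `ta_unlock` helper stands in for the Timed Access sequence, which this section does not spell out, and the `TA_WINDOW` length is an assumed value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WDT_TIMEOUT 122800UL /* machine cycles, as quoted in the text */
#define TA_WINDOW   4        /* assumed window length; not given on this page */

typedef struct {
    uint32_t count;  /* free-running counter; runs whether or not EWT is set */
    bool ewt;        /* enables the reset only, not the counter */
    int ta_open;     /* machine cycles left in the Timed Access window */
    unsigned resets; /* watchdog resets issued so far */
} mcu_t;
/* Advance n machine cycles; a timeout resets the CPU only when EWT = 1. */
static void run(mcu_t *m, uint32_t n) {
    while (n--) {
        if (m->ta_open > 0) m->ta_open--;
        if (++m->count >= WDT_TIMEOUT) { m->count = 0; m->resets += m->ewt; }
    }
}
/* Hypothetical stand-in for the Timed Access sequence: opens the window. */
static void ta_unlock(mcu_t *m) { m->ta_open = TA_WINDOW; }
/* A protected write lands only in an open window (modelled as closing it). */
static bool ta_take(mcu_t *m) { bool ok = m->ta_open > 0; m->ta_open = 0; return ok; }
static bool set_rwt(mcu_t *m) { if (!ta_take(m)) return false; m->count = 0; return true; }
static bool write_ewt(mcu_t *m, bool v) { if (!ta_take(m)) return false; m->ewt = v; return true; }

/* Cycles from init to the first watchdog reset when software never services it. */
uint32_t cycles_to_reset(uint32_t since_power_on, bool restart_first) {
    mcu_t m = {0};
    run(&m, since_power_on);                            /* counter ran since power-on */
    if (restart_first) { ta_unlock(&m); set_rwt(&m); }  /* first step in the text */
    ta_unlock(&m); write_ewt(&m, true);                 /* then enable the reset */
    uint32_t n = 0;
    while (m.resets == 0) { run(&m, 1); n++; }
    return n;
}
/* A single errant write to EWT, with no Timed Access sequence before it. */
bool stray_write_clears_ewt(void) {
    mcu_t m = {0};
    ta_unlock(&m); write_ewt(&m, true);
    run(&m, TA_WINDOW);                                 /* time passes, no window open */
    write_ewt(&m, false);                               /* ignored by the model */
    return !m.ewt;
}
int main(void) {
    printf("EWT only: reset after %lu cycles\n", (unsigned long)cycles_to_reset(122000, false));
    printf("RWT then EWT: reset after %lu cycles\n", (unsigned long)cycles_to_reset(122000, true));
    return 0;
}
```

With the counter already 122,000 cycles into its run, enabling EWT alone leaves only the remainder of the interval before a reset, while restarting through RWT first gives the full interval.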
