UG0451 User Guide Revision 7.0
9 Programming Recovery
Programming recovery, if enabled, allows the device to automatically recover from a power failure during
a programming operation. Programming recovery requires an external SPI flash to be connected to
SPI_0 within the MSS/HPMS.
Programming recovery is supported for MSS ISP and IAP and is not intended for recovery from the
following events:
• SPI flash error
• Authentication error of programming bitstream
• Loss of communications link during ISP
If the communications link is lost during programming, the system controller does not time out but
keeps waiting for more data indefinitely. In this case, the communications link must be reestablished.
Programming recovery details:
• If power fails, recovery occurs during power-up, when neither the FPGA fabric nor the Cortex-M3
processor is active.
• After the recovery is successful, the device is enabled automatically.
• If recovery fails, the device needs to be powered up again.
• If the golden image is corrupted, recovery occurs each time the device reboots, but eventually it
fails and the device goes to the idle state.
Programming recovery is not supported in M2S/M2GL050 devices.
9.1 Programming Recovery Implementation
Programming recovery works through the MSS/HPMS SPI_0 port. An external SPI flash device needs to
be programmed with the golden image and the corresponding SPI directory and connected to the SPI_0
port.
Note: Four SPI slave select pins of the SPI_0 interface (SS4, SS5, SS6, and SS7) drive high during
programming (except on 005 and 010 devices). The remaining SPI_0 pins are tristated with a weak pull-up.
Because these four pins drive high during programming, they must not be used as control pins. The I/O
level and drive strength are based on the previous settings programmed into the device.
To enable programming recovery, SmartFusion2 and IGLOO2 devices must be programmed during the
manufacturing flow with the programming recovery settings configured in Libero SoC, as shown in the
following figure. The required security settings are also programmed at that time. After the recovery
settings are programmed, they must not be changed or modified during remote updates. Remotely updating
the security or recovery settings in the field poses a risk: if power fails in the middle of the update,
the recovery settings might get corrupted, and if they are corrupted, recovery does not take place when
power comes back. For more information, see the Libero SoC User Guide.
For implementation details, see the following documents:
• Implementing Auto Update and Programming Recovery Features Using Ethernet Interface for
SmartFusion2 Devices Demo Guide
• Implementing Programming Recovery and In-Application Programming Features Using Ethernet
Interface for SmartFusion2 Devices Demo Guide