# Section 23. CodeGuard<sup>TM</sup> Security ## **HIGHLIGHTS** This section of the manual contains the following major topics: | 23.1 | Code Protection Overview | 23-2 | |-------|--------------------------------------------------------------|-------| | 23.2 | Device Specific Code Protection Features | 23-3 | | 23.3 | Program Memory Organization | 23-4 | | 23.4 | Data RAM Organization | 23-5 | | 23.5 | Control Registers | 23-5 | | 23.6 | The Boot Segment (BS) | 23-6 | | 23.7 | The Secure Segment (SS) | 23-19 | | 23.8 | The General Segment (GS) | 23-24 | | 23.9 | Reset, Trap and Interrupt Service Routine (ISR) Vector Space | 23-27 | | 23.10 | Definition of Security Privileges | 23-27 | | 23.11 | Rules Concerning Program Flow | 23-29 | | | Rules Concerning Interrupts | | | 23.13 | Rules for Accessing RAM Data | 23-33 | | 23.14 | Security Features and Device Operational Mode | 23-34 | | 23.15 | Typical Procedures for Boot Loading a Device | 23-35 | | 23.16 | Typical Installation of Third-Party Protected Algorithm | 23-36 | | 23.17 | Related Documents | 23-37 | | 23.18 | Revision History | 23-38 | | | | | #### Note: This family reference manual section is meant to serve as a complement to device data sheets. Depending on the device variant, this manual section may not apply to all dsPIC33F/PIC24H devices. Please consult the note at the beginning of the "Special Features" chapter in the current device data sheet to check whether this document supports the device you are using. Device data sheets and family reference manual sections are available for download from the Microchip Worldwide Web site at: http://www.microchip.com #### 23.1 CODE PROTECTION OVERVIEW Microchip's CodeGuard™ Security enables multiple parties to securely share resources (memory, interrupts and peripherals) on a single chip. Intellectual Property (IP) vendors, Original Design/Original Equipment Manufacturers (ODM/OEM) and Value-Added Resellers (VAR) now have an opportunity to reap the following benefits using these on-chip code protection features: - · System cost reduction - · Component reduction and associated benefits to inventory management - · Decreased risk of losing IP to unqualified partners - · Increased security during code distribution and Flash memory update The on-chip program Flash memory in a dsPIC33F/PIC24H device can be organized into three code space segments. Each of these segments has an implied security privilege level and system function: - The Boot Segment (BS) has the highest security privilege level. It has greater access to the other segments. The Boot Segment is intended for secure boot loader and device update functions. - The Secure Segment (SS) is the next highest security privilege. This segment is designed for storing proprietary algorithms from algorithm vendors. - The General Segment (GS) has the lowest security privilege. This segment is designed for the end user system code. Segments of user data RAM space of the device can be allocated as secure RAM, which are directly associated with the Boot or Secure segments. Any operation of the system that potentially allows exposure of the code or data contents is restricted, based on the segment from which the operation originated, or the segment to which the operation targets. Restricted operations include: - Programming, Erase or Verify Operations - · Reads or Writes of Code Space - · Reads or Writes of Protected Data Space - Code Flow Change into a Secure Segment from outside the segment - · Interrupt Vectors into a Secure Segment Configuration bits are provided to enable access to the Secure Segments and their parameters. These bits allow configuration of both the sizes and restrictions of the program Flash memory, and RAM segments. ## 23.2 DEVICE SPECIFIC CODE PROTECTION FEATURES Two different subsets of CodeGuard Security features are available on dsPIC33F/PIC24H devices. On devices with smaller memory sizes, program memory can be allocated to Boot Segment and General Segment; however, there is no Secure Segment and no Data RAM protection. On larger memory devices, memory can be allocated to Boot Segment, Secure Segment and General Segment code space. On these larger memory devices, Data RAM can be allocated to Boot Segment and Secure Segment. Table 23-1 shows the code protection features that are available. Refer to the "Special Features" chapter in the specific device data sheet to correlate these features with specific devices or product families. Table 23-1: Code Protection Features | Feature | Smaller Memory<br>Devices | Larger Memory<br>Devices | |---------------------------------------------|---------------------------|--------------------------| | Assign Code Space as Boot Segment | Yes | Yes | | Assign Code Space as Secure Segment | _ | Yes | | Assign Code Space as General Segment | Yes | Yes | | Assign Data RAM to Boot and Secure Segments | _ | Yes | #### 23.3 PROGRAM MEMORY ORGANIZATION The total user program memory can be allocated into one of the three segments. The size of these different segments is determined by Configuration bits. The relative location of the segments does not change, such that a Boot Segment, if present, occupies the memory area just after the device interrupt vector space. The Secure Segment, if present, occupies the space just after the Boot Segment, and the General Segment occupies the space just after the Secure Segment, as shown in Figure 23-1. 0x000000 Reset/Interrupt Vector Space (VS) Boot Segment space immediately Boot Segment Access Area follows the Reset/Interrupt Vector Space Boot Segment (BS) Secure Segment space immediately Secure Segment Access Area follows the Boot Segment Secure Segment (SS) General Segment space immediately follows the Secure Segment General Segment (GS) Max Internal User Memory Size Unimplemented Memory Space 0x7FFFFE Figure 23-1: Program Memory Organization from Segment and Privilege Perspective ## 23.4 DATA RAM ORGANIZATION Data RAM memory can also be allocated into code protection segments: Boot, Secure and General. Segment size is primarily specified by Configuration bits. The relative locations of the segments do not change, meaning that a Boot Segment RAM area occupies the memory region at the end of the non-DMA RAM, the Secure Segment RAM occupies the area just before the Boot Segment and the General Segment RAM occupies the remainder of the data RAM space, as shown in Figure 23-2. **Note:** DMA RAM is not present on all dsPIC33F/PIC24H devices. For DMA RAM availability and sizes, refer to the "**Memory Organization**" chapter in the specific device data sheet. Figure 23-2: DATA RAM Organization from Segment Perspective ## 23.5 CONTROL REGISTERS Several Configuration and Special Function Registers (SFRs) control the security functions. On basic and intermediate security implementations, some of these registers do not exist. The key registers for supporting the code security features are: - FBS: Boot Segment Configuration Register Byte - BSRAM: Boot Segment RAM Special Function Register - FSS: Secure Segment Configuration Register Byte - SSRAM: Secure Segment RAM Special Function Register - FGS: General Segment Configuration Register - INTTREG: Interrupt Vector and Priority Status Special Function Register #### 23.6 THE BOOT SEGMENT (BS) The Boot Segment has the highest privilege. The Boot Segment can be small, allowing a simple and secure boot loader, or it can be large, enabling it to hold a more sophisticated secure operating system. The Boot Segment can also rewrite its own locations, enabling it to store and update data such as "encryption keys". #### 23.6.1 **Allocating the Boot Segment** The existence and size of the Boot Segment are determined by Configuration bits BSS<2:0> (FBS<3:1>). The default option, on an erased non-programmed device, is to exclude the Boot Segment. When implemented, the Boot Segment begins at the end of the interrupt vector space and continues to an address specified by the BSS<2:0> bits. 0x000000 Reset/Interrupt Vector Space (VS) Boot Segment space immediately Boot Segment Access Area follows the Reset/Interrupt Vector Space and continues to an address specified by BSS<2:0>. Boot Segment (BS) Secure Segment Access Area Secure Segment (SS) General Segment (GS) Max Internal User Memory Size Unimplemented Memory Space 0x7FFFFE Figure 23-3: **Boot Segment Memory Allocation** #### **BOOT SEGMENT SIZE OPTIONS** 23.6.1.1 Table 23-2 provides an example of Boot Segment size options (in this case, for devices with 64 KB flash memory). The start and end program memory addresses listed are typical. For specific program memory addresses for a given device, refer to the "Memory Organization" chapter in the specific device data sheet. | Table 23-2: | Boot Segment Size Exai | npie | |-------------|------------------------|------| | | | | | BSS2:BSS0 | Security Level | BS Size | BS Start Address | BS End Address | |-----------|----------------|----------------|------------------|----------------| | x11 | | No Boot Progra | am Flash Segment | | | 110 | Standard | Small | 0x000200 | 0x0007FE | | 010 | High | Small | 0x000200 | 0x0007FE | | 101 | Standard | Medium | 0x000200 | 0x001FFE | | 001 | High | Medium | 0x000200 | 0x001FFE | | 100 | Standard | Large | 0x000200 | 0x003FFE | | 000 | High | Large | 0x000200 | 0x003FFE | #### Register 23-1: FBS: Boot Segment Configuration Register Byte Lower Third Byte: | R/P | R/P | r | r | R/P | R/P | R/P | R/P | |-------|---------------------|---|---|-------------------------|-----|---------------------|-----| | RBS< | 1:0> <sup>(1)</sup> | _ | _ | BSS<2:0> <sup>(2)</sup> | | BWRP <sup>(3)</sup> | | | bit 7 | | | | | | bit 0 | | | Legend: | r = Reserved | P = Programmable I | bit | |-------------------|------------------|-----------------------|--------------------| | R = Readable bit | W = Writable bit | U = Unimplemented bit | t, read as '0' | | -n = Value at POR | '1' = Bit is set | '0' = Bit is cleared | x = Bit is unknown | bit 7-6 RBS<1:0>: Boot Segment RAM Code Protection bits<sup>(1)</sup> 11 = No Boot RAM defined 10 = Boot RAM is 128 bytes 01 = Boot RAM is 256 bytes 00 = Boot RAM is 1024 bytes bit 5-4 Reserved: Do not use. Programming values will have no effect bit 3-1 BSS<2:0>: Boot Segment Program Flash Code Protection bits<sup>(2)</sup> x11 = No Boot program Flash segment 110 = Standard security, Small Boot Segment 010 = High security, Small Boot Segment 101 = Standard security, Medium Boot Segment 001 = High security, Medium Boot Segment 100 = Standard security, Large Boot Segment 000 = High security, Large Boot Segment bit 0 BWRP: Boot Segment Program Flash Write Protection bit<sup>(3)</sup> 1 = Boot segment can be written0 = Boot segment is write-protected **Note 1:** Not all devices have Boot Segment RAM code protection. Refer to Table 23-3, Table 23-4 and Table 23-5, for device specific information. - 2: The exact definitions of Small, Medium and Large Boot Segment vary from one device to another. Refer to Table 23-6, Table 23-7 and Table 23-8, for device specific information. - 3: If a Boot Segment is not needed, the BWRP bit must be programmed as a '1'. © 2007-2012 Microchip Technology Inc. Table 23-3: Data RAM Segment Sizes for Devices with 30 KB RAM | Configuration Bits | RBS<1:0> = 11<br>OR<br>RBS<1:0> = 10 AND RL_BSR = 1 | RBS<1:0> = 10 AND RL_BSR = 0<br>OR<br>RBS<1:0> = 01 AND RL_BSR = 1 | RBS<1:0> = 01 AND RL_BSR = 0<br>OR<br>RBS<1:0> = 00 AND RL_BSR = 1 | RBS<1:0> = 00 AND RL_BSR = 0 | |--------------------------------------------------------------------|-----------------------------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------|-------------------------------| | RSS<1:0> = 11 | GS RAM = 28672 0x0800 | GS RAM = 28544 0x0800 | GS RAM = 28416 0x0800 | GS RAM = 27648 0x0800 | | OR<br>RSS<1:0> = 10 AND RL_SSR = 1 | | | BS RAM = 256 0x7700 | BS RAM = 1024 0x7400 | | | 0x77FF | BS RAM = 128 0x7780 0x77FF | 0x77FF | 0x77FF | | | GS RAM = 28416 0x0800 | GS RAM = 28416 0x0800 | GS RAM = 28416 0x0800 | GS RAM = 27648 0x0800 | | RSS<1:0> = 10 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 01 AND RL_SSR = 1 | | SS RAM = 128 0x7700 | BS RAM = 256 0x7700 | BS RAM = 1024 0x7400 | | | 0x77FF | BS RAM = 128 | 0x77FF | 0x77FF | | | GS RAM = 26624 0x0800 | GS RAM = 26624 0x0800 | GS RAM = 26624 0x0800 | GS RAM = 26624 0x0800 | | RSS<1:0> = 01 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 00 AND RL_SSR = 1 | SS RAM = 2048 0X7000 | SS RAM = 1920 0x7000 | SS RAM = 1792 0x7000 | SS RAM = 1024 0x7000 0x7400 | | | 0x77FF | BS RAM = 128 0x7780 0x77FF | BS RAM = 256 0x7700 0x77FF | 0x77FF | | | GS RAM = 24576<br>SS RAM = 4096 0x6800 | GS RAM = 24576<br>SS RAM = 3968 0x6800 | GS RAM = 24576 | GS RAM = 24576 0x0800 0x6800 | | RSS<1:0> = 00 AND RL_SSR = 0 | | | 0.770 | SS RAM = 3072 | | | 0x77FF | BS RAM = 128 0x7780 0x77FF | BS RAM = 256 0x7700 0x77FF | BS RAM = 1024 0x7400 0x77FF | OR = Logical OR, AND = Logical AND Legend: If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is Note: disabled. Table 23-4: Data RAM Segment Sizes for Devices with 16 KB RAM | Configuration Bits | RBS<1:0> = 11<br>OR | RBS<1:0> = 10 AND RL_BSR = 0<br>OR | RBS<1:0> = 01 AND RL_BSR = 0<br>OR | RBS<1:0> = 00 AND RL_BSR = 0 | |--------------------------------------------------------------------|------------------------------|-----------------------------------------------|-----------------------------------------------|---------------------------------------------| | | RBS<1:0> = 10 AND RL_BSR = 1 | RBS<1:0> = 01 AND RL_BSR = 1 | RBS<1:0> = 00 AND RL_BSR = 1 | | | RSS<1:0> = 11 | GS RAM = 14336 0x0800 | GS RAM = 14208 0x0800 | GS RAM = 14080 0x0800 | GS RAM = 13312 0x0800 | | OR<br>RSS<1:0> = 10 AND RL_SSR = 1 | | | BS RAM = 256 0x3F00 | BS RAM = 1024 0x3C00 | | | 0x3FFF | BS RAM = 128 | 0x3FFF | 0x3FFF | | | GS RAM = 14080 0x0800 | GS RAM = 14080 0x0800 | GS RAM = 14080 0x0800 | GS RAM = 13312 0x0800 | | RSS<1:0> = 10 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 01 AND RL_SSR = 1 | | | | BS RAM = 1024 0x3C00 | | | SS RAM = 256 0x3F00 0x3FFF | SS RAM = 128 | BS RAM = 256 0x3FF0 | 0x3FFF | | | GS RAM = 12288 0x0800 | GS RAM = 12288 0x0800 | GS RAM = 12288 0x0800 | GS RAM = 12288 0x0800 | | RSS<1:0> = 01 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 00 AND RL SSR = 1 | SS RAM = 2048 0x3800 | SS RAM = 1920 0x3800 | SS RAM = 1792 0x3800 | SS RAM = 1024 BS RAM = 1024 0x3800 0x3C00 | | | | BS RAM = 128 0x3F80 | BS RAM = 256 0x3F00 | | | | 0x3FFF | 0x3FFF | 0x3FFF | 0x3FFF | | | GS RAM = 10240 0x0800 0x3000 | GS RAM = 10240 0x0800<br>SS RAM = 3968 0x3000 | GS RAM = 10240 0x0800<br>SS RAM = 3840 0x3000 | GS RAM = 10240 0x0800 | | RSS<1:0> = 00 AND RL_SSR = 0 | | | | SS RAM = 3072 0x3000 | | | | 0x3F80 | BS RAM = 256 0x3F00 | BS RAM = 1024 0x3C00 | | Legend: OR = Logical OR AND | 0x3FFF | BS RAM = 128 0x3FF6 0x3FFF | 0x3FFF | 0x3FFF | OR = Logical OR, AND = Logical AND Legend: If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is Note: disabled. Section 23. CodeGuard™ Security Table 23-5: Data RAM Segment Sizes for Devices with 8 KB RAM | Configuration Bits | RBS<1:0> = 11<br>OR<br>RBS<1:0> = 10 AND RL_BSR = 1 | RBS<1:0> = 10 AND RL_BSR = 0<br>OR<br>RBS<1:0> = 01 AND RL_BSR = 1 | RBS<1:0> = 01 AND RL_BSR = 0<br>OR<br>RBS<1:0> = 00 AND RL_BSR = 1 | RBS<1:0> = 00 AND RL_BSR = 0 | |--------------------------------------------------------------------|-----------------------------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------------|------------------------------| | RSS<1:0> = 11 | GS RAM = 6144 0x0800 | GS RAM = 6016 0x0800 | GS RAM = 5888 0x0800 | GS RAM = 5120 0x0800 | | OR<br>RSS<1:0> = 10 AND RL_SSR = 1 | | | 0x1F00 | BS RAM = 1024 0x1C00 | | | 0x1FFF | BS RAM = 128 | BS RAM = 256 0x1F60 0x1FFF | 0x1FFF | | D00 4.0 4.0 AND D1 00D 4. | GS RAM = 5888 0x0800 | GS RAM = 5888 0x0800 | GS RAM = 5888 0x0800 | GS RAM = 5120 0x0800 | | RSS<1:0> = 10 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 01 AND RL_SSR = 1 | | Ox1F00 | DC DAM 050 0x1F00 | BS RAM = 1024 0x1C00 | | | SS RAM = 256 | SS RAM = 128 | BS RAM = 256 0x1F60 0x1FFF | 0x1FFF | | | GS RAM = 4096 0x0800 | GS RAM = 4096 0x0800 | GS RAM = 4096 0x0800 | GS RAM = 4096 0x0800 | | RSS<1:0> = 01 AND RL_SSR = 0<br>OR<br>RSS<1:0> = 00 AND RL_SSR = 1 | SS RAM = 2048 0x1800 | SS RAM = 1920 0x1800 | SS RAM = 1792 0x1800 | SS RAM = 1024 | | | 0x1FFF | BS RAM = 128 | BS RAM = 256 | 0x1FFF | | | GS RAM = 2048 | GS RAM = 2048 | GS RAM = 2048 | GS RAM = 2048 0x0800 0x1000 | | RSS<1:0> = 00 AND RL_SSR = 0 | | | | SS RAM = 3072 0x1C00 | | | 0x1FFF | BS RAM = 128 | BS RAM = 256 | BS RAM = 1024<br>0x1FFF | Legend: OR = Logical OR, AND = Logical AND If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is disabled. Section 23. CodeGuard™ Security Table 23-6: Program Flash Segment Sizes for 256 KB Devices | Configuration Bits | BSS<2:0> = x11 0K | BSS<2:0> = x10 1K | BSS<2:0> = x01 4K | BSS<2:0> = x00 8K | |--------------------------|------------------------------------|----------------------------------------------|-----------------------------------------------|-----------------------------------------------------------| | \$\$\$<2:0> = x11 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW 0x000000<br>0x000200<br>0x000800 | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | 0K | GS = 87296 IW 0x02ABFE | GS = 86528 IW 0x02ABFE | 0x002000<br>GS = 83456 IW<br>0x02ABFE | 0x004000<br>GS = 79360 IW<br>0x02ABFE | | \$\$\$<2:0> = x10 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | 8K | SS = 7936 IW 0x004000 | SS = 7168 IW 0x004000 | SS = 4096 IW 0x002000<br>0x004000 | 0x004000 | | | GS = 79360 IW 0x02ABFE | GS = 79360 IW 0x02ABFE | GS = 79360 IW 0x02ABFE | GS = 79360 IW 0x02ABFE | | SSS<2:0> = x01 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW | | 16K | SS = 16128 IW 0x008000 | SS = 15360 IW 0x008000 | 0x002000<br>SS = 12288 IW<br>0x008000 | 0x004000<br>0x008000 | | | GS = 71168 IW 0x02ABFE | GS = 71168 IW 0x02ABFE | GS = 71168 IW 0x02ABFE | GS = 71168 IW 0x02ABFE | | | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200<br>0x004000 | | SSS<2:0> = x00 | SS = 32512 IW | SS = 31744 IW | 0x002000<br>SS = 28672 IW | SS = 24576 IW | | Legend: IW = Instruction | GS = 54784 IW 0x010000<br>0x02ABFE | GS = 54784 IW 0x010000<br>0x02ABFE | GS = 54784 IW 0x010000<br>0x02ABFE | GS = 54784 IW 0x02ABFE | **Legend:** IW = Instruction Words Note: If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is disabled. Table 23-7: Program Flash Segment Sizes for 128 KB Devices | Configuration Bits | BSS<2:0> = x11 0K | BSS<2:0> = x10 1K | BSS<2:0> = x01 4K | BSS<2:0> = x00 8K | |--------------------------|------------------------------------------------|---------------------------------------|-----------------------------------------------|------------------------------------------------| | \$\$\$<2:0> = x11 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | 0K | | | 0x002000 | 0x004000 | | | GS = 43776 IW 0x0157FE 0x02ABFE | GS = 43008 IW 0x0157FE 0x02ABFE | GS = 39936 IW<br>0x0157FE<br>0x02ABFE | GS = 35840 IW 0x0157FE 0x02ABFE | | 000 00 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x10<br>8K | SS = 7936 IW 0x004000 | SS = 7168 IW 0x004000 | SS = 4096 IW 0x002000<br>0x004000 | 0x004000 | | | GS = 35840 IW 0x0157FE 0x02ABFE | GS = 35840 IW<br>0x0157FE<br>0x02ABFE | GS = 35840 IW<br>0x0157FE<br>0x02ABFE | GS = 35840 IW 0x0157FE 0x02ABFE | | | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x01 | | | 0x002000 | 0x004000 | | IUK | SS = 16128 IW | SS = 15360 IW | SS = 12288 IW | SS = 8192 IW | | | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW | VS = 256 IW | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x00<br>32K | SS = 32512 IW | SS = 31744 IW | 0x002000<br>SS = 28672 IW | 0x004000<br>SS = 24576 IW | | Logand: IW - Instruction | GS = 11264 IW 0x010000<br>0x0157FE<br>0x02ABFE | GS = 11264 IW | GS = 11264 IW | GS = 11264 IW 0x010000<br>0x0157FE<br>0x02ABFE | **.egend:** IW = Instruction Words Note: If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is disabled. Table 23-8: Program Flash Segment Sizes for 64 KB Devices Configuration Bits BSS<2:0> = x11 0K | Configuration Bits | BSS<2:0> = x11 0K | BSS<2:0> = x10 1K | BSS<2:0> = x01 4K | BSS<2:0> = x00 8K | |--------------------------|--------------------------------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------|------------------------------------------------| | SSS<2:0> = x11 | VS = 256 IW 0x000000 | VS = 256 IW 0x000000<br>0x000200<br>0x000800 | VS = 256 IW 0x000000<br>BS = 3840 IW 0x002000<br>0x002000 | VS = 256 IW 0x000000<br>0x000200 0x004000 | | 0К | GS = 21760 IW 0x00ABFE | GS = 20992 IW 0x00ABFE | GS = 17920 IW 0x00ABFE | GS = 13824 IW 0x00ABFE | | | 0x02ABFE | 0x02ABFE | 0x02ABFE | 0x02ABFE | | | VS = 256 IW 0x000000<br>0x000200<br>SS = 3840 IW | VS = 256 IW 0x000000<br>BS = 768 IW 0x000200<br>SS = 3072 IW 0x000800 | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x10<br>4K | 0x002000 | 0x002000 | 0x002000 | 0x004000 | | | GS = 17920 IW 0x00ABFE 0x02ABFE | 0x00ABFE | 0x00ABFE<br>0x02ABFE | 0x00ABFE<br>0x02ABFE | | | 0,000000 | 0×000000 | 0×000000 | 0,000000 | | | VS = 256 IW 0x000000<br>0x000200 | VS = 256 IW 0x000000<br>BS = 768 IW 0x000200<br>0x000800 | VS = 256 IW 0x000000<br>BS = 3840 IW 0x000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x01<br>8K | SS = 7936 IW 0x004000 | SS = 7168 IW 0x004000 | SS = 4096 IW 0x002000<br>0x004000 | 0x004000 | | | GS = 13824 IW 0x00ABFE 0x02ABFE | GS = 13824 IW 0x00ABFE 0x02ABFE | GS = 13824 IW 0x00ABFE 0x02ABFE | GS = 13824 IW 0x00ABFE 0x02ABFE | | | 0×000000 | 0×00000 | 0×000000 | 0×000000 | | | VS = 256 IW 0x000000 | VS = 256 IW 0x000000<br>BS = 768 IW 0x000200<br>0x000800 | VS = 256 IW 0x000000 0x0000200 | VS = 256 IW 0x000000<br>BS = 7936 IW 0x000200 | | SSS<2:0> = x00 | SS = 16128 IW | SS = 15360 IW 0x008000 | SS = 12288 IW | SS = 8192 IW 0x004000<br>GS = 5632 IW 0x008000 | | Logand: IW - Instruction | 0x02ABFE | 0x00ABFE<br>0x02ABFE | 0x00ABFE<br>0x02ABFE | 0x00ABFE<br>0x02ABFE | Legend: IW = Instruction Words Note: If the defined Boot Segment size is greater than, or equal to, the defined Secure Segment, then the Secure Segment size selection has no effect and the Secure Segment is disabled. Section 23. CodeGuard™ Security Table 23-9: Program Flash Segment Sizes for 32 KB Devices | BSS<2:0> = x11 0K | BSS<2:0> = x10 1K | |------------------------|-------------------------------------------------------------------------| | VS = 256 IW | VS = 256 IW BS = 768 IW Ox00001FE 0x00200 0x0007FE 0x00027FE 0x000800 | | 0x0057FE | 0x0057FE | | BSS<2:0> = x01 4K | BSS<2:0> = $x00 8K$ | | VS = 256 IW | VS = 256 IW | | GS = 7168 IW 0x0057FE | 0x003FFE<br>0x004000<br>0x0057FE | **Legend:** IW = Instruction Words Table 23-10: Program Flash Segment Sizes for 16 KB Devices | able 23-10. Program Flash Segment Sizes for 10 KB Devices | | | | | | |-----------------------------------------------------------|----|----------------------------------------------------------------------------------|----|--|--| | BSS<2:0> = x11 | 0K | BSS<2:0> = x10 | 1K | | | | VS = 256 IW 0x000000<br>0x0001FE<br>0x000200 | | VS = 256 IW 0x000000<br>0x0001FE<br>0x0002FE<br>0x0002FE<br>0x0002FE<br>0x000800 | | | | | GS = 5376 IW 0x002BFE 0x002C00 0x0057FE | | GS = 4608 IW 0x002BFE 0x002C00 0x0057FE | | | | | BSS<2:0> = x01 | 4K | BSS<2:0> = x00 | 8K | | | | VS = 256 IW 0x000000 0x0001FE 0x000200 | | VS = 256 IW 0x000000<br>0x0001FE<br>0x000200 | | | | | GS = 1536 IW 0x0021FFE 0x0022000 0x002BFE 0x002C00 | | 0x002BFE<br>0x002C00 | | | | **Legend:** IW = Instruction Words Table 23-11: Program Flash Segment Sizes for 12 KB Devices | Configuration Bits | | ment Sizes | |------------------------|--------------|----------------------------------| | | VS = 256 IW | 0x000000<br>0x0001FE<br>0x000200 | | BSS<2:0> = x11 0K | GS = 3840 IW | 0x001FFE | | | VS = 256 IW | 0x000000<br>0x0001FE | | | BS = 256 IW | 0x000200<br>0x0003FE<br>0x000400 | | BSS<2:0> = $x10$ 256 | | 0,000+00 | | | GS = 3584 IW | 0x001FFE | | | VS = 256 IW | 0x000000<br>0x0001FE<br>0x000200 | | | BS = 768 IW | | | BSS<2:0> = x01 768 | | 0x0007FE<br>0x000800 | | | GS = 3072 IW | 0x001FFE | | | VS = 256 IW | 0x000000<br>0x0001FE | | BSS -2:0; - voo - 4702 | BS = 1792 IW | 0x000200 | | BSS<2:0> = x00 1792 | | 0x000FFE | | | GS = 2048 IW | 0x001000<br>0x001FFE | | | | _ | **Legend:** IW = Instruction Words Note: The segr The segment organizations as shown in Table 23-3 through Table 23-11 are typical, but some devices may differ. To verify the memory segment sizes for different settings, refer to the "Memory Organization" and "Flash Programming" chapters in the specific device data sheet. #### 23.6.2 Selecting the Security Level of the Boot Segment The security level of the Boot Segment is determined by the Configuration bit BSS2 (FBS<3>): - 1 = Standard security - 0 = High security When the Boot Segment is configured for high security, the number of access methods is more limited than with standard security. The differences are noted in the following sections. For additional information, refer to 23.11 "Rules Concerning Program Flow". ## 23.6.3 Write Protection of the Boot Segment The Boot Segment can be write-protected by programming Configuration bit BWRP (FBS<0>): - 1 = Boot segment can be written - 0 = Boot segment is write-protected When write-protected, page erase and programming operations targeting the Boot Segment of program Flash are disabled. Setting the WR bit within the NVMCON Special Function Register will not start an operation. Erase operations that erase the entire Boot Segment are allowed; however, the Secure and General Segments are also erased. #### 23.6.4 Allocating Boot Segment RAM The Boot Segment can also allocate a portion of the data RAM memory of the device for exclusive access by code executing within the Boot Segment. This protects the data integrity of algorithms executing within the Boot Segment. If a Boot Segment is not allocated, BSS<2:0> = x11 (FBS<3:1>), then a RAM segment cannot be allocated. The existence and size of Boot Segment RAM are determined by the RBS<1:0> (FBS<7:6>) Configuration bits. One of the options is to exclude the Boot Segment RAM, which is the default option on an erased, non-programmed device. Figure 23-4 shows that the Boot Segment RAM is located at the end of data RAM, or at the last location before the DMA memory area. The Boot Segment RAM starts at an address specified by the RBS<1:0> bits. **Note:** DMA RAM is not present on all dsPIC33F/PIC24H devices. For DMA RAM availability and sizes, refer to the "**Memory Organization**" chapter in the specific device data sheet. Figure 23-4: Boot Segment Data RAM Allocation Table 23-12 shows an example of Boot Segment RAM size options for dsPIC33F/PIC24H devices. The start addresses listed are typical. For specific addresses, refer to the "**Memory Organization**" chapter in the specific device data sheet. Table 23-12: Boot Segment RAM Size Example | RBS<1:0> | BS<br>Size/Bytes | BS Start<br>Address | BS End<br>Address | | |----------|------------------|---------------------|-------------------|--| | 11 | | No Boot Segment | | | | 10 | Small/128 | EOM-0x007F | EOM | | | 01 | Medium/256 | EOM-0x00FF | EOM | | | 00 | Large/1024 | EOM-0x03FF | EOM | | Note: EOM refers to the last location of data RAM excluding DMA RAM. #### 23.6.5 Run Time Release of Boot Segment RAM When an algorithm within the Boot Segment completes its task and is preparing to return execution to code within a lower priority segment, it can be helpful to release some of the RAM allocated to the Boot Segment. The Boot Segment RAM control Special Function Register contains the RL\_BSR (BSRAM<0>) bit (refer to Register 23-2). When this bit is set, the system releases a portion of the BS RAM back to the next lower priority segment defined. Table 23-13 is an example of RAM mapped with RL\_BSR = '0' and RL\_BSR = '1'. Table 23-13: Boot Segment RAM Release | DDC 4.0 | BS Size when: | | | |----------|-----------------|-----------------|--| | RBS<1:0> | RL_BSR = 0 | RL_BSR = 1 | | | 11 | No Boot Segment | | | | 10 | Small | No Boot Segment | | | 01 | Medium | Small | | | 0.0 | Large | Medium | | ## 23.6.6 Releasing the Secure RAM for General Use The secure code segments can release some allocation of its secure RAM for general use at any time during operation. For example, the minimum allocation can be reserved for the BS to store sensitive volatile variables during General Segment code run time. Then, when the code branches to the BS segment to execute an algorithm, the BS code can clear the RL\_BSR bit to secure the maximum allocation of the secure RAM for its use. After the BS code execution completes, it can set the RL\_BSR bit to again minimize the allocated secure RAM. Both the Boot and Secure Segments have an associated BSRAM and SSRAM register, which contains the RL\_BSR or RL\_SSR bits respectively. Only BS has write access to the BSRAM register, and only SS has write access to the SSRAM register. **Note:** On any reset, the maximum allocations are in a secure state because the RL\_BSR and RL\_SSR bits are Reset. The RAM security bits determine whether RAM is secured or not. - If RSS<1:0> = 11 (FSS<7:6>), no secure RAM is allocated and the RL\_SSR bit is ignored - If RBS<1:0> = 11 (FBS<7:6>), no boot RAM is allocated and the RL\_BSR bit is ignored #### Register 23-2: BSRAM: Boot Segment RAM Special Function Register | U-0 |--------|-----|-----|-----|-----|-----|-----|-------| | _ | _ | _ | _ | _ | _ | _ | _ | | bit 15 | | | | | | | bit 8 | | U-0 | U-0 | U-0 | U-0 | U-0 | R-0 | R-0 | R/W-0 | |-------|-----|-----|-----|-----|--------|--------|--------| | _ | _ | _ | _ | _ | IW_BSR | IR_BSR | RL_BSR | | bit 7 | | | | | | | bit 0 | Legend: R = Readable bit W = Writable bit U = Unimplemented bit, read as '0' -n = Value at POR '1' = Bit is set '0' = Bit is cleared x = Bit is unknown bit 15-3 Unimplemented: Read as '0' bit 2 IW\_BSR: Boot Segment RAM Illegal Write Status bit (read-only) 1 = At least one illegal write has been attempted since last read of this register 0 = No illegal write has been attempted since this register was last read The IW\_BSR bit is cleared on any Reset. It is also cleared after the BSRAM register is read while executing in BS. bit 1 IR\_BSR: Boot Segment RAM Invalid Read Status bit (read-only) 1 = At least one invalid read has occurred since last read of this register 0 = No invalid read of protected BS RAM section has occurred since this register was last read The IR\_BSR bit is cleared on any Reset. It is also cleared after the BSRAM register is read while executing in BS. bit 0 RL\_BSR: Boot Segment RAM Release Status bit 1 = BS has released the secure RAM for general use. All but the highest 128 bytes are released. 0 = BSRAM is held secure for BS only The RL\_BSR bit is cleared to zero on any Reset. ## 23.7 THE SECURE SEGMENT (SS) The Secure Segment has the second highest privilege and is ideal for storing proprietary algorithm routines. Access to the Secure Segment from lower priority segments are limited to "calls" to the Secure Segment. #### 23.7.1 Allocating the Secure Segment The Secure Segment is allocated by the Configuration bits SSS<2:0> (FSS<3:1>). Figure 23-5 shows the Secure Segment begins immediately following the Boot Segment. If there is no Boot Segment, the Secure Segment starts at the end of the Reset/Interrupt Vector Space. The default is to exclude a Secure Segment. Figure 23-5: Secure Segment Memory Allocation The Secure Segment continues to an address specified by the SSS<2:0> bits. Table 23-14 shows an example of Secure Segment options (in this case, for devices with 64 KB Flash memory). The end addresses listed in these tables are typical. Refer to the "Memory Organization" chapter in the specific device data sheet for specific addresses for a given device. Table 23-14: Secure Segment Size Example | SSS<2:0> | Security Level | SS<br>Size | SS Start<br>Address | SS End<br>Address | |----------|---------------------------------|------------|---------------------|-------------------| | x11 | No Secure Program Flash Segment | | | | | 110 | Standard | Small | E.O. BS + 1 | 0x001FFE | | 010 | High | Small | E.O. BS + 1 | 0x001FFE | | 101 | Standard | Medium | E.O. BS + 1 | 0x003FFE | | 001 | High | Medium | E.O. BS + 1 | 0x003FFE | | 100 | Standard | Large | E.O. BS + 1 | 0x007FFE | | 000 | High | Large | E.O. BS + 1 | 0x007FFE | Note: E.O. BS refers to the last location of the Boot Segment. #### Register 23-3: FSS: Secure Segment Configuration Register Byte | R/P | R/P | r | r | R/P | R/P | R/P | R/P | |-------|---------------------|---|---|-----|-------------------------|-----|---------------------| | RSS< | I:0> <sup>(1)</sup> | _ | _ | | SSS<2:0> <sup>(2)</sup> | | SWRP <sup>(3)</sup> | | bit 7 | | | | | | | bit 0 | | Legend: | r = Reserved | P = Programmable b | P = Programmable bit | | |-------------------|------------------|------------------------|----------------------|--| | R = Readable bit | W = Writable bit | U = Unimplemented bit, | , read as '0' | | | -n = Value at POR | '1' = Bit is set | '0' = Bit is cleared | x = Bit is unknown | | bit 7-6 RSS<1:0>: Secure Segment RAM Code Protection bits<sup>(1)</sup> 11 = No Secure RAM defined 10 = Secure RAM is 256 bytes less BS RAM 01 = Secure RAM is 2048 bytes less BS RAM 00 = Secure RAM is 4096 bytes less BS RAM bit 5-4 Reserved: Programming values will have no effect bit 3-1 SSS<2:0>: Secure Segment Program Flash Code Protection bits<sup>(2)</sup> x11 = No Secure program Flash segment 110 = Standard security, Small Secure Segment 010 = High security, Small Secure Segment 101 = Standard security, Medium Secure Segment 001 = High security, Medium Secure Segment 100 = Standard security, Large Secure Segment 000 = High security, Large Secure Segment For device specific information, see Table 23-8. bit 0 SWRP: Secure Segment Program Flash Write Protection bit<sup>(3)</sup> 1 = Secure Segment can be written 0 = Secure Segment is write-protected **Note 1:** Not all devices have Secure Segment RAM code protection. For device specific information, refer to Table 23-3, Table 23-4 and Table 23-5. - 2: The exact definitions of Small, Medium and Large Secure Segment vary from one device to another. For device specific information, refer to Table 23-6, Table 23-7 and Table 23-8. - 3: If a Secure Segment is not needed, the SWRP bit must be programmed as a '1'. ### 23.7.2 Selecting the Security Level of the Secure Segment The security level of the secure code segment is determined by the Configuration bit SSS2 (FSS<3>): - 1 = Standard security - 0 = High security When the Secure Segment is configured for high security, the number of access methods is more limited than with standard security. The differences are noted in the subsequent sections. ### 23.7.3 Write Protection of the Secure Segment The Secure Segment can be write-protected by programming the SWRP (FSS<0>) Configuration bit. - 1 = Secure Segment can be written - 0 = Secure Segment is write-protected When write-protected, or page erase and programming operations targeting the Secure Segment of program Flash are disabled, setting the WR bit within the NVMCON Special Function Register will not start an operation. Erase operations that erase the entire Secure Segment are allowed; however, the General Segment is also erased. ## 23.7.4 Allocating Secure Segment RAM The Secure Segment can also allocate a portion of the data RAM for code protection. However, if a Secure Segment is not allocated, SSS<2:0> = x11 (FSS<3:1>), then a RAM segment cannot be allocated. The existence and size of Secure Segment RAM are determined by the RSS<1:0> (FSS<7:6>) Configuration bits. One of the options is to exclude the Secure Segment RAM, which is the default option on an erased, non-programmed device. The Secure Segment RAM ends at the last location before the Boot Segment RAM. The Secure Segment RAM starts at an address specified by the RSS<1:0> bits. Figure 23-6: Secure Segment Data RAM Allocation Table 23-15 shows an example of Secure Segment RAM allocations. The start addresses listed are typical. Refer to the "Memory Organization" chapter in the specific device data sheet for specific addresses for a given device. Table 23-15: Secure Segment RAM Size Example | RSS<1:0> | SS<br>Size | SS Start<br>Address | SS End<br>Address | |----------|-------------------|---------------------|-------------------| | 11 | No Secure Segment | | | | 10 | Small | S.O. BS - 0x0100 | S.O. BS - 1 | | 01 | Medium | S.O. BS - 0x0800 | S.O. BS - 1 | | 00 | Large | S.O. BS - 0x1000 | S.O. BS - 1 | Note: S.O. BS refers to the first location of basic segment data RAM. #### 23.7.5 Run Time Release of Secure Segment RAM Like the Boot Segment, the Secure Segment can allocate and release RAM. The Secure Segment RAM control SFR contains the RL\_SSR (SSRAM<0>) bit (refer to Register 23-4). When this bit is set, the system releases a portion of the Secure Segment RAM back to the next lower priority segment defined. Table 23-16 is an example of RAM mapped with RL\_SSR = 0 and RL\_SSR = 1. Table 23-16: Secure Segment RAM Release | RSS<1:0> | Secure Segment Size When: | | | |----------|---------------------------|-------------------|--| | K33<1:0> | RL_SSR = 0 | RL_SSR = 1 | | | 11 | No Secure Segment | | | | 10 | Small | No Secure Segment | | | 01 | Medium Small | | | | 00 | Large | Medium | | #### 23.7.6 Releasing the Secure Segment RAM for General Use The secure code segments can release some allocation of its secure RAM for general use at any time during operation. For example, the minimum allocation can be reserved for the Secure Segment to store sensitive volatile variables during General Segment code run time. When the code branches to the Secure Segment to execute an algorithm, the Secure Segment code can clear the RL\_SSR bit to secure the maximum allocation of the secure RAM for its use. After the Secure Segment code execution completes, it can set the RL\_SSR bit to again minimize the allocated secure RAM. Both the Boot and Secure Segments have an associated BSRAM and SSRAM register, which contains the RL\_BSR or RL\_SSR bits, respectively. Only the Boot Segment has write access to the BSRAM register, and only the Secure Segment has write access to the SSRAM register. Note that on any Reset, because the RL\_SSR bit is Reset, the maximum allocations are in a secure state. The RAM security bits determine whether RAM is secured or not. If RSS<1:0> = 11 (FSS<7:6>), no secure RAM is allocated and the RL\_SSR bit is a "don't care". #### Register 23-4: SSRAM: Secure Segment RAM Special Function Register | U-0 | | | |--------------|-----|-----|-----|-----|-----|-----|-----|--|--|--| | _ | _ | _ | _ | _ | _ | _ | _ | | | | | bit 15 bit 8 | | | | | | | | | | | | U-0 | U-0 | U-0 | U-0 | U-0 | U-0 | R-0 | R-0 | | | | |-------|-----|-----|-----|-----|--------|--------|--------|--|--|--| | _ | _ | _ | _ | _ | IW_SSR | IR_SSR | RL_SSR | | | | | bit 7 | | | | | | | | | | | Legend: R = Readable bit W = Writable bit U = Unimplemented bit, read as '0' -n = Value at POR '1' = Bit is set '0' = Bit is cleared x = Bit is unknown bit 15-3 **Unimplemented:** Read as '0' bit 2 IW\_SSR: Secure Segment RAM Illegal Write Status bit (read-only) 1 = At least one illegal write has been attempted since last read of this register 0 = No illegal write of protected SSRAM has been attempted since this register was last read The IW\_SSR bit is cleared on any Reset. It is also cleared *after* the SSRAM register is read while executing in Secure Segment. bit 1 IR\_SSR: Secure Segment Invalid Read Status bit (read-only) 1 = At least one invalid read has occurred since last read of this register 0 = No invalid read of protected SSRAM has occurred since this register was last read The IR\_SSR bit cleared on any Reset. It is also cleared *after* the SSRAM register is read while executing in Secure Segment. bit 0 RL\_SSR: Secure Segment Release Status bit 1 = Secure Segment has released the secure RAM for general use. All but the highest 128 bytes are released 0 = SSRAM is held secure for Secure Segment only RL\_SSR bit is cleared to zero on any Reset. ## 23.8 THE GENERAL SEGMENT (GS) The General Segment has the lowest security privilege level. The General Segment is intended to contain the majority of the application code. Its size is essentially the on-chip memory minus the Boot Segment and Secure Segment. If there are no Boot or Secure Segments, the General Segment uses all of the on-chip memory. #### 23.8.1 Allocating the General Segment The General Segment always exists, regardless of whether the Boot and Secure Segments are allocated. It is specified by the GSS<1:0> Configuration bit in the FGS register. The location of the General Segment depends on the existence of the Boot and Secure Segments. Figure 23-7 shows that if both Boot and Secure Segments are allocated, the General Segment immediately follows the Secure Segment. If a Boot Segment is allocated, but a Secure Segment is not, the General Segment immediately follows the Boot Segment. If neither a Boot Segment nor a Secure Segment is allocated, the General Segment immediately follows the Reset/Interrupt Vector Space (VS). The device default is to exclude Boot and Secure Segments. By default, the entire program memory is allocated as General Segment. 0x000000 Reset/Interrupt Vector Space (VS) General Segment is allocated by **Boot Segment Access Area** GSS<1:0> bit in FGS Register If both Boot and Secure Boot Segment (BS) segments are allocated, the General Segment space follows the Secure Segment (as shown) Secure Segment Access Area If a Boot Segment is allocated but a Secure Segment is not, the General Segment immediately Secure Segment (SS) follows the Boot Segment If neither a Boot nor a Secure Segment is allocated, the General Segment immediately follows the Reset/Interrupt Vector Space General Segment (GS) Max Internal **User Memory** Size Unimplemented Memory Space 0x7FFFE Figure 23-7: General Segment Allocation #### Register 23-5: FGS: General Segment Configuration Register | r | r | r | r | r | R/P | R/P | R/P | |-------|---|---|---|---|------|---------------------|-------| | _ | _ | _ | _ | _ | GSS< | 1:0> <sup>(1)</sup> | GWRP | | bit 7 | | | | | | | bit 0 | | Legend: | r = Reserved | P = Programmable I | bit | |-------------------|------------------|-----------------------|--------------------| | R = Readable bit | W = Writable bit | U = Unimplemented bit | t, read as '0' | | -n = Value at POR | '1' = Bit is set | '0' = Bit is cleared | x = Bit is unknown | bit 7-3 Reserved: Do not use bit 2-1 GSS<1:0>: General Segment Program Flash Code Protection bits<sup>(1)</sup> 11 = General Segment not protected 10 = Standard security; general program Flash segment starts at end of SS and ends at EOM 0x = High security; general program Flash segment starts at end of SS and ends at EOM bit 0 GWRP: General Segment Program Flash Write Protection bit 1 = General segment can be written0 = General segment is write-protected **Note 1:** On certain devices, GSS<1> is Reserved, and GSS<0> is referred to as the GCP bit. Refer to the "**Special Features**" chapter in the specific device data sheet for details. ## 23.8.2 Selecting the Security Level of the General Segment Depending on the device, there are up to three levels of security to choose for the General Segment. Refer to the "**Special Features**" chapter in the specific device data sheet to determine how many options are available. Configuration bits GSS<1:0> (FGS<2:1>) determine the level of protection for this segment: - 11 = No protection - 10 = Standard security - 0x = High security #### 23.8.3 Write Protection of the General Segment The General Segment can be write-protected by programming the GWRP (FGS<0>) Configuration bit, similarly to write-protecting the Boot Segment: - 1 = General code segment can be written - 0 = General code segment is write-protected ## 23.9 RESET, TRAP AND INTERRUPT SERVICE ROUTINE (ISR) VECTOR SPACE The first 256 instruction words are reserved for the RESET instruction, trap and interrupt vectors. Protection of this segment depends on the state of the BSS<2:0> (FBS<3:1>) and GSS<1:0> (FGS<2:1>) or GCP (FGS<1>) code protection bits. If a Boot Segment is allocated, the Vector Space protection is the same as the Boot Segment. In other words, if a Boot Segment is defined, erase and programming operations of the Vector Space can only be performed via Boot Segment code. If a Boot Segment is not allocated, the Vector Space protection is the same as the General Segment and erase, and programming operations of the Vector Space can be performed via the General Segment code. A write to this segment is enabled or disabled by the BWRP bit if a Boot Segment is allocated, or by the GWRP bit if a Boot Segment is excluded. #### 23.10 DEFINITION OF SECURITY PRIVILEGES It is important to understand the relative privilege levels of the three code protection segments. Operations can be described as being relative to higher or lower privilege segments. The Boot Segment has the highest privilege level and can directly access code in the lower segments. The Secure Segment can directly access code in the General Segment, but can only issue calls to code in the Boot Segment. The General Segment can only access code from either of the higher segments by issuing calls. Rules governing access privileges are discussed in sections 23.11 "Rules Concerning Program Flow" through 23.14.1 "Rules for Programming Devices in RTSP". Table 23-17 presents a summary overview of these rules during normal run-time operation. Table 23-17: Privileged Operations Rules Summary | Target Segment | | General Segment | | | | | | | Secure Segment | | | | Boot | Segment | | IVT and AIVT | | | | | | |--------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------|-----|------|-----|-----|------|------|----------------|-----------|------------|--------|--------|---------|--------|--------------|-------|-----------------|----------|--------|-----| | Protection Level | | None Standard | | dard | Hi | igh | Stan | dard | Hi | gh | Stan | dard | High | | None | | Stand | lard | Hi | gh | | | Write-Pro | Write-Protected | | Yes | No | Requested Operation (Yes/No) | | | | | | | | | | | | | | | | | | | | | | | PC Rollover into Target Segment | | Yes N/A | N/A | N/A | N/A | | | N/A <b>(N</b> c | ote 3) | | | | PFC from reset vector instruction to Target Segment (Note 5) | | Yes Note 2 | Note 2 | Yes | Yes | Note 2 | Note 2 | | | Note | <b>4</b> | | | | VFC (Vector Flow Change) to Target Segment (Note 5) | | Yes Note 2 | Note 2 | Yes | Yes | Note 2 | Note 2 | | | Note | <b>4</b> | | | | PFC from BS to Target Segment (Note 1) | | Yes | | Note | e 4 | | | | PFC from SS to Target Segment (Note 1) | | Yes Note 2 | Note 2 | | | Note | e 4 | | | | PFC from GS to Target Segment (Note 1) | | Yes Note 2 | Note 2 | Yes | Yes | Note 2 | Note 2 | Note 4 | | | | | | | R/W of Target Segment RAM | BS | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes | Yes | | | n/a | 3 | | | | while executing from: Note: Stack assumed to be in GS | SS | Yes No | No | No | No | | | | | | | | RAM space, access needed | GS | Yes | Yes | Yes | Yes | Yes | Yes | No | | | | | | | Table Read/PSV of Target | BS | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No | No | Yes | Segment Program Flash while executing from: | SS | Yes | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes | No | No | No | No | Yes | Yes | Yes | Yes | Yes | Yes | | (Note 7) | GS | Yes | Yes | Yes | Yes | Yes | Yes | No Yes | Yes | Yes | Yes | Yes | Yes | | Table Write of Target Segment (load write latches) | • | Yes | Program Row/Erase Page | BS | Yes | No | Yes | No | No | No | Yes | No | No | No | Yes | No | Yes | No | Yes | No | Yes | No | Note 8 | No | | of Target Segment program Flash | SS | Yes | No | Yes | No | No | No | Yes | No | Yes | No | No | No | No | No | Note 6 | No | Note 6 | No | Note 6 | No | | while executing from: | GS | Yes | No | Yes | No | Yes | No Note 6 | No | Note 6 | No | Note 6 | No | | Erase All | Erase All | | | | | | | | | | nand not v | | - | | | | | | | | | | Erase BS Segment/code-protect | | | | | | | | Eras | | S/BS/VS s | U | | | | | es | | | | | | | Erase GS Segment/code-protect | | Erase GS/SS segments and GS/SS code protection fuses Erase VS if no Boot Segment defined | | | | | | | | | | | | | | | | | | | | | Erase GS Segment/code-protect | | Erase GS segment and GS code protection fuses Erase VS if no Boot Segment defined | | | | | | | | | | | | | | | | | | | | | Erase GS Segment | | | | | | • | | | | | rase GS | Segmer | t Only | | | | | | | | | | Program configuration register | | | | | | | | | | | | Yes | | | | | | | | | | | Nata 4 December Floor Obe | | | | | | | | | | | - f (b | | | | | | | | | | | dsPIC33F/PIC24H Family Reference Manual - Note 1: Program Flow Change (PFC) is defined as when the PC is loaded with a new value instead of the normal automatic increment. It includes JUMP, CALL, RETURN, RETFIE, Computed Jump etc. - **2:** PFC is allowed only to the first 32 instruction locations of the segment. - 3: Since execution is not permitted in the VS segment, this condition is not possible. - 4: A PFC operation (i.e., branch, call etc.) into the IVT and AIVT segment is possible. But as soon as execution is attempted out of this segment an illegal address trap will result (unless pointed to Reset vector at address 0x000000). - 5: VFC (Vector Flow Change) is defined as when the PC is loaded with a Interrupt or trap vector address. - **6:** Operation allowed if there is no higher security privilege-segment defined. - 7: TBLRD or DS read will execute but return all '0's if not allowed. - 8: Operation is allowed for dsPIC33FJXXXGPX06/X08/X10, dsPIC33FJXXXMCX06/X08/X10 and PIC24HJXXXGPX06/X08/X10 devices. For all other devices, operation is not allowed. ## 23.11 RULES CONCERNING PROGRAM FLOW Program flow refers to the execution sequence of program instructions in program memory. Normally, instructions are executed sequentially as the Program Counter (PC) increments. When code protection is implemented, program flow conforms to privilege level. That is, a program executing from code-protected memory can flow from a higher security segment to a lower segment, but not vice versa. For example, a program executing from the Secure Segment can flow into the General Segment but not into the Boot Segment. Program Flow Change (PFC) occurs when the PC is reloaded as a result of Call, Jump, Computed Jump, Return, Return from Subroutine, or other form of branch instruction. A PFC allows the program flow to follow an alternate path. A normal PFC only allows the program to branch within the same segment. A Restricted PFC allows the program to branch to a special Segment Access Area of a higher security segment. Vector Flow Change (VFC) occurs when the PC is reloaded with an Interrupt or Trap vector. Jumping into secure code at unintended locations can expose code to algorithm detection. Therefore, PFC and VFC operations are restricted if they violate the privilege hierarchy. Figure 23-8: Program Flow Rules Table 23-18 presents an overview matrix of possible operations between program memory segments. Blank cells indicate conditions where read/write/erase and PFC operations cannot be performed. When the Boot Segment or Secure Segment is implemented with high security level, a PFC from a lower privilege level must be restricted to the segment access area. Any PFC attempt outside the segment access area results in a security Reset. For more details, refer to 23.11.3 "Program Flow Errors". Table 23-18: Possible Operations Between Program Memory Segments | | | Operation To: | | | | | | | | | | | |---------------------------|----------|---------------|-------------------|-----------|--------------------|-----------------------------------|--------------|-----------|--|--|--|--| | Code<br>Executed<br>From: | | | egment<br>y Level | | Segment<br>y Level | General Segment<br>Security Level | | | | | | | | | | Standard | High | Standard | High | Standard | High | None | | | | | | BS | Standard | R, P, PFC | _ | R, P, PFC | PFC* | R, P, PFC | PFC | R, P, PFC | | | | | | | High | _ | R, P, PFC | R, P, PFC | PFC* | R, P, PFC | PFC | R, P, PFC | | | | | | SS | Standard | PFC | PFC* | R, P, PFC | | R, P, PFC | PFC | R, P, PFC | | | | | | | High | PFC | PFC* | _ | R, P, PFC | R, P, PFC | PFC | R, P, PFC | | | | | | GS | Standard | PFC | PFC* | PFC | PFC* | R, P, PFC | _ | | | | | | | | High | PFC | PFC* | PFC | PFC* | _ | R, P,<br>PFC | _ | | | | | | | None | PFC | PFC* | PFC | PFC* | _ | _ | R, P, PFC | | | | | Legend: R - Read P - Program (write)/Erase PFC - Program Flow Change allowed to anywhere in the segment PFC\* – Restricted Program Flow changes (can branch to Segment Access areas only) #### 23.11.1 Flow Changes PFCs within a segment are unrestricted. Generally, PFC and VFC changes from one segment to another segment are not restricted, except as follows. - To ensure the integrity of the operations of code within the Boot and Secure Segments, the user must restrict program flow options to those segments. Program flow can be limited to only allow the segment access areas to be a branch target. The segment access areas are the first 32 instruction locations of the Boot Segment or Secure Segment code space. - If the security level of the Boot Segment or Secure Segment is high, and a PFC originates from a lower priority segment, the target of the PFC must be within the access area - If the security level of Boot Segment or Secure Segment is high, and a VFC occurs, the target of the VFC must be within the segment access area The owners of the code within the Boot Segment or Secure Segment code space can ensure that the access area contains branches to specified sections of the application code, verified to not expose the algorithm. #### 23.11.2 Reset Instruction A typical device Reset will reset the PC to 0x000000, then begins execution at that location. There must be a branch instruction at locations 0x000000-0x000002 that branch to beginning of code. The instruction at the Reset vector can branch to any location unless the Boot Segment or Secure Segment is in high security, then the target must be to the specific segment access area. Typically, the target of the RESET instruction is to the General Segment code space. #### 23.11.3 Program Flow Errors If a PFC or VFC targets a restricted location, that operation will cause a security reset. The device will Reset and set the IOPUWR (RCON<14>) status bit, indicating an illegal operation. In addition to this specific security reset, there are also program flow checks that are built into all devices. If a program flow or vector flow change targets unimplemented program memory space, an address error trap occurs. Code execution from the vector segment, other than the instruction at the Reset location, is not allowed. If attempted, it results in an address error trap. #### 23.11.4 Retargeting Reset After Boot The Reset operation is independent of which segment the device is operating in when a Reset occurs. To prevent code probing, the reset vector is protected when a Boot Segment is allocated. If a Boot Segment exists, the Vector Space, including the reset vector, is part of the Boot Segment and restricted by Boot Segment rules. If a Boot Segment does not exist, the Vector Space, including the reset vector, is part of the General Segment and can be modified by the General Segment. For example, assume that a part has a boot sector that contains a boot loader. Initially, at Reset, the device resets to a location within the boot loader. The boot loader will run and load user code into the General Segment. When this operation is complete, the boot loader can rewrite the reset vector instruction to point to the user code. At the next Reset, the Reset will go to the user code; however, the user code cannot rewrite the reset vector instruction. #### 23.12 RULES CONCERNING INTERRUPTS #### 23.12.1 Interrupts and Traps in Secure Modes Interrupt handling is restricted for the following reasons: - A Return from Interrupt is one way to corrupt intended program flow (by changing the return address in the stack) - The secure code should have the opportunity to clear sensitive information before responding to an interrupt #### 23.12.1.1 BS AND SS INTERRUPT VECTORS If an interrupt occurs while the program is running in the Boot Segment or Secure Segment, the processor obtains the interrupt vector from the special Boot Segment interrupt vector location at (BS + 0x20), or the special Secure Segment interrupt vector at (SS + 0x20). Note: There are two special interrupt vectors: one within the Boot Segment and the other within Secure Segment. Interrupts occurring when code executes in one of these segments causes the processor to vector to the special interrupt vector for that segment. Users may employ a special ISR within the protected segment to hide critical data, and then manually vector to the real ISR by reading the INTTREG SFR. #### 23.12.1.2 INTERRUPT AND TRAP HANDLING SEQUENCE The sequence for handling interrupts and traps is as follows: - Interrupt or trap occurs while code is executing in a Secure Segment, for example in the Boot Segment. - 2. Return address is pushed on the Stack. - The contents of location (BS + 0x20) are loaded into the PC instead of the usual interrupt vector. - 4. Special ISR is executed at address pointed to by (BS + 0x20). - 5. Sensitive information from W registers is stored to the secure RAM area, whether this is the Boot Segment or Secure Segment RAM space. - 6. Actual return address is retrieved from Stack and saved in secure RAM. - Actual return address is replaced with new return address. For example, BS + 0x30. BS + 0x30 is located in the BS to BS + 0x3E address range. Keep in mind that this range is where PFC is allowed from outside Boot Segment. - 8. INTTREG SFR is read to determine which interrupt vector to jump to. - 9. Interrupt vector is read from the vector table and executes an indirect jump. - 10. Users ISR begins execution. - 11. User code executes. - 12. Return from interrupt (back to location BS + 0x30). - 13. Read actual return address from secure RAM area. - 14. Restore W registers. - 15. Execute indirect jump to go back to Boot Segment. Table 23-19: Vector Operations in Normal User Mode | Vector Operation | Result in Normal User Mode | |-----------------------------------------|----------------------------------------------------------------| | Hardware Interrupt while in BS | Obtain vector from special BS ISR vector location at BS + 0x20 | | Hardware Interrupt while in SS | Obtain vector from special SS ISR vector location at SS + 0x20 | | Hardware Interrupt while in GS | Obtain vector from normal ISR vector location | | Software Interrupt and Trap while in BS | Obtain vector from special BS ISR vector location at BS + 0x20 | | Software Interrupt and Trap while in SS | Obtain vector from special SS ISR vector location at SS + 0x20 | | Software Interrupt and Trap while in GS | Obtain vector from normal ISR vector location | ## 23.13 RULES FOR ACCESSING RAM DATA #### 23.13.1 Using Segment RAM If the Boot Segment or the Secure Segment has allocated protected RAM space, that RAM is not accessible by code running outside of that segment. For example, code running in the Secure Segment or General Segment cannot access RAM protected by the Boot Segment. If an instruction does an unauthorized read of a protected RAM location, the read operation and the instruction occur; however, the resulting write of the instruction is disabled. For example, "mov ssram, w0" will read from the SSRAM location, however the write to w0 will not occur. The results from the ALU are zeroed out and the write does not occur. An unauthorized read of a protected RAM location, within the boot RAM segment, sets the IR\_BSR (BSRAM<0>) bit. This bit remains set until a device Reset or until the BSRAM register is read by code executing from within the Boot Segment. Similarly, an unauthorized read from the secure RAM segment sets the IR\_SSR (SSRAM<0>) bit. This bit remains set until a device Reset or until the SSRAM register is read by code executing from within the Secure Segment. An unauthorized write to a protected RAM location causes a write of '0' to the protected location. An unauthorized write of a protected RAM location will set either the IW\_BSR (BSRAM<2>) bit or IW\_SSR (SSRAM<1>) bit to the unauthorized read status bits. They are cleared by a device Reset or until the BSRAM or SSRAM register is read by code executing from within the Boot or Secure Segment, respectively. #### 23.13.2 Stack Allocation The user can allocate the stack space anywhere in the RAM; however, the General Segment RAM is the only area that both the Boot and Secure Segment can access. Therefore, the stack should be allocated in the General Segment RAM area. If the stack accidentally intrudes into the "BSRAM" or "SSRAM" area, then writes due to push operations and reads due to pop operations will act as unauthorized RAM accesses described in the previous section. This can and should be prevented by using the Stack Pointer Limit register (SPLIM) and setting the contents of the SPLIM to an appropriate address. #### 23.13.3 Register Dumping Protection The device initializes W registers on all resets. Data RAM is not initialized and resets can leave valid data in data RAM. RAM contents security must be maintained. #### 23.14 SECURITY FEATURES AND DEVICE OPERATIONAL MODE Security functions are dependant on the operational mode of the device. Each device can operate in one of following modes: - In Run-Time Self-Programming (RTSP) mode (normal device operation), the application code is running and the application code can invoke self programming. - In the In-Circuit Serial Programming<sup>™</sup> (ICSP<sup>™</sup>) mode, the programming mode provides native, low-level programming capability to erase, program and verify the chip. The device is under the command of a device programmer such as PRO MATE<sup>®</sup> 3 or MPLAB<sup>®</sup> ICD 3. #### 23.14.1 Rules for Programming Devices in RTSP The device programs itself by using erase commands to first clear a portion of the code. It then writes the new code or data into the write latches, and finally uses a programming command to program the write latch contents into the Flash array. Erase or programming commands are specified by the device specific NVMCON SFR. The NVMOP bit field selects the particular function and the ERASE bit selects between programming and erase functions. The WR bit within the NVMCON register invokes programming operations. Consequently, to protect code integrity, the device restricts the operations that occur on setting the WR bit. #### 23.14.1.1 ERASING AND PROGRAMMING CODE ROWS OR PAGES Depending on the implementation of the Flash array, the NVMOP bit specifies erasing or programming a page of the program Flash array. - If segment write protection is enabled, then no erase or programming operations occurs within that segment. - · Code running within a segment can erase or program part of its own segment. - Code running within higher priority segments can erase or program part of a lower priority segment, unless the lower priority segment has selected high security. - If the Vector Space has inherited high security associated with the Boot Segment or General Segment, then no segment can erase or program part of the Vector Space. If a Boot Segment is defined, only the Boot Segment can erase or program part of the Vector Space. If no Boot Segment is defined, any segment can erase or program part of the Vector Space. #### 23.14.1.2 ERASING A SEGMENT AND CLEARING CODE PROTECTION There are several variants of NVMOP commands that will erase an entire segment of program Flash, erase all lower-priority segments of program Flash and clear the code protection Configuration bits in one operation. This is the only way to release code protection on a segment. These commands can be executed when running from any segment. These commands will not erase any contents from the segment RAM. #### 23.14.2 Rules for Programming Devices Using ICSP When the device is connected to a device programmer, the allowable operations are limited to erasing, programming and verifying the device code memory. - The device programmer uses segment erase commands to erase the device and clear the code protection. - Programming commands are ignored, if any level of code protection is selected. To program, there must be no Boot Segment or Secure Segment specified, and the General Segment must have no code protection. - Devices with any level of code protection cannot be verified. Attempts to verify code-protected devices results in reading zeroes Once the device is programmed with the desired code, the Configuration bits are written to enable the code protection level. After this operation, the only way to change the device code is by the code itself, or by erasing and clearing the code protection once more. ## 23.15 TYPICAL PROCEDURES FOR BOOT LOADING A DEVICE A typical scenario for boot loading a device using code protection of these devices, is a system upgraded in the field. Here, the device uses two segments, the Boot Segment and the General Segment. The General Segment contains the application. The Boot Segment contains a secure boot loader. Both segments have high security enabled. At system Reset, the device vectors to the application in the General Segment. As the system is operating in the field, a technician connects a reprogramming tool to the system. The application recognizes this connection and branches to a location within the Boot Segment access area. This branch is highly secure and the attempt to modify this branch likely results in a device Reset. The Boot Segment contains code that allows encrypted communication with the tool. The encryption keys are safe within the contents of the Boot Segment code because only the Boot Segment can access them. If serialized programming is used when the boot loader is initially programmed into the system, the encryption key could be specific to a particular system, further enhancing the strength of the encrypted communication. Once the boot loader verifies valid communication with the external programming tool, it can then erase the code within the General Segment and clear the General Segment code protection. The boot loader then receives the encrypted code update from the tool, decrypts it and programs it into the general space. As the boot loader is running, it is immune from the disruption from interrupts or traps as it can vector those to a secure location within the boot loader itself. As the boot loader finishes, it can program the Configuration bits to reprotect the general space, make any necessary updates to the vectors and then return to the general application. #### 23.15.1 Boot Loader in the General Segment Devices with basic code protection only have one segment, the General Segment. Because there is only one segment, it is not possible to erase the segment and clear code protection without also erasing any boot loader that might be resident within the General Segment. This limits the options for booting but does not prevent it. The boot loader needs to erase and reprogram Flash in "less than segment" partitions, and the loader cannot select write protection for the General Segment. It is also not possible to protect the loaded code from compromises caused by the boot loader itself. #### 23.15.2 Incremental Loads As long as neither write-protection nor high security is selected for the segment, "incremental" loads are possible. Incremental loads are still possible in high security segments as long as the loader resides within that segment. However, once the segment is write-protected, it cannot be changed until the entire segment is erased and code protection is cleared by a segment erase command. You can choose to locate a jump-table for interrupt vectors in an unprotected segment and update the jump-table with changing interrupt vectors. This allows Boot Segment write protection. #### 23.16 TYPICAL INSTALLATION OF THIRD-PARTY PROTECTED ALGORITHM In this scenario, the system integrator is purchasing an algorithm from a third-party vendor. Here, the system integrator wants to protect his system code from problems with the third-party algorithm, and the third-party algorithm vendor wants to ensure that no one in the system integrator's possessive company compromises his code. Normally, this is a matter of trust for the third-party vendor, since normally the third-party vendor must provide the integrator native code for the integrator to link into his system code and program into the device. If the third-party vendor can provide his code in an encrypted fashion, and if the device can isolate the third-party code, the third-party vendor can ensure his code remains proprietary. In this scenario, the device allocates Boot, Secure and General segments. The system integrator's code resides in the General Segment and a boot loader similar to the one described in the previous section is contained in the Boot Segment. As the system integrator builds his system, his boot loader and application code are programmed into the device. A special loader, provided by the third-party vendor, is programmed into the Secure Segment. This loader decrypts and programs the third-party's algorithm using a key provided by the third-party vendor to the system integrator. Once the Secure Segment is protected, the algorithm inside is not accessible by the system integrators code in the Boot or General Segments. The third-party code can only be accessed through calls to the Secure Segment access area. The protected algorithm should maintain critical data parameters within protected RAM area. When the algorithm is about to finish and return to code within another segment, it should "cleanse" its RAM area. ## 23.17 RELATED DOCUMENTS This section lists documents related to this section of the manual. These documents may not be written specifically for the dsPIC33F/PIC24H Product Family, but the concepts are pertinent and could be used with modification and possible limitations. The current documents related to CodeGuard™ Security are: Title Document # CodeGuard™ Security: Protecting Intellectual Property in Collaborative System Designs DS70179 **Note:** For additional Application Notes and code examples for the dsPIC33F/PIC24H device family, visit the Microchip web site (www.microchip.com). #### 23.18 REVISION HISTORY #### Revision A (March 2007) This is the initial released version of the document. #### Revision B (May 2007) Minor updates were made to this document. ## Revision C (September 2009) This revision incorporates the following updates: - · Notes: - Added the following note in Table 23-17: Operation is allowed for dsPIC33FJXXXGPX06/X08/X10, dsPIC33FJXXXMCX06/X08/X10 and PIC24HJXXXGPX06/X08/X10 devices. For all other devices, operation is not allowed - Additional minor corrections such as language and formatting updates have been incorporated throughout the document #### **Revision D (August 2012)** This revision includes the following updates: - Removed the row, Erase Target Segment data flash while executing from:, in Privileged Operations Rules Summary (see Table 23-17) - The content in 23.7 "Design Tips" was relocated to 23.15.1 "Boot Loader in the General Segment" and 23.15.2 "Incremental Loads" - Minor updates to text and formatting changes were incorporated throughout the document #### Note the following details of the code protection feature on Microchip devices: - Microchip products meet the specification contained in their particular Microchip Data Sheet. - Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner and under normal conditions. - There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip's Data Sheets. Most likely, the person doing so is engaged in theft of intellectual property. - Microchip is willing to work with the customer who is concerned about the integrity of their code. - Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as "unbreakable." Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of our products. Attempts to break Microchip's code protection feature may be a violation of the Digital Millennium Copyright Act. If such acts allow unauthorized access to your software or other copyrighted work, you may have a right to sue for relief under that Act. Information contained in this publication regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights. #### **Trademarks** The Microchip name and logo, the Microchip logo, dsPIC, KEELOQ, KEELOQ logo, MPLAB, PIC, PICmicro, PICSTART, PIC<sup>32</sup> logo, rfPIC and UNI/O are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. FilterLab, Hampshire, HI-TECH C, Linear Active Thermistor, MXDEV, MXLAB, SEEVAL and The Embedded Control Solutions Company are registered trademarks of Microchip Technology Incorporated in the U.S.A. Analog-for-the-Digital Age, Application Maestro, BodyCom, chipKIT, chipKIT logo, CodeGuard, dsPICDEM, dsPICDEM.net, dsPICworks, dsSPEAK, ECAN, ECONOMONITOR, FanSense, HI-TIDE, In-Circuit Serial Programming, ICSP, Mindi, MiWi, MPASM, MPLAB Certified logo, MPLIB, MPLINK, mTouch, Omniscient Code Generation, PICC, PICC-18, PICDEM, PICDEM.net, PICkit, PICtail, REAL ICE, rfLAB, Select Mode, Total Endurance, TSHARC, UniWinDriver, WiperLock and ZENA are trademarks of Microchip Technology Incorporated in the U.S.A. and other countries. $\ensuremath{\mathsf{SQTP}}$ is a service mark of Microchip Technology Incorporated in the U.S.A. All other trademarks mentioned herein are property of their respective companies. © 2007-2012, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved. Printed on recycled paper. ISBN: 978-1-62076-501-2 # QUALITY MANAGEMENT SYSTEM CERTIFIED BY DNV = ISO/TS 16949= Microchip received ISO/TS-16949:2009 certification for its worldwide headquarters, design and wafer fabrication facilities in Chandler and Tempe, Arizona; Gresham, Oregon and design centers in California and India. The Company's quality system processes and procedures are for its PIC® MCUs and dsPIC® DSCs, KEELOQ® code hopping devices, Serial EEPROMs, microperipherals, nonvolatile memory and analog products. In addition, Microchip's quality system for the design and manufacture of development systems is ISO 9001:2000 certified. ## Worldwide Sales and Service #### **AMERICAS** Corporate Office 2355 West Chandler Blvd. Chandler, AZ 85224-6199 Tel: 480-792-7200 Fax: 480-792-7277 Technical Support: http://www.microchip.com/ support Web Address: www.microchip.com Atlanta Duluth, GA Tel: 678-957-9614 Fax: 678-957-1455 **Boston** Westborough, MA Tel: 774-760-0087 Fax: 774-760-0088 Chicago Itasca, IL Tel: 630-285-0071 Fax: 630-285-0075 Cleveland Independence, OH Tel: 216-447-0464 Fax: 216-447-0643 **Dallas** Addison, TX Tel: 972-818-7423 Fax: 972-818-2924 Detroit Farmington Hills, MI Tel: 248-538-2250 Fax: 248-538-2260 Indianapolis Noblesville, IN Tel: 317-773-8323 Fax: 317-773-5453 Los Angeles Mission Viejo, CA Tel: 949-462-9523 Fax: 949-462-9608 Santa Clara Santa Clara, CA Tel: 408-961-6444 Fax: 408-961-6445 Toronto Mississauga, Ontario, Canada Tel: 905-673-0699 Fax: 905-673-6509 #### ASIA/PACIFIC **Asia Pacific Office** Suites 3707-14, 37th Floor Tower 6, The Gateway Harbour City, Kowloon Hong Kong Tel: 852-2401-1200 Fax: 852-2401-3431 Australia - Sydney Tel: 61-2-9868-6733 Fax: 61-2-9868-6755 China - Beijing Tel: 86-10-8569-7000 Fax: 86-10-8528-2104 China - Chengdu Tel: 86-28-8665-5511 Fax: 86-28-8665-7889 China - Chongqing Tel: 86-23-8980-9588 Fax: 86-23-8980-9500 **China - Hangzhou** Tel: 86-571-2819-3187 Fax: 86-571-2819-3189 China - Hong Kong SAR Tel: 852-2401-1200 Fax: 852-2401-3431 China - Nanjing Tel: 86-25-8473-2460 Fax: 86-25-8473-2470 China - Qingdao Tel: 86-532-8502-7355 Fax: 86-532-8502-7205 China - Shanghai Tel: 86-21-5407-5533 Fax: 86-21-5407-5066 China - Shenyang Tel: 86-24-2334-2829 Fax: 86-24-2334-2393 China - Shenzhen Tel: 86-755-8203-2660 Fax: 86-755-8203-1760 China - Wuhan Tel: 86-27-5980-5300 Fax: 86-27-5980-5118 China - Xian Tel: 86-29-8833-7252 Fax: 86-29-8833-7256 China - Xiamen Tel: 86-592-2388138 Fax: 86-592-2388130 China - Zhuhai Tel: 86-756-3210040 Fax: 86-756-3210049 #### ASIA/PACIFIC India - Bangalore Tel: 91-80-3090-4444 Fax: 91-80-3090-4123 India - New Delhi Tel: 91-11-4160-8631 Fax: 91-11-4160-8632 India - Pune Tel: 91-20-2566-1512 Fax: 91-20-2566-1513 Japan - Osaka Tel: 81-66-152-7160 Fax: 81-66-152-9310 Japan - Yokohama Tel: 81-45-471- 6166 Fax: 81-45-471-6122 Korea - Daegu Tel: 82-53-744-4301 Fax: 82-53-744-4302 Korea - Seoul Tel: 82-2-554-7200 Fax: 82-2-558-5932 or 82-2-558-5934 Malaysia - Kuala Lumpur Tel: 60-3-6201-9857 Fax: 60-3-6201-9859 Malaysia - Penang Tel: 60-4-227-8870 Fax: 60-4-227-4068 Philippines - Manila Tel: 63-2-634-9065 Fax: 63-2-634-9069 Singapore Tel: 65-6334-8870 Fax: 65-6334-8850 Taiwan - Hsin Chu Tel: 886-3-5778-366 Fax: 886-3-5770-955 Taiwan - Kaohsiung Tel: 886-7-536-4818 Fax: 886-7-330-9305 Taiwan - Taipei Tel: 886-2-2500-6610 Fax: 886-2-2508-0102 Thailand - Bangkok Tel: 66-2-694-1351 Fax: 66-2-694-1350 #### **EUROPE** Austria - Wels Tel: 43-7242-2244-39 Fax: 43-7242-2244-393 Denmark - Copenhagen Tel: 45-4450-2828 Fax: 45-4485-2829 France - Paris Tel: 33-1-69-53-63-20 Fax: 33-1-69-30-90-79 **Germany - Munich** Tel: 49-89-627-144-0 Fax: 49-89-627-144-44 Italy - Milan Tel: 39-0331-742611 Fax: 39-0331-466781 Netherlands - Drunen Tel: 31-416-690399 Fax: 31-416-690340 **Spain - Madrid** Tel: 34-91-708-08-90 Fax: 34-91-708-08-90 **UK - Wokingham** Tel: 44-118-921-5869 Fax: 44-118-921-5820 11/29/11