Tricore TC1796 (MED17/EDC17)

**soxten** · 25th October, 2013, 07:56 AM

I start this thread for Infineon Tricore TC1796 MCU.
This processor is hard to clone, Magic Motorsport X19 Tool can clone this MCU but it`s expensiv.
X17 Tool 3300euro + 200euro for each MCU as you whan`t to clone...

I have found some info as I show here below.
Link: http://www.infineon.com/dgdl/tc1796_...c4972cb1&ack=t
Page 7:30 to 7:33

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
UCB Configuration, Confirmation and Activation
In order to set up a UCB correctly, several steps must be done to avoid incorrect and
inoperable UCB contents and, as a result, unrepairable read/write protection.
There are three main tasks to execute for UCB setup:

1. Configuration of a UCB
This step includes the programming of the first page of a UCB by executing a User
Configuration Page command. This first page determines the protection type and the
two 32-bit keywords. Unused bytes in the first page of the UCB must be programmed
with 00H.

2. Confirmation of the Keywords
The 32-bit confirmation code word, which is located in the third page of a UCB,
should be programmed only after a check of the correct programming of the two
32-bit keywords. Reason: wrong keywords in a UCB can never be retrieved (because
UCBs are not readable), and a confirmed read or write protection cannot be disabled
and changed anymore when the password check (see Page 7-33) always fails.
The check for correct keywords in a UCB requires to execute a reset operation (e.g.
software reset) after the configuration has been setup as described under point 1.
After the reset, the protection is not fully activated because the confirmation code in
UCB2 UCP8 A000 0800H [1:0] Protection configuration bits (content as
defined for PROCON2)
A000 0808H [9:8] Copy of bytes [1:0]
? others Must be programmed to 00H
UCP9 ? all This page is reserved for future
purposes; must be programmed to 00H
UCP10 A000 0600H [3:0] 32-bit confirmation code: 8AFE15C3H
A000 0608H [11:8] Copy of 32-bit confirmation code
? others Must be programmed to 00H
UCP11 ? all This page is reserved for future
purposes; must be programmed to 00H
Table 7-16 Layout of User Configuration Blocks (cont?d)
UCB Page Address Byte(s) Content
TC1796
System Units (Vol. 1 of 2)
Program Memory Unit
User?s Manual 7-30 V2.0, 2007-07
PMU, V2.0
the UCB is still not valid but it is already configured. After issuing a Disable Read
Protection or Disable Write Protection command (depending on the configured
protection type) with the expected passwords, the status flag FSR.PROER indicates,
whether password checking was ok or not.
If PROER = 0 after the Disable Read Protection or Disable Write Protection
command, the password check was ok, meaning that the keywords in the UCB are
identical with the passwords that have been transmitted with the command. Now the
32-bit confirmation code word must be still programmed into the third page of the
UCB by the Write User Configuration Page command. Unused bytes of the third page
of the UCB should be programmed with 00H. After that operation, the selected
protection is defined to be ?installed?.
If PROER = 1 after the Disable Read Protection or Disable Write Protection
command, the password check was negative. In this case (and if the correct
passwords are not known), the related UCB has to be erased again and the UCB
setup must be repeated as described under point 1.
3. Activation of an Installed Protection
When a read or write protection has been installed, it can only be activated by
executing any reset operation. After this reset operation, an installed protection
becomes ?active?.

7.2.7.2 Write and OTP Protection for PFLASH
Write protection is a feature that must be installed by the user of the TC1796 device. In
the delivery state of the TC1796, no write protection is installed meaning that the UCBs
are in erased state. If sector write protection is active for a PFLASH sector, erasing and
programming of this sector is only possible if the corresponding UCB keywords are
known.

OTP write protection can be installed and enabled for a PFLASH sector only once after
the TC1796 delivery state. Write protection configuration for a PFLASH sector can be
modified by erasing and re-programming of the related UCB.
The sector write protection configuration must be initially programmed into one of the
three UCBs by using the Write User Configuration Page command. With this command,
the user determines the PFLASH sector(s) to be write-protected and two 32-bit keywords
which are required to temporarily disable an already installed write protection
configuration or to temporarily disable an active sector write protection. Erasing and
reprogramming of UCB0 or UCB1 can be performed up to 4 times during TC1796 device
lifetime.
As described above on Page 7-29, sector write protection remains active as long as no
Disable Write Protection command is issued. Within this command sequence, the user
has to identify itself by its passwords and its user level (UL, see command sequence
definition). After the Disable Write Protection command, sector write protection is
temporarily disabled for all sectors that belong to the user. Thereby, disabling of write
TC1796
System Units (Vol. 1 of 2)
Program Memory Unit
User?s Manual 7-31 V2.0, 2007-07
PMU, V2.0
protection is hierarchically controlled. This means, if user 0 (assigned to UCB0) disables
write protection for his sector(s), also write protection for user 1 (assigned to UCB1) is
disabled but not vice versa (user 1 can only disable his own protected sectors).
Note: Sector specific write protection may be combined with read protection. In this
case, after execution of the Disable Sector Write Protection command the
protected sectors are only unlocked if read protection is also disabled.
Resumption of the temporarily disabled write protection (and read protection) is done by
sending the Resume Protection command or by executing a reset operation. For UCB2,
disabling write protection and thus re-programming is not possible.
The configuration of an installed write protection is indicated by:
? Three status flags FSR.WPROINx (x = 0-2) that indicate whether sector write
protection is installed for UCBx or not
? Status flag FSR.PROIN = 1; this bit is set coincidently with FSR.WPROINx
? Status flags SnL (n = 0-12) in the three Protection Configuration registers PROCONx
(x = 0-2) that indicate which Flash sectors are write-protected by UCBx
? The state of a write protection (enabled or temporarily disabled) is indicated by bits
FSR.WPRODIS0 (for UCB0) and FSR.WPRODIS1 (for UCB1).
After the execution of an Erase User Configuration Block command, which requires the
preceding disabling of an active write protection by the Disable Write Protection
command, all keywords and all protection parameters in the UCB are erased. Thus, the
UCB is totally unprotected until it becomes re-programmed. The only exception is UCB2,
which can never be erased after installation of OTP write protection.
If global write protection is additionally installed (implicitly with an installed read
protection), a Disable Read Protection command must be issued before the write
protection configuration parameters in UCB0 can be modified by user 0.
Note: All PFLASH sectors can be write-protected or OTP-protected, separately for all
three users. DFLASH sectors cannot be separately write-protected (only generally
via Read Protection).
TC1796
System Units (Vol. 1 of 2)
Program Memory Unit
User?s Manual 7-32 V2.0, 2007-07
PMU, V2.0

7.2.7.3 Read Protection for PFLASH and DFLASH
When read protection is active, read accesses from PFLASH and DFLASH memory
locations are generally disabled, if code execution is not started from internal Flash after
reset. Additionally, a global write protection is always active for a read-protected
PFLASH and DFLASH. This feature supports a protection against trojan horse
programs. Note that read protection cannot be activated separately for PFLASH and
DFLASH.
Read protection is installed only via UCB0. At programming of UCB0, the highest bit of
its second byte (corresponds to bit PROCON0.RPRO, see Page 7-59) must be set.
After the configuration and confirmation of UCB0 (see Page 7-29), read protection is
installed but still not active. After the following reset operation, the installed read
protection becomes really active. It remains active as long as no Disable Read
Protection command is issued. This command is password-protected and the user must
provide the two passwords for temporarily disabling the read protection. This mechanism
assures, that an installed read protection configuration can only be changed (e.g.
disabled) by an user which has knowledge about the two keywords that have been
initially programmed into the UCB. After the Disable Read Protection command, the read
protection configuration as defined in UCB0 can be changed (after erasing UCB0), if not
coincidently sector write protection is installed by the user 0 (in this case, also sector
write protection must be disabled). A temporarily disabled read protection can be reenabled
by sending the Resume Protection command, or by executing a reset operation.
Read protection can be combined with sector specific write protection. In this case, after
execution of the Disable Read Protection command, only those sectors are unlocked for
write accesses, which are not separately write-protected.
The status of a correctly installed read protection is indicated by:
? Status flag FSR.RPROIN = 1; this bit becomes updated after a reset operation (when
the Boot ROM code has been left) and when read protection has been configured.
? Status flag PROCON0.RPRO = 1; indicates an installed (and confirmed) read
protection as programmed in the protection configuration bits of UCB0.
? Read protection active flag FCON.RPA; indicates the state of an installed read
protection (active or temporarily disabled).
There are also two Flash access disable bits in register FCON, DCF (= Disable Code
Fetch) and DDF (= Disable Data Fetch), which control the Flash access during an active
read protection. During execution of the Boot ROM program (see Page 4-18) with read
protection, the following three locations for program code execution can be selected:
? Case 1: code execution from internal PFLASH
? Case 2: code execution from internal program memory after execution of a bootstrap
loader
? Case 3: code execution from external program memory via EBU
TC1796
System Units (Vol. 1 of 2)
Program Memory Unit
User?s Manual 7-33 V2.0, 2007-07
PMU, V2.0
With a reset operation, the FCON register bits DCF and DDF are set. When starting code
execution from internal PFLASH, these flags become cleared by the Boot ROM program
before Boot ROM exit. This means that code execution from PFLASH and data read
accesses from PFLASH or DFLASH is generally allowed. The program code, which
executes the data read accesses from Flash, can be located in any program memory.
When starting from internal or external program RAM (case 2 and 3), flags DCF and DDF
remain set at Boot ROM exit. This means, that code execution from PFLASH and data
read access from PFLASH or DFLASH is disabled. In this case, code or data accesses
from PFLASH or DFLASH are only possible while read protection is temporarily disabled
by the password protected Disable Read Protection command (FCON.RPA is cleared).
In this disable state, it is also possible to clear the DCF/DDF flags of register FCON.
Flash data accesses from dedicated bus masters others than the CPU/DMI can be
disabled separately with FCON register bits DDFDBG, DDFDMA, and DDFPCP of
register FCON. When such a bit is set, the corresponding bus master (Debug system,
DMA controller, or PCP) is not allowed to access PFLASH or DFLASH memory. When
these bits are set once, they can only be cleared again when read protection is not
selected at all (inactive), or temporarily disabled.
Note: The debug interface is disabled after Boot ROM exit with read protection.

7.2.7.4 Password Check Control
The Disable Write Protection command and the Disable Read Protection command
provide a protected command sequence, meaning that two 32-bit passwords must be
issued within the command. Both commands are executed only if the two passwords are
identical with the two keywords that are stored in the corresponding user configuration
block. If one or both passwords are not identical to their related keywords, the protected
sectors remain in the locked state (read- and/or write-protected) and the protection error
flag FSR.PROER is set. In this case, a new Disable Write Protection command or a
Disable Read Protection command is only accepted after the next TC1796 reset
operation.
Note that the Disable Write Protection command can be applied for user 0 (UCB0) or
user 1 (UCB1). The Disable Read Protection command can be applied only for user 0
(UCB0).
__________________________________________________ __________________________________________________ ____________________________________________

So... IF you hack password (2x32bit) then you can erase/write 4 times before you brake the MCU (OPT area)

**SERBAN 70** · 18th October, 2015, 04:58 PM

Which tool necessary for this purpose

**simaservis1108** · 19th October, 2015, 12:13 AM

New unprogrammed MCU is the solution.

**Youneselm** · 4th January, 2016, 02:11 AM

Look in other treads about this microprocessor.:-)

You can always rewrite the Vflash in these ecu's, like it was a dealer update thats it. But beware! Vflash read or write. There are some tools that only read map data and not other like immo,...( cmd) only Virtual flash.