The EEPROM Experience
Erik Jerkersson, Saab Ericsson Space, October 12 2005
Software Data Protection
Austrian Aerospace, Vienna, Austria
Headquarters: Göteborg, Sweden
Mechanical Products Division, Linköping, Sweden
Austrian Aerospace, Berndorf, Austria
Saab Ericsson Space Inc., Los Angeles, USA
Ground support equipment
Total sales 2004 Saab Ericsson Space Group: 669 MSEK [ 91 MUSD / 73 M€ ]
Employees: 524 (engineers with University Degree or higher 54 %, engineers 40 %, others 6 %)
State-of-the-art tools for design and analysis:
- digital electronics
- microwave electronics
- antenna design
- mechanical / thermal design
3000 m² for electronics production in Göteborg, class 100 000 and class 10 000 for hybrid production
200 m² for electronics production in Vienna, class 100 000
300 m² for thermal hardware production in Berndorf, class 10 000
400 m² for mechanical systems and satellite integration in Linköping, class 100 000
110 manufacturing operators
Multichip Module Technologies
Surface Mount Technologies
Plated Through Hole Technologies
Composite manufacturing
7 antenna test ranges
4 thermal vacuum chambers (+1 in Vienna)
2 vibrators (+1 in Vienna)
Components and Materials laboratory
Command and Data Handling Systems
for more than 80 satellites in telecom,
science and earth observation applications.
Guidance and Control
for more than 160 Ariane launchers and
now also for Vega!
Payload Processing and Control
for Inmarsat, Galileosat, Envisat, Metop...
Radio occultation GRAS, GPSOS
Profiles of temperature in the troposphere
Profiles of water vapour in the troposphere
Cloud top temperature/pressure
Sea and land temperatures

2 IASI - Infrared Atmospheric Sounding Interferometer
Cooling the device sped up the process of “forgetting” the stored bit.
Heating helped the EEPROM to “remember” the data stored inside.
Figure 1 Degrading bit
Write strobe frequency dependency
Write strobe Pulses
Perturbation on Write strobe
Reset signal oscillation
Buffer driving EEPROM
All EEPROMs were locked by the software protection algorithm all the time during these experiments.
Due to the low number (12) of devices included in the test it is not wise to generalize the result. The result listed below could be different with another set of EEPROMs.

Experiments in the IASI project: Noise sensitivity
The address was stable, the CS_N was forced to active and the WR_N and RD_N were forced inactive when the disturbance was applied on the reset signal. The disturbance was applied for 5 minutes in each test.
No indication of sensitivity to disturbances on the reset signal was found.

Reset signal oscillation
The outputs of the buffers may start to oscillate while their inputs are floating, and thereby affect the EEPROMs in an undesired way.
Floating signals can occur in a system where the CPU hands control to another bus master during DMA.
Signals may float, with the voltage slowly decreasing, for a short period during the transaction: long enough for the buffers to start oscillating.

Buffer driving EEPROM
Figure 4 Example of oscillating EEPROM signal when the driver is tristated
Even if an EEPROM is locked, a write access will trigger the internal write cycle, though without writing anything (provided all timing is OK). This makes the EEPROM inaccessible for reading for up to 10 ms.
Any read during this time will return undefined data
(there will be a pattern, but the origin of the pattern found is outside the scope of this investigation).
This phenomenon is not mentioned in the data sheet.

5 SOFTWARE DATA PROTECTION
Figure 6 Start up sequence
In the beginning we thought that enabling the Software Data Protection was enough.
So, while running code in EEPROM, only one tiny wrong write access to the EEPROM and you will find yourself in hot water!

IASI software data protection experience (cont.)
Data sheet states “With the software data protection enabled the entire memory array is protected from unintentional writes due to noise on the control inputs or minor bus contentions”.
Data sheet also states “By using only the three byte sequence rather than the six byte sequence, the user is assured that the Software Data Protection is always enabled and that inadvertent writes will not corrupt the data in memory”.
High speed processors and uncontrolled SW are a potential danger when used in a system together with EEPROM.

6 MALICIOUS SOFTWARE
Uncontrolled SW is what results when the SW for some reason crashes and runs wild.
Within the IASI project an investigation into this matter was performed, and it was clear that the EEPROM is sensitive to usage outside the data sheet recommendations.
The behaviour of the EEPROM varied depending on whether the EEPROM was in the locked or unlocked mode.
Not respecting the 10 ms delay when writing to the EEPROM and crossing a page boundary is DANGEROUS to the EEPROM and might result in sub page corruption.
Not respecting the timing of the byte load cycle did not cause any sub page corruption.
Violating the byte load window timing requirement may only affect the page that was written.
Definitions:
- “Byte load window”: the time to wait after the last EEPROM-specific write pulse before the next write pulse (100 µs).
- “Byte load cycle”: the time between subsequent write accesses in page mode (0.55-30 µs).
- “Write cycle time”: the EEPROM internal write cycle (10 ms).

Malicious SW - unlocked EEPROM
The dangerous pulse width on WR_N was found to be below 100 ns.
This corresponds well to the behaviour described earlier under the heading Signal integrity.
A short pulse on WR_N could occur if the SW does not respect the number of wait states required. A write pulse of normal width had no dangerous effect.

Malicious SW - locked EEPROM
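The locked-device write cycle described earlier, the data sheet's advice to use only the three-byte sequence, and the timing rules for the unlocked and locked cases can be made concrete in driver code. The following is an added example, not code from the talk or from the IASI project: a page-write routine that respects those rules, run against a small simulated 28C-style EEPROM constructed here to reproduce the failure modes the slides describe (a stray write to a locked device stores nothing but starts the 10 ms cycle, during which reads are undefined; a page load that crosses a page boundary corrupts). Device size (32 kbyte), page size (64 bytes), the SDP byte values (the Atmel 28C-family AA/55/A0 sequence), the undefined-read pattern and the `sim_*` / `ee_*` names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#define EE_SIZE    32768u  /* 256 kbit part: assumed */
#define EE_PAGE    64u     /* bytes per page: assumed */
#define EE_TBLW_US 100u    /* byte load window, from the slides */
#define EE_TWC_US  10000u  /* internal write cycle time, 10 ms, from the slides */

/* ---- Simulated 28C-style device (constructed model, not a real part) ---- */
static uint8_t mem[EE_SIZE], pagebuf[EE_PAGE];
static bool    loaded[EE_PAGE];
static int     cur_page = -1;  /* page being loaded, -1 when idle */
static int     sdp_step;       /* progress through the AA / 55 / A0 sequence */
static bool    unlocked, busy; /* SDP sequence seen / inside the 10 ms write cycle */
unsigned sim_corruptions, sim_undefined_reads;  /* what careless SW causes */

static void sim_commit(void)
{
    for (unsigned i = 0; i < EE_PAGE; i++)
        if (loaded[i]) mem[cur_page * EE_PAGE + i] = pagebuf[i];
    cur_page = -1; unlocked = false; busy = false;  /* SDP re-arms after every page */
}

void sim_write(uint16_t a, uint8_t d)
{
    if (busy) { sim_corruptions++; return; }  /* write inside tWC: sub page corruption */
    if (sdp_step == 0 && a == 0x5555 && d == 0xAA) { sdp_step = 1; return; }
    if (sdp_step == 1 && a == 0x2AAA && d == 0x55) { sdp_step = 2; return; }
    if (sdp_step == 2 && a == 0x5555 && d == 0xA0) { sdp_step = 0; unlocked = true; return; }
    sdp_step = 0;
    if (!unlocked) { busy = true; return; }  /* locked: nothing stored, but tWC still starts */
    if (cur_page < 0) { cur_page = (int)(a / EE_PAGE); memset(loaded, 0, sizeof loaded); }
    else if ((int)(a / EE_PAGE) != cur_page) { sim_corruptions++; return; }  /* crossed a page */
    pagebuf[a % EE_PAGE] = d; loaded[a % EE_PAGE] = true;
}

uint8_t sim_read(uint16_t a)
{
    if (busy) { sim_undefined_reads++; return (uint8_t)(0xA5 ^ a); }  /* undefined: assumed pattern */
    return mem[a];
}

void sim_delay_us(uint32_t us)
{
    if (cur_page >= 0 && us >= EE_TBLW_US) busy = true;  /* load window closed: cycle starts */
    if (busy && us >= EE_TWC_US) { if (cur_page >= 0) sim_commit(); else busy = false; }
}

/* ---- Driver: the rules the slides ask the SW designer to respect ---- */
struct ee_bus { void (*write)(uint16_t, uint8_t); uint8_t (*read)(uint16_t); void (*delay_us)(uint32_t); };
static const struct ee_bus sim_bus = { sim_write, sim_read, sim_delay_us };
/* 3-byte SDP sequence only (28C-family values, assumed); the 6-byte disable sequence is never issued. */
static void ee_sdp_unlock(const struct ee_bus *b)
{ b->write(0x5555, 0xAA); b->write(0x2AAA, 0x55); b->write(0x5555, 0xA0); }

int ee_write(const struct ee_bus *b, uint16_t addr, const uint8_t *src, size_t len)
{
    if ((size_t)addr + len > EE_SIZE) return -1;
    while (len) {
        size_t room = EE_PAGE - addr % EE_PAGE, n = len < room ? len : room;  /* never cross a page */
        ee_sdp_unlock(b);
        for (size_t i = 0; i < n; i++) b->write((uint16_t)(addr + i), src[i]);  /* byte load cycles */
        b->delay_us(EE_TWC_US);  /* no read or write at all until the write cycle is over */
        addr = (uint16_t)(addr + n); src += n; len -= n;
    }
    return 0;
}

/* Well-behaved SW: 100 bytes spanning two page boundaries, read back after tWC. Returns 0 on success. */
int demo_well_behaved(void)
{
    uint8_t pat[100], back[100];
    for (int i = 0; i < 100; i++) pat[i] = (uint8_t)(i * 7);
    sim_corruptions = sim_undefined_reads = 0;
    if (ee_write(&sim_bus, 0x1000 - 20, pat, sizeof pat)) return -1;
    for (int i = 0; i < 100; i++) back[i] = sim_bus.read((uint16_t)(0x1000 - 20 + i));
    return (memcmp(pat, back, 100) == 0 && sim_corruptions == 0) ? 0 : 1;
}

/* Malicious SW, locked EEPROM: a stray write stores nothing, but the read inside tWC is undefined. Returns 0 if so. */
int demo_locked_stray_write(void)
{
    sim_corruptions = sim_undefined_reads = 0;
    uint8_t before = sim_read(0x0100);
    sim_write(0x0100, 0x00);
    (void)sim_read(0x0100);  /* undefined data for up to 10 ms */
    sim_delay_us(EE_TWC_US);
    return (sim_read(0x0100) == before && sim_undefined_reads == 1) ? 0 : 1;
}

/* Malicious SW, unlocked EEPROM: a page load running across a page boundary. Returns bytes that hit the wrong page. */
int demo_unlocked_boundary_cross(void)
{
    sim_corruptions = sim_undefined_reads = 0;
    ee_sdp_unlock(&sim_bus);
    for (uint16_t a = 0x1000 - 4; a < 0x1000 + 4; a++) sim_write(a, 0x55);
    sim_delay_us(EE_TWC_US);
    return (int)sim_corruptions;  /* 4 */
}
```

The model is deliberately simple: it does not simulate the sub-100 ns WR_N pulses or the byte load cycle timing, which only a logic analyser on the real bus can show. What it does show is the discipline the conclusions ask for: unlock with the three-byte sequence before every page, stay inside one page per load, and make no access at all to the device until the write cycle time has elapsed, whether or not the device is locked.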
It is essential to have clean and noiseless EEPROM control signals.
In a design, avoid floating signals as inputs to buffers, which can lead to oscillation on the buffer outputs. If an oscillating buffer is driving EEPROM signals it can corrupt the EEPROM contents.
An EEPROM is affected by a write access and will be unavailable for 10 ms even if the Software Data Protection is enabled.
Be aware of malicious SW. Always respect the timing stated in the data sheet. Make sure the SW designer knows the EEPROM user constraints. Keep the EEPROM locked.

7 CONCLUSIONS