
8.2 Watchdog Timer – Maxim Integrated Secure Microcontroller User Manual


Secure Microcontroller User’s Guide


POR informs the software of the power supply condition. Specifically, it means the power has previously
dropped below the VCCMIN level and returned to normal. In many systems, this is a unique condition that
requires interaction with external hardware. Protecting this bit with a timed-access procedure prevents the
microcontroller from accidentally performing a power-on reset procedure.

On a DS5000 series device, the PAA bit allows software to alter the partition. If this is done accidentally,
the resulting configuration could be unrecoverable without human intervention. This could mean
selecting a partition that is outside of the user’s plan and that causes the system to fail. In a like manner,
the PA3–0 bits on a DS5001 series device are protected through timed access. As the DS5001 does not
have a PAA bit, the partition control bits are directly protected. The motivation for protecting the AE bit
is similar. This bit invokes a partitionable configuration where one had not been selected during bootstrap
loading. While there are several valid reasons to select AE, accidentally selecting this condition might be
unrecoverable without manual intervention.

Timed-access logic protects against a single inadvertent write modifying a critical control bit. It does not
protect against inadvertently entering a section of code that contains the correct sequence to modify a
protected bit. However, the statistical protection does greatly improve the system’s resilience to a crash.

8.2 Watchdog Timer

The on-chip watchdog timer provides a method of restoring proper operation during transients that cause
the loss of software control. The watchdog timer incorporates a free-running counter that starts counting
as soon as the clock oscillator begins operation following a power-on reset. When the watchdog timer is
enabled, it eventually reaches a timeout condition after 122,800 machine cycles, unless the application
software resets it. If a 12MHz crystal is used as the time-base element, this gives a timeout period of
122.88ms. An internal reset to the CPU is generated if the timeout condition is reached. Software that
uses the watchdog timer must periodically reset the watchdog to 0h at critical points in the program. If
controlled execution is lost so that these check points are not encountered within the timeout period, the
watchdog timer provides an automatic reset. The SFR bits that control the watchdog include the enable
watchdog timer bit (EWT; PCON.2), the reset watchdog timer bit (RWT; IP.7), and the watchdog timer-
reset status flag (WTR; PCON.4).

If the watchdog timer is desired, the first step is to reset the timer count. This is necessary since the timer
is free running and can be about to time out. Set the RWT bit to a logic 1 using a timed-access procedure.
This restarts the timer with the full interval. Then enable the watchdog timer-reset function by setting the
EWT bit to a logic 1, again with a timed-access procedure. Note that the EWT bit only controls whether
the reset is issued, not whether the timer runs. The watchdog timer must now be reset prior to 122,800
machine cycles or it will reset the CPU. If the watchdog timer is not used, clear the EWT bit to a logic 0
using a timed-access procedure. Since the EWT bit is nonvolatile, this ensures the watchdog-reset
function remains disabled.
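
The enable order described above, as an added host-side C model (not code from the manual): it shows why the count is restarted with RWT before EWT is set. The timed-access procedure is reduced to a one-shot unlock flag, and the names `wdt_t`, `ta_unlock`, `boot_resets` and the counter wrapping on timeout while EWT is clear are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

#define WDT_TIMEOUT 122800u /* machine cycles, figure as given in the text */

typedef struct {
    uint32_t count;  /* free-running counter; runs whether or not EWT is set */
    bool ewt;        /* EWT: a timeout resets the CPU only when this is 1 */
    bool wtr;        /* WTR: status flag, set when the watchdog caused a reset */
    bool ta_open;    /* modelled timed-access window (assumption of this model) */
} wdt_t;

static void ta_unlock(wdt_t *w) { w->ta_open = true; }

/* A protected write takes effect only directly after an unlock. */
static bool ta_consume(wdt_t *w) { bool ok = w->ta_open; w->ta_open = false; return ok; }

static bool set_rwt(wdt_t *w) {            /* RWT = 1: restart the count from 0 */
    if (!ta_consume(w)) return false;      /* a lone write is ignored */
    w->count = 0;                          /* RWT self-clears, so no bit is stored */
    return true;
}

static bool write_ewt(wdt_t *w, bool v) {
    if (!ta_consume(w)) return false;
    w->ewt = v;
    return true;
}

/* Advance n machine cycles; returns true if the watchdog reset the CPU. */
static bool run(wdt_t *w, uint32_t n) {
    while (n--) {
        if (++w->count < WDT_TIMEOUT) continue;
        w->count = 0;                      /* modelling choice: counter wraps */
        if (w->ewt) { w->wtr = true; return true; }
    }
    return false;
}

/* Boot code that has run `elapsed` cycles, enables the watchdog, then needs
   `init` more cycles before its first regular watchdog reset. */
static bool boot_resets(uint32_t elapsed, uint32_t init, bool restart_first) {
    wdt_t w = {0};
    run(&w, elapsed);
    if (restart_first) { ta_unlock(&w); set_rwt(&w); }  /* first step in the text */
    ta_unlock(&w); write_ewt(&w, true);                 /* second step in the text */
    return run(&w, init);
}
```

With 120,000 cycles already elapsed, setting EWT alone leaves only 2,800 cycles before the reset fires; restarting the count first gives the full interval.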

If operation without the watchdog timer is desired, the EWT bit should be cleared following any type of
reset by using the timed-access register. This ensures the watchdog timer never causes an undesired reset
during execution of the application software.

During subsequent program execution, the watchdog timer can be reset by a timed-access write operation
that sets the RWT bit to 1. This causes the watchdog timer to begin counting machine cycles again from
an initial count of 0. The RWT bit is automatically cleared immediately after the watchdog timer is reset.
The following code fragment illustrates the reset of the watchdog timer: