Overview
The OTPC (One-Time Programmable Controller) is an anti-fuse based embedded non-volatile memory, featuring high security and data immutability. Each memory cell has a default value of 1 and can only be irreversibly programmed to 0 one time.
OTP Layout
The OTP layout is shown in the figure below.
Note
Refer to the corresponding User Manual for the detailed layout of each OTP partition, .
Physical Zone
The size of the physical zone is 0x800 bytes. Its layout has been predefined by Realtek and includes the mapping zone, security zone, user-defined physical zone, ROM code patch zone, and hidden physical zone.
Caution
The physical zone only supports a one-time, irreversible write from 1 to 0. Please operate with caution.
Physical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
Mapping Zone |
(0x000-0x1FF, 512 bytes) |
Mapped to the logical zone |
|
Security Zone |
(0x200-0x37F, 384 bytes) |
Stores various keys and related configurations |
|
User-defined Physical Zone |
(0x380-0x4FF, 384 bytes) |
For user’s free use |
|
ROM Code Patch Zone |
(0x500-0x6FF, 512 bytes) |
Used for applying patches to ROM code |
|
Hidden Physical Zone |
(0x700-0x7FF, 256 bytes) |
Used for functions like RMA |
Logical Zone
The size of the logical zone is 0x400 bytes. The value of the logical zone can be modified multiple times. The logical zone is mapped from the mapping zone (0x000 ~ 0x1FF, 512 bytes) of the physical zone through a relationship defined by Realtek. The mapping relationship is shown in the figure below.
Each block of data in the logical zone occupies one frame in the mapping zone. The hardware sequentially scans the content of each frame in the mapping zone and maps the data to the logical zone. When multiple frames map to the same address in the logical zone, the hardware uses the data from the last frame, which allows the logical zone to be modified multiple times.
Note
Refer to the corresponding User Manual for the detailed mapping relationship between the logical zone and the mapping zone.
Each modification to the value of the logical zone occupies one frame in the mapping zone. Therefore, when the mapping zone is full, the logical zone can no longer be modified.
The layout of the logical zone has been predefined by Realtek and includes the system data zone, user-defined MTP zone, calibration zone, etc.
Logical zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x13F, 288 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
HCI-USB |
(0x150-0x15F, 16 bytes) |
Stores configuration data related to USB devices. |
Used by Realtek |
Cap-Touch Calibration zone |
(0x160-0x16F, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
BT parameters zone |
(0x1B0-0x1FF, 80 bytes) |
Stores BT parameters. |
Used by Realtek |
Logical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x14F, 304 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
Cap-Touch Calibration zone |
(0x160-0x16F, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
Zigbee parameters zone |
(0x1A0-0x1FF, 16 bytes) |
Stores configuration data related to SDIO devices. |
Used by Realtek |
BT parameters zone |
(0x1B0-0x1FF, 80 bytes) |
Parameters for BT. |
Used by Realtek |
Logical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x14F, 304 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
Cap-Touch Calibration zone |
(0x160-0x16F, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
Zigbee parameters zone |
(0x1A0-0x1FF, 16 bytes) |
Stores configuration data related to SDIO devices. |
Used by Realtek |
BT parameters zone |
(0x1B0-0x1FF, 80 bytes) |
Parameters for BT. |
Used by Realtek |
Logical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x14F, 304 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
Cap-Touch Calibration zone |
(0x160-0x16F, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
Zigbee parameters zone |
(0x1A0-0x1FF, 16 bytes) |
Stores configuration data related to SDIO devices. |
Used by Realtek |
BT parameters zone |
(0x1B0-0x1FF, 80 bytes) |
Parameters for BT. |
Used by Realtek |
Logical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x14F, 304 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
Cap-Touch Calibration zone |
(0x160-0x16F, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
BT parameters zone |
(0x1B0-0x1FF, 80 bytes) |
Stores BT parameters. |
Used by Realtek |
Logical Zone Partition |
Address |
Description |
Usage |
|---|---|---|---|
System data zone |
(0x000-0x01F, 32 bytes) |
Stores system data. |
|
Wi-Fi Calibration zone |
(0x020-0x13F, 288 bytes) |
Stores Wi-Fi calibration data. |
Used by Realtek |
User-defined MTP zone |
(0x170-0x19F, 48 bytes) |
For user’s free use. |
|
Cap-Touch Calibration zone |
(0x1A0-0x1AF, 16 bytes) |
Stores Cap-Touch calibration data. |
Used by Realtek |
HCI-SDIO |
(0x200-0x29F, 160 bytes) |
Stores configuration data related to SDIO devices. |
Used by Realtek |
HCI-USB |
(0x2A0-0x2FF, 288 bytes) |
Stores configuration data related to USB devices. |
Used by Realtek |
Ethernet MAC address zone |
(0x300-0x305, 6 bytes) |
Used to store the Ethernet MAC address for RMII. |
Used by Realtek |
OTP API Reference
OTP API
API
Description
Operating Zone
OTP_Read8
Read a single byte from the OTP physical zone.
Physical Zone
OTP_Read32
Read 4 bytes from the OTP physical zone.
Physical Zone
OTP_Write8
Write a single byte to the OTP physical zone.
Physical Zone
OTP_LogicalMap_Read
Read the OTP logical map zone by length.
Logical Zone
OTP_LogicalMap_Write
Write to the OTP logical map zone address by length.
Logical Zone
otp_logical_remain
Get the remaining available length of OTP in the logical map zone.
Logical Zone
OTPSetCRC
Set the CRC check value for the secure zone.
Physical Zone
OTP_Read8
Item
Description
Function
Read a single byte from the OTP physical zone.
Parameters
Addr: The address of the OTP physical zone to be read.
Data: The OTP data read buffer (1 byte).
Return Value
Read operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
OTP_Read32
Item
Description
Function
Read 4 bytes from the OTP physical zone.
Parameters
Addr: The address of the OTP physical zone to be read.
Data: The OTP data read buffer (4 bytes).
Return Value
Read operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
OTP_Write8
Item
Description
Function
Write a single byte to the OTP physical zone.
Parameters
Addr: The address of the OTP physical zone to be written.
Data: The 1-byte data to be written.
Return Value
Write operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
OTP_LogicalMap_Read
Item
Description
Function
Read the OTP logical map zone by length.
Parameters
pbuf: The buffer used by the OTP logical map zone.
addr: The starting address of the OTP logical map zone to be read.
len: The byte length of the OTP logical map zone to be read.
Return Value
Read operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
OTP_LogicalMap_Write
Item
Description
Function
Write to the OTP logical map zone address by length.
Parameters
addr: The starting address of the OTP logical map zone to be written.
cnts: The byte length of the OTP logical map zone to be written
data: The data to be written.
Return Value
Write operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
otp_logical_remain
Item
Description
Function
Get the remaining available length of OTP in the logical map zone.
Parameters
None
Return Value
Remaining available length
OTPSetCRC
Item
Description
Function
Set the CRC check value for the secure zone.
Parameters
None
Return Value
Operation result
RTK_SUCCESS: Success
RTK_FAIL: Fail
OTP API Usage
Logical Zone
Program the value of logical address 0x02[1] to 1 by following steps:
Read the original value of logical address 0x02 and check the function return value.
u8 data_read; int ret; ret = OTP_LogicalMap_Read(&data_read, 2, 1);
Assume the data read from logical address 0x02 in step 1 is 0xA0. Perform an OR operation between 0xA0 and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xA2.
Write the new value 0xA2 to logical address 0x02 and check the function return value.
u8 data_written = 0xA2; int ret; ret = OTP_LogicalMap_Write(2, 1, &data_written);
Note
If it’s the first time programming a specific byte when programming the system data zone, special handling is required for that byte. Refer to System Data Zone.
Physical Zone
Program the value of physical address 0x02[1] to 0 by following steps:
Read the original value of physical address 0x02 and check the return value.
u8 data_read; int ret; ret = OTP_Read8(0x2, &data_read);
Assume the data read from physical address 0x02 in step 1 is 0xAF. Perform an AND operation between 0xAF and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xAD.
Write the new value 0xAD to physical address 0x02 and check the return value.
u8 data_written = 0xAD; int ret; ret = OTP_Write8(0x2, data_written);
OTP Serial Port Programming
Program the physical and logical zones of the OTP via the serial port.
Logical Zone
Use the following commands to perform read and write operations on the logical zone.
Operation |
Command |
Description |
|---|---|---|
Read |
AT+OTP=RMAP |
Read the entire logical zone |
Write |
AT+OTP=WMAP,<address>,<length>,<data> |
Write to a specified address in the logical zone
Note The length of the data string must be even and should not include the 0x prefix. |
To program the value of logical address 0x02[1] to 1, follow these steps:
Read the logical map and check the original value at logical address 0x02.
AT+OTP=RMAP
EFUSE[000]: ff ff a0 ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...
Assume the data read from logical address 0x02 in step 1 is 0xA0. Perform an OR operation between 0xA0 and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xA2.
rite the new value 0xA2 to logical address 0x02.
AT+OTP=WMAP,0x2,0x1,A2
[ATCMD_OTP-I] efuse wmap write len:1, string len:2
Read the data again to verify if the write operation was successful.
AT+OTP=RMAP
EFUSE[000]: ff ff a2 ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...
Note
If it’s the first time programming a specific byte when programming the system data zone, special handling is required for that byte. Refer to System Data Zone.
Physical Zone
Use the following commands to perform read and write operations on the physical zone.
Operation |
Command |
Description |
|---|---|---|
Read |
AT+OTP=RRAW |
Read the entire physical zone |
Write |
AT+OTP=WRAW,<address>,<length>,<data> |
Write to a specified address in the physical zone
Note The length of the data string must be even and should not include the 0x prefix. |
To program the value of physical address 0x02[1] to 0, follow these steps:
Read the physical map to check the original value at physical address 0x02.
AT+OTP=RRAW
RawMap[000]: ff ff af ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...
Assume the data read from physical address 0x02 in step 1 is 0xAF. Perform an AND operation between 0xAF and the target bit 0x02[1], keeping the rest of the data at default values. The new value to be written is 0xAD.
Write the new value 0xAD to physical address 0xAD.
AT+OTP=WRAW,0x2,0x1,AD
[ATCMD_OTP-I] efuse wraw write len:1, string len:2
wraw: 2 ad
Read the data again to verify if the write operation was successful.
AT+OTP=RRAW
RawMap[000]: ff ff ad ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...
Note
The RF calibration tool uses the command iwpriv to program the OTP, but it is not recommended for other tools to use this command for OTP programming.
Usage
Logical Zone
The logical zone is partitioned into zones such as system data, Wi-Fi calibration data, and User-defined MTP.
System Data Zone
The system data zone (0x000 ~ 0x01F, 32 bytes) is used to store system data that may be required at system boot. The system data is automatically loaded by hardware into the system registers and takes effect at system boot.
Note
Refer to the corresponding User Manual for the mapping relationship between the system data zone and the system registers.
For historical reasons, if a byte in the system data zone is programmed for the first time, the corresponding system register will retain its initial value of 0x00, rather than the 0xFF read from the logical zone. Therefore, special handling is required for the first-time programming of system data.
Note
When a byte in the system data zone has been programmed to a non-0xFF value and is then programmed back to 0xFF, the value of the corresponding system register will be 0xFF, not the initial value of 0x00. Therefore, it is not recommended to program a byte in the system data zone from a non-0xFF value to 0xFF.
The programming flow for system data is as follows:
Example
To program the value of logical address 0x02[1] to 1, follow these steps:
Read the logical map to check the original value at logical address 0x02.
AT+OTP=RMAP
or
u8 data_read; OTP_LogicalMap_Read(&data_read, 2, 1);
Determine the value to be written based on the read value.
If the data read from logical address 0x02 in step 1 is 0xA0, it indicates that this byte is not being programmed for the first time. Perform an OR operation between 0xA0 and the target bit 0x02[1], so the new value to be written is 0xA2.
AT+OTP=WMAP,0x2,0x1,A2
or
u8 data_written = 0xA2; OTP_LogicalMap_Write(2, 1, &data_written);
If the data read from logical address 0x02 in step 1 is 0xFF, it indicates that this byte is being programmed for the first time. Perform an OR operation between 0x00 and the target bit 0x02[1], so the new value to be written is 0x02.
AT+OTP=WMAP,0x2,0x1,02
or
u8 data_written = 0x02; OTP_LogicalMap_Write(2, 1, &data_written);
Read the data again to verify if the write operation was successful.
AT+OTP=RMAP
or
u8 data_read; OTP_LogicalMap_Read(&data_read, 2, 1);
System Data Programming Scenarios
Generally, system data has its initial values, and the user modifies it as needed.
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program it to 1 to enable deep sleep mode for Flash during sleep, otherwise ignore it. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program it to 1 if using external Flash with capacity > 16MB, otherwise ignore it. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup during boot 0: Speedup 1: No speedup |
Program it to 1 to disable SPIC initialization speedup during system boot, otherwise ignore it. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Flash clock selection during boot 0: 20MHz 1: 10MHz |
Program it to 1 to set Flash clock to 10MHz during system boot, otherwise ignore it. |
0x02 |
[4] |
BOOT_INT_FLASH |
0 |
Boot from external or internal Flash 0: Internal Flash 1: External Flash |
Program it to 1 to boot from external Flash, otherwise ignore it. |
0x02 |
[5] |
BOOT_CNT_LMT_EN |
0 |
Enable soft boot count limit 0: Disable 1: Enable |
Program it to 1 to enable system soft boot count limit, otherwise ignore it. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program it to 1 to disable boot log, otherwise ignore it. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program it to 1 to set LOGUART baud rate to 115200, otherwise ignore it. |
0x03 |
[2] |
LOGIC_SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
LOGIC_RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[4] |
LOGIC_RDP_EN |
0 |
Enable RDP function 0: Disable 1: Enable |
|
0x03 |
[5] |
BOOT_RAND_DELAY_EN |
0 |
Enable random delay during boot 0: Disable 1: Enable |
Program it to 1 to add random delay during system boot, otherwise ignore it. |
0x03 |
[6] |
USB_CLK_CAL_EN |
0 |
Enable SoC clock calibration for USB 0: Disable 1: Enable |
Program it to 1 to enable SoC clock calibration for USB, otherwise ignore it. |
0x03 |
[7] |
USB_DOWNLOAD_EN |
0 |
Enable USB download function 0: Disable 1: Enable |
Program it to 1 to enable USB download function, otherwise ignore it. |
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program to 1 to enable Flash deep sleep during sleep mode, otherwise ignore. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program to 1 if using external Flash with capacity > 16MB, otherwise ignore. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup at boot 0: Speedup 1: No speedup |
Program to 1 to disable SPIC initialization speedup at system boot, otherwise ignore. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Select Flash clock at boot 0: 20MHz 1: 10MHz |
Program to 1 to set Flash clock to 10MHz at system boot, otherwise ignore. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program to 1 to disable boot log, otherwise ignore. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program to 1 if LOGUART baud rate is 115200, otherwise ignore. |
0x03 |
[2] |
SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[4] |
RDP_EN |
0 |
Enable RDP function 0: Disable 1: Enable |
|
0x03 |
[5] |
BOOT_RAND_DELAY_EN |
0 |
Enable random delay at boot 0: Disable 1: Enable |
Program to 1 to add random delay at system boot, otherwise ignore. |
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program to 1 to enable Flash deep sleep during sleep mode, otherwise ignore. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program to 1 if using external Flash with capacity > 16MB, otherwise ignore. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup at boot 0: Speedup 1: No speedup |
Program to 1 to disable SPIC initialization speedup at system boot, otherwise ignore. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Select Flash clock at boot 0: 20MHz 1: 10MHz |
Program to 1 to set Flash clock to 10MHz at system boot, otherwise ignore. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program to 1 to disable boot log, otherwise ignore. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program to 1 if LOGUART baud rate is 115200, otherwise ignore. |
0x03 |
[2] |
SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[4] |
RDP_EN |
0 |
Enable RDP function 0: Disable 1: Enable |
|
0x03 |
[5] |
BOOT_RAND_DELAY_EN |
0 |
Enable random delay at boot 0: Disable 1: Enable |
Program to 1 to add random delay at system boot, otherwise ignore. |
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program to 1 to enable Flash deep sleep during sleep mode, otherwise ignore. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program to 1 if using external Flash with capacity > 16MB, otherwise ignore. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup at boot 0: Speedup 1: No speedup |
Program to 1 to disable SPIC initialization speedup at system boot, otherwise ignore. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Select Flash clock at boot 0: 20MHz 1: 10MHz |
Program to 1 to set Flash clock to 10MHz at system boot, otherwise ignore. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program to 1 to disable boot log, otherwise ignore. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program to 1 if LOGUART baud rate is 115200, otherwise ignore. |
0x03 |
[2] |
SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[5] |
BOOT_RAND_DELAY_EN |
0 |
Enable random delay at boot 0: Disable 1: Enable |
Program to 1 to add random delay at system boot, otherwise ignore. |
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program to 1 to enable Flash deep sleep during sleep mode, otherwise ignore. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program to 1 if using external Flash with capacity > 16MB, otherwise ignore. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup at boot 0: Speedup 1: No speedup |
Program to 1 to disable SPIC initialization speedup at system boot, otherwise ignore. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Select Flash clock at boot 0: 20MHz 1: 10MHz |
Program to 1 to set Flash clock to 10MHz at system boot, otherwise ignore. |
0x02 |
[5:4] |
BOOT_NOR_FLASH |
0 |
Boot from Nor or Nand Flash 0/3: Determined by power-on latch 1: Nor Flash 2: Nand Flash |
Program to desired value to select Flash type for system boot. |
0x02 |
[6] |
USB_LOAD_SPEED |
0 |
USB speed selection 0: High-speed mode 1: Full-speed mode |
Program to 1 to configure USB as full-speed mode when using USB download function, otherwise ignore. |
0x02 |
[7] |
SPIC_NAND_PAGE_SIZE |
0 |
Nand Flash page size selection 0: 2KB 1: 4KB |
Program to 1 to set Nand Flash page size to 4KB at system boot, otherwise ignore. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program to 1 to disable boot log, otherwise ignore. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program to 1 if LOGUART baud rate is 115200, otherwise ignore. |
0x03 |
[2] |
SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[4] |
RDP_EN |
0 |
Enable RDP function 0: Disable 1: Enable |
|
0x03 |
[5] |
BOOT_RAND_DELAY_EN |
0 |
Enable random delay at boot 0: Disable 1: Enable |
Program to 1 to add random delay at system boot, otherwise ignore. |
0x03 |
[7] |
USB_DOWNLOAD_EN |
0 |
Enable USB download function 0: Disable 1: Enable |
Program to 1 to enable USB download function, otherwise ignore. |
Offset Address |
Bit |
Symbol |
Initial Value |
Description |
Scenario |
|---|---|---|---|---|---|
0x00 |
[2:1] |
BOOT_SRC_SEL |
0 |
Select boot source 0/3: Boot from Flash 1: Boot from USB 2: Boot from SDIO |
|
0x00 |
[3] |
BT_Function_EN |
0 |
Enable BT function in NIC mode 0: Disable 1: Enable |
Program to 1 to enable BT function in NIC mode, otherwise ignore. |
0x00 |
[5:4] |
SDIO_PINMUX |
0 |
Select SDIO pinmux in NIC mode 0:PINMUX Index 0 (group 1: PA4-PA5,PA18-PA21) 1:PINMUX Index 1 (group 6: PC2-PC7) 2/3: RSVD |
Program to 1 if using PC2-PC7 for SDIO pinmux in NIC mode, otherwise ignore. |
0x00 |
[7:6] |
BOOT_INT_FLASH |
0 |
Boot from external or internal Flash 0/3: Determined by power on latch 1: Internal flash 2: External flash |
Program to the desired value to change the Flash location at system boot. |
0x02 |
[0] |
FLASH_DEEPSLEEP_EN |
0 |
Enable Flash deep sleep mode 0: Disable 1: Enable |
Program to 1 to enable Flash deep sleep during sleep mode, otherwise ignore. |
0x02 |
[1] |
SPIC_ADDR_4BYTE_EN |
0 |
Enable SPI Flash controller 4-byte address mode 0: Disable 1: Enable |
Program to 1 if using external Flash with capacity > 16MB, otherwise ignore. |
0x02 |
[2] |
SPIC_BOOT_SPEEDUP_DIS |
0 |
Disable SPIC initialization speedup at boot 0: Speedup 1: No speedup |
Program to 1 to disable SPIC initialization speedup at system boot, otherwise ignore. |
0x02 |
[3] |
BOOT_FLASH_CLOCK_SEL |
0 |
Select Flash clock at boot 0: 20MHz 1: 10MHz |
Program to 1 to set Flash clock to 10MHz at system boot, otherwise ignore. |
0x02 |
[4] |
SPIC_NAND_PAGE_SIZE |
0 |
Nand FLASH page size 0: Auto detect 1: 4KB |
Program to 1 to fix Nand Flash page size to 4KB at system boot, otherwise ignore. |
0x02 |
[5] |
BOOT_CNT_LMT_EN |
0 |
Enable soft boot count limit 0: Disable 1: Enable |
Program to 1 to enable system soft boot count limit, otherwise ignore. |
0x02 |
[7:6] |
BOOT_NOR_FLASH |
0 |
Boot from Nor or Nand Flash 0/3: Determined by power-on latch 1: Nor Flash 2: Nand Flash |
Program to the desired value to select Flash type at system boot. |
0x03 |
[0] |
DIS_BOOT_LOG_EN |
0 |
Disable boot log 0: Enable 1: Disable |
Program to 1 to disable boot log, otherwise ignore. |
0x03 |
[1] |
LOW_BAUD_LOG_EN |
0 |
Select Loguart baud rate 0: 1.5Mbps 1: 115200bps |
Program to 1 if LOGUART baud rate is 115200, otherwise ignore. |
0x03 |
[2] |
LOGIC_SECURE_BOOT_EN |
0 |
Enable secure boot function 0: Disable 1: Enable |
|
0x03 |
[3] |
LOGIC_RSIP_EN |
0 |
Enable RSIP function 0: Disable 1: Enable |
|
0x03 |
[4] |
LOGIC_RDP_EN |
0 |
Enable RDP function 0: Disable 1: Enable |
|
0x03 |
[7] |
USB_DOWNLOAD_EN |
0 |
Enable USB download function 0: Disable 1: Enable |
Program to 1 to enable USB download function, otherwise ignore. |
User-defined MTP Zone
The User-defined MTP zone (0x170 ~ 0x19F, 48 bytes) can be freely used by the user.
Realtek provides dedicated APIs for this zone for user access.
API
Description
efuse_get_remaining_length
Get the remaining available length of the mapped area.
efuse_mtp_read
Read all data from the User-defined MTP area.
efuse_mtp_write
Write data to the User-defined MTP area.
efuse_get_remaining_length
Item
Description
Function
Get the remaining available length of the mapped area.
Parameters
None
Return Value
Remaining available length.
efuse_mtp_read
Item
Description
Function
Read all data from the User-defined MTP area.
Parameters
data: Pointer to the buffer for the data to be read.
Return Value
Read operation result.
RTK_SUCCESS: Success
RTK_FAIL: Fail
efuse_mtp_write
Item
Description
Function
Write data to the User-defined MTP area.
Parameters
offset: The offset address of the area to be written (base address is the User-defined MTP area start address, 0x170).
len: Length of the data to be written.
data: Pointer to the data buffer to be written.
Return Value
Write operation result.
RTK_SUCCESS: Success
RTK_FAIL: Fail
API Usage
To program the value of logical address 0x172[1] (offset address 0x2) to 1, follow these steps:
Read the value from the User-defined MTP area and check the return value.
u8 data_read[48]; int ret; ret = efuse_mtp_read(data_read);Assume the data read from logical address 0x172 (offset address 0x2) in step 1 is 0xA0. Perform a bitwise OR operation between 0xA0 and the value for the target bit 0x172[1], keeping the other bits at their default values. Thus, the new value to be written is 0xA2.
Write the new value 0xA2 to the offset address 0x2 and check the function’s return value.
u8 data_written = 0xA2; int ret; ret = efuse_mtp_write(0x2, 0x1, &data_written);
Physical Zone
The physical zone is partitioned into the mapping zone, security zone, User-defined physical zone, ROM code patch zone, and hidden physical zone.
Security Zone
The security zone is divided into the following two parts:
Key area: 0x200~0x35F, 352 bytes. This area stores various types of keys and is automatically loaded into internal memory space at system boot.
Configuration area: 0x360~0x37F, 32 bytes. This area controls access permissions for the key area and other areas.
key Area
The key area includes the following content:
Function |
Name |
Size (bits) |
Start Offset |
End Offset |
Usage Method |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key1 (RDP) |
256 |
0x200 |
0x021F |
|
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
||
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
USER PRI |
USER_PRI_KEY1 |
256 |
0x280 |
0x029F |
User key zone, freely available for use |
USER_PRI_KEY2 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Function |
Name |
Size (bits) |
Start Offset |
End Offset |
Usage |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key1 (RDP) |
256 |
0x200 |
0x021F |
|
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
||
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
ECDSA |
ECDSA_PRI_KEY1 |
256 |
0x280 |
0x029F |
|
ECDSA_PRI_KEY2 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Function |
Name |
Size (bits) |
Start Offset |
End Offset |
Usage |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key1 (RDP) |
256 |
0x200 |
0x021F |
|
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
||
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
ECDSA |
ECDSA_PRI_KEY1 |
256 |
0x280 |
0x029F |
|
ECDSA_PRI_KEY2 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Function |
Name |
Size (bits) |
Start Offset |
End Offset |
Usage |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
|
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
ECDSA |
ECDSA_PRI_KEY1 |
256 |
0x280 |
0x029F |
|
ECDSA_PRI_KEY2 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Function |
Name |
Size (bits) |
Start offset |
End offset |
Usage |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key1 (RDP) |
256 |
0x200 |
0x021F |
|
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
||
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
ECDSA |
ECDSA_PRI_KEY1 |
256 |
0x280 |
0x029F |
|
ECDSA_PRI_KEY2 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Function |
Name |
Size (bits) |
Start Offset |
End Offset |
Usage |
|---|---|---|---|---|---|
IPSEC |
S_IPSEC_Key1 (RDP) |
256 |
0x200 |
0x021F |
|
S_IPSEC_Key2 (Secure boot HMAC) |
256 |
0x220 |
0x023F |
||
NS_IPSEC_Key1 |
256 |
0x240 |
0x025F |
||
NS_IPSEC_Key2 |
256 |
0x260 |
0x027F |
||
PKE |
PKE_PRI_KEY1 |
256 |
0x280 |
0x029F |
- |
PKE_PRI_KEY1 |
256 |
0x2A0 |
0x02BF |
||
RSIP |
RSIP_KEY1 |
256 |
0x2C0 |
0x02DF |
|
RSIP_KEY2 |
256 |
0x2E0 |
0x02FF |
||
SWD |
SWD_PASSWORD |
128 |
0x300 |
0x030F |
|
PSA |
HUK |
128 |
0x310 |
0x031F |
|
Secure Boot |
PK1 (ROTPK hash) |
256 |
0x320 |
0x033F |
|
PK2 (ROTPK hash) |
256 |
0x340 |
0x035F |
Configuration Area
The content of the configuration area is shown in the table below. Refer to the detailed descriptions in the corresponding chapters for the specific usage of each field in this area.
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
Device SWD ID |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
RSVD |
||
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
S_IPSEC_Key1_R_Protection_EN |
|||
[4] |
S_IPSEC_Key1_W_Forbidden_EN |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
USER_PRI_KEY1_R_Protection_EN |
Read and write protection for user key zone |
||
[4] |
USER_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
USER_PRI_KEY2_R_Protection_EN |
|||
[6] |
USER_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program to 0 if SIC function needs to be disabled. |
|
[5] |
CPU_PC_DBG_EN |
Allow debug port to obtain CPU PC value 1: Enable 0: Disable |
Program to 0 if debug port should be prevented from obtaining CPU PC value. |
|
[6] |
UDF1_TRUSTZONE_EN |
User-defined 1 zone (0x380~0x3BF) security 0: Enable 1: Disable |
Program to 0 if User-defined 1 zone should only be accessible by secure zone. |
|
[7] |
UDF2_TRUSTZONE_EN |
User-defined 2 zone (0x3C0~0x3FF) security 0: Enable 1: Disable |
Program to 0 if User-defined 2 zone should only be accessible by secure zone. |
|
0x368 |
[0] |
UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via UART Trap pin should be disabled. |
[1] |
RSVD |
|||
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
SECURE_BOOT_HW_DIS |
|||
[5] |
RDP_EN |
Enable/Disable RDP function |
||
[6] |
ANTI_ROLLBACK_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable ROM hard fault log 0: Disable 1: Enable (default) |
Program to 0 if ROM hard fault log needs to be disabled. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
USER_PHYSICAL_TZ1_EN |
User-defined physical 1 zone security 0: Enable 1: Disable |
Program to 0 if User-defined physical 1 zone should only be accessible by secure zone. |
|
[4] |
USER_PHYSICAL_TZ2_EN |
User-defined physical 2 zone security 0: Enable 1: Disable |
Program to 0 if User-defined physical 2 zone should only be accessible by secure zone. |
|
[5] |
SW_RSVD0 |
|||
[6] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software trigger to enter UART download mode 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via software trigger should be disabled. |
|
[7] |
SPIC_PINMUX_IN_TESTMODE_DISABLE |
Realtek use |
Realtek use |
|
0x36A |
[7:0] |
RSVD |
||
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR |
OTA address, 4K aligned |
|
0x36E |
[15:0] |
BOOTLOADER_VERSION |
Bootloader version |
|
0x370 |
[31:0] |
CRC0 |
CRC check |
|
0x374 |
[31:0] |
CRC1 |
||
0x378 |
[31:0] |
CRC2 |
||
0x37C |
[31:0] |
CRC3 |
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
SWD ID of the device |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
RSVD |
- |
|
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
S_IPSEC_Key1_R_Protection_EN |
|||
[4] |
S_IPSEC_Key1_W_Forbidden_EN |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
ECDSA_PRI_KEY1_R_Protection_EN |
|||
[4] |
ECDSA_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
ECDSA_PRI_KEY2_R_Protection_EN |
|||
[6] |
ECDSA_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program it to 0 if there’s a need to disable the SIC function. |
|
[5] |
CPU_PC_DBG_EN |
Debug port can obtain CPU PC value 1: Enable 0: Disable |
Program it to 0 if there’s a need to prevent the debug port from obtaining the CPU PC value. |
|
[6] |
UDF1_TRUSTZONE_EN |
User-defined 1 zone (0x380~0x3BF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 1 zone to be accessible only by the secure zone. |
|
[7] |
UDF2_TRUSTZONE_EN |
User-defined 2 zone (0x3C0~0x3FF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 2 zone to be accessible only by the secure zone. |
|
0x368 |
[0] |
UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via the UART Trap pin. |
[1] |
RSVD |
- |
- |
|
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
SECURE_BOOT_HW_DIS |
|||
[5] |
RDP_EN |
Enable/Disable RDP function |
||
[6] |
Anti_Rollback_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable hard fault log in ROM 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable the ROM hard fault log. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
USER_PHYSICAL_TZ1_EN |
User-defined physical 1 zone security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined physical 1 zone to be accessible only by the secure zone. |
|
[4] |
USER_PHYSICAL_TZ2_EN |
User-defined physical 2 zone security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined physical 2 zone to be accessible only by the secure zone. |
|
[5] |
SW_RSVD0 |
- |
- |
|
[6] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software-triggered UART download mode entry 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via software trigger. |
|
[7] |
SPIC_PINMUX_IN_TESTMODE_DISABLE |
Used by Realtek |
Used by Realtek |
|
0x36A |
[7:0] |
RSVD |
- |
- |
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR[15:0] |
OTA address, 4K aligned |
|
0x36E |
[15:0] |
BOOTLOADER[15:0] |
Bootloader version |
|
0x370 |
[31:0] |
CRC0[31:0] |
CRC check |
|
0x374 |
[31:0] |
CRC1[31:0] |
||
0x378 |
[31:0] |
CRC2[31:0] |
||
0x37C |
[31:0] |
CRC3[31:0] |
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
SWD ID of the device |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
RSVD |
- |
|
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
S_IPSEC_Key1_R_Protection_EN |
|||
[4] |
S_IPSEC_Key1_W_Forbidden_EN |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
ECDSA_PRI_KEY1_R_Protection_EN |
|||
[4] |
ECDSA_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
ECDSA_PRI_KEY2_R_Protection_EN |
|||
[6] |
ECDSA_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program it to 0 if there’s a need to disable the SIC function. |
|
[5] |
CPU_PC_DBG_EN |
Debug port can obtain CPU PC value 1: Enable 0: Disable |
Program it to 0 if there’s a need to prevent the debug port from obtaining the CPU PC value. |
|
[6] |
UDF1_TRUSTZONE_EN |
User-defined 1 zone (0x380~0x3BF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 1 zone to be accessible only by the secure zone. |
|
[7] |
UDF2_TRUSTZONE_EN |
User-defined 2 zone (0x3C0~0x3FF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 2 zone to be accessible only by the secure zone. |
|
0x368 |
[0] |
UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via the UART Trap pin. |
[1] |
RSVD |
- |
- |
|
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
SECURE_BOOT_HW_DIS |
|||
[5] |
RDP_EN |
Enable/Disable RDP function |
||
[6] |
Anti_Rollback_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable hard fault log in ROM 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable the ROM hard fault log. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
USER_PHYSICAL_TZ1_EN |
User-defined physical 1 zone security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined physical 1 zone to be accessible only by the secure zone. |
|
[4] |
USER_PHYSICAL_TZ2_EN |
User-defined physical 2 zone security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined physical 2 zone to be accessible only by the secure zone. |
|
[5] |
SW_RSVD0 |
- |
- |
|
[6] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software-triggered UART download mode entry 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via software trigger. |
|
[7] |
SPIC_PINMUX_IN_TESTMODE_DISABLE |
Used by Realtek |
Used by Realtek |
|
0x36A |
[7:0] |
RSVD |
- |
- |
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR[15:0] |
OTA address, 4K aligned |
|
0x36E |
[15:0] |
BOOTLOADER[15:0] |
Bootloader version |
|
0x370 |
[31:0] |
CRC0[31:0] |
CRC check |
|
0x374 |
[31:0] |
CRC1[31:0] |
||
0x378 |
[31:0] |
CRC2[31:0] |
||
0x37C |
[31:0] |
CRC3[31:0] |
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
Device SWD ID |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
RSVD |
- |
|
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
RSVD |
|||
[4] |
RSVD |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
ECDSA_PRI_KEY1_R_Protection_EN |
|||
[4] |
ECDSA_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
ECDSA_PRI_KEY2_R_Protection_EN |
|||
[6] |
ECDSA_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program to 0 if SIC function needs to be disabled. |
|
[5] |
CPU_PC_DBG_EN |
Allow debug port to obtain CPU PC value 1: Enable 0: Disable |
Program to 0 if debug port should be prevented from obtaining CPU PC value. |
|
[7:6] |
RSVD |
- |
- |
|
0x368 |
[0] |
UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via UART Trap pin should be disabled. |
[1] |
RSVD |
- |
- |
|
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
SECURE_BOOT_HW_DIS |
|||
[5] |
RSVD |
- |
- |
|
[6] |
Anti_Rollback_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable ROM hard fault log 0: Disable 1: Enable (default) |
Program to 0 if ROM hard fault log needs to be disabled. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software trigger to enter UART download mode 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via software trigger should be disabled. |
|
[7:4] |
SW_RSVD0 |
- |
- |
|
0x36A |
[7:0] |
RSVD |
- |
- |
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR[15:0] |
OTA address, 4K aligned |
|
0x36E |
[15:0] |
BOOTLOADER[15:0] |
Bootloader version |
|
0x370 |
[31:0] |
CRC0[31:0] |
CRC check |
|
0x374 |
[31:0] |
CRC1[31:0] |
||
0x378 |
[31:0] |
CRC2[31:0] |
||
0x37C |
[31:0] |
CRC3[31:0] |
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
SWD ID of the device |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
RSVD |
- |
|
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
S_IPSEC_Key1_R_Protection_EN |
|||
[4] |
S_IPSEC_Key1_W_Forbidden_EN |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
ECDSA_PRI_KEY1_R_Protection_EN |
|||
[4] |
ECDSA_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
ECDSA_PRI_KEY2_R_Protection_EN |
|||
[6] |
ECDSA_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program it to 0 if there’s a need to disable the SIC function. |
|
[5] |
CPU_PC_DBG_EN |
Debug port can obtain CPU PC value 1: Enable 0: Disable |
Program it to 0 if there’s a need to prevent the debug port from obtaining the CPU PC value. |
|
[6] |
UDF1_TRUSTZONE_EN |
User-defined 1 zone (0x380~0x3BF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 1 zone to be accessible only by the secure zone. |
|
[7] |
UDF2_TRUSTZONE_EN |
User-defined 2 zone (0x3C0~0x3FF) security protection 0: Enable 1: Disable |
Program it to 0 if you want the User-defined 2 zone to be accessible only by the secure zone. |
|
0x368 |
[0] |
HWTRIG_UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via the UART Trap pin. |
[1] |
RSVD |
- |
- |
|
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
SECURE_BOOT_HW_DIS |
|||
[5] |
RDP_EN |
Enable/Disable RDP function |
||
[6] |
Anti_Rollback_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable hard fault log in ROM 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable the ROM hard fault log. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software-triggered UART download mode entry 0: Disable 1: Enable (default) |
Program it to 0 if there’s a need to disable entering UART download mode via software trigger. |
|
[7:4] |
SW_RSVD0 |
- |
- |
|
0x36A |
[7:0] |
RSVD |
- |
- |
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR |
OTA address, 4K aligned |
|
0x36E |
[15:0] |
BOOTLOADER_VERSION |
Bootloader version |
|
0x370 |
[31:0] |
CRC0 |
CRC check |
|
0x374 |
[31:0] |
CRC1 |
||
0x378 |
[31:0] |
CRC2 |
||
0x37C |
[31:0] |
CRC3 |
Offset |
Bits |
Symbol |
Description |
Usage |
|---|---|---|---|---|
0x360 |
[31:0] |
SWD_ID |
Device SWD ID |
|
0x364 |
[0] |
SWD_PWD_EN |
Enable SWD password |
|
[1] |
SWD_DBGEN |
SWD external debug authentication |
||
[2] |
SWD_NIDEN |
|||
[3] |
SWD_SPIDEN |
|||
[4] |
SWD_SPNIDEN |
|||
[5] |
SWD_PWD_R_Protection_EN |
Enable key read and write protection |
||
[6] |
SWD_PWD_W_Forbidden_EN |
|||
[7] |
HUK_W_Forbidden_EN |
|||
0x365 |
[0] |
SWD_SoftWare_CTRL_EN |
||
[1] |
PK1_W_Forbidden_EN |
|||
[2] |
PK2_W_Forbidden_EN |
|||
[3] |
S_IPSEC_Key1_R_Protection_EN |
|||
[4] |
S_IPSEC_Key1_W_Forbidden_EN |
|||
[5] |
S_IPSEC_Key2_R_Protection_EN |
|||
[6] |
S_IPSEC_Key2_W_Forbidden_EN |
|||
[7] |
NS_IPSEC_Key1_R_Protection_EN |
|||
0x366 |
[0] |
NS_IPSEC_Key1_W_Forbidden_EN |
||
[1] |
NS_IPSEC_Key2_R_Protection_EN |
|||
[2] |
NS_IPSEC_Key2_W_Forbidden_EN |
|||
[3] |
PKE_PRI_KEY1_R_Protection_EN |
|||
[4] |
PKE_PRI_KEY1_W_Forbidden_EN |
|||
[5] |
PKE_PRI_KEY2_R_Protection_EN |
|||
[6] |
PKE_PRI_KEY2_W_Forbidden_EN |
|||
[7] |
RSIP_KEY1_R_Protection_EN |
|||
0x367 |
[0] |
RSIP_KEY1_W_Forbidden_EN |
||
[1] |
RSIP_KEY2_R_Protection_EN |
|||
[2] |
RSIP_KEY2_W_Forbidden_EN |
|||
[3] |
RSIP_MODE_W_Forbidden_EN |
|||
[4] |
SIC_SECURE_EN |
Disable SIC function |
Program to 0 if SIC function needs to be disabled. |
|
[5] |
CPU_PC_DBG_EN |
Allow debug port to obtain CPU PC value 1: Enable 0: Disable |
Program to 0 if debug port should be prevented from obtaining CPU PC value. |
|
[6] |
UDF1_TRUSTZONE_EN |
User-defined 1 zone (0x380~0x3BF) security 0: Enable 1: Disable |
Program to 0 if User-defined 1 zone should only be accessible by secure zone. |
|
[7] |
UDF2_TRUSTZONE_EN |
User-defined 2 zone (0x3C0~0x3FF) security 0: Enable 1: Disable |
Program to 0 if User-defined 2 zone should only be accessible by secure zone. |
|
0x368 |
[0] |
UART_DOWNLOAD_DISABLE |
Enter UART download mode via Trap pin 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via UART Trap pin should be disabled. |
[1] |
RSVD |
|||
[2] |
RSIP_EN |
Enable/Disable RSIP function |
||
[3] |
SECURE_BOOT_EN |
Enable/Disable secure boot function |
||
[4] |
BOOT_RAND_DELAY_EN |
Enable random delay at boot |
Program to 0 to enable random delay at boot. |
|
[5] |
RDP_EN |
Enable/Disable RDP function |
||
[6] |
ANTI_ROLLBACK_EN |
|||
[7] |
FAULT_LOG_PRINT_DIS |
Disable ROM hard fault log 0: Disable 1: Enable (default) |
Program to 0 if ROM hard fault log needs to be disabled. |
|
0x369 |
[1:0] |
RSIP_MODE |
RSIP mode |
|
[2] |
HUK_DERIV_EN |
Enable/Disable HUK generation |
||
[3] |
USER_PHYSICAL_TZ1_EN |
User-defined physical 1 zone security 0: Enable 1: Disable |
Program to 0 if User-defined physical 1 zone should only be accessible by secure zone. |
|
[4] |
USER_PHYSICAL_TZ2_EN |
User-defined physical 2 zone security 0: Enable 1: Disable |
Program to 0 if User-defined physical 2 zone should only be accessible by secure zone. |
|
[5] |
PK_IDX (ROTPK hash Index) |
Public key hash index used by ROM |
Program to 0 to use PK2. |
|
[6] |
SWTRIG_UART_DOWNLOAD_DISABLE |
Disable software trigger to enter UART download mode 0: Disable 1: Enable (default) |
Program to 0 if entering UART download mode via software trigger should be disabled. |
|
[7] |
SPIC_PG1B_DISABLE |
Realtek use |
Realtek use |
|
0x36A |
[7:0] |
RSVD |
||
0x36B |
[3:0] |
SECURE_BOOT_AUTH_LOG |
Secure boot authentication algorithm |
|
[7:4] |
SECURE_BOOT_HASH_LOG |
Secure boot hash algorithm |
||
0x36C |
[15:0] |
OTA_ADDR |
OTA address, 4K aligned |
|
0x370 |
[15:0] |
CRC0 |
CRC check |
|
0x372 |
[15:0] |
CRC1 |
||
0x374 |
[15:0] |
CRC2 |
||
0x376 |
[15:0] |
CRC3 |
||
0x378 |
[63:0] |
BOOTLOADER_VERSION |
Bootloader version |
Note
If RSIP_MODE_W_Forbidden_EN is programmed, then 0x369[7:0] cannot be programmed
Security Zone CRC Check
CRC is used to defend against injection attacks. Protection is achieved by comparing a valid CRC entry programmed into the OTP with the CRC value calculated by the hardware for the security zone, ensuring that the security zone has not been attacked.
CRC Entry Usage Rules
There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the
OTPSetCRC()function, which users only need to call.The CRC calculation range is the security zone part (0x200~0x36B).
Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.
Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.
CRC Entry Usage Rules
There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the
OTPSetCRC()function, which users only need to call.The CRC calculation range is the security zone part (0x200~0x36B).
Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.
Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.
CRC Entry Usage Rules
There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the
OTPSetCRC()function, which users only need to call.The CRC calculation range is the security zone part (0x200~0x36B).
Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.
Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.
CRC Entry Usage Rules
There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the
OTPSetCRC()function, which users only need to call.The CRC calculation range is the security zone part (0x200~0x36B).
Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.
Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.
CRC Entry Usage Rules
There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the
OTPSetCRC()function, which users only need to call.The CRC calculation range is the security zone part (0x200~0x36B).
Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.
Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.
CRC Entry Usage Rules
The physical OTP contains a total of 4 CRC entries, with each entry containing 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The CRC value of the current security zone can be obtained through hardware without software calculation. These operations are integrated into the
OTPSetCRC()function, and users only need to call this function.The CRC calculation range is the security zone (0x200~0x36F) portion.
Ensure that the security zone programming is completed before programming the CRC entry. Any modification to the calculation range of the security zone will result in a change of the CRC value, requiring reprogramming of a new CRC entry.
Once the CRC check is enabled, it cannot be disabled. If the CRC check fails, the ROM will enter an infinite loop.
Example
Ensure the security zone has been modified.
Write the CRC value and determine if the write was successful based on the return value and printed information.
int ret; ret = OTPSetCRC();
Restart the chip.
If the CRC entry check passes, the boot process will proceed successfully.
If the CRC entry check fails, the chip will enter an infinite loop in ROM and fail to boot normally.
Caution
It is recommended that users enable this function only when there is a need to defend against injection attacks. Otherwise, once this function is enabled, if the security zone CRC value does not match the value written to the CRC entry, the chip will be permanently unable to boot.
If the CRC entry has already been programmed and the user needs to modify the security zone again, the new CRC value must be written before rebooting. Otherwise, the chip will be permanently unable to boot.
User-defined Physical Zone
There are 4 blocks in the user-defined zone, which can be used freely by the user.
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
|
User_physical2 |
0x480-0x4FF |
|
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
|
User_physical2 |
0x480-0x4FF |
|
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
|
User_physical2 |
0x480-0x4FF |
|
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
Free for user use. |
User_physical2 |
0x480-0x4FF |
Free for user use. |
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
|
User_physical2 |
0x480-0x4FF |
|
Name |
Zone |
Usage Method |
|---|---|---|
User_defined1 |
0x380-0x3BF |
|
User_defined2 |
0x3C0-0x3FF |
|
User_physical1 |
0x400-0x480 |
|
User_physical2 |
0x480-0x4FF |
|
Realtek provides dedicated APIs for this zone for user access.
API
Description
efuse_otp_read
Read data from User-defined physical zone
efuse_otp_write
Write data to User-defined physical zone
efuse_otp_read
Item
Description
Function
Read data from User-defined physical zone
Parameters
offset: Offset address of target area (base address: 0x380)
len: Data length to read
buf: Pointer to data buffer
Return Value
Read operation result
RTK_SUCCESS: Success
RTK_FAIL: Failure
efuse_otp_write
Item
Description
Function
Write data to User-defined physical zone
Parameters
offset: Offset address of target area (base address: 0x380 for User-defined physical zone)
len: Data length to write
buf: Pointer to data buffer
Return Value
Write operation result
RTK_SUCCESS: Success
RTK_FAIL: Failure
API Usage
To program physical address 0x382[1] (offset address: 0x2) to 0, follow these steps:
Read value and check return value.
u8 data_read; int ret; ret = efuse_otp_read(0x2, 0x1, &data_read);Assume the read data from step 1 is 0xAF. Perform AND operation on 0xAF with target bit 0x382[1] value while keeping other bits default. The new value becomes 0xAD.
Write new value 0xAD to physical address 0x02 and check return value.
u8 data_written = 0xAD; int ret; ret = efuse_otp_write(0x2, 0x1, &data_written);
ROM Code Patch Zone
The ROM code patch zone (0x500 ~ 0x6FF, 512 bytes) is used for adding patches to the ROM within certain limits.
Note
If the ROM code patch feature is enabled, after write protection is enabled for the corresponding zone, it has the same level of security as a mask ROM.
At the time of chip manufacturing, if the ROM code patch feature is not enabled,
ROM_PATCH_ENwill be programmed to 0, permanently disabling this feature.Realtek does not currently use this zone. It can be used as a user-defined zone. Please consult Realtek for the methods and precautions for using this zone.
This zone is divided into multiple parts, and each part has an independent control bit.
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable ROM code patch function |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x51F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[3] |
ROM_PATCH_LWE2 |
Enable write protection for ROM code patch zone (0x520 ~ 0x53F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[4] |
ROM_PATCH_LWE3 |
Enable write protection for ROM code patch zone (0x540 ~ 0x55F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[5] |
ROM_PATCH_LWE4 |
Enable write protection for ROM code patch zone (0x560 ~ 0x57F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[6] |
ROM_PATCH_LWE5 |
Enable write protection for ROM code patch zone (0x580 ~ 0x5FF, 128 bytes) |
Program to 0 to enable write protection for this zone |
|
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable the ROM code patch |
0x701 |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x5FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
0x701 |
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable the ROM code patch |
0x701 |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x5FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
0x701 |
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable the ROM code patch |
0x701 |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x5FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
0x701 |
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable the ROM code patch |
0x701 |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x5FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
0x701 |
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |
Offset Address |
Bits |
Symbol |
Description |
Usage Instructions |
|---|---|---|---|---|
0x701 |
[1:0] |
ROM_PATCH_EN |
Enable ROM code patch function |
Program to 1 or 2 to enable ROM code patch function |
[2] |
ROM_PATCH_LWE1 |
Enable write protection for ROM code patch zone (0x500 ~ 0x51F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[3] |
ROM_PATCH_LWE2 |
Enable write protection for ROM code patch zone (0x520 ~ 0x53F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[4] |
ROM_PATCH_LWE3 |
Enable write protection for ROM code patch zone (0x540 ~ 0x55F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[5] |
ROM_PATCH_LWE4 |
Enable write protection for ROM code patch zone (0x560 ~ 0x57F, 32 bytes) |
Program to 0 to enable write protection for this zone |
|
[6] |
ROM_PATCH_LWE5 |
Enable write protection for ROM code patch zone (0x580 ~ 0x5FF, 128 bytes) |
Program to 0 to enable write protection for this zone |
|
[7] |
ROM_PATCH_HWE |
Enable write protection for ROM code patch zone (0x600 ~ 0x6FF, 256 bytes) |
Program to 0 to enable write protection for this zone |