Building Immutable Bootloaders With the PIC18-Q24 Family of MCUs

When prototyping an application, often the only piece of firmware on the microcontroller is the application code itself. If a firmware bug is discovered, it is a relatively simple process to reprogram and rerun the application. But once a design hits mass production, it isn’t feasible to track down every device and reprogram it.

The solution to this problem is known as a bootloader. The bootloader is a small piece of code that is designed to “boot” with the microcontroller and initialize core functionalities before the application. In the case of 8-bit microcontrollers, usually the bootloader’s primary responsibility is to allow for firmware upgrades without needing a programmer. Commonly, new firmware is received over UART, SPI, I2C and/or USB, depending on the application.

While a bootloader could be written from scratch, a pre-written driver is available inside of MPLAB® Code Configurator (MCC), a free graphical tool to configure peripheral hardware and software libraries. Python libraries for desktop computers are provided to interface with the firmware library over UART. As of the time of writing, the library supports UART uploads, with planned support for SPI, I2C and USB. More information about the 8-bit bootloader library can be found here.

Another benefit of using a bootloader is the option to permanently lock down a microcontroller and prevent external programming while retaining the ability to upgrade the firmware in the future. The PIC18-Q24 family of microcontrollers contains several enhanced code protection features that complement a bootloader-based approach:

  • Programming and Debugging Interface Disable (PDID)

  • Software In-Circuit Serial Programming (ICSP) Enable

  • Code Protection (Memory Read Disable)

  • One-Time Programmable Storage Area Flash (SAF)

  • Segmented Write Protection for Boot / Application Code

PDID is a permanent, irreversible lock-out of external programmers and debuggers. This prevents the microcontroller from ever being reprogrammed by external tools. PDID works with the software ICSP enable feature, which allows the bootloader to temporarily re-enable some ICSP interface functionality, such as program read/verify and device detect at runtime, but not write or erase operations. The Code Protection feature can be used to block ICSP read and verify operations.

Another enhanced code protection feature is the One-Time Programmable SAF. SAF is a feature that marks a portion of program flash memory as non-executable for the purposes of storing data. Making this region of flash memory One-Time Programmable prevents it from being erased or rewritten by both external tools and the microcontroller itself.

Finally, the PIC18-Q24 family contains segmented write protection for Boot, Application and/or EEPROM memories. These bits prevent an external programmer from modifying the selected memory areas, but do not prevent internal self-writes from the microcontroller.

Using these enhanced code protection bits in conjunction with a bootloader enables the creation of an “Immutable Bootloader”, that is, a bootloader that cannot be overwritten or erased. This can also be used with PDID and/or Code Protection to lock down the firmware and protect intellectual property.