

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## About this document

### Scope and purpose

This application note provides useful information for eFuse memory handling using system calls in TRAVEO™ T2G MCUs. The eFuse memory consists of a set of eFuse bits. The eFuse bits are used to store various unchanging device parameters. System calls (SROM APIs) are available to program and read eFuses. This document describes how to use System calls for eFuse handling, and points to note.

### Intended audience

This document is intended for anyone using the TRAVEO™ T2G family.

## Table of contents

### Table of contents

|                                                                                                 |           |
|-------------------------------------------------------------------------------------------------|-----------|
| <b>About this document.....</b>                                                                 | <b>1</b>  |
| <b>Table of contents.....</b>                                                                   | <b>2</b>  |
| <b>1     Introduction .....</b>                                                                 | <b>3</b>  |
| <b>2     System call.....</b>                                                                   | <b>4</b>  |
| 2.1     System call interface .....                                                             | 4         |
| 2.2     System call argument .....                                                              | 5         |
| 2.3     Verification of system call .....                                                       | 5         |
| <b>3     System calls for eFuse handling .....</b>                                              | <b>6</b>  |
| 3.1     BlowFuseBit.....                                                                        | 6         |
| 3.2     ReadFuseByte.....                                                                       | 7         |
| 3.3     ReadFuseByteMargin .....                                                                | 8         |
| 3.4     TransitiontoSecure.....                                                                 | 10        |
| 3.5     TransitiontoRMA.....                                                                    | 12        |
| <b>4     eFuse structure .....</b>                                                              | <b>14</b> |
| 4.1     How to specify the parameters for BlowFuseBit system call .....                         | 14        |
| 4.2     How to specify the parameters for ReadFuseByte and ReadFuseByteMargin system calls..... | 15        |
| <b>5     System requirements to use system calls for eFuse handling .....</b>                   | <b>16</b> |
| 5.1     Power supply .....                                                                      | 16        |
| 5.2     Clock configuration .....                                                               | 16        |
| 5.3     Protection Unit .....                                                                   | 16        |
| 5.4     Prerequisites of triggering TransitiontoRMA system call .....                           | 16        |
| <b>6     How to use system calls .....</b>                                                      | <b>17</b> |
| 6.1     Blowing eFuse .....                                                                     | 17        |
| 6.1.1     Use case.....                                                                         | 17        |
| 6.1.2     Software flow .....                                                                   | 18        |
| 6.1.3     Configuration .....                                                                   | 19        |
| 6.2     Transition to Secure protection state .....                                             | 22        |
| 6.2.1     Use case.....                                                                         | 23        |
| 6.2.2     Software flow .....                                                                   | 23        |
| 6.2.3     Configuration .....                                                                   | 25        |
| <b>References.....</b>                                                                          | <b>31</b> |
| <b>Revision history.....</b>                                                                    | <b>32</b> |
| <b>Disclaimer.....</b>                                                                          | <b>33</b> |

### 1 Introduction

TRAVEO™ T2G family MCUs include Arm® Cortex®-M CPUs, SRAM, flash memories, hardware-based Cryptography (eSHE/HSM support), communication peripherals, digital peripherals, and analog peripherals in a single chip. In addition, the MCUs contain 1024 bits One-Time-Programmable (OTP) eFuse memory that can be used to store and access a unique and unalterable identifier or serial number for each device.

When an eFuse bit is programmed, or “blown”, its value cannot be changed. Some of the eFuse bits are used to store various unchanging device parameters, including critical device factory trim settings, device lifecycle stages, DAP security settings, and encryption keys. Other eFuse bits are available for customer use. For more information, see the “eFuse memory” section in the TRAVEO™ T2G architecture reference manual [2].

Customers may need to program and bloweFuse to control the device lifecycle stage. System calls are used to read and program eFuse.

## 2 System call

TRAVEO™ T2G device has a supervisory ROM that contains Boot ROM code and SROM APIs. The SROM APIs are executed by Arm® Cortex®-M0+ (CM0+). The system calls are used for specific operations, such as flash programming and lifecycle management. For more information, see the “Nonvolatile Memory Programming” in the TRAVEO™ T2G architecture reference manual.

### 2.1 System call interface

System calls are run via Inter-processor communication (IPC) structures and it can be triggered from CM core (CMx: CM0+, CM4, CM7\_0, CM7\_1, CM7\_2, and CM7\_3) or Debug Access Port (DAP) at any point during code execution. System calls should acquire the IPC\_STRUCT reserved for them and provide arguments and notify IPC interrupt ‘0’ to trigger a system call. When the API operation is complete, CM0+ will release the IPC structure that initiated the system call. If an interrupt is required upon release, then the corresponding mask bit should be set in IPC\_INTR\_STRUCT.INTR\_MASK.RELEASE[i]. For a list of lists IPC\_STRUCTs reserved for CMx and DAP, see [Table 1](#). For system call interface for CYT4BF series, see [Figure 1](#). For other series, see the “Nonvolatile Memory Programming” section in TRAVEO™ T2G architecture reference manual [\[2\]](#).

**Table 1** IPCSTRUCT for system call interface

| Number of<br>IPC Structure | CYT2 series | CYT3/4 series                                                    | CYT6 series |
|----------------------------|-------------|------------------------------------------------------------------|-------------|
| IPC_STRUCT0                | CM0+        | CM0+                                                             | CM0+        |
| IPC_STRUCT1                | CM4         | CM7_0                                                            | CM7_0       |
| IPC_STRUCT2                | DAP         | CM7_1 (Only CYT4 series),<br>DAP (Only CYT3DL series)            | CM7_1       |
| IPC_STRUCT3                | Unused      | DAP (Excluding CYT3DL<br>series),<br>Unused (Only CYT3DL series) | CM7_2       |
| IPC_STRUCT4                | Unused      | Unused                                                           | CM7_3       |
| IPC_STRUCT5                | Unused      | Unused                                                           | DAP         |

Note: *When the system call requests are received from multiple masters at the same time, priority is given to the IPC structures in order of their number. Specifically, CM0+ has the highest priority and DAP has the lowest priority.*

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## System call



**Figure 1** System call interface for CYT4BF series

## 2.2 System call argument

The IPC component implements two 32-bit data registers, but only one (IPC\_STRUCTx\_DATA0) of these two registers is used to pass parameters to the system calls. The value of “x” depends on the master calling the API. This argument is either a pointer to SRAM or a formatted opcode or argument value that cannot be a valid SRAM address.

**Note:** *Exceptionally, the ConfigureRegulator system call uses IPC\_STRUCTx\_DATA0 and IPC\_STRUCTx\_DATA1.*

Following is the difference between CMx and DAP encoding:

- **DAP:** If the sum of the opcode and the argument (opcode + argument) is less than or equal to 31 bits, store them in the data field and set the LSB of the data field as ‘1’. When system calls are completed, a return value is passed in the IPC data register. For calls that need more argument data, the data field is a pointer to a structure in SRAM that has the opcode and the argument. The pointer needs to align on a word boundary. Therefore, it is a pointer if and only if the LSB is 0. In this case, when system calls are completed, a return value is passed to pointer address in the SRAM.
- **CMx:** A pointer is always used to a structure in SRAM. Commands that are issued as a single word by DAP can still be issued by CMx but use an SRAM structure instead.

For argument of each system call, see the “Nonvolatile Memory Programming” in TRAVEO™ T2G architecture reference manual [2].

Some system calls cannot be called from either CMx or DAP, depending on the chip protection state. For more information, see the “SROM API Library” section in TRAVEO™ T2G architecture reference manual [2].

## 2.3 Verification of system call

At the end of every system call, a status code is written over the arguments in the IPC data register, or the SRAM address pointed by the IPC data register (determined by the placement of the arguments).

When a system call is successful, the API writes 0xAxxxxxx, where “x” indicates a “don’t care” value or return value from the system call. If the system call is a failure, then the API writes 0xF00000X, where “X” indicates the failure code.

For more information on the failure code, see the “System Call Status” in TRAVEO™ T2G architecture reference manual [2].

### 3 System calls for eFuse handling

This section describes system calls related to eFuse programming, reading, and device lifecycle management.

[Table 2](#) lists for system calls for eFuse handling. For more information, see the “Nonvolatile Memory Programming” in TRAVEO™ T2G architecture reference manual [\[2\]](#).

**Table 2 List of system calls for eFuse handling**

| System call        | Access Allowed (Protection state) |          |      |
|--------------------|-----------------------------------|----------|------|
|                    | Normal                            | Secure   | Dead |
| BlowFuseBit        | CMx, DAP                          | CMx      | -    |
| ReadFuseByte       | CMx, DAP                          | CMx, DAP | -    |
| ReadFuseByteMargin | CMx, DAP                          | CMx, DAP | -    |
| TransitiontoSecure | CMx, DAP                          | -        | -    |
| TransitiontoRMA    | -                                 | CMx, DAP | -    |

Note: *There are other system calls also that could read eFuse, for example, CheckFactoryHash. See the “Nonvolatile Memory Programming” in TRAVEO™ T2G architecture reference manual [\[2\]](#) for details of each system.*

#### 3.1 BlowFuseBit

This system call blows the addressed eFuse bit. The read value of a blown eFuse bit is '1'. The parameters and results of the BlowFuseBit system call are described in the following tables.

For the arguments of the BlowFuseBit system call, see [Table 3](#) and [Table 4](#). The return result after running the system call is shown in [Table 5](#).

**Table 3 Argument located in IPC\_STRUCTx\_DATA0**

| Address field            | Name and value | Description                                                   |
|--------------------------|----------------|---------------------------------------------------------------|
| <b>IPC_STRUCTx_DATA0</b> |                |                                                               |
| Bits [31:24]             | 0x01           | Opcode                                                        |
| Bits [23:16]             | Byte Address   | A row number within a column                                  |
| Bits [15:12]             | Macro Address  | A column number                                               |
| Bits [11]                | Not used       | -                                                             |
| Bits [10:8]              | Bit Address    | A bit to be blown in the selected byte                        |
| Bits [7:1]               | Not used       | -                                                             |
| Bits [0]                 | 0x1            | Indicates that the arguments are passed in the DATA0 register |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



**Table 4 Argument located in SRAM**

| Address field     | Name and value    | Description                                                                                                           |
|-------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 |                   |                                                                                                                       |
| Bits [31:0]       | SRAM_SCRATCH_ADDR | SRAM address where the API parameters are stored. This must be a 32-bit aligned address. Therefore, Bits [1:0] is “0” |
| SRAM_SCRATCH_ADDR |                   |                                                                                                                       |
| Bits [31:24]      | 0x01              | Opcode                                                                                                                |
| Bits [23:16]      | Byte Address      | A row number within a column                                                                                          |
| Bits [15:12]      | Macro Address     | A column number                                                                                                       |
| Bits [11]         | Not used          | –                                                                                                                     |
| Bits [10:8]       | Bit Address       | A bit to be blown in the selected byte. Value in the range [0,7]                                                      |
| Bits [7:0]        | Not used          | –                                                                                                                     |

**Table 5 Return result**

| Address field                                                         | Name and value               | Description                                                                                                                                                           |
|-----------------------------------------------------------------------|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 or SRAM_SCRATCH_ADDR (depends on Argument location) |                              |                                                                                                                                                                       |
| Bits [31:28]                                                          | 0xA = SUCCESS<br>0xF = ERROR | System call result                                                                                                                                                    |
| Bits [27:24]                                                          | Not used                     | –                                                                                                                                                                     |
| Bits [23:0]                                                           | Error code                   | Error code if status is error, otherwise don't care.<br>For error code, see the “System Call Status” in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a> |

## 3.2 ReadFuseByte

This system call returns the value of an eFuse. The read value of a blown eFuse bit is ‘1’ and that of a not blown eFuse bit is ‘0’. This API inherits the client protection context.

For the arguments of the ReadFuseByte system call, see [Table 6](#) and [Table 7](#). The return result after running the system call is shown in [Table 8](#).

**Table 6 Argument located in IPC\_STRUCTx\_DATA0**

| Address field     | Name and value | Description                                                   |
|-------------------|----------------|---------------------------------------------------------------|
| IPC_STRUCTx_DATA0 |                |                                                               |
| Bits [31:24]      | 0x03           | Opcode                                                        |
| Bits [23:8]       | eFuse address  | eFuse byte address to read from                               |
| Bits [7:0]        | 0x01           | Indicates that the arguments are passed in the DATA0 register |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



**Table 7 Argument located in SRAM**

| Address field     | Name and value    | Description                                                                                                         |
|-------------------|-------------------|---------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 |                   |                                                                                                                     |
| Bits [31:0]       | SRAM_SCRATCH_ADDR | SRAM address where the API parameters are stored. This must be a 32-bit aligned address. Therefore, Bits [1:0] is 0 |
| SRAM_SCRATCH_ADDR |                   |                                                                                                                     |
| Bits [31:24]      | 0x03              | Opcode                                                                                                              |
| Bits [23:8]       | eFuse address     | eFuse byte address to read from                                                                                     |
| Bits [7:0]        | Not used          | -                                                                                                                   |

**Table 8 Return result**

| Address field                                                         | Name and value                      | Description                                                                                                                                                               |
|-----------------------------------------------------------------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 or SRAM_SCRATCH_ADDR (depends on Argument location) |                                     |                                                                                                                                                                           |
| Bits [31:28]                                                          | 0xA = SUCCESS<br>0xF = ERROR        | Result of System call                                                                                                                                                     |
| Bits [27:24]                                                          | Not used                            | -                                                                                                                                                                         |
| Bits [23:0]                                                           | eFuse byte read value or error code | Read value when status is success, otherwise error code.<br>For error code, see the “System Call Status” in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a> |

### 3.3 ReadFuseByteMargin

This system call returns the eFuse contents of the addressed byte read marginally. The read value of a blown eFuse bit is '1' and that of not blown is '0'. Difference between ReadFuseByte and ReadFuseByteMargin is that ReadFuseByte always uses default read condition (Margin control = "1"). This API inherits client's protection context.

For the arguments of the ReadFuseByteMargin system call, see [Table 9](#) and [Table 10](#). The return result after running the system call is shown in [Table 11](#).

**Table 9 Argument located in IPC\_STRUCTx\_DATA0**

| Address field     | Name and value                                                                                                                    | Description                                                                                                                                                                    |
|-------------------|-----------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 |                                                                                                                                   |                                                                                                                                                                                |
| Bits [31:24]      | 0x2B                                                                                                                              | Opcode                                                                                                                                                                         |
| Bits [23:20]      | 0: Low resistance (-50% from nominal)<br>1: Nominal resistance (default read condition)<br>2: High resistance (+50% from nominal) | Margin control for read-back check:<br>0: eFuse is read marginally with very low resistance after the eFuse is blown. A read pass is not an indication that the eFuse is blown |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



| Address field | Name and value                                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|---------------|-----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|               | Other: Higher resistance (+100% from nominal) | strongly and will be stable over lifetime<br><br>1: eFuse is read marginally with nominal resistance after the eFuse is blown. This is the default read, also used by ReadFuseByte API. A read pass is not an indication that the eFuse is blown strongly and will be stable over lifetime<br><br>2: eFuse is read marginally with high resistance after the eFuse is blown. A read pass is an indication that the eFuse is blown strongly and will be stable over lifetime<br><br>Other: eFuse is read marginally with the highest resistance after the eFuse is blown. A read pass is an indication that the eFuse is blown strongly and will be stable over lifetime<br><br>Please refer to Software Flow ( <a href="#">Figure 4</a> ) |
| Bits [19:8]   | eFuse address                                 | eFuse byte address to read from                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Bits [7:0]    | 0x01                                          | Indicates that the arguments are passed in the DATA0 register                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |

**Table 10 Argument located in SRAM**

| Address field            | Name and value                                                                                                                                                                     | Description                                                                                                              |
|--------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
| <b>IPC_STRUCTx_DATA0</b> |                                                                                                                                                                                    |                                                                                                                          |
| Bits [31:0]              | SRAM_SCRATCH_ADDR                                                                                                                                                                  | SRAM address where the API parameters are stored. This must be a 32-bit aligned address. Therefore, Bits [1:0] is 0      |
| <b>SRAM_SCRATCH_ADDR</b> |                                                                                                                                                                                    |                                                                                                                          |
| Bits [31:24]             | 0x2B                                                                                                                                                                               | Opcode                                                                                                                   |
| Bits [23:20]             | 0: Low resistance (-50% from nominal)<br>1: Nominal resistance (default read condition)<br>2: High resistance (+50% from nominal)<br>Other: Higher resistance (+100% from nominal) | Margin control for read-back check:<br><br>See Margin control for read-back check in <a href="#">Table 9</a> for details |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



| Address field | Name and value | Description                     |
|---------------|----------------|---------------------------------|
| Bits [19:8]   | eFuse address  | eFuse byte address to read from |
| Bits [7:0]    | Not used       | -                               |

**Table 11** Return result

| Address field                                                         | Name and value                      | Description                                              |
|-----------------------------------------------------------------------|-------------------------------------|----------------------------------------------------------|
| IPC_STRUCTx_DATA0 or SRAM_SCRATCH_ADDR (depends on Argument location) |                                     |                                                          |
| Bits [31:28]                                                          | 0xA = SUCCESS<br>0xF = ERROR        | Result of System call                                    |
| Bits [27:24]                                                          | Not used                            | -                                                        |
| Bits [23:0]                                                           | eFuse byte read value or error code | Read value when status is success, otherwise error code. |

For possible return error codes, see [Table 12](#). Note that this list is not exhaustive. For a comprehensive list of all error codes, see the “System Call Status” in TRAVEO™ T2G architecture reference manual [\[2\]](#).

**Table 12** Error code for **BlowFuseBit**, **ReadFuseByte**, and **ReadFuseByteMargin** system call

| Return Value | Description                                                                                                                             |
|--------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| 0xAxxxxXY    | Success, where XY = 0x0, 0x1, 0x2,..., 0xFF depending on blown fuse bits in addressed eFuse byte. Where “x” indicates don’t care value. |
| 0xF0000001   | Invalid protection state – This system call is not available in current protection state                                                |
| 0xF0000002   | Invalid eFuse address                                                                                                                   |
| 0xF0000005   | eFuse bytes are read/write protected via protection unit                                                                                |
| 0xF0000006   | Client did not use its reserved IPC structure for invoking system call                                                                  |
| 0xF0000008   | Returned by all system calls when client does not have access to the region it is using to pass arguments                               |
| 0xF000000B   | The opcode is not a valid system call opcode                                                                                            |
| 0xF000000F   | Invalid arguments passed to the system call                                                                                             |
| 0xF0000013   | Invalid argument location                                                                                                               |

### 3.4 Transition to Secure

This system call validates the FACTORY\_HASH and programs SECURE\_HASH, secure access restrictions and dead access restrictions into eFuse. Also, it programs eFuse bit of secure or secure with debug to transition to SECURE or SECURE WITH DEBUG life-cycle stage. Therefore, when this system call is executed successfully, the device will transition to Secure protection state after the next device reset. This system call is only allowed in

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



Normal protection state, that is, NORMAL\_PROVISIONED lifecycle stage. The arguments in this system call can only be in SRAM, and it requires three words for parameters in SRAM.

[Table 13](#) shows the arguments for the TransitiontoSecure system call and [Table 14](#) shows the return result after running system call.

**Table 13 Argument located in SRAM**

| Address field          | Name and value                       | Description                                                                                                                                   |
|------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0      |                                      |                                                                                                                                               |
| Bits [31:0]            | SRAM_SCRATCH_ADDR                    | SRAM address where the API parameters are stored. This must be a 32-bit aligned address. Therefore, Bits [1:0] is 0                           |
| SRAM_SCRATCH_ADDR      |                                      |                                                                                                                                               |
| Bits [31:24]           | 0x2F                                 | Opcode                                                                                                                                        |
| Bits [15:8]            | 1: blow D fuse<br>Other: blow S fuse | Decide whether to transition to SECURE or SECURE WITH DEBUG lifecycle stage                                                                   |
| Bits [7:0]             | Not used                             | -                                                                                                                                             |
| SRAM_SCRATCH_ADDR +0x4 |                                      |                                                                                                                                               |
| Bits [31:20]           | Not used                             | -                                                                                                                                             |
| Bits [19:18]           | MMIO_ALLOWED                         | Configure Secure Access Restriction<br>for encoding, see the “eFuse Bits” in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a>    |
| Bits [17:16]           | SFLASH_ALLOWED                       |                                                                                                                                               |
| Bits [15:14]           | WORK_FLASH_ALLOWED                   |                                                                                                                                               |
| Bits [13:11]           | SRAM_ALLOWED                         |                                                                                                                                               |
| Bits [10:8]            | FLASH_ALLOWED                        |                                                                                                                                               |
| Bits [7]               | DIRECT_EXECUTE_DISABLE               |                                                                                                                                               |
| Bits [6]               | SYS_AP_MPU_ENABLE                    |                                                                                                                                               |
| Bits [5:4]             | AP_CTL_SYS_DISABLE                   |                                                                                                                                               |
| Bits [3:2]             | AP_CTL_CM4_DISABLE                   |                                                                                                                                               |
| Bits [1:0]             | AP_CTL_CM0_DISABLE                   |                                                                                                                                               |
| SRAM_SCRATCH_ADDR +0x8 |                                      |                                                                                                                                               |
| Bits [31:0]            | See above                            | Configure Secure Dead Access Restriction. For encoding, see the “eFuse Bits” in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a> |

**Table 14 Return result**

| Address field     | Name and value               | Description        |
|-------------------|------------------------------|--------------------|
| SRAM_SCRATCH_ADDR |                              |                    |
| Bits [31:28]      | 0xA = SUCCESS<br>0xF = ERROR | System call result |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## System calls for eFuse handling

| Address field | Name and value | Description                                         |
|---------------|----------------|-----------------------------------------------------|
| Bits [27:24]  | Not used       | -                                                   |
| Bits [23:0]   | Error code     | Error code if status is error, otherwise don't care |

Table 15 shows possible return error code. Note that it is not exhaustive. For all error codes, see the “System Call Status” in TRAVEO™ T2G architecture reference manual [2].

**Table 15 Error code for TransitiontoSecure system call**

| Return value | Description                                                                                                                                                              |
|--------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0xAxxxxxx    | Success, where “x” indicates don't care value                                                                                                                            |
| 0xF0000001   | Invalid protection state – This system call is not available in current protection state. For example, TransitiontoSecure triggered when the device is already in Secure |
| 0xF00000B5   | Invalid Factory Hash                                                                                                                                                     |
| 0xF0000018   | TOC1 is invalid                                                                                                                                                          |
| 0xF00000B8   | TOC1 has incorrect hash objects                                                                                                                                          |
| 0xF00000B9   | TOC2 has incorrect hash objects                                                                                                                                          |
| 0xF0000020   | TOC2 is invalid                                                                                                                                                          |
| 0xF00000CB   | eFuse programming failed (only for lifecycle stage eFuse bits).                                                                                                          |
| 0xF50000xx   | Crypto resources are protected against PC1 access, xx corresponding to protected PPU ID                                                                                  |

## 3.5 TransitiontoRMA

This system call blows the eFuse bit and converts the parts from SECURE or SECURE WITH DEBUG to the RMA lifecycle stage. Therefore, this system call is only allowed in Secure protection state, that is, SECURE or SECURE WITH DEBUG lifecycle stage. This system call requires parameters such as certificate and digital signature to move a device to the RMA lifecycle stage. The arguments in this system call can only be in SRAM, and it requires seven words for the parameters and signature area in SRAM. The signature size depends on the key size used.

Table 16 shows the arguments for the TransitiontoSecure system call.

Table 17 shows the return result after running system call.

**Table 16 Argument located in SRAM**

| Address field     | Name and value    | Description                                                                                                         |
|-------------------|-------------------|---------------------------------------------------------------------------------------------------------------------|
| IPC_STRUCTx_DATA0 |                   |                                                                                                                     |
| Bits [31:0]       | SRAM_SCRATCH_ADDR | SRAM address where the API parameters are stored. This must be a 32-bit aligned address. Therefore, Bits [1:0] is 0 |
| SRAM_SCRATCH_ADDR |                   |                                                                                                                     |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family

## System calls for eFuse handling



| Address field           | Name and value               | Description                                                                                                                                                           |
|-------------------------|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Bits [31:24]            | 0x28                         | Opcode                                                                                                                                                                |
| Bits [23:0]             | Not used                     | -                                                                                                                                                                     |
| SRAM_SCRATCH_ADDR +0x4  |                              |                                                                                                                                                                       |
| Bits [31:0]             | 0x14                         | Object size in bytes (including itself). It should always be 20 bytes.                                                                                                |
| SRAM_SCRATCH_ADDR +0x8  |                              |                                                                                                                                                                       |
| Bits [31:0]             | 0x120028F0                   | Command ID                                                                                                                                                            |
| SRAM_SCRATCH_ADDR +0xC  |                              |                                                                                                                                                                       |
| Bits [31:0]             | Device unique ID 0           | Unique ID word 0                                                                                                                                                      |
| SRAM_SCRATCH_ADDR +0x10 |                              |                                                                                                                                                                       |
| Bits [31:0]             | Device unique ID 1           | Unique ID word 1                                                                                                                                                      |
| SRAM_SCRATCH_ADDR +0x14 |                              |                                                                                                                                                                       |
| Bits [31:0]             | Device unique ID 2           | Unique ID word 2 (3 bytes + zero padding)                                                                                                                             |
| SRAM_SCRATCH_ADDR +0x18 |                              |                                                                                                                                                                       |
| Bits [31:0]             | Signature address            | SRAM address where signature is stored                                                                                                                                |
| SRAM_SCRATCH_ADDR       |                              |                                                                                                                                                                       |
| Bits [31:28]            | 0xA = SUCCESS<br>0xF = ERROR | System call result                                                                                                                                                    |
| Bits [27:24]            | Not used                     | -                                                                                                                                                                     |
| Bits [23:0]             | Error code                   | Error code if status is error, otherwise don't care.<br>For error code, see the "System Call Status" in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a> |

**Table 17      Return result**

| Address field     | Name and value               | Description                                                                                                                                                           |
|-------------------|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SRAM_SCRATCH_ADDR |                              |                                                                                                                                                                       |
| Bits [31:28]      | 0xA = SUCCESS<br>0xF = ERROR | System call result                                                                                                                                                    |
| Bits [27:24]      | Not used                     | -                                                                                                                                                                     |
| Bits [23:0]       | Error code                   | Error code if status is error, otherwise don't care.<br>For error code ,see the "System Call Status" in TRAVEO™ T2G architecture reference manual <a href="#">[2]</a> |

## eFuse structure

### 4 eFuse structure

eFuse consists of multiple eFuse macros and some of them are available for customer use.

[Figure 2](#) shows eFuse structure in TRAVEO™ T2G series. It has four eFUSE macros and a 192-bit (24-byte) customer data area (Offset= 0x68 to 0x7F). Customers can read and program this area in the eFuse using the BlowFuseBit, ReadFuseByte, and ReadFuseBytesMargin system calls. For more information on the number of eFuse macros and customer data, see the “Peripheral I/O map” in the device datasheet [\[1\]](#).



**Figure 2 eFuse structure in CYT4BF series**

### 4.1 How to specify the parameters for BlowFuseBit system call

A BlowFuseBit system call is used to program specified eFuse bits.

As parameters, it has:

- Macro address: Specifies the eFuse macro number to program
- Byte address: Specifies the eFuse byte number to program in the eFuse macro
- Bit address: Specifies the bit position to program in the eFuse byte

[Figure 3](#) shows each parameter description in the BlowFuseBit system call.

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## eFuse structure



**Figure 3 Parameters in BlowFuseBit**

These parameters have the following relationships:

```
Macro Address = AddressOffset % EFUSE_NR  
Byte Address = AddressOffset / EFUSE_NR
```

The variable EFUSE\_NR represents the number of macros, which is four for all the T2G devices, while the AddressOffset is the eFuse offset address.

When blowing bit 5 of offset address 0x75 using the BlowFuseBit system call, specify the following parameters:

- Macro address =  $0x75 \% 4 = "1"$
- Byte address =  $0x75 / 4 = "29"$  (0x1D)
- Bit address: "5"

## 4.2 How to specify the parameters for ReadFuseByte and ReadFuseByteMargin system calls

ReadFuseByte and ReadFuseByteMargin system calls are used to read the eFuse byte.

As parameters, these have:

- eFuse address: Specifies the eFuse byte to read

This parameter specifies the eFuse offset address. Therefore, it is specified one from 104 (0x68) to 127 (0x7F) to read customer data.

## 5 System requirements to use system calls for eFuse handling

Following are the requirements to run the system calls correctly:

### 5.1 Power supply

To program an eFuse, ensure the device is in a 'quiet' state with minimal activity and provide a specific power supply. For more information, see the SID40A section in the device datasheet [1].

### 5.2 Clock configuration

System calls that target blowing of eFuses, such as BlowFuseBit and TransitionToSecure, have some requirements for clk\_hf0. To avoid complications, these APIs can be triggered with any of the clock settings used by internal boot (specified by TOC2\_FLAGS.CLOCK\_CONFIG) before the application changes the clk\_hf0 settings.

If the application changes the configurations used by boot for clk\_hf0, then ensure that the source clock for clk\_hf0 is FLL and the frequency of clk\_hf0 is restricted to 100 MHz maximum. If clk\_hf0 is not sourced from FLL and FLL is disabled, then the maximum frequency of clk\_hf0 should only be 8 MHz.

### 5.3 Protection Unit

eFuse can be protected by ERPU and EWPU in SWPU. Read or write access using system calls to protected areas returns a failure status such as 0xF0000005. For more information, see [AN228680 - Secure system configuration in TRAVEO™ T2G family](#) and [KBA234634 - Configure Software Protection Unit \(SWPU\) objects in TRAVEO™ T2G devices](#).

### 5.4 Prerequisites of triggering TransitiontoRMA system call

Requirements to run TransitiontoRMA:

- A device can only run the TransitiontoRMA system call in SECURE or SECURE\_WITH\_DEBUG lifecycle stage. Therefore, only devices in the secure protection state can trigger this system call, while devices in normal or dead protection states cannot.
- When a device is in SECURE lifecycle stage, a public key is required to be stored on a device to run the TransitiontoRMA system call. After reset, the device waits for OpenRMA system call. When a device transitions to the RMA lifecycle stage from the SECURE\_WITH\_DEBUG lifecycle stage, OpenRMA is skipped, and the device does not wait for OpenRMA system call.

ECC errors might occur during the TransitiontoRMA system call execution. Therefore, user software should not configure the fault structure for Crypto and SRAM0 ECC errors before triggering the TransitiontoRMA system call. For the fault numbers, see the device and for TransitiontoRMA system call. In addition, see the "System Calls" in TRAVEO™ T2G architecture reference manual [2].

## **6 How to use system calls**

This section describes how to trigger system calls.

In addition, this section describes sample software with the sample driver library (SDL). The code snippets in this application note are part of SDL. For more information on the SDL, see the [References](#) Section.

The SDL has two parts: configuration and driver. The configuration part configures the parameter values for the desired operation, whereas the driver part configures each register based on the parameter values in the configuration part. You can configure the configuration part according to your system. The sample software shows the CYT4BF series.

### **6.1 Blowing eFuse**

As mentioned earlier, eFuse has a customer area that customers can use to store the irreversible data. This section describes how to blow eFuse bit for customer area. BlowFuseBit system call is used to blow eFuse bit, and ReadFuseByte and ReadFuseByteMargin system calls are used to confirm the data is written correctly.

#### **6.1.1 Use case**

The following shows use case of this code example:

- Clock configuration: CLK\_HF0 is configured to be 100 MHz coming from FLL.
- Write address: offset address = 0x6D
- Write data: 0x5A

Where, EFUSE\_NR is four for CYT4BF. Therefore, system call parameters used in BlowFuseBit can be calculated as below:

- Macro address:  $1 = 109 \text{ (0x6D)} \% 4$
- Byte address:  $27 = 109 \text{ (0x6D)} / 4$
- Bit address: 6, 4, 3, 1 (0x5A)

In this use case, BlowFuseBit system call requires 4 times to blow 4 bits.

## How to use system calls

### 6.1.2 Software flow



**Figure 4 Blow eFuse flow**

**Note:** If a failure occurs, you should handle the error accordingly.

**Note:** In case of failure, it is possible to repeat the eFuse blowing.

**How to use system calls**

### 6.1.3 Configuration

For a list of parameters and functions for sample software of blowing eFuse, see [Table 18](#) and [Table 19](#).

**Table 18 List of parameters**

| Parameters              | Description                                                                         | Value             |
|-------------------------|-------------------------------------------------------------------------------------|-------------------|
| CLK_FREQ_IMO            | IMO Frequency                                                                       | 8000000 ul        |
| FLL_TARGET_FREQ         | FLL Target Frequency                                                                | 100000000 ul      |
| WAIT_FOR_STABILIZATION  | Wait definition for stabilization time of FLL bypass max switching                  | 10000 ul<br>333   |
| MacroAddr               | Macro Address to blow on BlowFusebit system call                                    | 1                 |
| ByteAddr                | Byte Address to blow on BlowFusebit system call                                     | 27                |
| BitAddr                 | Bit address to blow on BlowFusebit system call                                      | 0 (initial value) |
| MarginCTL               | Margin control setting on ReadFuseByteMargin system call                            | 1 (initial value) |
| EfuseAddr               | Offset address of eFuse to read on ReadFuseByte and ReadFuseByteMargin system calls | 109               |
| g_RdEfuseValue          | Read data by ReadFuseByte system call                                               | 0                 |
| g_RdEfuseMarginValue50  | Read data by ReadFuseByteMargin (-50%) system call                                  | 0                 |
| g_RdEfuseMarginValue100 | Read data by ReadFuseByteMargin (100%) system call                                  | 0                 |
| g_ExpectedValue         | Data to write by BlowFuseBit system call                                            | 0x5A              |

**Table 19 List of functions**

| Functions               | Description                            | Value |
|-------------------------|----------------------------------------|-------|
| ClockSetTo100MHz()      | Configure clock to FLL 100 MHz         | -     |
| Is_CLK100MHz()          | Check clock frequency                  | -     |
| Cy_BlowFuseBit()        | Run the BlowFuseBit system call        | -     |
| Cy_ReadFuseByte()       | Run the ReadFuseByte system call       | -     |
| Cy_ReadFuseByteMargin() | Run the ReadFuseByteMargin system call | -     |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

The following code show an example of running the BlowFuseBit system call with a specific use case:

### Code listing 1 Sample software of blowing eFuse

```
001 #include "cy_project.h"
002 #include "cy_device_headers.h"
003 #include <stdio.h>
004
005 /** IMO Frequency **/
006 #define CLK_FREQ IMO          (8000000ul)
007 /** FLL Target Frequency **/
008 #define FLL_TARGET_FREQ      (100000000ul)
009 /** Wait time definition **/
010 #define WAIT_FOR_STABILIZATION (10000ul)
011
012 /* API Parameters setting*/
013 uint32_t MacroAddr = 1; /* Macro Address = AddressOffset % EFUSE_NR : 0x6D % 4 = '1' */
014 uint32_t ByteAddr = 27; /* Offset = 0x6D (Byte Address = AddressOffset / EFUSE_NR : 0x6D / 4 = '27') */
015 uint32_t BitAddr = 0; /* It will be update in main code */
016 uint32_t MarginCTL = 1; /* Default read condition: Nominal resistance */
017 uint32_t EfuseAddr = 109; /* 0x0000006D */
018
019 /* Global Variable */
020 uint32_t g_RdEfuseValue = 0;
021 uint32_t g_RdEfuseMarginValue50 = 0;
022 uint32_t g_RdEfuseMarginValue100 = 0;
023 uint32_t g_ExpectedValue = 0x5A;
024
025 void ClockSetTo100MHz(void);
026 bool Is_CLK100MHz(void);
027 cy_en_srom_driver_status_t Cy_BlowFuseBit(uint32_t blowEfuse_bitaddr, uint32_t blowEfuse_macroaddr, uint32_t
blowEfuse_byteaddr);
028 cy_en_srom_driver_status_t Cy_ReadFuseByte(uint32_t ReadEfuse_Efuseaddr);
029 cy_en_srom_driver_status_t Cy_ReadFuseByteMargin(uint32_t Margin_efuseAddr, uint32_t Margin_Ctl);
030
031
032 int main(void)
033 {
034     __enable_irq();
035
036     /*** Initial clock setting for application ***/
037     SystemInit();                                         (1)
038
039     /*** Disable D-cache if need ***/
040
041     /*** Set the CLK as FLL = 100MHz ***/
042     ClockSetTo100MHz();                                     (2) See Code listing 5
043
044     /*** Check CLK as expected ***/
045     while(Is_CLK100MHz() != true);                         (3) See Code listing 6
046
047     /*** Read the value of Efuse byte befor write ***/
048     while(Cy_ReadFuseByte(EfuseAddr) != CY_SROM_DR_SUCCEEDED);
049     if(g_RdEfuseValue == 0)                                 (4) See Code listing 3
050     {
051         cy_en_srom_driver_status_t Result;
052
053         /*** Call API BlowFuseBit ***/
054         /* Write Efuse bit value as 0x5A (0101 1010) */
055         BitAddr = 1;
056         Result = Cy_BlowFuseBit(BitAddr, MacroAddr, ByteAddr);           (5) See Code listing 3
057         while(Result != CY_SROM_DR_SUCCEEDED);
058
059         BitAddr = 3;
060         Result = Cy_BlowFuseBit(BitAddr, MacroAddr, ByteAddr);
061         while(Result != CY_SROM_DR_SUCCEEDED);
062
063         BitAddr = 4;
064         Result = Cy_BlowFuseBit(BitAddr, MacroAddr, ByteAddr);
065         while(Result != CY_SROM_DR_SUCCEEDED);
066
067         BitAddr = 6;
068         Result = Cy_BlowFuseBit(BitAddr, MacroAddr, ByteAddr);
069         while(Result != CY_SROM_DR_SUCCEEDED);
070
071         /*** Call API ReadFuseByte ***/
072         Result = Cy_ReadFuseByte(EfuseAddr);
073         while(Result != CY_SROM_DR_SUCCEEDED);                                (6) See Code listing 3
074
075         /*** Call API ReadFuseByteMargin MarginCTL = -50% ***/
076         MarginCTL = 0; /* 0: Low resistance -50% */
077         Result = Cy_ReadFuseByteMargin(EfuseAddr, MarginCTL);
078         while(Result != CY_SROM_DR_SUCCEEDED);                                (7) See Code listing 4
079
080         /*** Call API ReadFuseByteMargin MarginCTL = +100% ***/
081     }
```

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

```
081     MarginCTL = 3; /* High resistance +100% */
082     Result = Cy_ReadFuseByteMargin(EfuseAddr, MarginCTL);
083     while(Result != CY_SROM_DR_SUCCEEDED);
084
085     if((g_ExpectedValue != g_RdEfuseValue) || (g_ExpectedValue != g_RdEfuseMarginValue50) || (g_ExpectedValue != g_RdEfuseMarginValue100))      (9)
086     {
087         /* mismatch */
088         while(1);
089     }
090 }
091 else
092 {
093     while(1);
094 }
095
096 /** Switch to initial clock setting for application ***/
097 for(;;);
098
099
100
101 }
```

### Code listing 2 Cy\_BlowFuseBit function

```
001 cy_en_srom_driver_status_t Cy_BlowFuseBit(uint32_t blowEfuse_bitaddr, uint32_t blowEfuse_macroaddr, uint32_t
002     blowEfuse_byteaddr)
003 {
004     /* Prepares arguments to be passed to SROM API */
005     un_srom_api_args_t apiArgs = { 0ul };
006     apiArgs.BlowFuseBit.arg0.bitAddr = blowEfuse_bitaddr;
007     apiArgs.BlowFuseBit.arg0.macroAddr = blowEfuse_macroaddr;
008     apiArgs.BlowFuseBit.arg0.byteAddr = blowEfuse_byteaddr;
009     apiArgs.BlowFuseBit.arg0.Opcode = CY_SROM_OP_BLOW_FUSE_BIT;
010
011     /* Call SROM API driver and process response */
012     while(Cy_Srom_CallApi(&apiArgs, NULL) != CY_SROM_DR_SUCCEEDED);
013
014     return CY_SROM_DR_SUCCEEDED;
015 }
```

### Code listing 3 Cy\_ReadFuseByte function

```
001 cy_en_srom_driver_status_t Cy_ReadFuseByte(uint32_t ReadEfuse_Efuseaddr)
002 {
003     /* Prepares arguments to be passed to SROM API */
004     un_srom_api_args_t apiArgs = { 0ul };
005     un_srom_api_resps_t apiResp = { 0ul };
006     apiArgs.RdFuse.arg0.eFuseAddr = ReadEfuse_Efuseaddr;
007     apiArgs.RdFuse.arg0.Opcode = CY_SROM_OP_READ_FUSE_BYTE;
008
009     /* Call SROM API driver and process response */
010     while(Cy_Srom_CallApi(&apiArgs, &apiResp) != CY_SROM_DR_SUCCEEDED);
011
012     g_RdEfuseValue = apiResp.RdFuse.resp0.ReadByte;
013
014     return CY_SROM_DR_SUCCEEDED;
015 }
```

### Code listing 4 Cy\_ReadFuseByteMargin function

```
001 cy_en_srom_driver_status_t Cy_ReadFuseByteMargin(uint32_t Margin_efuseAddr, uint32_t Margin_Ctl)
002 {
003     /* Prepares arguments to be passed to SROM API */
004     un_srom_api_args_t apiArgs = { 0ul };
005     un_srom_api_resps_t apiResp = { 0ul };
006     apiArgs.RdFuseMargin.arg0.eFuseAddr = Margin_efuseAddr;
007     apiArgs.RdFuseMargin.arg0.marginCtl = Margin_Ctl;
008     apiArgs.RdFuseMargin.arg0.Opcode = CY_SROM_OP_READ_FUSE_BYTE_MARGIN;
009
010     /* Call SROM API driver and process response */
011     while(Cy_Srom_CallApi(&apiArgs, &apiResp) != CY_SROM_DR_SUCCEEDED);
012
013     if(MarginCTL == 0 ) /* 0: Low resistance -50% */
014     {
015         g_RdEfuseMarginValue50 = apiResp.RdFuseMargin.resp0.ReadByte;
016     }
017     else if(MarginCTL == 3)/* Higher resistance(+100% from nominal) */
018     {
019         g_RdEfuseMarginValue100 = apiResp.RdFuseMargin.resp0.ReadByte;
020     }
021 }
```

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

```
021     else
022     {
023         /* MarginCTL parameter error */
024         while(1);
025     }
026 }
027 return CY_SROM_DR_SUCCEEDED;
028 }
```

### Code listing 5 ClockSetTo100MHz function

```
001 void ClockSetTo100MHz(void)
002 {
003     /* Disable Fll */
004     CY_ASSERT(Cy_SysClk_FllDisableSequence(WAIT_FOR_STABILIZATION) == CY_SYSCLK_SUCCESS);
005     /* Wait */
006     for(volatile uint32_t I = 0ul; i < 3000; i++);
007
008     /* CLK_MEM */
009     CPUSS->unMEM_CLOCK_CTL.stcField.u8INT_DIV      = 0u; /* no division */
010
011     /* CLK_SLOW */
012     CPUSS->unSLOW_CLOCK_CTL.stcField.u8INT_DIV      = 0u; /* no division */
013
014     //***** FLL(PATH0) source setting *****/
015     Cy_SysClk_ClkPathSetSource(0, CY_SYSCLK_CLKPATH_IN IMO);
016     CY_ASSERT(Cy_SysClk_HfClockSetDivider(CY_SYSCLK_HFCLK_0, CY_SYSCLK_HFCLK_NO_DIVIDE) == CY_SYSCLK_SUCCESS);
017     CY_ASSERT(Cy_SysClk_HfClockSetSource(CY_SYSCLK_HFCLK_0,
018     (cy_en_hf_clk_sources_t)CY_SYSCLK_HFCLK_IN_CLKPATH0) == CY_SYSCLK_SUCCESS);
019     CY_ASSERT(Cy_SysClk_HfClkEnable(CY_SYSCLK_HFCLK_0) == CY_SYSCLK_SUCCESS);
020
021     /* Enable Fll */
022     CY_ASSERT(Cy_SysClk_FllEnable(WAIT_FOR_STABILIZATION) == CY_SYSCLK_SUCCESS);
023 }
```

### Code listing 6 Is\_CLK100MHz function

```
001 {
002     cy_stc_base_clk_freq_t freqInfo =
003     {
004         .clk_im0_freq = CY_CLK_IM0_FREQ_HZ,
005         .clk_ext_freq = 0,
006         .clk_eco_freq = CY_CLK_ECO_FREQ_HZ,
007         .clk_il00_freq = CY_CLK_HVIL00_FREQ_HZ,
008         .clk_il01_freq = CY_CLK_HVIL01_FREQ_HZ,
009         .clk_wco_freq = CY_CLK_WCO_FREQ_HZ,
010     };
011
012     uint32_t coreClockFreq = 0;
013     uint32_t Hf0ClkFrequency = 0;
014
015     Cy_SysClk_InitGetFreqParams(&freqInfo);
016     Cy_SysClk_GetHfClkFrequency(CY_SYSCLK_HFCLK_0, &Hf0ClkFrequency);
017     Cy_SysClk_GetCoreFrequency(&coreClockFreq);
018
019     if((coreClockFreq == FLL_TARGET_FREQ) && (Hf0ClkFrequency == FLL_TARGET_FREQ))
020     {
021         return true;
022     }
023
024     return false;
025 }
026 }
```

## 6.2 Transition to Secure protection state

This section describes how to transition a device to the SECURE lifecycle stage. The TransitiontoSecure system call transitions the device's lifecycle stage to SECURE or SECURE\_WITH\_DEBUG. This system call validates the FACTORY\_HASH and programs the SECURE HASH to eFuse. In addition, when the device transitions to the SECURE lifecycle stage, this system call programs Secure and Dead access restrictions into eFuse. For Secure and Dead access restrictions encoding, see the "BootROM" section in TRAVEO™ T2G architecture reference manual [2].

## How to use system calls

### 6.2.1 Use case

The following shows use case of this code example:

- Transition to SECURE lifecycle stage
- Secure access restrictions: 0x00000000
- Dead access restrictions: 0x00000000

Secure and Dead access restriction will change according to security requirements.

### 6.2.2 Software flow

[Figure 5](#) to [Figure 7](#) shows the software flow of blowing eFuse.



**Figure 5 Transition to SECURE lifecycle stage flow**

**Note:** If a failure occurs, you should handle the error accordingly.

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls



**Figure 6** Compare Read byte value process (5) flow



**Figure 7** Compare Secure and DEAD access restricts process (8), (11) flow

**Note:** Some requirements should be fulfilled before transitioning the device to SECURE or SECURE\_WITH\_DEBUG lifecycle stage such as programming a valid public key, using Cypress

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

secure application format (CySAF) etc. For more details, see [AN228680 - Secure system configuration in TRAVEO™ T2G family](#).

Note: If all the steps described in the flow chart is successful, then it is recommended to do a device reset and make sure that the device is in the intended lifecycle stage (For example SECURE). If ROM boot reaches SECURE lifecycle stage, then the lifecycle eFuse and the secure hash must be correct.

### 6.2.3 Configuration

For a list of parameters and functions for sample software of blowing eFuse, see [Table 18](#) and [Table 19](#).

**Table 20 List of parameters**

| Parameters                           | Description                                                                                                                                              | Value        |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| CLK_FREQ IMO                         | IMO Frequency                                                                                                                                            | 8000000 ul   |
| FLL_TARGET_FREQ                      | FLL Target Frequency                                                                                                                                     | 100000000 ul |
| WAIT_FOR_STABILIZATION               | Wait definition for stabilization time of FLL bypass max switching                                                                                       | 10000ul      |
| CY_SROM_OP_TRANSITION_TO_SECURE      | Transition to Secure system call OP code                                                                                                                 | 0x2F         |
| SECURE                               | Transition to Secure system call parameter:<br>Transition to SECURE lifecycle stage:                                                                     | 0x0          |
| SECURE_ACC_RESTRICT                  | Secure access restricts data.<br>See <a href="#">Table 13</a> for configuration.<br>This parameter can change according to system security requirements. | 0x00000000   |
| DEAD_ACC_RESTRICT                    | DEAD access restricts data. See <a href="#">Table 13</a> for configuration. This parameter can change according to system security requirements.         | 0x00000000   |
| MarginCTL                            | ReadFuseByteMargin system call parameter.                                                                                                                | 1            |
| EfuseAddr[]                          | eFuse Address                                                                                                                                            | 1, 44-67     |
| SecureAccessRestrictions_EfuseAddr[] | eFuse Address of Secure access restriction                                                                                                               | 60-62        |
| DeadAccessRestrictions_EfuseAddr[]   | eFuse Address of DEAD access restriction                                                                                                                 | 64-66        |
| g_RdEfuseValue                       | Read data by ReadFuseByte system call                                                                                                                    | -            |
| g_RdEfuseMarginValue50               | Read data by ReadFuseByteMargin (-50%) system call                                                                                                       | -            |

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

| Parameters              | Description                                        | Value |
|-------------------------|----------------------------------------------------|-------|
| g_RdEfuseMarginValue100 | Read data by ReadFuseByteMargin (100%) system call | -     |

**Table 21 List of functions**

| Functions                        | Description                                                                                         | Value |
|----------------------------------|-----------------------------------------------------------------------------------------------------|-------|
| ClockSetTo100MHz()               | Configure clock to FLL 100 MHz                                                                      | -     |
| Is_CLK100MHz()                   | Check clock frequency                                                                               | -     |
| CompareEfuseValue()              | Read eFuse data using ReadFuseByte and ReadFuseByteMargin system calls, and compare these read data | -     |
| CompareEfuseValue_DeadAccess()   | Read Dead access restriction and compare with write value                                           | -     |
| CompareEfuseValue_SecureAccess() | Read Secure access restriction and compare with write value                                         | -     |
| Cy_ReadFuseByte()                | Run the ReadFuseByte system call                                                                    | -     |
| Cy_ReadFuseByteMargin()          | Run the ReadFuseByteMargin system call                                                              | -     |
| Cy_TransitionToSecure ()         | Run the TransitiontoSecure system call                                                              | -     |

The following code show an example of running TransitiontoSecure system call with use case:

**Code listing 7 Sample software of TransitiontoSecure**

```

027 #include "cy_project.h"
028 #include "cy_device_headers.h"
029 #include <stdio.h>
030
031 /** IMO Frequency ***/
032 #define CLK_FREQ IMO (8000000ul)
033 /** FLL Target Frequency ***/
034 #define FLL_TARGET_FREQ (100000000ul)
035 /** Wait time definition */
036 #define WAIT_FOR_STABILIZATION (10000ul)
037 /** API OPCODE ***/
038 #define CY_SROM_OP_TRANSITION_TO_SECURE (0x2FUL)
039 /* API Parameters definition */
040 #define SECURE (0x0ul)
041 #define SECURE_ACC_RESTRICT (0x00000000ul) /* For SECURE- It can be change by customer needs. */
042 #define DEAD_ACC_RESTRICT (0x00000000ul) /* For SECURE */
043
044 /* API Parameters setting */
045 /* Nominal resistance (default read condition) */
046 uint32_t MarginCTL = 1;
047 /* 0x01 and 0x2C - 0x43 */
048 uint32_t EfuseAddr[25] = {1,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67};
049 /* Secure Access Restrictions (0x3C-0x3E) */
050 uint32_t SecureAccessRestrictions_EfuseAddr[3] = {60,61,62};
051 /* Secure Dead Access Restrictions (0x40-0x42) */
052 uint32_t DeadAccessRestrictions_EfuseAddr[3] = {64,65,66};
053
054 /* Global Variable */
055 uint32_t g_RdEfuseValue = 0;
056 uint32_t g_RdEfuseMarginValue50 = 0;
057 uint32_t g_RdEfuseMarginValue100 = 0;
058
059 void ClockSetTo100MHz(void);

```

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

```
060 bool Is_CLK100MHz(void);
061 bool CompareEfuseValue(uint32_t ReadEfuseAddr);
062 bool CompareEfuseValue_DeadAccess(uint32_t ReadEfuseAddr);
063 bool CompareEfuseValue_SecureAccess(uint32_t ReadEfuseAddr);
064 cy_en_srom_driver_status_t Cy_ReadFuseByte(uint32_t ReadEfuse_Efuseaddr);
065 cy_en_srom_driver_status_t Cy_ReadFuseByteMargin(uint32_t Margin_efuseAddr, uint32_t Margin_Ctl);
066 cy_en_srom_driver_status_t Cy_TransitionToSecure(uint32_t SecureDebug, uint32_t SecureAccessRestrict, uint32_t
067 SecureDeadAccessRestrict);
068
069 int main(void)
070 {
071     __enable_irq();
072
073     /** Initial clock setting for application ***
074     SystemInit();
075
076     /** Disable D-cache if need ***
077
078     /** Set the CLK as FLL = 100MHz ***
079     ClockSetTo100MHz();                                         (2) See Code listing 5
080
081     /** Check CLK as expected ***
082     while(Is_CLK100MHz() != true);                                (3) See Code listing 6
083
084     /** API Result ***
085     cy_en_srom_driver_status_t Result;
086
087     /** Call API TransitionToSecure      ***
088     Result = Cy_TransitionToSecure(SECURE, SECURE_ACC_RESTRICT, DEAD_ACC_RESTRICT);          (4) See Code listing 8
089     while(Result != CY_SROM_DR_SUCCEEDED);
090
091     int Num = 0;
092     for(Num = 0;Num < 25;Num++)
093     {
094         /* Read byte address from 0x01, 0x2C - 0x43 and compare the read value */           (5) See Code listing 9
095         if(CompareEfuseValue(EfuseAddr[Num]) != true)
096         {
097             /* mismatch*/
098             while(1);                                         (6)
099         }
100     }
101
102
103
104
105     for(Num = 0;Num < 3;Num++)
106     {
107         /* Read byte address from 0x3C - 0x3E, and compare the read value */           (7) See Code listing 10
108         if(CompareEfuseValue_SecureAccess(SecureAccessRestrictions_EfuseAddr[Num]) != true)
109         {
110             /* mismatch*/
111             while(1);                                         (8)
112         }
113     }
114
115     for(Num = 0;Num < 3;Num++)
116     {
117         /* Read byte address from 0x40 - 0x42, and compare the read value */           (9) See Code listing 11
118         if(CompareEfuseValue_DeadAccess(DeadAccessRestrictions_EfuseAddr[Num]) != true)
119         {
120             /* mismatch*/
121             while(1);                                         (10)
122         }
123     }
124
125     for(;;);
126 }
127 }
```

### Code listing 8 Cy\_TransitionToSecure function

```
001 cy_en_srom_driver_status_t Cy_TransitionToSecure(uint32_t SecureDebug, uint32_t SecureAccessRestrict, uint32_t
002     SecureDeadAccessRestrict)
003 {
004     /* Prepares arguments to be passed to SROM API */
005     un_srom_api_args_t apiArgs = { 0ul };
006     apiArgs.TransitionToSecure.arg0.debug        = SecureDebug;
007     apiArgs.TransitionToSecure.arg0.opcode       = CY_SROM_OP_TRANSITION_TO_SECURE;
008     apiArgs.TransitionToSecure.arg1.secureaccrest    = SecureAccessRestrict;
009     apiArgs.TransitionToSecure.arg2.deadaccrest   = SecureDeadAccessRestrict;
010
011     /* Call SROM API driver and process response */
012     while(Cy_Srom_CallApi(&apiArgs, NULL) != CY_SROM_DR_SUCCEEDED);
```

# How to use system calls (SROM APIs) for eFuse handling in TRAVEO™ T2G family



## How to use system calls

```
013     return CY_SROM_DR_SUCCEEDED;
014 }
015
016 cy_en_srom_driver_status_t Cy_ReadFuseByte(uint32_t ReadEfuse_Efuseaddr)
017 {
018     /* Prepares arguments to be passed to SROM API */
019     un_srom_api_args_t apiArgs = { 0ul };
020     un_srom_api_resps_t apiResp = { 0ul };
021     apiArgs.RdFuse.arg0.eFuseAddr = ReadEfuse_Efuseaddr;
022     apiArgs.RdFuse.arg0.Opcode = CY_SROM_OP_READ_FUSE_BYTE;
023
024     /* Call SROM API driver and process response */
025     while(Cy_Srom_CallApi(&apiArgs, &apiResp) != CY_SROM_DR_SUCCEEDED);
026
027     g_RdEfuseValue = apiResp.RdFuse.resp0.ReadByte;
028
029     return CY_SROM_DR_SUCCEEDED;
030 }
```

## Code listing 9 CompareEfuseValue function

```
001 bool CompareEfuseValue(uint32_t ReadEfuseAddr)
002 {
003     /*** API Result ***/
004     cy_en_srom_driver_status_t Result;
005
006     /*** Call API ReadFuseByte      ***/
007     Result = Cy_ReadFuseByte(ReadEfuseAddr); (5)-1
008     while(Result != CY_SROM_DR_SUCCEEDED);
009
010    /*** Call API ReadFuseByteMargin MarginCTL = -50%      ***/
011    MarginCTL = 0; /* 0: Low resistance */
012    Result = Cy_ReadFuseByteMargin(ReadEfuseAddr, MarginCTL);
013    while(Result != CY_SROM_DR_SUCCEEDED); (5)-2
014
015    /*** Call API ReadFuseByteMargin MarginCTL = +100%      ***/
016    MarginCTL = 3; /* High resistance +100% */
017    Result = Cy_ReadFuseByteMargin(ReadEfuseAddr, MarginCTL); (5)-3
018    while(Result != CY_SROM_DR_SUCCEEDED);
019
020    if((g_RdEfuseValue == g_RdEfuseMarginValue50) && (g_RdEfuseValue == g_RdEfuseMarginValue100)) (5)-4
021    {
022        // Matched
023        return true;
024    }
025    else
026    {
027        return false;
028    }
029 }
```

## Code listing 10 CompareEfuseValue\_SecureAccess function

```
001 {
002     /*** API Result ***/
003     cy_en_srom_driver_status_t Result;
004
005     /*** Call API ReadFuseByte      ***/
006     Result = Cy_ReadFuseByte(ReadEfuseAddr); (7)-1
007     while(Result != CY_SROM_DR_SUCCEEDED);
008
009    /* SECURE_ACC_RESTRICT */
010    /* Compare the bit value of SECURE_ACC_RESTRICT */
011    uint32_t SECURE_ACC_bitsValue = 0;
012    if(ReadEfuseAddr == 60)
013    {
014        SECURE_ACC_bitsValue = (SECURE_ACC_RESTRICT & 0x000000FF);
015        if(SECURE_ACC_bitsValue != g_RdEfuseValue) (7)-2
016        {
017            /* Mismatched */
018            return false;
019        }
020        else
021        {
022            /* Matched*/
023            return true;
024        }
025    }
026    else if(ReadEfuseAddr == 61)
027    {
028        SECURE_ACC_bitsValue = ((SECURE_ACC_RESTRICT & 0x0000FF00)>>8);
029        if(SECURE_ACC_bitsValue != g_RdEfuseValue) (7)-3
030    }
```

## How to use system calls

```
031         /* Mismatched */
032         return false;
033     }
034     else
035     {
036         /* Matched*/
037         return true;
038     }
039 }
040 else if(ReadEfuseAddr == 62)
041 {
042     SECURE_ACC_bitsValue = ((SECURE_ACC_RESTRICT & 0x001F0000)>>16);
043     if(SECURE_ACC_bitsValue != g_RdEfuseValue)
044     {
045         /* Mismatched */
046         return false;
047     }
048     else
049     {
050         /* Matched*/
051         return true;
052     }
053 }
054 else
055 {
056     /* Please check parameter */
057     return false;
058 }
059 }
```

## How to use system calls

### Code listing 11 CompareEfuseValue\_DeadAccess function

```

001 {
002     /** API Result **/
003     cy_en_srom_driver_status_t Result;
004
005     /** Call API ReadFuseByte      **/
006     Result = Cy_ReadFuseByte(ReadEfuseAddr);
007     while(Result != CY_SROM_DR_SUCCEEDED);                                (7) -1
008
009     /* DEAD_ACC_RESTRICT */
010    /* Compare the bit value of DEAD_ACC_RESTRICT   */
011    uint32_t DEAD_ACC_bitsValue = 0;
012    if(ReadEfuseAddr == 64)
013    {
014        DEAD_ACC_bitsValue = (DEAD_ACC_RESTRICT & 0x000000FF);
015        if(DEAD_ACC_bitsValue != g_RdEfuseValue)                               (7) -2
016        {
017            /* Mismatched */
018            return false;
019        }
020        else
021        {
022            /* Matched*/
023            return true;           }                                         (7) -2
024    }
025    else if(ReadEfuseAddr == 65)                                         (7) -3
026    {
027        DEAD_ACC_bitsValue = ((DEAD_ACC_RESTRICT & 0x0000FF00)>>8);
028        if(DEAD_ACC_bitsValue != g_RdEfuseValue)                               (7) -2
029        {
030            /* Mismatched */
031            return false;          }                                         (7) -3
032        }
033        else
034        {
035            /* Matched*/
036            return true;
037        }
038    }
039    else if(ReadEfuseAddr == 66)                                         (7) -2
040    {
041        DEAD_ACC_bitsValue = ((DEAD_ACC_RESTRICT & 0x001F0000)>>16);
042        if(DEAD_ACC_bitsValue != g_RdEfuseValue)                               (7) -3
043        {
044            /* Mismatched */
045            return false;
046        }
047        else
048        {
049            /* Matched*/
050            return true;
051        }
052    }
053    else
054    {
055        /* Please check parameter */
056        return false;
057    }
058 }
```

## References

The following are the TRAVEO™ T2G family series datasheets and technical reference manuals. A sample driver library (SDL) including startup as sample software to access various peripherals is provided. The SDL also serves as a reference to customers, for drivers that are not covered by the official AUTOSAR products. The SDL cannot be used for production purposes as it does not qualify to any automotive standards. The code snippets in this application note are part of the SDL. To obtain the SDL and other documents, contact [Infineon Technical Support](#).

### [1] Device datasheet

- [CYT2B6 datasheet 32-bit Arm® Cortex®-M4F microcontroller TRAVEO™ T2G family](#)
- [CYT2B7 datasheet 32-bit Arm® Cortex®-M4F microcontroller TRAVEO™ T2G family](#)
- [CYT2B9 datasheet 32-bit Arm® Cortex®-M4F microcontroller TRAVEO™ T2G family](#)
- [CYT2BL datasheet 32-bit Arm® Cortex®-M4F microcontroller TRAVEO™ T2G family](#)
- [CYT3BB/4BB datasheet 32-bit Arm® Cortex®-M7 microcontroller TRAVEO™ T2G family](#)
- [CYT4BF datasheet 32-bit Arm® Cortex®-M7 microcontroller TRAVEO™ T2G family](#)
- [CYT3DL datasheet 32-bit Arm® Cortex®-M7 microcontroller TRAVEO™ T2G family](#)
- [CYT4DN datasheet 32-bit Arm® Cortex®-M7 microcontroller TRAVEO™ T2G family](#)

### [2] Reference manual

- Body controller entry family
  - [TRAVEO™ T2G Automotive Body Controller Entry family architecture technical reference manual \(TRM\)](#)
  - [TRAVEO™ T2G Automotive Body Controller Entry registers technical reference manual \(TRM\) for CYT2B6/CYT2B7](#)
  - [TRAVEO™ T2G Automotive Body Controller Entry registers technical reference manual \(TRM\) for CYT2B9](#)
  - [TRAVEO™ T2G Automotive Body Controller Entry registers technical reference manual \(TRM\) for CYT2BL \(Doc No. 002-29852\)](#)
- Body controller high family
  - [TRAVEO™ T2G Automotive Body Controller High family architecture technical reference manual \(TRM\)](#)
  - [TRAVEO™ T2G Automotive Body Controller High registers technical reference manual \(TRM\) for CYT4BF](#)
  - [TRAVEO™ T2G Automotive Body Controller High registers technical reference manual \(TRM\) for CYT3BB/4BB](#)
- Cluster 2D family
  - [TRAVEO™ T2G Automotive Cluster 2D family architecture technical reference manual \(TRM\) \(Doc No. 002-25800\)](#)
  - [TRAVEO™ T2G Automotive Cluster 2D registers technical reference manual \(TRM\) for CYT4DN \(Doc No. 002-25923\)](#)
  - [TRAVEO™ T2G Automotive Cluster 2D registers technical reference manual \(TRM\) for CYT3DL \(Doc No. 002-29854\)](#)

### [3] Application note

- [AN228680 - Secure system configuration in TRAVEO™ T2G family](#)

### [4] Knowledge base article

- [KBA234634 - Configure Software Protection Unit \(SWPU\) objects in TRAVEO™ T2G devices](#)

**Revision history**

**Revision history**

| <b>Document revision</b> | <b>Date</b> | <b>Description of changes</b>                                                                                                                                                   |
|--------------------------|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| V 1.0                    | 2023-12-07  | Initial release                                                                                                                                                                 |
| V 2.0                    | 2025-01-22  | Added detail description in <a href="#">Table 10</a><br>Fixed to correct link in <a href="#">6 How to use system calls</a><br>Added Note to <a href="#">6.1.2 Software flow</a> |

## **Trademarks**

All referenced product or service names and trademarks are the property of their respective owners.

**Edition 2025-01-22**

**Published by**

**Infineon Technologies AG  
81726 Munich, Germany**

**© 2025 Infineon Technologies AG.  
All Rights Reserved.**

**Do you have a question about this  
document?**

**Email:** [erratum@infineon.com](mailto:erratum@infineon.com)

**Document reference  
AN0002**

## **Important notice**

The information contained in this application note is given as a hint for the implementation of the product only and shall in no event be regarded as a description or warranty of a certain functionality, condition or quality of the product. Before implementation of the product, the recipient of this application note must verify any function and other technical information given herein in the real application. Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind (including without limitation warranties of non-infringement of intellectual property rights of any third party) with respect to any and all information given in this application note.

The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer's technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.

## **Warnings**

Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office.

Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies' products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.