ATmega328(P) Flash Programming in ISP mode using SPI

HOW TO PROGRAM THE ATMEGA328(p) MANUALLY THROUGH SPI

Programming the ATmega328(p) manually can easily be achieved using a standard SPI connection.
By connecting the ATmega to a host MCU through SPI, programming the target can be very easy.

  1. ChipSelect - Enables programming mode on the target ATmega328(p)
  2. Issue corresponding commands from host to the target.
  3. Release ChipSelect

CONNECTIONS

HOST - TARGET
SS/CS RESET
MOSI MOSI
MISO MISO
SCK SCK
V+ V+
GND GND

No external crystal connection is needed. Programming speed is determined by SPI SCK.


ATMEGA328(p) ISP COMMANDS

0xAC EXECUTABLE COMMAND PREFIX
0x20 READ LOW BYTE FROM FLASH
0x28 READ HIGH BYTE FROM FLASH
0x30 READ DEVICE ID INFORMATION
0x40 WRITE LOW BYTE TO FLASH BUFFER
0x48 WRITE HIGH BYTE TO FLASH BUFFER
0x4C TRANSFER BYTES FROM BUFFER TO FLASH AT ADDRESS LOADED INTO 0x40 AND 0x48
0xC0 WRITE BYTE TO EEPROM
0xA0 READ BYTE FROM EEPROM


OPCODE USAGE

STEP 1: Issuing the "Programming Enable" command to the target:

This is the only command the target will acknowledge initially when RESET goes low.
You can enter Programming Mode by sending AC 53 00 00 to the target.

STEP 2: Reading the Device ID from the target after initialization:

The next step is to see if init occured correctly, so we have to read the Device ID from the target.
Device ID can be read by issuing 30 00 00 to the target, and then read one byte back from the
target checking for data first then issuing clock in that order on the bit level.

The Device ID byte should read back as 1E signifying Atmel as the manufacturer.
If the Device ID byte reads as 0x1E, the device is set to be reprogrammed.
If the Device ID byte reads as 0xFF, the device did not initialize properly.

If the Device ID byte reads as 0x00, then the Lock Bits are set and the
device has to be erased first before you can properly read the Device ID.

Send three bytes, then read one byte for a total of four bytes in the sequence.

** Note that each command in Programming Mode is ALWAYS 4 bytes long **
** You can also read flash size using 30 00 01 + read one byte **
** You can also read device family using 30 00 02 + read one byte **

STEP 3: Issuing the Chip Erase Command to Erase the entire contents of Flash and EEPROM:

Before programming can occur, the Flash and EEPROM must be erased at the same time.
This resets all bytes in the physical address space to 0xFF so they can be reprogrammed.
Erasing Flash and EEPROM can be accomplished by issuing AC 80 00 00 to the target.
ALL bytes in Flash and EEPROM become 0xFF.

** ATmega328(p) is only capable of setting individual bits to 0's from 1's during programming **
** The unit can not program bits from 0's to 1's, so the bytes default to 0xFF after format **

STEP 4: Checking to see if the device was formatted properly:

Checking Flash to see if it was formatted properly can be done by issuing
the Read Byte From Flash command. Each address location holds 2 bytes,
a High byte and a Low byte.

aa=SEGMENT or MSB highbyte of address
bb=OFFSET or LSB low byte of address

Example: If the Segment=00 and the Offset=01 then the ADDRESS= 0x0001

To read a low byte from an address in Flash, issue: 20 aa bb then read one byte,
or issue: 20 SEGMENT OFFSET then read one byte.

To read a high byte from an address in Flash, issue: 28 aa bb then read one byte
or issue: 28 SEGMENT OFFSET then read one byte.

Send three bytes, then read one byte for a total of four bytes in the sequence.

If the bytes read are 0xFF, then the device has been formated properly.
The Flash address range is 0x0000 - 0x03FFF or 0-16383 for a total of 16384 memory locations.
** Each address in Flash contains 2 bytes, a Low byte and a High byte **

STEP 5: Writing a byte to Flash after proper Format:

Writing bytes to flash occurs by sending a byte to a high or low location per address in flash.

Writing a low byte to a Flash address is accomplished by issuing 40 SEGMENT OFFSET uint8_t
for a total of four bytes sent to the target from the host.

Writing a high byte to a Flash address is accomplished by issuing 48 SEGMENT OFFSET uint8_t
for a total of four bytes sent to the target from the host.

Physically writing the low and high bytes to the flash from the buffer is done by issuing
the "Write Program Memory Page" command which must be done per address location
after having written the low and high bytes to a single address.

Locking the bytes into Flash memory can be done by issuing 4C SEGMENT OFFSET 00
for a total of four bytes sent to the target MCU.

Simply release the RESET line of the target MCU to end programming mode.

Example 40 00 00 FE 48 00 00 EF 4C 00 00 00 writes EFFE to address 0x0000 in Flash.
Commands are issued one after another without releasing RESET, (which must remain low).


INTERPRETTING INTEL HEX FORMAT

Intel HEX format traditionally looks something like this: :107800000C94343C0C94513C0C94513C0C94513CE1

Understanding the bytes can be done by breaking each line of HEX code into groups like this:

:10 7800 00 0C94343C0C94513C0C94513C0C94513C E1

Each line in this bootloader example begins with a : representing the start of a new line.

The next two chars 0x10 from the example shows how many data bytes are in the line of text.

The next four bytes 0x7800 show the starting address where the code will be written to Flash
with 0x78 as MSB or SEGMENT and 0x00 as LSB or OFFSET for the address.

The next two bytes 0x00 show that the next 16 bytes in the line are plain uint8 data.
This will be written low byte first then high byte in that order until end of file.

Following the data type is a group of 16 bytes beginning with 0x0C ending with 0x3C
0x0C will be written as the low byte using ISP command 0x40 at address 0x7800
0x94 will be written as the high byte using ISP command 0x48 at address 0x7800

Then these bytes are locked into place inside the Flash using ISP command
4C 78 00 00 reflecting the address of the bytes that were issued to the buffer.

0x3C will be written as the high byte using ISP command 0x48 at address 0x7807
This is because the ATmega328(p) holds two bytes per address in Flash unlike
the hex file shows.

The last two chars 0xE1 are the checksum digits for the entire line which can be discarded.

The last two lines in the hex file can be ignored as they will not be written to Flash in any shape, way or form.
The last two lines of code look something like this:
:040000030000780081
:00000001FF

They are not used for AVR, but used for storing instruction and stack pointer addresses in Intel x86 CPU's.
The last line marks the end of file which can be ignored completely.

** Write the low byte, then write the high byte and then lock the bytes into place before writing any bytes to any other address **
** The only address we are interested in is the very first address listed in the hex file, 7800 in this case for bootloader **
** No other address should ever be used as the other addresses do not line up to how the data needs to be written to MCU Flash! **


BOOTLOADERS

ATmega328(p) has four bootloader locations inside it.

They are:

BLS1 - 0x7E00 - 0x7FFF size 0x0200 or 512 bytes

BLS2 - 0x7C00 - 0x7FFF size 0x0400 or 1024 bytes

BLS3 - 0x7800 - 0x7FFF size 0x0800 or 2048 bytes

BLS4 - 0x6FFF - 0x7FFF size 0x1000 or 4096 bytes

Per the example above, this bootloader begins at 0x7800
so we know we'll have to use Bootloader Section 3, BLS3.
This will be the start address where the bootloader code
will reside.

However, all Application Code should be written starting
at address 0x0000 inside the MCU Flash without entering
bootloader space unless the bootloader option is disabled.

Disabling the bootloader can be accomplished by setting [BOOTRST] to 0
which will set the Reset Vector address to 0x0000 during Power-Up.

This way, the bootloader is disabled and your Application Code will still work.

Disabling the bootloader will give your Application Code more space as it
can then fill up the bootloader sections since execution starts at 0x0000.


Programming Questions

So what is the question?

Contributing the secret knowledge to the community since Atmel won't release their list of ISP commands for the ATmega series to help a lot of people here figure out how to write the MCU flash manually out of circuit. I did it successfully last night writing program and bootloader data in one shot by implementing SPI using GPIO functions with pin toggling in AVR32 while reading from MISO on an ADC pin on an ATUC3A3256alut.

So if I understand you correctly, you can ICSP program an Atmel chip?

Have you seen this?

I used it on Sunday to program one Atmega 328 from another.

Iexpress:
Contributing the secret knowledge to the community since Atmel won't release their list of ISP commands for the ATmega series to help a lot of people here figure out how to write the MCU flash manually out of circuit.

It's in the datasheet. That's how I wrote my programmer.

Atmega chip stand-alone programmer to upload .hex files

That link also shows reading .hex files.

Perhaps there was a misunderstanding. I programmed the ATmega328P from scratch in binary mode on a blank chip that did not have application code or bootloader on it. It was a little tricky at first until I got the hang of it, and did it it in 100% binary without an external oscillator letting the SPI clock control the rate of data transfer. It was very interesting, but worked. I parced the data from the hex file, and then wrote the bytes to their memory locations. The board the MCu's are soldered into take additional commands as well so writing two bytes to each address looked something like this: C104090000900009003C90C10489000090000900839004C90000900009000090

The format my hardware understands to route data.

Can you post a photo of your setup?

Sure thing. I rewired the board today to make it a little more managable. I’ll find a way to get a photo in, doesn’t seem I can upload photo from the iPad. Thanks.

It’s in the datasheet.

There are actually a few missing. For example, it is apparently possible to change the signature line #. Folks who claim to know have said the signature line is actually just a bit more Flash with a special purpose. The theory is AVR processors come out of the fab like a new born babe and have to be told their identity via ISP. Gotta love those AVR Freaks.

# Why anyone would want to change the signature line escapes me.