Arm

Flash Patch and Breakpoint Unit (FPB) in Arm Cortex-M Explained

Graham Kruk
Graham Kruk 11 Min Read

The Flash Patch and Breakpoint (FPB) unit in Arm Cortex-M processors provides an efficient mechanism to rewrite flash memory contents and set code breakpoints for debugging and software patching purposes. This article provides a comprehensive overview of the FPB unit, how it works, its key features, configuration, and usage examples for patching code in flash memory and setting code breakpoints.

Contents
Overview of FPB UnitFPB Unit ArchitectureComparatorSubstitution LogicRemap RegisterFPB ControlFPB Unit OperationBreakpoint OperationRemapping OperationFPB Unit FeaturesBreakpoint Address ComparatorsReplacement Instruction SubstitutionFlash Memory RemappingSecurity RestrictionsFPB Configuration and ProgrammingFPB Register OverviewProgramming Breakpoint RegistersProgramming Remap RegistersDebugger ConfigurationFPB Unit Usage ExamplesDebugging with BreakpointsLive Firmware PatchingDynamic InstrumentationFlash Access ControlSummary

Overview of FPB Unit

The FPB unit is a debug component integrated into the Cortex-M processor system which allows debugging tools to set breakpoints and patch flash memory through a dedicated FPB interface. The key capabilities offered by the FPB unit are:

  • Setting instruction breakpoints in flash memory
  • Dynamically re-mapping flash contents to RAM for software patching
  • Fast and efficient flash patching without having to erase/program entire flash blocks
  • Up to 8 instruction replacement breakpoints for Cortex-M0/M0+ and up to 16 for Cortex-M3/M4/M7
  • Linked instruction breakpoints for complex breakpoint conditions
  • Shielding flash contents by restricting access to debug interfaces

The FPB unit operates independently from the CPU thus allowing breakpoints and flash patching without disturbing processor operation. By providing an interface to directly access and rewrite flash memory contents, the FPB unit enables several use cases for debugging, dynamic software updates and field firmware upgrades.

FPB Unit Architecture

The FPB unit consists of a set of comparators to match programmed addresses, substitution logic to insert new instruction values, and a remap register to swap flash and RAM addresses. The key components of the FPB architecture are:

  • Comparator – Compares instruction fetches with breakpoint addresses
  • Substitution logic – Provides replacement instruction when breakpoint matches
  • Remap register – Remaps flash address range to RAM to enable patching
  • FPB control – Enables/disables breakpoint and remapping

The comparator and substitution logic blocks allow breakpoint instructions to be inserted when the CPU fetches instructions from flash addresses configured as breakpoints. The remap register is used to dynamically map flash addresses to RAM locations to enable software patching.

Comparator

The FPB comparator detects matches between fetched instruction addresses and programmed breakpoint addresses. Cortex-M0/M0+ have 4 comparators while Cortex-M3/M4/M7 have 8 comparators. Each comparator is 40-bits wide allowing comparisons with physical addresses. Comparators can also be linked to form complex trigger conditions.

Substitution Logic

When an address match occurs in any comparator, the substitution logic provides the replacement instruction pre-programmed for that breakpoint address. For unconditional breakpoints, a BKPT instruction is typically provided to trigger the debug handler. For conditional breakpoints, the substitution instruction skips the breakpoint to avoid entering debug state.

Remap Register

The remap register is used to dynamically map a region of flash memory to RAM locations. This enables flash contents to be modified in RAM without having to erase/reprogram flash. The Cortex-M3, M4 and M7 have 8 remap registers to support multiple flash regions, while M0/M0+ have a single remap register.

FPB Control

The FPB control register is used to enable or disable breakpoint generation and address remapping. Breakpoints can be disabled by masking specific comparators or remapping can be disabled for normal flash execution. Additional control settings configure security and debug behavior.

FPB Unit Operation

The FPB unit operates concurrently with the processor pipeline to monitor instruction fetches and compare with configured breakpoint addresses. If an address match occurs, the substitution logic inserts the replacement instruction into the pipeline instead of the original instruction from flash.

When remapping is enabled, any instruction fetches within the remapped flash region will be fetched from the remapped RAM location instead of flash. This allows the flash contents to be modified in RAM without having to erase/reprogram flash.

Breakpoint Operation

The sequence of events for a breakpoint address match is:

  1. CPU fetches instruction from flash address 0x20000
  2. FPB comparator matches fetch address to a configured breakpoint
  3. Substitution logic provides replacement BKPT instruction
  4. CPU pipeline receives BKPT instruction and enters debug state

The replacement instruction can be a BKPT to trigger a debug handler or another instruction to skip the breakpoint based on conditions. Multiple breakpoints can be chained together using comparator linking.

Remapping Operation

The sequence of events for remapped flash access is:

  1. CPU fetches instruction from flash address 0x20000
  2. Remap register converts fetch address to RAM address 0x300000
  3. Instruction is fetched from RAM address instead of flash
  4. RAM contents can be modified without erasing/reprogramming flash

Remapping enables flash patching by redirecting fetches from flash to modifiable RAM locations. Multiple non-contiguous flash regions can be remapped using the remap registers.

FPB Unit Features

The FPB unit provides several key capabilities to enable advanced breakpoint debugging and live flash patching functionality:

Breakpoint Address Comparators

The FPB comparators match instruction fetch addresses from flash memory to identify breakpoint events. Configurable options include:

  • Up to 8 comparators in Cortex-M0/M0+, 16 in M3/M4/M7
  • Linked comparator modes for complex triggers
  • Address masking for range breakpoints
  • Comparator enable/disable control

Replacement Instruction Substitution

The FPB substitution logic inserts custom instructions in place of flash contents to alter program flow. Use cases include:

  • Inserting BKPT instruction to trigger debug handler
  • Skipping breakpoints based on conditions
  • Substituting patched code from RAM
  • 32-bit substitution instructions for Cortex-M3/M4/M7
  • 16-bit instructions for Cortex-M0/M0+

Flash Memory Remapping

The remap register dynamically swaps flash memory regions with locations in RAM. Key capabilities are:

  • Remap flash regions to modifiable RAM
  • Up to 8 remap registers in Cortex-M3/M4/M7
  • Single remapped region for Cortex-M0/M0+
  • Remapping flash blocks or pages to RAM
  • Flash addressing preserved in RAM space

Security Restrictions

Additional FPB capabilities to restrict unintended access include:

  • Disable external debug access
  • Require debugger authentication
  • Permanently disable FPB unit
  • Make FPB registers inaccessible
  • Protect FPB configuration with passkeys

FPB Configuration and Programming

The FPB unit is configured through a set of memory-mapped registers accessible from the Cortex-M system bus. Debuggers and software can program these registers to set up breakpoints and remapping.

FPB Register Overview

The main FPB registers include:

  • FP_CTRL – Control register to enable FPB operation
  • FP_REMAP – Remap register(s) to swap flash and RAM regions
  • FP_COMPx – Comparator registers to configure breakpoints
  • FP_REPLACE – Replacement instruction for breakpoints

There are up to 16 FP_COMP registers and 8 FP_REMAP registers depending on the Cortex-M variant. The FP_CTRL register enables FPB operation globally or selectively per feature.

Programming Breakpoint Registers

To program a breakpoint, the steps are:

  1. Write address to FP_COMPx register
  2. Configure address mask, linking in FP_COMPx
  3. Write replacement instruction to FP_REPLACE
  4. Enable comparator in FP_CTRL

Multiple breakpoints can be chained together using comparator linking modes. The replacement instruction is substituted when a breakpoint match occurs.

Programming Remap Registers

To remap a flash region, the process is:

  1. Write flash start/end addresses to FP_REMAPx
  2. Write RAM start/end addresses to FP_REMAPx
  3. Enable remap register in FP_CTRL

Any instruction fetches within the remapped flash range will be redirected to the mapped RAM range. Multiple remapped regions can be set up in the FP_REMAP registers.

Debugger Configuration

Debuggers and IDEs leverage the FPB interface to set breakpoints and patch flash. Common actions include:

  • Inserting breakpoints at source code lines
  • Monitoring memory accesses and variable values
  • Loading patched firmware into RAM
  • Remapping flash to RAM for test patches
  • Disabling external debug access

This enables advanced debugging use cases and live firmware updates without having to re-flash or re-run code.

FPB Unit Usage Examples

The FPB unit enables several key use cases by supporting breakpoints and flash patching in Cortex-M devices. Some examples include:

Debugging with Breakpoints

Software developers can leverage FPB breakpoints for debugging firmware:

  • Set breakpoints at specific source lines
  • Inspect call stacks and local variables
  • Step through firmware execution
  • Monitor memory accesses and changes
  • Analyze code execution paths

This provides granular visibility into program flow without impacting real-time behavior.

Live Firmware Patching

FPB remapping enables live patching of firmware by redirecting flash access to RAM:

  • Map flash region to modifiable RAM
  • Load patched firmware binary into RAM space
  • Execute patched code without reflashing device
  • Validate patch operation before committing to flash

This allows critical firmware fixes to be deployed rapidly without needing physical device access or interruptions.

Dynamic Instrumentation

The FPB substitution logic allows dynamic code instrumentation:

  • Insert tracing/profiling hooks at runtime
  • Collect detailed performance data non-intrusively
  • Minimal overhead vs software instrumentation
  • Enable/disable instrumentation dynamically

This enables fine-grained performance monitoring and tuning in production systems.

Flash Access Control

FPB security features can restrict flash access:

  • Disable external JTAG/SWD debug
  • Require debugger authentication
  • Permanently disable FPB interface
  • Protect firmware IP and encryption keys

This prevents unauthorized access and reverse-engineering of on-chip firmware.

Summary

The Cortex-M Flash Patch and Breakpoint unit provides invaluable capabilities for debugging, live patching and securing firmware. Key highlights include:

  • Setting code breakpoints to analyze program flow
  • Dynamically patching flash contents for live updates
  • Fast flash remapping to RAM without erase cycles
  • Debugging and instrumentation hooks at runtime
  • Securing flash memory from unauthorized access

The integration of FPB directly into Cortex-M processors enables use cases ranging from debugging on prototype hardware to instrumenting production firmware. Overall, the FPB unit is an essential feature for taking full advantage of Cortex-M capabilities.

Newsletter Form (#3)

More ARM insights right in your inbox

 

Share This Article
Previous Article Arm Cortex-M DAP bus and interconnect architecture Explained
Next Article What is Serial Wire Viewer (SWV) in Arm Cortex-M?
Leave a comment
- Sponsored-
Ad image