One-time Programmable Memory Controller (OTPC)

Overview

The OTPC (One-Time Programmable Controller) is an anti-fuse based embedded non-volatile memory, featuring high security and data immutability. Each memory cell has a default value of 1 and can only be irreversibly programmed to 0 one time.

OTP Layout

The OTP layout is shown in the figure below.

Note

Refer to the corresponding User Manual for the detailed layout of each OTP partition.

Physical zone

The size of the physical zone is 0x800 bytes. Its layout has been predefined by Realtek and includes the mapping zone, security zone, user-defined physical zone, ROM code patch zone, and hidden physical zone.

Caution

The physical zone only supports a one-time, irreversible write from 1 to 0. Please operate with caution.

Physical Zone Partition

Address

Description

Usage

Mapping Zone

(0x000-0x1FF, 512 bytes)

Mapped to the logical zone

Security Zone

(0x200-0x37F, 384 bytes)

Stores various keys and related configurations

Security Zone Usage

User-defined Physical Zone

(0x380-0x4FF, 384 bytes)

For user’s free use

User-defined Physical Zone Usage

ROM Code Patch Zone

(0x500-0x6FF, 512 bytes)

Used for applying patches to ROM code

ROM Code Patch Zone Usage

Hidden Physical Zone

(0x700-0x7FF, 256 bytes)

Used for functions like RMA

Hidden Physical Zone Usage

Logical Zone

The size of the logical zone is 0x400 bytes. The value of the logical zone can be modified multiple times. The logical zone is mapped from the mapping zone (0x000 ~ 0x1FF, 512 bytes) of the physical zone through a relationship defined by Realtek. The mapping relationship is shown in the figure below.

../../../_images/otp_mapping_logic.svg

Each block of data in the logical zone occupies one frame in the mapping zone. The hardware sequentially scans the content of each frame in the mapping zone and maps the data to the logical zone. When multiple frames map to the same address in the logical zone, the hardware uses the data from the last frame, which allows the logical zone to be modified multiple times.

Note

  • Refer to the corresponding User Manual for the detailed mapping relationship between the logical zone and the mapping zone.

  • Each modification to the value of the logical zone occupies one frame in the mapping zone. Therefore, when the mapping zone is full, the logical zone can no longer be modified.

The layout of the logical zone has been predefined by Realtek and includes the system data zone, user-defined MTP zone, calibration zone, etc.

Logical zone Partition

Address

Description

Usage

System data zone

(0x000-0x01F, 32 bytes)

Stores system data.

System data zone usage

Wi-Fi Calibration zone

(0x020-0x13F, 288 bytes)

Stores Wi-Fi calibration data.

Used by Realtek

HCI-USB

(0x150-0x15F, 16 bytes)

Stores configuration data related to USB devices.

Used by Realtek

Cap-Touch Calibration zone

(0x160-0x16F, 16 bytes)

Stores Cap-Touch calibration data.

Used by Realtek

User-defined MTP zone

(0x170-0x19F, 48 bytes)

For user’s free use.

User-defined MTP zone usage

BT parameters zone

(0x1B0-0x1FF, 80 bytes)

Stores BT parameters.

Used by Realtek

OTP API Reference

OTP APIs

API

Description

Operating Zone

OTP_Read8

Read a single byte from the OTP physical zone.

Physical Zone

OTP_Read32

Read 4 bytes from the OTP physical zone.

Physical Zone

OTP_Write8

Write a single byte to the OTP physical zone.

Physical Zone

OTP_LogicalMap_Read

Read the OTP logical map zone by length.

Logical Zone

OTP_LogicalMap_Write

Write to the OTP logical map zone address by length.

Logical Zone

otp_logical_remain

Get the remaining available length of OTP in the logical map zone.

Logical Zone

OTPSetCRC

Set the CRC check value for the secure zone.

Physical Zone

OTP_Read8

Item

Description

Function

Read a single byte from the OTP physical zone.

Parameters

  • Addr: The address of the OTP physical zone to be read.

  • Data: The OTP data read buffer (1 byte).

Return Value

Read operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

OTP_Read32

Item

Description

Function

Read 4 bytes from the OTP physical zone.

Parameters

  • Addr: The address of the OTP physical zone to be read.

  • Data: The OTP data read buffer (4 bytes).

Return Value

Read operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

OTP_Write8

Item

Description

Function

Write a single byte to the OTP physical zone.

Parameters

  • Addr: The address of the OTP physical zone to be written.

  • Data: The 1-byte data to be written.

Return Value

Write operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

OTP_LogicalMap_Read

Item

Description

Function

Read the OTP logical map zone by length.

Parameters

  • pbuf: The buffer used by the OTP logical map zone.

  • addr: The starting address of the OTP logical map zone to be read.

  • len: The byte length of the OTP logical map zone to be read.

Return Value

Read operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

OTP_LogicalMap_Write

Item

Description

Function

Write to the OTP logical map zone address by length.

Parameters

  • addr: The starting address of the OTP logical map zone to be written.

  • cnts: The byte length of the OTP logical map zone to be written

  • data: The data to be written.

Return Value

Write operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

otp_logical_remain

Item

Description

Function

Get the remaining available length of OTP in the logical map zone.

Parameters

None

Return Value

Remaining available length

OTPSetCRC

Item

Description

Function

Set the CRC check value for the secure zone.

Parameters

None

Return Value

Operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

OTP API Usage

Logical Zone

Program the value of logical address 0x02[1] to 1 by following steps:

  1. Read the original value of logical address 0x02 and check the function return value.

    u8 data_read;
int ret;
ret = OTP_LogicalMap_Read(&data_read, 2, 1);

  2. Assume the data read from logical address 0x02 in step 1 is 0xA0. Perform an OR operation between 0xA0 and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xA2.

  3. Write the new value 0xA2 to logical address 0x02 and check the function return value.

    u8 data_written = 0xA2;
int ret;
ret = OTP_LogicalMap_Write(2, 1, &data_written);

Note

If it’s the first time programming a specific byte when programming the system data zone, special handling is required for that byte. Refer to System Data Zone.

Physical Zone

Program the value of physical address 0x02[1] to 0 by following steps:

  1. Read the original value of physical address 0x02 and check the return value.

    u8 data_read;
int ret;
ret = OTP_Read8(0x2, &data_read);

  2. Assume the data read from physical address 0x02 in step 1 is 0xAF. Perform an AND operation between 0xAF and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xAD.

  3. Write the new value 0xAD to physical address 0x02 and check the return value.

    u8 data_written = 0xAD;
int ret;
ret = OTP_Write8(0x2, data_written);

OTP Serial Port Programming

Program the physical and logical zones of the OTP via the serial port.

Logical Zone

Use the following commands to perform read and write operations on the logical zone.

Operation

Command

Description

Read

AT+OTP=RMAP

Read the entire logical zone

Write

AT+OTP=WMAP,<address>,<length>,<data>

Write to a specified address in the logical zone

  • address: Starting logical address to write (hexadecimal)

  • length: Number of bytes to write (hexadecimal)

  • data: Data to be written (hexadecimal)

Note

The length of the data string must be even and should not include the 0x prefix.

To program the value of logical address 0x02[1] to 1, follow these steps:

  1. Read the logical map and check the original value at logical address 0x02.

AT+OTP=RMAP

EFUSE[000]: ff ff a0 ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

  1. Assume the data read from logical address 0x02 in step 1 is 0xA0. Perform an OR operation between 0xA0 and the target bit 0x02[1], keeping the rest of the data at default values. Therefore, the new value to be written is 0xA2.

  2. rite the new value 0xA2 to logical address 0x02.

AT+OTP=WMAP,0x2,0x1,A2
[ATCMD_OTP-I] efuse wmap write len:1, string len:2

  1. Read the data again to verify if the write operation was successful.

AT+OTP=RMAP

EFUSE[000]: ff ff a2 ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EFUSE[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

Note

If it’s the first time programming a specific byte when programming the system data zone, special handling is required for that byte. Refer to System Data Zone.

Physical Zone

Use the following commands to perform read and write operations on the physical zone.

Operation

Command

Description

Read

AT+OTP=RRAW

Read the entire physical zone

Write

AT+OTP=WRAW,<address>,<length>,<data>

Write to a specified address in the physical zone

  • address: Starting physical address to write (hexadecimal)

  • length: Number of bytes to write (hexadecimal)

  • data: Data to be written (hexadecimal)

Note

The length of the data string must be even and should not include the 0x prefix.

To program the value of physical address 0x02[1] to 0, follow these steps:

  1. Read the physical map to check the original value at physical address 0x02.

AT+OTP=RRAW

RawMap[000]: ff ff af ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

  1. Assume the data read from physical address 0x02 in step 1 is 0xAF. Perform an AND operation between 0xAF and the target bit 0x02[1], keeping the rest of the data at default values. The new value to be written is 0xAD.

  2. Write the new value 0xAD to physical address 0xAD.

AT+OTP=WRAW,0x2,0x1,AD
[ATCMD_OTP-I] efuse wraw write len:1, string len:2
wraw: 2 ad

  1. Read the data again to verify if the write operation was successful.

AT+OTP=RRAW

RawMap[000]: ff ff ad ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[010]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[020]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
RawMap[030]: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

Note

The RF calibration tool uses the command iwpriv to program the OTP, but it is not recommended for other tools to use this command for OTP programming.

Usage

Logical Zone

The logical zone is partitioned into zones such as system data, Wi-Fi calibration data, and User-defined MTP.

System Data Zone

The system data zone (0x000 ~ 0x01F, 32 bytes) is used to store system data that may be required at system boot. The system data is automatically loaded by hardware into the system registers and takes effect at system boot.

Note

Refer to the corresponding User Manual for the mapping relationship between the system data zone and the system registers.

For historical reasons, if a byte in the system data zone is programmed for the first time, the corresponding system register will retain its initial value of 0x00, rather than the 0xFF read from the logical zone. Therefore, special handling is required for the first-time programming of system data.

Note

When a byte in the system data zone has been programmed to a non-0xFF value and is then programmed back to 0xFF, the value of the corresponding system register will be 0xFF, not the initial value of 0x00. Therefore, it is not recommended to program a byte in the system data zone from a non-0xFF value to 0xFF.

The programming flow for system data is as follows:

../../../_images/programming_the_system_data.svg

Example

To program the value of logical address 0x02[1] to 1, follow these steps:

  1. Read the logical map to check the original value at logical address 0x02.

    AT+OTP=RMAP

    or

    u8 data_read;
OTP_LogicalMap_Read(&data_read, 2, 1);

  2. Determine the value to be written based on the read value.

    • If the data read from logical address 0x02 in step 1 is 0xA0, it indicates that this byte is not being programmed for the first time. Perform an OR operation between 0xA0 and the target bit 0x02[1], so the new value to be written is 0xA2.

      AT+OTP=WMAP,0x2,0x1,A2

      or

      u8 data_written = 0xA2;
OTP_LogicalMap_Write(2, 1, &data_written);

    • If the data read from logical address 0x02 in step 1 is 0xFF, it indicates that this byte is being programmed for the first time. Perform an OR operation between 0x00 and the target bit 0x02[1], so the new value to be written is 0x02.

      AT+OTP=WMAP,0x2,0x1,02

      or

      u8 data_written = 0x02;
OTP_LogicalMap_Write(2, 1, &data_written);

  3. Read the data again to verify if the write operation was successful.

    AT+OTP=RMAP

    or

    u8 data_read;
OTP_LogicalMap_Read(&data_read, 2, 1);
System Data Programming Scenarios

Generally, system data has its initial values, and the user modifies it as needed.

Offset

Bit

Symbol

Description

0x02

[0]

FLASH_DEEPSLEEP_EN

Enable Flash deep sleep mode when the system enters sleep mode.

0: Disable

1: Enable

0x02

[1]

SPIC_ADDR_4BYTE_EN

Enable SPI Flash controller 4-byte address mode.

0: Disable

1: Enable

0x02

[2]

SPIC_BOOT_SPEEDUP_DIS

Disable SPIC initialization speedup at boot time.

0: Speed up

1: Do not speed up

0x02

[3]

BOOT_FLASH_CLOCK_SEL

Select Flash clock at boot time.

0: 20MHz

1: 10MHz

0x02

[4]

BOOT_INT_FLASH

Select to boot from external or internal Flash.

0: Internal Flash

1: External Flash

0x02

[5]

BOOT_CNT_LMT_EN

Enable soft boot count limit.

0: Disable

1: Enable

0x03

[0]

DIS_BOOT_LOG_EN

Disable the boot log.

0: Enable

1: Disable

0x03

[1]

LOW_BAUD_LOG_EN

Select Loguart baud rate.

0: 1.5Mbps

1: 115200bps

0x03

[2]

LOGIC_SECURE_BOOT_EN

Enable Secure Boot .

0: Disable

1: Enable

0x03

[3]

LOGIC_RSIP_EN

Enable Secure Firmware Protection (RSIP) .

0: Disable

1: Enable

0x03

[4]

LOGIC_RDP_EN

Enable Read Protection (RDP) .

0: Disable

1: Enable

0x03

[5]

BOOT_RAND_DELAY_EN

Enable random delay at boot time.

0: Disable

1: Enable

0x03

[6]

USB_CLK_CAL_EN

Enable SoC clock calibration for USB.

0: Disable

1: Enable

0x03

[7]

USB_DOWNLOAD_EN

Enable USB download function.

0: Disable

1: Enable

User-defined MTP Zone

The User-defined MTP zone (0x170 ~ 0x19F, 48 bytes) can be freely used by the user.

Realtek provides dedicated APIs for this zone for user access.

API

Description

efuse_get_remaining_length

Get the remaining available length of the mapped area.

efuse_mtp_read

Read all data from the User-defined MTP area.

efuse_mtp_write

Write data to the User-defined MTP area.

efuse_get_remaining_length

Item

Description

Function

Get the remaining available length of the mapped area.

Parameters

None

Return Value

Remaining available length.

efuse_mtp_read

Item

Description

Function

Read all data from the User-defined MTP area.

Parameters

  • data: Pointer to the buffer for the data to be read.

Return Value

Read operation result.

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

efuse_mtp_write

Item

Description

Function

Write data to the User-defined MTP area.

Parameters

  • offset: The offset address of the area to be written (base address is the User-defined MTP area start address, 0x170).

  • len: Length of the data to be written.

  • data: Pointer to the data buffer to be written.

Return Value

Write operation result.

  • RTK_SUCCESS: Success

  • RTK_FAIL: Fail

API Usage

To program the value of logical address 0x172[1] (offset address 0x2) to 1, follow these steps:

  1. Read the value from the User-defined MTP area and check the return value.

    u8 data_read[48];
int ret;
ret = efuse_mtp_read(data_read);

  2. Assume the data read from logical address 0x172 (offset address 0x2) in step 1 is 0xA0. Perform a bitwise OR operation between 0xA0 and the value for the target bit 0x172[1], keeping the other bits at their default values. Thus, the new value to be written is 0xA2.

  3. Write the new value 0xA2 to the offset address 0x2 and check the function’s return value.

    u8 data_written = 0xA2;
int ret;
ret = efuse_mtp_write(0x2, 0x1, &data_written);

Physical Zone

The physical zone is partitioned into the mapping zone, security zone, User-defined physical zone, ROM code patch zone, and hidden physical zone.

Security Zone

The security zone is divided into the following two parts:

  • Key area: 0x200~0x35F, 352 bytes. This area stores various types of keys and is automatically loaded into internal memory space at system boot.

  • Configuration area: 0x360~0x37F, 32 bytes. This area controls access permissions for the key area and other areas.

../../../_images/security_area_layout.svg
key Area

The key area includes the following content:

Function

Name

Offset Addr

Usage

IPSEC

S_IPSEC_Key1 (RDP)

0x200~0x21F

Hardware Crypto Engine

S_IPSEC_Key2

(Secure boot HMAC)

0x220~0x23F

NS_IPSEC_Key1

0x240~0x25F

NS_IPSEC_Key2

0x260~0x27F

USER PRI

USER_PRI_KEY1

0x280~0x29F

User private key area, free to use

USER_PRI_KEY2

0x2A0~0x2BF

RSIP

RSIP_KEY1

0x2C0~0x2DF

RSIP

RSIP_KEY2

0x2E0~0x2FF

SWD

SWD_PASSWORD

0x300~0x30F

SWD Protection

PSA

HUK

0x310~0x31F

HUK Derivation

Secure Boot

PK1 (ROTPK hash)

0x320~0x33F

Secure Boot

PK2 (ROTPK hash)

0x340~0x35F
Configuration Area

The content of the configuration area is shown in the table below. Refer to the detailed descriptions in the corresponding chapters for the specific usage of each field in this area.

Offset Addr

Bit

Symbol

Description

Usage

0x360

[31:0]

SWD_ID

Device’s SWD ID

SWD Protection

0x364

[0]

SWD_PWD_EN

Enable SWD password

[1]

SWD_DBGEN

SWD external debug authentication

[2]

SWD_NIDEN

[3]

SWD_SPIDEN

[4]

SWD_SPNIDEN

[5]

SWD_PWD_R_Protection_EN

Key read and write protection enable

[6]

SWD_PWD_W_Forbidden_EN

[7]

HUK_W_Forbidden_EN

HUK Derivation

0x365

[0]

RSVD

[1]

PK1_W_Forbidden_EN

Secure Boot

[2]

PK2_W_Forbidden_EN

[3]

S_IPSEC_Key1_R_Protection_EN

Symmetric Hardware Crypto Engine

[4]

S_IPSEC_Key1_W_Forbidden_EN

[5]

S_IPSEC_Key2_R_Protection_EN

[6]

S_IPSEC_Key2_W_Forbidden_EN

[7]

NS_IPSEC_Key1_R_Protection_EN

0x366

[0]

NS_IPSEC_Key1_W_Forbidden_EN

[1]

NS_IPSEC_Key2_R_Protection_EN

[2]

NS_IPSEC_Key2_W_Forbidden_EN

[3]

USER_PRI_KEY1_R_Protection_EN

Read/write protection for user key area

[4]

USER_PRI_KEY1_W_Forbidden_EN

[5]

USER_PRI_KEY2_R_Protection_EN

[6]

USER_PRI_KEY2_W_Forbidden_EN

[7]

RSIP_KEY1_R_Protection_EN

RSIP

0x367

[0]

RSIP_KEY1_W_Forbidden_EN

[1]

RSIP_KEY2_R_Protection_EN

[2]

RSIP_KEY2_W_Forbidden_EN

[3]

RSIP_MODE_W_Forbidden_EN

[4]

SIC_SECURE_EN

Enable/disable SIC function

1: Enable

0: Disable

-

[5]

CPU_PC_DBG_EN

Enable/disable allowing debug port to get CPU PC value

1: Enable

0: Disable

-

[6]

UDF1_TRUSTZONE_EN

User-defined 1 area (0x380~0x3BF) security protection

0: Enable

1: Disable

-

[7]

UDF2_TRUSTZONE_EN

User-defined 2 area (0x3C0~0x3FF) security protection

0: Enable

1: Disable

-

0x368

[0]

UART_DOWNLOAD_DISABLE

Enable/disable entering UART download mode via Trap pin

0: Disable

1: Enable

-

[1]

RSVD

-

-

[2]

RSIP_EN

Enable/disable RSIP function

RSIP

[3]

SECURE_BOOT_EN

Enable/disable Secure Boot function

Secure Boot

[4]

SECURE_BOOT_HW_DIS

[5]

RDP_EN

Enable/disable RDP function

Read Protection (RDP)

[6]

ANTI_ROLLBACK_EN

OTA Firmware Upgrade

[7]

FAULT_LOG_PRINT_DIS

Enable/disable hard fault log in ROM

0: Disable

1: Enable

-

0x369

[1:0]

RSIP_MODE

RSIP mode

RSIP

[2]

HUK_DERIV_EN

Enable/disable HUK derivation

HUK Derivation

[3]

USER_PHYSICAL_TZ1_EN

User-defined physical 1 area security protection

0: Enable

1: Disable

-

[4]

USER_PHYSICAL_TZ2_EN

User-defined physical 2 area security protection

0: Enable

1: Disable

-

[5]

SW_RSVD0

-

-

[6]

SWTRIG_UART_DOWNLOAD_DISABLE

Enable/disable entering UART download mode via software trigger

0: Disable

1: Enable

-

[7]

SPIC_PINMUX_IN_TESTMODE_DISABLE

For Realtek use only

-

0x36A

[7:0]

RSVD

-

-

0x36B

[3:0]

SECURE_BOOT_AUTH_LOG

Secure Boot authentication algorithm

Secure Boot

[7:4]

SECURE_BOOT_HASH_LOG

Secure Boot hash algorithm

0x36C

[15:0]

OTA_ADDR

OTA address, 4K aligned

OTA Firmware Upgrade

0x36E

[15:0]

BOOTLOADER_VERSION

Bootloader version

0x370

[31:0]

CRC0

CRC check

CRC

0x374

[31:0]

CRC1

0x378

[31:0]

CRC2

0x37C

[31:0]

CRC3

Note

If RSIP_MODE_W_Forbidden_EN is programmed, then 0x369[7:0] cannot be programmed

Security Zone CRC Check

CRC is used to defend against injection attacks. Protection is achieved by comparing a valid CRC entry programmed into the OTP with the CRC value calculated by the hardware for the security zone, ensuring that the security zone has not been attacked.

CRC Entry Usage Rules

  • There are 4 CRC entries in total in the OTP, each including 2 bytes of magic number and 2 bytes of valid CRC value. Only one entry can be used at a time, and they must be used in sequence. The current security zone CRC value can be obtained through hardware without software calculation. When enabling a new entry, program all previously used entries to 0x00 to invalidate them. These operations are integrated into the OTPSetCRC() function, which users only need to call.

  • The CRC calculation range is the security zone part (0x200~0x36B).

  • Ensure the security zone programming is completed before programming the CRC entry. Any modification to the calculation range in the security zone will change the CRC value, requiring reprogramming of a new CRC entry.

  • Once CRC checking is enabled, it cannot be disabled. If the magic number or valid CRC check fails, the ROM will enter an infinite loop.

Example

  1. Ensure the security zone has been modified.

  2. Write the CRC value and determine if the write was successful based on the return value and printed information.

    int ret;
ret = OTPSetCRC();

  3. Restart the chip.

    • If the CRC entry check passes, the boot process will proceed successfully.

    • If the CRC entry check fails, the chip will enter an infinite loop in ROM and fail to boot normally.

Caution

  • It is recommended that users enable this function only when there is a need to defend against injection attacks. Otherwise, once this function is enabled, if the security zone CRC value does not match the value written to the CRC entry, the chip will be permanently unable to boot.

  • If the CRC entry has already been programmed and the user needs to modify the security zone again, the new CRC value must be written before rebooting. Otherwise, the chip will be permanently unable to boot.

User-defined Physical Zone

There are 4 blocks in the user-defined zone, which can be used freely by the user.

Name

Zone

Usage Method

User_defined1

0x380-0x3BF

  • Free for user use. Can also be used for security requirements; this zone becomes a security zone when 0x367[6] is programmed to 0.

  • This zone will be inaccessible in RMA mode.

User_defined2

0x3C0-0x3FF

  • Free for user use. Can also be used for security requirements; this zone becomes a security zone when 0x367[7] is programmed to 0.

  • This zone will be inaccessible in RMA mode.

User_physical1

0x400-0x480

  • Free for user use. Can also be used for security requirements; this zone becomes a security zone when 0x369[3] is programmed to 0.

  • This zone will be inaccessible in RMA mode.

User_physical2

0x480-0x4FF

  • Free for user use. Can also be used for security requirements; this zone becomes a security zone when 0x369[4] is programmed to 0.

  • This zone will be inaccessible in RMA mode.

Realtek provides dedicated APIs for this zone for user access.

API

Description

efuse_otp_read

Read data from User-defined physical zone

efuse_otp_write

Write data to User-defined physical zone

efuse_otp_read

Item

Description

Function

Read data from User-defined physical zone

Parameters

  • offset: Offset address of target area (base address: 0x380)

  • len: Data length to read

  • buf: Pointer to data buffer

Return Value

Read operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Failure

efuse_otp_write

Item

Description

Function

Write data to User-defined physical zone

Parameters

  • offset: Offset address of target area (base address: 0x380 for User-defined physical zone)

  • len: Data length to write

  • buf: Pointer to data buffer

Return Value

Write operation result

  • RTK_SUCCESS: Success

  • RTK_FAIL: Failure

API Usage

To program physical address 0x382[1] (offset address: 0x2) to 0, follow these steps:

  1. Read value and check return value.

    u8 data_read;
int ret;
ret = efuse_otp_read(0x2, 0x1, &data_read);

  2. Assume the read data from step 1 is 0xAF. Perform AND operation on 0xAF with target bit 0x382[1] value while keeping other bits default. The new value becomes 0xAD.

  3. Write new value 0xAD to physical address 0x02 and check return value.

    u8 data_written = 0xAD;
int ret;
ret = efuse_otp_write(0x2, 0x1, &data_written);

ROM Code Patch Zone

The ROM code patch zone (0x500 ~ 0x6FF, 512 bytes) is used for adding patches to the ROM within certain limits.

Note

  • If the ROM code patch feature is enabled, after write protection is enabled for the corresponding zone, it has the same level of security as a mask ROM.

  • At the time of chip manufacturing, if the ROM code patch feature is not enabled, ROM_PATCH_EN will be programmed to 0, permanently disabling this feature.

  • Realtek does not currently use this zone. It can be used as a user-defined zone. Please consult Realtek for the methods and precautions for using this zone.

This zone is divided into multiple parts, and each part has an independent control bit.

Offset Addr

Bit

Symbol

Description

0x701

[1:0]

ROM_PATCH_EN

Enable ROM code patch function

1/2: Enable

0/3: Disable

[2]

ROM_PATCH_LWE1

Enable write protection for ROM code patch area (0x500 ~ 0x51F, 32 bytes)

0: Enable

1: Disable

[3]

ROM_PATCH_LWE2

Enable write protection for ROM code patch area (0x520 ~ 0x53F, 32 bytes)

0: Enable

1: Disable

[4]

ROM_PATCH_LWE3

Enable write protection for ROM code patch area (0x540 ~ 0x55F, 32 bytes)

0: Enable

1: Disable

[5]

ROM_PATCH_LWE4

Enable write protection for ROM code patch area (0x560 ~ 0x57F, 32 bytes)

0: Enable

1: Disable

[6]

ROM_PATCH_LWE5

Enable write protection for ROM code patch area (0x580 ~ 0x5FF, 128 bytes)

0: Enable

1: Disable

[7]

ROM_PATCH_HWE

Enable write protection for ROM code patch area (0x600 ~ 0x6FF, 256 bytes)

0: Enable

1: Disable

Hidden Physical Zone

The hidden physical zone (0x700 ~ 0x7FF, 128 bytes) stores some RMA keys and Realtek calibration data. User is only allowed to program the RMA-related areas.

The specific content and usage of the hidden physical zone are shown in the table below:

Offset Address

Bits

Symbol

Description

Usage Instructions

0x700

[7:0]

RMA (Life State)

Enable/disable RMA mode.

RMA 模式

0x701

[1:0]

ROM_PATCH_EN

-

ROM code patch zone

[2]

ROM_PATCH_LWE1

[3]

ROM_PATCH_LWE2

[4]

ROM_PATCH_LWE3

[5]

ROM_PATCH_LWE4

[6]

ROM_PATCH_LWE5

[7]

ROM_PATCH_HWE

0x702

[0]

RMA_SWD_PWD_R_Protection_EN

Key read protection and write protection

To add read/write protection to keys in RMA mode, write the corresponding bit to 0.

[1]

RMA_SWD_PWD_W_Forbidden_EN

[2]

RMA_PK_W_Forbidden_EN

[7:3]

RSVD

-

-

0x704

[63:0]

ADC calibration

Defined by Realtek

Used by Realtek

0x710

[127:0]

RMA SWD Key

SWD key in RMA mode

Program this zone to encrypt SWD in RMA mode.

0x720

[255:0]

RMA SBOOT KEY HASH

SBOOT key hash in RMA mode

Program this zone to enable secure boot in RMA mode.
RMA Status

RMA Mode is used for customer chip return and repair. Users need to program the chip into RMA mode and provide the key (if key is enabled) to enable Realtek debugging operations.

In RMA mode, security zones and some user-defined physical zones will become inaccessible.