The use of PROM-type memories, either EPROM (erasable, programmable read-only memory) or EEPROM (electrically-erasable, programmable read-only memory), in both single-chip and board-level computers and controllers is rapidly increasing. In such a context, a PROM may store, for instance, an odometer reading in the case of an automotive controller or an account balance in the case of a "smart" banking card. Such parameters must be subject to occasional alteration, but must also remain valid during periods of power-down and be protected from inadvertent alteration.
In a microcomputer such as the 68HC11, available from Motorola Microprocessor Products Group of Austin, Tex., all of the mechanisms necessary for programming the onboard EEPROM are integrated with the microcomputer. Most importantly, this includes the charge pump or other device necessary to generate the higher programming voltages required for EEPROMs. Thus, the EEPROM in such a microcomputer is readable and writable just as if it were random access memory (RAM), except, perhaps, for longer programming times.
In such a microcomputer, or other device in which no external control or input is required in order to program a PROM, inadvertent writes to the PROM are a major source of concern. Two basic approaches have been used to protect against such inadvertent changes. In presently-available versions of the above-mentioned 68HC11, several bits of a control register must be properly set to enable programming of the on-board EEPROM. The other basic approach recognizes that most inadvertent writes to PROM occur while power to the system is undergoing a transition, such as on-to-off or off-to-on.
The former write protection approach operates on the principle that if the programming process is made more complex, it is more likely that any time the process is properly executed it is the result of an intentional attempt to program the PROM. However, since the sequence of instructions for programming the PROM must reside somewhere in program memory, and since there are times during power transitions when the system may be "wildly" executing instructions, there is some probability that the programming sequence will be hit and the contents of the PROM inadvertently altered.
The latter approach solves the problem by detecting transitions in the power supply to the system and disabling the mechanism by which the PROM is programmed. U.S. Pat. Nos. 4,612,632 and 4,644,494 illustrate this method of write protecting a PROM. This solution is unattractive in the case of a single-chip microcomputer, and in some other cases, due to the requirement of a voltage level detection circuit. Such circuits are difficult to fabricate reliably and repeatably on the same chip as a microcomputer. Processing variations cause differences from chip-to-chip in the precise set-point of the voltage sensor, thus making the write protection unreliable.
U.S. Pat. No. 4,638,457 discloses a method of increasing the reliability of data stored in a PROM, but protects only against incomplete writes, not against inadvertent, but complete, writes.
U.S. Pat. No. 4,580,246, commonly assigned with the present invention, discloses a method of write protection for control registers. Writes to the control registers are allowed only once, and only within a short, predetermined time after the system is reset. After that period, no writes are allowed until the system is reset again. Obviously, this is reliable protection for certain types of control and configuration information, but cannot be used for PROM containing relatively large blocks of data, such as engine control parameters in an automotive controller, which would require more than the allowed period of time to re-program.
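The write-once, time-limited scheme described above for U.S. Pat. No. 4,580,246 can be modeled in C to show both why it stops stray writes and why it cannot cover a block of PROM data. This is an added illustration, not code from any of the cited patents or from the 68HC11; the type and function names, the 64-cycle window and the 10000-cycle byte programming time are assumptions chosen for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration. All names and numbers are assumptions made for this
 * model; none come from the cited patents or from the 68HC11. */
#define WINDOW_CYCLES    64u     /* constructed: cycles after reset in which a write is accepted */
#define PROG_CYCLES_BYTE 10000u  /* constructed: cycles needed to program one EEPROM byte */

typedef struct {
    uint32_t cycles;  /* cycles elapsed since the last reset */
    bool     used;    /* the one permitted write has been consumed */
    uint8_t  value;   /* register contents */
} timed_reg;

/* Reset reopens the window and restores the default value. */
void reg_reset(timed_reg *r) { r->cycles = 0; r->used = false; r->value = 0; }

/* Advance the model clock by n cycles. */
void reg_tick(timed_reg *r, uint32_t n) { r->cycles += n; }

/* Write-once, time-limited register: returns true only if the write landed. */
bool reg_write(timed_reg *r, uint8_t v) {
    if (r->used || r->cycles >= WINDOW_CYCLES)
        return false;             /* late or repeated write is ignored */
    r->value = v;
    r->used = true;
    return true;
}

/* Apply only the time gate to a block of EEPROM data: a byte may start
 * programming only while the window is open. Returns bytes programmed. */
size_t program_block(uint8_t *eeprom, const uint8_t *src, size_t len) {
    uint32_t cycles = 0;          /* clock starts at reset */
    size_t done = 0;
    for (; done < len && cycles < WINDOW_CYCLES; done++, cycles += PROG_CYCLES_BYTE)
        eeprom[done] = src[done];
    return done;
}

int main(void) {
    timed_reg r;
    uint8_t ee[4] = {0}, src[4] = {1, 2, 3, 4};  /* constructed sample data */
    reg_reset(&r);
    int early = reg_write(&r, 0x5A);             /* inside the window: accepted */
    reg_tick(&r, WINDOW_CYCLES);
    printf("early=%d late=%d block=%zu/4\n", early, reg_write(&r, 0xFF), program_block(ee, src, 4));
    return 0;
}
```

With these constructed timings, the window closes after the first byte of the block has started programming, which is the limitation the paragraph above attributes to this method.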