This document details all known silicon errata for MPC8548E PowerQUICC III devices.

Table 1. Revision history

Revision Date Substantive changes

6 6/2012 • Renamed DUART 1 to A-004737 and CPU-A005 to A-001428.

• Added CPU erratum A-005125.

• In Table 2, updated the PVR value for 3.1.x from 0x8021_0023 to 0x8021_0022.

5 1/2012 • Added Rev 3.1.x silicon information

• Added CPU erratum A-003477

• Removed eTSEC 102, fixed in Rev 2.0 silicon

eTSEC 105, eTSEC 106, eTSEC 107, eTSEC-A001, eTSEC-A004, PCI-Ex 35,

PCI-Ex 37, PCI-Ex 38, PCI-Ex 39, PCI-Ex 42, PCIe-A001, SRIO-A002, GEN 11,

GEN13, I2C 2, DMA 1, and DMA 2

• In Table 2, Corrected SVR values for 'without security.' The leading digit was

• Modified CPU 4 workaround

• In Table 3, corrected silicon revisions impacted for JTAG 2

• Modified eTSEC 93 description

4 4/2011 • Added eTSEC-A005

• Modified impact for CPU 3 and SEC-A001

Table 1. Revision history (continued)

Revision Date Substantive changes

3 10/2010 • Added CPU-A001, CPU-A005, eTSEC 106, eTSEC 107, eTSEC-A001, eTSEC-

A002, eTSEC-A004, PCI-Ex 42, PCIe-A001, SEC-A001, SRIO-A002, SRIO-A004,

I2C 2 and I2C 3.

• Added OMnDATR note to Description on SRIO42.

• Removed PCI-Ex 40 due to duplicate entry.

• Updated disposition for eTSEC 104, SEC 5, SEC 6.

• Updated workaround for eTSEC 79.

• In Table 3, removed Rev. 1.1, 1.1.1, and 1.1.2 columns.

2 02/2009 • Changed DDR 20 by adding note explaining location of debug registers used in

work around.

• Added SRIO 41.

• Added SerDes 1.

• Added eTSEC 105.

• Modified disposition for eTSEC 39.

• Modified workaround for eTSEC 79.

• Removed eTSEC 103.

• Added SRIO 42.

• Updated information in Table 2, “Revision Level to Part Marking Cross-

Revision e500v2

Register Value

2.0.1 2.0 0x8021_0020 With security 0x8039_0020

2.1.1 2.2 0x8021_0022 With security 0x8039_0021

2.1.2 2.2 0x8021_0022 With security 0x8039_0021

revision level to which it applies. A ‘Yes’ entry indicates the erratum applies to a particular revision level, while a

'No' entry means it does not apply.

Errata Name Projected

Silicon Rev.

2.0 2.1.x 3.1.x

CPU 2 A core hang possible while executing a msync or mbar 0

instruction and a snoopable transaction from an I/O master

tagged to make quick forward progress is present.

Fixed in Rev 2.1 Yes No No

CPU 6 Incorrect Value May be Loaded Into SRR0 on ITLB Miss

When Executing icbtls

No plans to fix Yes Yes Yes

Enabling IEEE 754 exceptions can cause errors Fixed in Rev 3.1.x Yes Yes No

No plans to fix Yes Yes Yes

e500 core initiates a guarded load to PCI/PCIe/sRIO while

the PCI/PCIe/sRIO performs a coherent write to memory.

No plans to fix Yes Yes Yes

during reset

for some Tx FCB offsets

Fixed in Rev 2.1 Yes No No

truncated frames

No plans to fix Yes Yes Yes

lost data, loss of BD synchronization, or false underrun

Fixed in Rev 2.1 Yes No No

Parity Error (DPE)

Fixed in Rev 2.1 Yes No No

Partial fix in Rev

control enabled

Fixed in Rev 3.1.x Yes Yes No

Fixed in Rev 3.1.x Yes Yes No

Fixed in Rev 2.1 Yes No No

tagged frames

Fixed in Rev 3.1.x Yes Yes No

FIFO mode

Fixed in Rev 3.1.x Yes Yes No

Partially fixed in

and false BD close

Fixed in Rev 3.1.x Yes Yes No

if multiple Tx

queues enabled.

eTSEC 101 Magic Packet Sequence Embedded in Partial Sequence

Not Recognized

Partially fixed in

Rev 3.1.x

eTSEC 104 Rx may hang if RxFIFO overflows Fixed in Rev 3.1.x Yes Yes No

GEN 10 Device may fail DDR pins during IEEE Std 1149.1™

EXTEST mode

No plans to fix Yes Yes Yes

GEN 11 Some pins do not meet 500V CDM ESD criteria Fixed in Rev 3.1.x Yes Yes No

GEN 13 CPU write to platform failures in all core, platform, and

SYSCLK frequency combinations

Fixed in Rev 3.1.x Yes Yes No

GEN 14 CPU-only reset may result in a failure in the platform logic No plans to fix Yes Yes Yes

SERDES 1 SerDes lane power down function may cause training to fail. No plans to fix Yes Yes Yes

PIC 4 PIC soft reset not clearing MSIRn registers correctly No plans to fix Yes Yes Yes

PIC 5 MSIMR De-featured Documentation

PIC 6 MER, Interrupt will not be forwarded to destination No plans to fix Yes Yes Yes

PIC 7 PCI Express MSI other than interrupt 0 not supported via

No plans to fix Yes Yes Yes

PM 1 Some local bus events are not counted correctly in the

performance monitor

No plans to fix Yes Yes Yes

Errata Name Projected

Silicon Rev.

2.0 2.1.x 3.1.x

devices communicate

Fixed in Rev 3.1.x Yes Yes No

I2C 3 I2C boot sequencer cannot issue snoopable writes Fixed on Rev 2.1 Yes No No

DMA 1 DMA_DACK bus timing violation when operating in external

DMA master mode

Partially fixed in

Rev 3.1.x

DMA 2 Transfer error reported for wrong channel Fixed in Rev 3.1.x Yes Yes No

No plans to fix Yes Yes Yes

PCI 7 Asynchronous mode PCI1 and PCI2 input hold violation Fixed in Rev 2.1 Yes No No

PCI 9 Master-Abort issued incorrectly for outbound DAC with

subtractive decode

No plans to fix Yes Yes Yes

JTAG 2 TMS requires hold time beyond the fall of TCK Fixed in Rev 2.1 Yes No No

CPU 2: A core hang possible while executing a msync or mbar 0 instruction and a

Note that peer-to-peer type traffic across the OCN complex continues without lockup.

prevents this type of lockup. This disables the state machine inside of the Coherency Module

that elevates these transactions from I/O masters to highest priority. The result is that all

transactions that the core initiates are always permitted to compete on an equal basis on the

Core Connect Bus (CCB) so that the core will not hang.

A-003477: Phantom branches in the BTB may not be correctly invalidated

uses the same effective address for another nonbranch instruction for which the BTB has an

entry for a previously encountered branch. This causes the fetch unit to redirect instruction

execution of the instruction, the hardware realizes the error and is supposed to evict the BTB

share the same effective address space.

• Continue to use the BTB as it currently operates.

• Invalidate the BTB (BUCSR [BBFI] =1) at the appropriate points to ensure a phantom

A-005125: In a very rare condition, a system hang is possible when the e500 core

is possible for the CCB bus arbiter to enter into an invalid state and hang the system. A very

eTSEC 29: Frame is dropped with collision and HALFDUP[Excess Defer] = 0

HALFDUP[Excess Defer] = 0. This erratum affects 10/100 Half Duplex modes only.

BD as if the frame is transmitted successfully. This results in the frame being dropped

transmit frames regardless of the length of time the transmitter defers to carrier.

eTSEC 34: Transmit frames aborted under 16-bit FIFO GMII-style mode

(platform) clock to Tx clock ratio is less than 4.2:1, transmit packets may be lost due to

clock is 125 MHz. Also the minimum Inter Packet Gap (IPG) between packets at this ratio is 8

cycles. The logic in the transmit synchronizer needs the extra timing margin to recover

transmit path only. The receive path will operate with the CCB clock: Tx clock ratios as low as

at 533 MHz and a maximum transmit clock frequency of 155 MHz with platform clock at 667

MHz in Rev 2.0 silicon.

recommended. The FIFO Encoded mode will not abort packets if underrun occurs; instead, it

will assert idle bytes during the data stream.

eTSEC 36: TX_EN of eTSEC1 and eTSEC2 may be driven randomly during reset

being driven LOW while eTSEC3 & eTSEC4 tri-state this pin during the whole period where

TX_EN, software can reset the external devices after resetting the MPC8548E. This is required

All TX_EN pins will be tri-stated during HRESET. assertion.

eTSEC 37: eTSEC Parser does not properly parse L3 fields

properly parsed and filed into receive queues.

eTSEC 38: WWR bit Anomaly

RXB, RXF until the system acknowledges that the buffer descriptor write data is actually in

when there are multiple outstanding BD updates, particularly in high latency memory

scenarios, where an IEVENT can be lost when using DMACTRL[WWR] = 1.

updated in memory), or the IEVENT could be incorrect. In the case of it being incorrect, the

BD second or third in the list.

interrupt has been completed in memory. This may or may not have any impact on the system

depending on how packets are processed.

possible that the CPU completes a read of the BD before the BD is closed by the eTSEC so

that the BD's Empty bit is still set. In this case, software can either exit the packet processing

routine and service the packet upon receiving the next interrupt, or it can schedule another

interrupt to process the packet later.

Use of Rx interrupt coalescing of even a few packets reduce the chance of the CPU reading a

BD whose update is still in flight to virtually zero, though it is still possible if multiple receive

rings are in use.

eTSEC 39: Parsing of tunneled IP packets not supported

This applies to both IPv4 and IPv6.

A tunneled IP packet is an IP/TCP or IP/UDP packet and one of the following:

checksum error.

Malformed tunneled packets may be received without a parser error.

each packet header to see if it is a tunneled IP packet. If the packet is a tunneled IP packet,

software should ignore any parser or checksum error.

Revision 2.1.x will continue to not support parsing of tunneled IP packets. However, false

checksum and parser errors on tunneled IP packets will not occur. The inner header of those

packets will not be parsed. The FCB will contain the correct parser information for the outer

header and the next header field will correctly indicate the tunneled type. If tunneled packets

eTSEC 40: Magic packet does not wake device from a SLEEP state

packet is received on an eTSEC which is configured to come out of a low-power state (DOZE,

in turn gets the chip out of the low power state. Current versions of the device perform the

correct action for DOZE and NAP, but not for SLEEP.

eTSEC 44: FIFO8, FIFO16 TX hang

eTSEC 51: Missing basic integrity check for parsing Tunneled IP packets

verify packet header integrity on fields that are defined to contain certain values.

Two basic integrity checks involve the following:

• Ensuring that the version field of the IP header is a 4 or a 6, and corresponds to the

basic checking on receive packets to see if they are tunneled IP packets. If so, the software

should perform these checks.

eTSEC 52: Error in arbitrary extraction offset

extracted in some cases and some byte offsets cannot be extracted. The problem only applies

• With no VLAN/MPLS/SNAP/PPOE tag: Packet bytes 20-21 cannot be extracted.

• BxFFSET=0-7 extract preamble bytes 0-7.

• BxFFSET=8-27 extract bytes 0-19 of packet. Byte 0 is the first byte of the DA.

• Beginning at offset 34, the pattern is criss-crossed within a 4-byte granularity and is

eTSEC 55: Transmit jumbo frames greater than 2400 bytes may cause lost data, loss of

9600 bytes, the Tx FIFO may overflow. When the TxFIFO overflows, one of several error

conditions may occur. The scenarios below are representative, and may occur singly or in

eTSEC 56: Parser results may be lost if TCP/UDP checksum checking is enabled

memory the same cycle that parsing of the packet completes, all the fields of the RxFCB

ETU, PERR, PRO, VLCTL bits of the RxFCB are set to all zeroes.

Option 2: Disable VLAN extraction by setting RCTRL[VLEX] and check the contents of the

RxFCB. If the contents are zero, replicate the parser algorithm in software to determine the

eTSEC 57: RQUEUE[EXn] bits have no effect

cache) function. The EXn bits have no effect in the eTSEC IP, so stashing is completely

data is fetched from main memory.

eTSEC 58: Parsing of MPLS label stack or non-IPv4/IPv6 label not supported

other than IPv4 or IPv6. The RxFCB is written as 0x0000_00ff_0000_0000 (no layer 3 header

eTSEC 59: Arbitrary extraction on short frames uses data from previous frame

arbitrary extraction (RBIFX), it should set the corresponding byte of the ARB property sent to

when they should be rejected.

frames shorter than the location of any arbitrary extraction byte offset. Software must handle

short frames which may be filed in the wrong queue

eTSEC 60: Some combinations of Tx packets may trigger a false Data Parity Error

When the data is unloaded from the FIFO to be transmitted, if parity detection is enabled

(EDIS[DPEDIS] = 0), a false parity error is flagged (IEVENT[DPE]).

eTSEC 61: eTSEC Data Parity Error (DPE) does not abort transmit frames

types: soft errors and hard errors. Soft errors can be caused by a RAM bit cell temporarily

next write. Hard errors can be caused by a RAM bit cell no longer reliably holding a 0 and/or 1

written to it.

In either case, the parity error indicates that either at least one bit in a 16-bit word of the frame

error indication.

to indicate there was an error. However, due to this erratum a parity error will not cause the

eTSEC to assert this signal.

designed to signal a packet was sent with errors. Therefore, this erratum does not apply when

operating in this mode.

In 16-bit encoded packet FIFO mode TXC[2:0] = 011 indicates a packet was sent with an error,

where TXC[2:0] = {TX_ENn+1, TX_ERn, TX_ENn}. However, due to this erratum a parity error

will not set TXC[2:0] = 011 to indicate an error.

packet with good FCS.

an error indicator.

Have software periodically check the state of the Tx queue halt bits. If a queue is halted, but

still contains ready BDs, resolve any pending address or data error conditions before restarting

the queues.

Scenarios 1 and 2 fixed

Scenario 3 applies to all revisions of silicon. Scenarios 4 and 5 function properly as described

eTSEC 68: Rx TCP/UDP checksum checking may be incorrect while operating at low

assumes that the controller has two cycles to respond to certain events on the Rx interface. If

the controller runs slower than twice the Rx clock frequency, it may be unable to respond to an

Option 2: Ensure that the minimum platform frequency to eTSEC Rx_CLK ratio with Rx

Option 3: Make sure that packets that are being checksummed have at least 4 bytes of data at

eTSEC 69: Filer does not support matching against broadcast address flag PID1[EBC]

properties, so the filer cannot correctly match based on broadcast address (PID1[EBC]). The

IEEE Std 802.3™-2005 is all 1’s in the destination address field, then use a filer rule with PID3

eTSEC 70: eTSEC does not support parsing of LLC/SNAP/VLAN packets

interpretation. It also supports 802.1p VLAN tags. However, it does not support the

parser prematurely completes “normally” upon encountering the VLAN Ether-type at the end of

the LLC/SNAP encoding. The erratum is that no layer 3, layer 4, or VLAN information is

because the parser terminated before the VLAN tag was found.

functions performed by eTSEC.

eTSEC 71: eTSEC filer reports incorrect Ether-types with certain MPLS frames

Ether-type that was encountered in a packet as it was parsed. In the case that there is an

MPLS label. The last 2 bytes correspond to the LSB 4 bits of the label, the EXP field, the S

field, and the TTL field. The eTSEC does not know of any header types that follow other than

Null.” Hence the Ether-type is always left as the last 2 bytes of the MPLS label.

file based on an MPLS label existence.

eTSEC 72: Compound filer rules do not roll back the mask

fields of the packet against properties in the RQFPR table. The mask sets “don’t cares” in the

outside of a cluster guard rule (CLE = 1) you can set masks as appropriate for the subsequent

rule by setting CMP = 00/01, PID = 0, and RQPROP = “desired mask.” If however the chained

rule chain. The erratum is that the mask does not roll back and the resulting mask can be

incorrectly rejecting the frame in the case of an assumption of the mask being a certain value.

entering the chain. The following table shows a compound rule example for work arounds.

5 0 0 0 0 0 0 0xFFFF_FFFF Work around

eTSEC 73: Incomplete frame with error causes false CR error on next frame

before start of frame, the error indicator persists and is reported on the following frame by

The incomplete frames that can trigger the error are:

Incomplete frames can occur due to collisions in half-duplex mode, or during recovery after a

link down condition.

interrupt. When this link down interrupt is detected, software should

eTSEC 74: Parser does not check VER/TYPE of PPPoE packets

VER/TYPE not equal to 1, the controller should stop Ethernet parsing and treat it as an

assumes it is 1.

eTSEC 75: Back-to-back Rx frames may lose parser results of second frame

still processing the previous frame. If this scenario occurs, the parser results for the second

circumstances are related to format of the two frames, but are not controllable by the receiver

or the user.

Option 2: Because this erratum impacts the RxFCB only, the filer still gets the correct

information and be able to file to the appropriate queue or reject. If software now finds RxFCB

all zeros, it must assume that it encountered this error. The only other time the RxFCB is all

zeros is when the eTSEC didn’t find any L2–L4 information that is recognized.

eTSEC 76: RMCA, RBCA counters do not correctly count valid VLAN tagged frames

and a length between 64 and 1518 (non-VLAN tagged frames) or 1522 (single VLAN tagged

frames and not multicast frames. The erratum is that for a valid VLAN tagged frame greater

than 1518 the eTSEC does not increment these registers.

the core.

eTSEC 83: L3 fragment frame files on non-existent source/destination ports

end of the header looking for a L4 header, extracts non-existent source and destination ports,

eTSEC 84: Multiple BD frame may cause hang

entire frame must be read from memory before a checksum can be computed. Accordingly, the

R bit of the first TxBD in a frame must not be set until at least one entire frame can be fetched

from this TxBD onwards. If eTSEC prefetches TxBDs and fails to reach a last TxBD (with bit L

set), it halts further transmission from the current TxBD ring and report an underrun error as

remaining BDs are marked ready, and if the controller happens to prefetch the BDs when

some are marked ready and some marked unready, the controller may not halt or set

IEVENT[XFUN], hanging the transmit.

TxBD frame, the Ethernet controller may hang.

after the remaining BDs of the frame are set ready.

No plans to fix for single queue case.

eTSEC 85: TxBD[TC] is not reliable in 16-bit FIFO modes

frames have software CRC append, and some do not, customers may enable hardware-based

style or encoded), the TxBD[TC] setting for a frame is not properly pipelined, so some frames

with TxBD[TC] = 1 end up transmitting without CRC appended and some frames with

• Option 2: Set all TxBD[TC] = 0.

eTSEC 86: eTSEC receivers may not be properly initialized

initialization sequence, the eTSEC Rx logic may not be properly initialized.

When this occurs, the first packet received (and subsequent packets) will be affected. Failure

eTSEC 87: Arbitrary Extraction cannot extract last data bytes of frame

frame, the associated ARB property sent to the filer may be zero instead of the data at the

The following packet and extraction types are affected:

• L4 extraction of TCP/UDP packets with IP total length 4n + 1, 4n + 2, or 4n + 3.

• For frame length of 4n + 3, the last 1 byte of the frame is not extractable. This applies to

• For IP total length of 4n + 1, the L4 byte offsets 4n + m - <IP header length> are not

eTSEC 88: False TCP/UDP and IP checksum error in FIFO mode without CRC

appending and checking disabled (FIFOCFG[CRCAPP] = 0 for Tx and FIFOCFG[CRCCHK] =

0 for Rx) may cause the IP or TCP/UDP checksum parsing to skip the last two bytes of the

eTSEC 89: Frames greater than 9600 bytes with TOE = 1 will hang controller

it must be no more than 9600 bytes to fit entirely into the Tx FIFO. If the frame is larger, the

checksum and allow the frame to start transmission.

ensure Tx frame length ≤ 9600 bytes.

eTSEC 90: Setting RCTRL[LFC] = 0 may not immediately disable LFC

immediately disable the lossless flow control state machine and stop the sending of pause

idle before disabling it. If the state machine has been triggered by the number of free RxBDs

falling below the threshold, the controller continues sending pause frame extensions until the

RCTRL[LFC] = 0.

exceeds the threshold. Once the number of free RxBDs exceeds the threshold, the

configuration for LFC may be safely modified.

eTSEC 91: VLAN Insertion corrupts frame if user-defined Tx preamble enabled

after start of the Destination Address (after DA and SA). If user-defined Tx preamble is

preamble (4 bytes after start of DA), thus overwriting part of DA and SA.

destination and source addresses.

eTSEC 92: False parity error at Tx startup

Tx frame data is written to it. Under certain internal resource contention conditions, the

eTSEC 99: ECNTRL[AUTOZ] not guaranteed if reading MIB counters with software

when reading them if ECNTRL[AUTOZ] = 1. If the register read occurs in the same cycle as a

reading MIB registers would expect to read A the first time, B the second, and C the third, with

each value representing only the events that occurred in the interval between reads. If the first

a larger number of events than actually seen by the controller.

routines which periodically read MIB counters and accumulate the results should accumulate

only when an MIB counter overflows, as in the description that follows: Assuming a 32-bit MIB

ACCUM_LO), and a Carry Out bit (ACCUM_LO_CO), change the 64-bit accumulator update

as follows:

Previous accumulate method (with ECNTRL[AUTOZ] = 1):

New accumulate method (with ECNTRL[AUTOZ]=0):

eTSEC 100: Half-duplex collision on FCS of Short Frame may cause Tx lockup

frame, then the Ethernet MAC may lock up and stop transmitting data or control frames. Only a

Use software-generated CRC (MACCFG2[PAD/CRC] = 0, MACCFG2[CRC EN] = 0 and

TxBD[TC] = 0)

The reference manual will be updated to require padding of all short Tx frames when in half-

duplex mode (MACCFG2[Full Duplex] = 0).

eTSEC 101: Magic Packet Sequence Embedded in Partial Sequence Not Recognized

and valid FCS (CRC-32), and whose payload includes the specific Magic Packet byte

sequence at any offset from the start of data payload. The specific byte sequence comprises

an unbroken stream of 102 bytes, the first 6 bytes of which are 0xFFs, followed by 16 copies of

the MAC's unique IEEE station address in the normal byte order for Ethernet addresses.

Magic Packet sequence, however, the complete sequence will not be recognized and the MAC

station address 01_02_03_04_05_06:

• Sequence b)

The following is an example partial sequence followed by the start of a complete sequence that

is erroneously not recognized for station address 01_02_03_04_FF_06:

immediately after other frame data which partially matches the Magic Packet Sequence.

the Magic Packet sequence in the frame.

Because the Magic Packet sequence pattern search starts at the 3rd byte after DA, the Magic

the length/type field follows the above rule.

Sequence c)—no plans to fix

eTSEC 104: Rx may hang if RxFIFO overflows

and overflow. If the RxFIFO fills up, the controller should gracefully drop packets. Instead,

the Rx will lock up and stop receiving without any error indication.

and hang the Rx controller.

Lockup detection:

There is no guaranteed algorithm to detect Rx lockup with zero false positives.

eTSEC 105: MAC: Malformed Magic Packet Triggers Magic Packet Exit

Addresses) and valid FCS (CRC-32), and whose payload includes the specific Magic Packet

byte sequence at any offset from the start of data payload. The specific byte sequence

comprises an unbroken stream of 102 bytes, the first 6 bytes of which are 0xFFs, followed by

16 copies of the MAC’s unique IEEE station address in the normal byte order for Ethernet

Once the Ethernet MAC has recognized a valid DA for one frame, it continues searching for

on each frame. Therefore, a frame without a valid DA could erroneously cause the ethernet

controller to exit Magic Packet mode. The only events that cause the MAC to go back to check

for valid DA before checking for a Magic Packet sequence on new frames are:

The Ethernet controller may exit Magic Packet mode if it receives a frame with DA not

matching station address, or invalid unicast or broadcast address, but a valid Magic Packet

sequence for the device.

eTSEC 106: Excess delays when transmitting TOE=1 large frames

TxBD[TOE]=1 and TCTRL[TUCSEN]=1 or TCTRL[IPCSEN]=1, the controller holds the frame

Because the checksums are inserted near the beginning of the frame, transmission cannot

start on a TOE=1 frame until the checksum calculation and insertion are complete.

For TOE=1 huge or jumbo frames, the data required to generate the checksum may exceed

start of transmission.

When using packets larger than 2700 bytes, it is recommended to turn TOE off.

eTSEC 107: Controller may not be able to transmit pause frame during pause state

frame with PTV!=0, it should still be able to transmit pause control frames. The Ethernet

frame request to the MAC. Once it has initiated a start-of-frame request, the Ethernet controller

cannot initiate a pause control frame request until the normal frame completes transmission.

controller may be unable to transmit a pause frame while it is in pause state if there is a normal

normal frame is ready to transmit.

This applies to pause frame generation as a result of RxFIFO over threshold (ordinary flow

control), free BDs below threshold (lossless flow control), or software-generated pause frame

eTSEC-A001: MAC: Pause time may be shorter than specified if transmit in progress

Flow]=1, it completes transmitting any current frame in progress, then should pause for

frame into account when calculating the Tx pause time, and may pause for 1-2 pause quanta

(512-1024 bit times) less than the PTV value.

margin, this may lead to receive buffer overflows in the link partner.

frame size as margin when calculating the pause time value to use to prevent overflow of the

receiver's buffers.

receive buffer overflow.

eTSEC-A002: Incomplete GRS or invalid parser state after receiving a 1- or 2-byte

supports receiving short frames less than 64B, and can accept frames more than 16B and less

than 64B if RCTRL[RSF] = 1. Frames shorter than 17 bytes are supposed to be silently

though the GRS has successfully executed and the receive logic is completely idle. Any

in RxFCB and incorrect filing (accept versus reject, or accept to wrong queue) for that following

After asserting graceful receive stop (DMACTRL[GRS] = 1), initiate a timeout counter. The wait

time is system and memory dependent, but a reasonable worst-case time is the receive time

Rx is assumed to be idle and the Rx can be safely reset. If the register fields are not equal,

MAX Rx reset procedure:

3) Execute workaround for the following eTSEC erratum: eTSEC receivers may not be

eTSEC-A004: User-defined preamble not supported at low clock ratios

eTSEC system clock to Tx clock ratios of less than 1.8:1. If the controller is run with a slower

PCI-Ex 42: Reads to PCI Express CCSRs or local config space temporarily return all Fs

PEX_PME_MES_DISR[LDDD]=0 and PEX_PME_MES_IER[LDDIE]=1, sends a link down

(transaction error to source for memory reads, return data all Fs for config reads). Write

transactions are silently dropped.

The canceling of config read or write transactions should not apply to accesses to

If the controller is configured as an endpoint and receives a hot reset request, it also brings the

link down and follows the same cleanup procedures as in an externally detected link down.

for the duration of the hot reset event, as well.

PCI Express return all Fs during link down cleanup or hot reset event.

During this time, writes are handled normally, though the results of the write are not verifiable.

The duration of the link down cleanup varies depending on the number and type of pending

transactions. Cleanup for pending outbound transactions takes just a few cycles, regardless of

the source. Pending inbound transactions wait for all responses from targets (data response

for reads, or successful arbitration to the target queue for writes) before completing cleanup.

Once all pending transactions have been cleared, new CCSR accesses and local config return

PCIe-A001: PCI Express Hot Reset event may cause data corruption

Hot Reset event from its upstream device (either RC or Switch) before it finishes processing an

• TLP received right before the Hot Reset event may be discarded

• Data corruption may occur on the first inbound memory transaction received after the Hot

• If it is a memory write, the transaction may finish with data corruption at the target.

the payload data of this memory write TLP from its receiver buffer toward the packet

destination. As a consequence, data corruption may also occur on the first inbound memory

transaction received right after this “inbound memory write followed immediately by a Hot

Reset event” sequence.

If the first inbound transaction received is a configuration cycle, after the above mentioned

“inbound memory write followed immediately by Hot Reset event” sequence, the configuration

space registers in any PCI Express EP controller, per PCI Express base specification

application programming model and determine the actual impact and appropriate workaround

The above described error will not occur in any of the following conditions:

• If the last inbound memory transaction received immediately before the Hot Reset event

• If the system (PCI Express controller) is idle in its inbound path when the Hot Reset event

controller. This prevents the above mentioned “inbound memory write followed immediately by

Hot Reset event” sequence from occurring. The exact requirement and action required to

quiesce the system is dependent on system, application and software used. For example,

some requirements may include, but not be limited to, using a software semaphore at the RC

system side to stop the new memory requests targeting the downstream Freescale PCI

Express EP controller from the RC system’s software API layer or DMA controller.

configuration write cycle to clear the Memory Space bit in the Freescale PCI Express EP

controller’s Command Register, followed by a several micro-second delay to allow all

previously received inbound memory writes to propagate through the EP controller. A Hot

Reset command can then be applied.

SEC 5: AES-CTR mode data size error

Realtime Transport Protocol (SRTP), and optionally, IPSec. The SEC is designed to accelerate

special SRTP descriptor type 0010_1. SRTP uses AES-CTR with HMAC-SHA-1. Although

AES in counter mode (AES-CTR) is meant to act as a stream cipher, the AESU considers any

• The AESU Data Size error can be disabled via the AESU Interrupt Control Register to

• The input data length (in the descriptor) can be rounded up to the nearest 16B. Set the

SEC 6: Single descriptor SRTP error

designed to accelerate AES-CTR in parallel with HMAC-SHA-1 using a special SRTP

multiples of 16 bytes.

portion of the datastream relevant to their respective operations. When the input data is not

not work because these excess bytes are ‘snooped’ by the MDEU and corrupt the HMAC-

be of a data length that hits this erratum. The workaround is to use two descriptors to perform

Outbound: The first descriptor is type 0001_0 "common non-snoop" set for an AES-CTR

operation using either of the workarounds described in SEC5. The second descriptor is type

payload + MKI (when present).

Inbound: Same descriptors as outbound, but in reverse order.

To minimize the performance impact of this workaround, these two descriptors should be

created simultaneously and launched back-to-back. By configuring the SEC Crypto-channel to

perform Done notification on selected descriptors, the first descriptor should be set to not

generate a Done interrupt, while the second descriptor (which completes the SRTP operation)

should be set to generate the Done interrupt. All the parameters required to build both

SEC 7: AES-CCM ICV checking write-back error

receiver with proof that the frame/packet has not been modified in transit. These authentication

authentication tags for out-bound operations, and re-calculating the tag and comparing it to the

received tag for in-bound operations. When performing in-bound authentication tag

modification of a frame/packet) by generating a crypto-channel error interrupt, or by writing a

created by the AESU when in CCM mode, hardware can successfully perform the ICV

interrupt. When attempting to use the writeback method when an ICV miscompare is detected,

all subsequent descriptors will be flagged as having ICV miscompares, whether they do or not.

tag miscompare. Use the channel interrupt method. Alternately, perform ICV checking in

software, as is required in all SEC cores 2.0 and below.

SEC 8: Kasumi hardware ICV checking does not work

comparing a received ICV with a calculated ICV. In the case of the KEU (Kasumi) F9 function,

the calculated MAC.

protocol to a 64-bits message authentication code (MAC). To verify a received MAC, the user

parameters) in order to generate the calculated MAC. The KEU is supposed to compare the

compare the full 128 bits and consequently always reports an ICV comparison failure, for

example, integrity check comparison result (ICCR) returns binary “10.”

64 bits received MAC to the KEU’s IV data, the user can merely have the SEC output the 128-

bit MAC generated by the KEU, and software can perform the comparison of the upper 64 bits.

Performing the MAC comparison in software takes only a few more CPU cycles than copying

the received MAC to the IV data and reading the SEC’s comparison result from the descriptor

SEC-A001: Channel Hang with Zero Length Data

SEC EUs detect when the input data size is not a legal value and signal this as an error. For

properly notify the crypto-channel using the CHA of a data size error. Instead, the EUs wait

forever for a valid data length, leading to an apparent channel hang condition.

SRIO 39: Serial RapidIO atomic operation erratum

semaphore with a device on RapidIO using read atomic set, clr, inc, or dec in a similar manner

corruption as both masters try to modify the same piece of data protected by the lock.

It is possible that a read atomic set, clr, inc, or dec from a RapidIO master may be bypassed

by a read transaction on behalf of a lwarx instruction from the core. This can result in the core

between each of the read queues. Note that ordering in both read queues is enforced with

respect to the write queue.

that is protected by a software lock/semaphore. This can only occur if the core is using lwarx/

to check and obtain ownership of the lock.

address that a RapidIO master is sending read atomic set, clr, inc, or dec transactions, one of

two software solutions below should be followed. The first solution retains maximum

performance of the memory subsystem by temporarily disabling one of the read command

queues during the lock sequence. The second solution doesn't require the core to precede its

11. Read CCSR offset 0xE0F14 into GPR A

13. Bit-wise AND GPR A with 0xFFFF_FFFE

14. Write the result back to CCSR offset 0xE0F14

If the core ever attempts to take ownership of this lock again, the same sequence must be

register of the ECM) during initialization and leave them set indefinitely. This may slightly

degrade overall system performance.

DDR 15: Automatic calibration hardware may calibrate to an invalid driver impedance

setting) when calibrating the DDR IO drive strength. This same issue has been observed when

board, it is not expected to resolve to the highest impedance setting.

option for half-strength drive mode. Therefore, applications using half-strength drive mode are

• Half-strength mode can also be enabled via setting the DDR_SDRAM_CFG[HSE] bit in

DDR 16: On-die termination at the DDR IOs has been measured 75 Ω too high

about 150 Ω and 225 Ω, respectively.

termination of about 150 Ω. However, there is no way to get 75 Ω.

issue has been present on all previous revisions of the device. Customers who designed using

the lines will simply be better balanced using fixed silicon.

DDR 17: DDR performance monitoring and tracing functionality does not work

to certain types of DDR-related information.

DDR Performance Monitor events:

Counter 1: Event 0

Counter 5: Event 0, 2, 56

Counter 6: Event 0, 1, 2, 5

Counter 7: Event 1, 4, 57

Reference Events 11, 12, 13, 14, 1

Watchpoint/Trace buffer:

when “internal DDR SDRAM interface” is selected (WMCR1[IFSEL] or TBCR1[IFSEL] =

Trace buffer information can be obtained from the e500 Coherency Module Dispatch selection

(WMCR1[IFSEL] or TBCR1[IFSEL] = 3b’000).

DDR 18: Automatic data initialization and DLL resets to DRAM are not performed

7'bx1xx0x0. In this mode, the DDR controller may operate incorrectly for 2 different features.

First, the DDR controller will not initialize DRAM data properly if

Note that this feature is typically enabled when DDR_SDRAM_CFG_2[DLL_RST_DIS] is

reenabled when exiting self refresh. Although it would be possible for some vendors to vary,

feature was originally added to support DDR1 memories. It appears that DDR1 memories will

typically only require the DLL reset when the frequency is changed, but this scenario should

CS0 and CS3 could still be interleaved together without any issues.

for CS2 and CS3. During this entire sequence, software would need to guarantee that no other

transactions are issued to memory.

DDR 19: DDR IOs default receiver biasing may not work across voltage and

The current default settings may not work at cold temperature. The worst case condition for

this erratum is TJ = 0 degC, GVDD = GVDD(min), VDD = VDD(max). When a failure occurs, a

DDR 20: MCKE signal may not function correctly at assertion of HRESET

erroneously drive the state of MCKE to the incorrect level or release it to high impedance after

causing future operations to fail. The primary fail mechanism is for the device to incorrectly

train its I/O receivers during DDR initialization.

There are power on reset configuration signals sampled during HRESET that do not quickly

LA[28:31] are driving a value of 0b1111 at the time of HRESET assertion, then MCKE[0:3] may

be released to high impedance. If MSRCID[2] is driving a zero at the time of HRESET

assertion, then MCKE[0:1] may be released to high impedance or drive a 1.

operations during DRAM initialization sequence. This may result in an auto calibration error

(ERR_DETECT[ACE]) or improper training during the initialization sequence. A failure to train

properly may result in corrupted data transfers to and from DDR.

following options:

Note that the following DDR DEBUG registers are used in this option:

• D2—offset is CCSRBAR + DDR_OFFSET + 0xF04

• D3—offset is CCSRBAR + DDR_OFFSET + 0xF08

10. Poll on D2[21] until it is cleared by hardware.

starting address of CS0_BNDS by default or programmed in DDR_INIT_ADDR.

ERR_DISABLE[SBED] to enable SBE and MBE detection as desired for specific

11. Clear reserved bit EEBACR[3] at offset 0x1000.

Use an active component (for example, CPLD) to drive MCKE signals to the DRAMs. Inputs to

this logic should include MCKE and HRESET_REQ, both from the device. When

HRESET_REQ asserts, the MCKE signal to the DRAMs should be driven low by the active

component. When HRESET_REQ is negated, the MCKE value driven by the CPLD should

match the value driven by the device. The JEDEC defined tDelay parameter between the MCKE

and MCK/MCK signals must also be controlled by this workaround. In addition, note that

MCKE must still meet all JEDEC-defined ADDR/CMD setup/hold requirements when using the

external component to help drive MCKE.

GEN 10: Device may fail DDR pins during IEEE Std 1149.1™ EXTEST mode

initialized logic. These controls are correctly configured during functional POR, which is not a

while the device DDR pins are driving.

HRESET pin from the interconnect testing, but will allow all the DDR signals to be correctly

GEN 11: Some pins do not meet 500V CDM ESD criteria

500V CDM ESD criteria. The following pins are impacted:

• SD_TX[7:0], SD_TX_B[7:0], SD_RX[7:0], SD_RX_B[7:0], SD_REF_CLK,

• GND pins U27, L21, L23, N22, P20, R23, T21, U22, V20, W23, Y21, K28, L24, L26, N24,

handled in an environment that is compliant with current ESD standards.

GEN 13: CPU write to platform failures in all core, platform, and SYSCLK frequency

to the platform.

21.2.1 of the hardware specification). The filter resistors must be increased from 10 ohm to

180 ohm for the AVDD_CORE filter resistor, and 150 ohm for the AVDD_PLAT filter resistor.

The tolerance of these resistors must be +/-5% or better.

Additionally, systems with an operating core frequency less than 1200 MHz must limit SYSCLK

frequency to 100 MHz maximum.

PIC 5: MSIMR De-featured

its destination when masked using the MSIMR register. When a message shared interrupt is

when subsequently unmasked.

Note that the MSIMR register defaults out of reset to zeros which is enabled. Software should

This register will be de-featured from reference manual.

PIC 6: MER, Interrupt will not be forwarded to destination

message interrupt is asserted while masked using the MER register the respective interrupt

the initialization, set certain MER bit(s) to enable desired message interrupts.

PIC 7: PCI Express MSI other than interrupt 0 not supported via hardware

Message Address Register of the MSI Capability Register. The (little-endian) data format of the

Register, with lower bits modified as necessary to indicate the particular message.

The MPIC implements MSI via the Message Shared Interrupt Index Register (MSIIR), which is

big-endian with two fields: Shared Interrupt Register Select (SRS - bits 24:26) and Interrupt Bit

The PCI Express Root Complex logic swaps the bytes of inbound writes to big-endian memory

msi_data[15:8] to MSIIR[8:15], and msi_data[7:0] to MSIIR[0:7]. Since msi_data[31:16] are

defined as all zeroes, MSIIR[SRS] and MSIIR[IBS] are always set to zero on an MSI write, and

all standard MSIs trigger interrupt 0 (MSIR0[SH0]=1, MSISR[S0]=1). The contents of

and configuration is interrupt 0.

region defined by CCSRBAR through PCI Express, use an inbound ATMU window with the

attributes set as follows:

memory write with MSI[31:24] set to the value of MSI[7:0]. Duplicating the MSI data in the LSB

and MSB allows the workaround to be compatible with future versions of the IP which correct

the definition and implementation of MSIIR.

PM 1: Some local bus events are not counted correctly in the performance monitor

• Request granted to ECM port

• Cycles atomic reservation for ECM port is enabled

PM 2: A performance monitor time base transition event will not freeze the

though PMGC0[TBEE] and PMGC0[FCECE] are enabled. Also, a performance monitor

exception may not happen when a time base transition occurs even though PMGC0[TBEE]

0x8000_0000 minus this number. This causes PMCx to overflow after the desired amount of

due to the nature of the SCL and SDA signals at the point of enablement. When this occurs, it

communicate on the bus.

I2C 3: I2C boot sequencer cannot issue snoopable writes

therefore not presented on the CCB.

configured as SRAM. Note that only being able to issue Non-snoopable transactions causes

fetch until after the boot sequencer completes its initialization process.

DMA 1: DMA_DACK bus timing violation when operating in external DMA master mode

three system clocks. The DMA violates this requirement. The DMA_DACK signal is directly

while in external mode by hardware setting the bit when DMA_DREQ is asserted, and clearing

the bit when the channel wins arbitration. In normal DMA mode, a transfer in progress is

not the case, the MR[CS] bit is asserted to short of a time and does not truly reflect transfer in

the problem above, there is no logic to force the assertion of DMA_DACK to be at least three

DMA 2: Transfer error reported for wrong channel

given a time period in the shared resources corresponding to the value of the bandwidth

block (specified by the byte count register in the channel) is a write that requires a response

from the target port (WRFTP). This type of write is referred to here as an WRFTP. While a

allowed to start using the shared resources.

• The write gets a translation error from an outbound ATMU translation window at the

• The WRFTP translates to an NWRITE_R on Serial RapidIO and the write receives an

Note that an error response on a DMA read will set the transfer error bit in the correct channel.

A-004737: BREAK detection triggered multiple times for a single break assertion

A UART break signal is defined as a logic zero being present on the UART data pin for a time

longer than (START bit + Data bits + Parity bit + Stop bits). The break signal persists until the

data signal rises to a logic one.

A received break is detected by reading the ULSR and checking for BI = 1. This read to ULSR

read the URBR to clear the ULSR[DR] bit. The expected behavior is that the ULSR[BI] and

ULSR[BI] and ULSR[DR] bits continue to get set each character period after they are cleared.

This continues for the entire duration of the break signal.

At the end of the break signal, a random character may be falsely detected and received in the

URBR, with the ULSR[DR] being set.

the break.

occurring, perform the following sequence when a break is detected:

JTAG 2: TMS requires hold time beyond the fall of TCK

and the JTAG state machine is moving into the UPDATE-DR state, TMS must be held past the

This primarily affects 3rd party JTAG and hardware tool vendors because this only affects the

update the boundary register.

JTAG TAP, and the JTAG state machine is in the UPDATE-DR state, move to the SELECT-

DR state instead of to RUN-TEST-IDLE.

Moving from UPDATE-DR to RUN-TEST-IDLE requires TMS to change from a ‘1’ to a ‘0’. In

this case, care must be taken to ensure that TMS is held at ‘1’ for 2 ns past the falling edge of

TCK before changing to the ‘0’ value.

If the JTAG tool has the option to move to the SELECT-DR state instead of the RUN-TEST-

IDLE state from the UPDATEDR state, then the value on the TMS pin does not change,

because TMS will be a ‘1’ moving into the UPDATE-DR state and a ‘1’ moving into the

SELECT-DR state. Keeping TMS at a ‘1’ value will satisfy the hold time requirement. Then, go

through the IR route to go back to the RUN-TEST-IDLE state.