We have a bootloader application that programs firmware changes to an update region. Recently a customer returned a board after a failed attempt at programming. They told me they were successful in updating it, but after a few iterations they discovered the failure. They had three separate boards fail with the same symptom out of 30 or so.
The Atmel was completely blank when they sent it back; even the bootloader region was blank (all bits were high), and the fuse settings had changed to execute from the application region after reset. Only the EEPROM was not erased. I was able to recover the board using an ICE3.
After a cursory glance at the code, there is soft protection for writing to the chip in the update region only. It's not my bootloader, so I am trying to review it to see what could have gone wrong. Obviously we should be at least setting the lock bit to protect the bootloader and fuse regions, but I would like to know how it is even possible to erase the Atmel so completely, just so I have something to go on while reviewing the code. It's an ATXMEGA32A4U.