Hardware Reference
In-Depth Information
The backdoor key access sequence includes
1. Setting the KEYACC bit in the flash configuration register (FCNFG)
2. Writing the first 16-bit word of the backdoor key to $FF00
3. Writing the second 16-bit word of the backdoor key to $FF02
4. Writing the third 16-bit word of the backdoor key to $FF04
5. Writing the fourth 16-bit word of the backdoor key to $FF06
6. Clearing the KEYACC bit in the flash configuration register FCNFG
Since the flash memory cannot be read when the KEYACC bit is set, the code for the back-
door key access sequence must be executed from SRAM.
If all four 16-bit words match the flash contents at $FF00 to $FF07, the microcontroller
will be unsecured and the security bits SEC1 and SEC0 of the FSEC register will be forced to
unsecured state 10. The contents of the flash options/security byte are not changed by this
procedure, and so the HCS12 will revert to the secure state after the next reset, unless further
action is taken. If any one of the four 16-bit words does not match the flash contents at $FF00 to
$FF07, the HCS12 microcontroller will remain secured.
R EPROGRAMMING THE S ECURITY B ITS
In normal single-chip mode, security can also be disabled by means of erasing and repro-
gramming the security bits within the flash options/security byte to the unsecured value. Since
the erase operation will erase the entire sector from $FE00 to $FFFF, the backdoor key and the
interrupt vectors will also be erased. Therefore, this method is not recommended for normal
single-chip mode. The application software can erase and program the flash options/security
byte only if the flash sector containing the flash options/security byte is not protected. Thus,
flash protection is a useful way to prevent this from occurring. The microcontroller will enter
the unsecured state after the next reset following the programming of the security bits to the
unsecured value. One of the following conditions must be satisfied in order for this method to
work:
The application software previously programmed into the MCU has been
designed to have the capability to erase and program the flash options/security
byte, and the flash section containing the flash options/security byte is not
protected.
Security is first disabled using the backdoor key method allowing the BDM
to be used to issue commands to erase and program the flash options/security
byte, and the flash section containing the flash options/security byte is not
protected.
C OMPLETE M EMORY E RASE
The microcontroller can be unsecured in special single-chip modes by erasing the entire
EEPROM and flash contents. When a secure microcontroller is reset into special single-chip
mode, the BDM firmware verifies whether the EEPROM and flash are erased. If any EEPROM or
flash location is not erased, only BDM hardware commands are enabled. BDM hardware com-
mands can then be used to write to the EEPROM and flash registers and also to bulk erase the
EEPROM and all flash blocks. When next reset to the special single-chip mode occurs, the BDM
firmware will again verify whether all EEPROM and flash are erased and, if this is the case, will
enable all BDM commands, allowing the flash options/security byte to be programmed to the
unsecured value. The security bits SEC1 and SEC0 in the FSEC register will indicate the unse-
cure state following the next reset.
 
Search WWH ::




Custom Search