64 KByte Flash Module (S12XFTMR64K1V1)
S12XS Family Reference Manual, Rev. 1.13
Freescale Semiconductor
655
20.5.1
Unsecuring the MCU using Backdoor Key Access
The MCU may be unsecured by using the backdoor key access feature which requires knowledge of the
contents of the backdoor keys (four 16-bit words programmed at addresses 0x7F_FF00–0x7F_FF07). If
the KEYEN[1:0] bits are in the enabled state (see
), the Verify Backdoor Access Key
command (see
) allows the user to present four prospective keys for comparison to the
keys stored in the Flash memory via the Memory Controller. If the keys presented in the Verify Backdoor
Access Key command match the backdoor keys stored in the Flash memory, the SEC bits in the FSEC
register (see
) will be changed to unsecure the MCU. Key values of 0x0000 and 0xFFFF are
not permitted as backdoor keys. While the Verify Backdoor Access Key command is active, P-Flash block
0 will not be available for read access and will return invalid data.
The user code stored in the P-Flash memory must have a method of receiving the backdoor keys from an
external stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If the KEYEN[1:0] bits are in the enabled state (see
), the MCU can be unsecured by the
backdoor key access sequence described below:
1. Follow the command sequence for the Verify Backdoor Access Key command as explained in
2. If the Verify Backdoor Access Key command is successful, the MCU is unsecured and the
SEC[1:0] bits in the FSEC register are forced to the unsecure state of 10
The Verify Backdoor Access Key command is monitored by the Memory Controller and an illegal key will
prohibit future use of the Verify Backdoor Access Key command. A reset of the MCU is the only method
to re-enable the Verify Backdoor Access Key command.
After the backdoor keys have been correctly matched, the MCU will be unsecured. After the MCU is
unsecured, the sector containing the Flash security byte can be erased and the Flash security byte can be
reprogrammed to the unsecure state, if desired.
In the unsecure state, the user has full control of the contents of the backdoor keys by programming
addresses 0x7F_FF00–0x7F_FF07 in the Flash configuration field.
The security as defined in the Flash security byte (0x7F_FF0F) is not changed by using the Verify
Backdoor Access Key command sequence. The backdoor keys stored in addresses
0x7F_FF00–0x7F_FF07 are unaffected by the Verify Backdoor Access Key command sequence. After the
next reset of the MCU, the security state of the Flash module is determined by the Flash security byte
(0x7F_FF0F). The Verify Backdoor Access Key command sequence has no effect on the program and
erase protections defined in the Flash protection register, FPROT.
20.5.2
Unsecuring the MCU in Special Single Chip Mode using BDM
The MCU can be unsecured in special single chip mode by erasing the P-Flash and D-Flash memory by
one of the following methods:
•
Reset the MCU into special single chip mode, delay while the erase test is performed by the BDM,
send BDM commands to disable protection in the P-Flash and D-Flash memory, and execute the
Erase All Blocks command write sequence to erase the P-Flash and D-Flash memory.
Summary of Contents for MC9S12XS128
Page 4: ...S12XS Family Reference Manual Rev 1 13 4 Freescale Semiconductor ...
Page 168: ...Interrupt S12XINTV2 S12XS Family Reference Manual Rev 1 13 168 Freescale Semiconductor ...
Page 736: ...Ordering Information S12XS Family Reference Manual Rev 1 13 736 Freescale Semiconductor ...
Page 737: ......