Table of Contents
Advertisement
4.6.5.1
Unsecuring the MCU using Backdoor Key Access
The MCU may be unsecured by using the backdoor key access feature which requires knowledge of the
contents of the backdoor keys (NVBACKKEY through NVBACKKEY+7, see
addresses). If the KEYEN[1:0] bits are in the enabled state (see
set, a write to a backdoor key address in the flash memory triggers a comparison between the written data
and the backdoor key data stored in the flash memory. If all backdoor keys are written to the correct
addresses in the correct order and the data matches the backdoor keys stored in the flash memory, the MCU
will be unsecured. The data must be written to the backdoor keys sequentially. Values 0x0000 and 0xFFFF
are not permitted as backdoor keys. While the KEYACC bit is set, reads of the flash memory will return
invalid data.
The user code stored in the flash memory must have a method of receiving the backdoor keys from an
external stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If the KEYEN[1:0] bits are in the enabled state (see
backdoor key access sequence described below:
1. Set the KEYACC bit in the flash configuration register (FCNFG).
2. Sequentially write the correct eight 8-bit bytes to the flash addresses containing the backdoor keys.
3. Clear the KEYACC bit. Depending on the user code used to write the backdoor keys, a wait cycle
(NOP) may be required before clearing the KEYACC bit.
4. If all data written match the backdoor keys, the MCU is unsecured and the SEC[1:0] bits in the
FOPT register are forced to the unsecure state of 1:0.
The backdoor key access sequence is monitored by an internal security state machine. An illegal operation
during the backdoor key access sequence will cause the security state machine to lock, leaving the MCU
in the secured state. A reset of the MCU will cause the security state machine to exit the lock state and
allow a new backdoor key access sequence to be attempted. The following operations during the backdoor
key access sequence will lock the security state machine:
1. If any of the keys written does not match the backdoor keys programmed in the flash array.
2. If the keys are written in the wrong sequence.
3. If more keys than are required are written.
4. If any of the keys written are all 0s or all 1s.
5. If the KEYACC bit does not remain set while the keys are written.
6. If any of the keys are written on successive MCU clock cycles.
7. Executing a STOP instruction while the KEYACC bit is set.
After the backdoor keys have been correctly matched, the MCU will be unsecured. After the MCU is
unsecured, the flash security byte can be programmed to the unsecure state, if desired.
In the unsecure state, the user has full control of the contents of the backdoor keys by programming the
associated addresses in NVBACKKEY through NVBACKKEY+7.
The security as defined in the flash security byte is not changed by using the backdoor key access sequence
to unsecure. The stored backdoor keys are unaffected by the backdoor key access sequence. After the next
reset of the MCU, the security state of the flash module is determined by the flash security byte. The
Freescale Semiconductor
MC9S08QE128 MCU Series Reference Manual, Rev. 2
Section
4.6.2.2) and the KEYACC bit is
Section
4.6.2.2), the MCU can be unsecured by the
Chapter 4 Memory
Table 4-4
for specific
87
- Quick Links:
- Devices in the Mc9S08Qe128 Series
Hide quick links:
Advertisement
Table of Contents
