S12(X) MCU Security

Document created by Radek Sestak on Nov 15, 2012. Last modified by Diana Torres on Feb 24, 2017.
Version 3

S12(X) MCU Secure:

There’s a security byte in the flash memory at address 0xFF0F that should be programmed appropriately.

Datasheet says: “The contents of the Flash Protection/Options byte at $FF0F in the Flash Protection/Options Field must be changed directly by programming $FF0F when the device is unsecured and the higher address sector is unprotected. If the Flash Protection/Options byte is left in the secure state, any reset will cause the MCU to return to the secure operating mode.”

 

If you use CodeWarrior then you can use the syntax as follows:

const unsigned char secure @0xFF0F = 0xFC;

 

If the security is enabled then:

- the internal flash memory cannot be read via a BDM device.

- debug features are disabled.

For more information, see the description of the FSEC register in the datasheet.

 

I would also like to recommend our application note AN2400 HCS12 NVM Guidelines:

http://www.freescale.com/files/microcontrollers/doc/app_note/AN2400.pdf

AN2880 Using the Backdoor Access Capability to Unsecure HCS12 MCUs:

http://www.freescale.com/files/microcontrollers/doc/app_note/AN2880.pdf

http://www.freescale.com/webapp/sps/download/license.jsp?colCode=AN2880SW

 

 

Security on S12(X) MCUs with 180nm Flash:

This applies to all S12(X) MCUs with 180nm Flash with ECC (S12G, S12HY, S12P, S12XE, S12XF, S12XHY, S12XS, MM912G634, MM912H634, MM912J637 and S12VR):

 

If we load the flash security byte together with other code,

******************

C code example:

//set backdoor key and secure the flash (set flash security byte to 0xBD):

const unsigned char flash_array[] @0xFF00 = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBD};

******************

then we have to add the following command to the preload command file (P&E_Multilink_USB_Preload.cmd if you use the PE Multilink):

 

FLASH NOUNSECURE

 

This command ensures that the burner does not change the security byte to the unsecured state prior to programming. The normal sequence is: the MCU is erased, the flash security byte is programmed to the default unsecured state (0xFE), and then the code is loaded. We just have to turn off that programming of the security byte.

 

Why:

Cumulative programming of bits within a phrase is not allowed. If the flash security byte at address 0xFF0F is not erased prior to programming the new value, the ECC checksum of this phrase is corrupted, the MCU is left in the secured state, and the flash will be fully protected after the next reset.

 

Datasheet says:

"If a double bit fault is detected while reading the P-Flash phrase containing the P-Flash protection byte during the reset sequence, the FPOPEN bit will be cleared and remaining bits in the FPROT register will be set to leave the P-Flash memory fully protected."

 

"If a double bit fault is detected while reading the P-Flash phrase containing the Flash security byte during the reset sequence, all bits in the FSEC register will be set to leave the Flash module in a secured state with backdoor key access disabled."

 

The same for D-Flash...

 

S12(X) unsecure:

Unsecuring is possible in three ways:

  1. Backdoor key access (temporary)
  2. Reprogramming the security bits
  3. Complete memory erase (special modes)

Ad1) To secure the device and set the backdoor key, you program the 16 bytes at address 0xFF00. The backdoor key access method allows debugging of a secured microcontroller without having to erase the Flash. This is particularly useful for failure analysis.

To unsecure with the backdoor key, you use the special flash command 0C (described under Verify Backdoor Access Key Command in the reference manual). No word of the backdoor key is allowed to have the value 0x0000 or 0xFFFF. The unsecured state is valid only until reset. If an invalid attempt is made to verify the backdoor keys, the command will be locked out until a power down occurs.

Ad2) In normal single chip mode (NS), security can also be disabled by erasing and reprogramming the security bits within Flash options/security byte to the unsecured value. Because the erase operation will erase the entire sector from 0xFE00–0xFFFF, the backdoor key and the interrupt vectors will also be erased; this method is not recommended for normal single chip mode.

Ad3) Complete mass erase by a BDM device (in special mode). In the CodeWarrior debugger menu -> MultilinkCyclonePro -> Unsecure…

If that does not work, you can use unsecure12 from P&E:

http://www.pemicro.com/downloads/download_file.cfm?download_id=16

Unsecure_12 Help Files:

http://www.pemicro.com/downloads/download_file.cfm?download_id=14

Note: Registration is required for downloading.
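
A host-side check of the 16-byte field at 0xFF00 before it is handed to the burner, as an added example that is not part of the original document or of any Freescale/P&E tool. It assumes the FSEC bit layout from the S12(X) reference manuals (KEYEN in bits 7:6, SEC in bits 1:0), which this page does not spell out; all function and constant names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* FSEC bit layout as given in the S12(X) reference manuals (not on this page):
   bits 7:6 KEYEN (10b = backdoor key enabled, anything else = disabled),
   bits 1:0 SEC   (10b = unsecured, anything else = secured). */
enum { CFG_LEN = 16, KEY_LEN = 8, FSEC_OFF = 15 };  /* field 0xFF00..0xFF0F */
enum { ERR_UNSECURED = 1, ERR_KEY_DISABLED = 2, ERR_KEY_WORD = 4 };

int fsec_is_secured(uint8_t fsec)  { return (fsec & 0x03u) != 0x02u; }
int fsec_key_enabled(uint8_t fsec) { return (fsec & 0xC0u) == 0x80u; }

/* Page rule: no 16-bit word of the backdoor key may be 0x0000 or 0xFFFF. */
int backdoor_key_valid(const uint8_t *key)
{
    for (int i = 0; i < KEY_LEN; i += 2) {
        uint16_t w = (uint16_t)((key[i] << 8) | key[i + 1]);
        if (w == 0x0000u || w == 0xFFFFu)
            return 0;
    }
    return 1;
}

/* Checks a field meant to ship secured with backdoor access available.
   Returns a mask of ERR_* findings, 0 when the field is consistent. */
int check_config_field(const uint8_t *cfg)
{
    uint8_t fsec = cfg[FSEC_OFF];
    int err = 0;
    if (!fsec_is_secured(fsec))        err |= ERR_UNSECURED;
    if (!fsec_key_enabled(fsec))       err |= ERR_KEY_DISABLED;
    else if (!backdoor_key_valid(cfg)) err |= ERR_KEY_WORD;
    return err;
}

/* Field from the page's flash_array example (key 0xAA.., security byte 0xBD). */
const uint8_t page_field[CFG_LEN] = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
                                     0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBD};
/* Constructed sample: key enabled in FSEC but key words left erased. */
const uint8_t erased_key_field[CFG_LEN] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                                           0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xBD};

int main(void)
{
    printf("page field:       findings=%d\n", check_config_field(page_field));
    printf("erased-key field: findings=%d\n", check_config_field(erased_key_field));
    return 0;
}
```

With the security byte 0xFC from the first CodeWarrior snippet the check reports ERR_KEY_DISABLED: the part is secured, but backdoor key access is not available for failure analysis.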

