Use of back door access

Again, the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key".

The "User Code" is INSIDE the "security boundary". It can be trusted to do whatever it wants, including writing new data to the end of the FLASH.

The whole point of the Security system is to prevent anything OUTSIDE the chip from being able to read the code in the FLASH unless they have the 8-byte secret key. Or you can be really paranoid and disable the "security back door" completely. The only way into the system in that case requires you to completely erase the entire FLASH first.

Security is complicated. It can't be explained simply.

Read this section again, and all the other security-related features it refers to:

17.4.3 Flash Security Operation

Keep reading until you understand it. If you can't understand it, find someone there (not here) who can.

Tom

Hi Tom,

I really appreciate the time you take to answer. I would like to say a few statements:

1) I know the "backdoor flash address" has *NOTHING* at all to do with the "Backdoor key". I agree security is complicated, but the info in the data sheet isn't enough.

2) Why i can't use the forum to fin someone who understand a little more than me? This is the freescale coldfire forum!!

3) Some uc can use hot-plug debuggers. I looked for hot-plug debugger for the coldfire and i didn't find one.

4) EzPort, Jtag, and BDM must reset the coldfire in order to start the operation

5) The backdoor key unsecures the flash until the next reset.

if we put 3,4 and 5 together: Why an user would like to use the backdoor key in order to unsecure temporally the CFM?

Could you please answer to the last cuestion??

thanks in advice

Gonzalo

> Why i can't use the forum to fin someone who understand a little more than me?

You can, but any complete explanation would be as long as the reference manual.

> Could you please answer to the last cuestion??

I don't understand your question as phrased, but reading through the previous times you've asked it, you can't see a use for it.

Let's see if I can try again. Note I'm reading the Reference Manual, I don't know any more than that.

Assume you don't want your code pirated. You SECURE the chip. That disables the BDM, so you can't get to it with the debugger any more. If you have secured it and disabled the backdoor (KEYEN bit in CFMSEC), then the only access to the chip starts with erasing the entire FLASH and then performing the blank-check. That unsecures it and lets you write new (or the same) code back to the chip. You can also write it back with security turned off.

If you have enabled back door access, then you can use that to remove the security, and then are able to read the code and debug the chip. But only people who know the 8-byte security code

Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read logged data that isn't available any other way. There may be some part of your production process that requires programming, testing and then reprogramming with a different version of code.

Does that help explain what it is for?

> I had secured the flash ( 4ac8 in position 0x414 ) and then i tried to write ...

If you were able to get full access to the chip after "securing" it, then maybe you didn't secure it properly, or the operation didn't work or you didn't reset/power-cycle the chip after doing that. After resetting you should be able to read the "secured state" from CFMSEC[SECSTAT]. Write some code that reads that register and prints out the result somehow (or flashes a LED differently for the different states of that bit). You may find the chip isn't really secured.

Tom

>Who would you want to do this? To debug a problem, to connect the debugger to read variables, to get access to read >logged data that isn't available any other way. There may be some part of your production process that requires >programming, testing and then reprogramming with a different version of code.

>Does that help explain what it is for?

Yes, i read and understood the same you explain. But all debuggers reset the CFM, and so th CFM is secured again!. I didn't find a hot-plug debugger for ColdFire. Do you know one?

By the way, I were able to get full access to the chip after "securing" it, but from the inside. I read CFMSEC[SECSTAT] and the CFM is secured. Also the BDM can't be conneted, which means that the CFM is unsecured.

Thanks again!!!!

> I were able to get full access to the chip after "securing" it, but from the inside

That's inside the "security perimeter". You can do what you like there. "Security" is only for external threats (in most countries, most of the time :-). The Flash sector protection bits are there to protect against "accidents" from inside.

Tom

Thanks again.

What about the other question...

>But all debuggers reset the CFM, and so th CFM is secured again!. I didn't find a hot-plug debugger for ColdFire. Do you >know one?

Gonzalo

> Do you know one?

No. Why do you want one?

> But all debuggers reset the CFM, and so th CFM is secured again!.

I assume you want to connect to a secured part and then conduct a debugging session. I would guess that the first time you connect (and temporarily unsecure the part) you're meant to write to the FLASH to force it to be unsecured. Then you work on it unsecured. Then if you want it secure again you reflash it to be secured.

Tom

No, i don't need one. i just i want to know the purpuse of the BackDoor Key Access. In my opinion, if freescale designs somethings, it must be useful.

The key access secuence is done from the outside of the flash. so, which is the tool that can do it?

Hi tom, thanks again.

If the chip "talks" with an user, then the key could be as big as the disigner wants, and not 8 bytes fixed.

About Jtag and EzPort, if the flash is secured, they only can erase all the flash. they do not enter in debug mode. I thogth there was a tool to "talk" with the flash (not throgh the program). That's all the confussion. It's seem to be like you said: >>These parts are a "pick and mix" of previously designed and used modules<<

Thanks a lot again

HI Tom,

thanks for your answer. I agree the words are a little confusing.

I was talking about the backdoor access sequence. I don't find a use for it. As i said, i secured the flash, and then i wrote to the flash via the backdoor access so i don't understand the uses of unsecuring the flash.

why an user would want to unsecure the flash via the backdoor access sequence with the comparasion key?. Is it to enable the DMA to have write access to flash??

thanks again

Gonzalo

> I don't find a use for it.

So?

> i wrote to the flash via the backdoor access

That's because you had a copy of the "Backdoor Key" that was used to secure the device. If you didn't have that key you wouldn't be able to access the chip, steal the code and flood eBay with millions of pirated clones of whatever hardware that chip is in.

> Is it to enable the DMA to have write access to flash?

No, read through the manual again. The "Backdoor Key" described in the CFM module is all about security and locking down the chip against copying.

The SRAM has a "back door" controlled by the BDE bit in RAMBAR.

The Flash has a "Back Door" which is always enabled and is described as "backdoor flash address of IPSBAR plus an offset of 0x0400_0000. It can be used for DMA access, but MUST be used for writing programming commands to the FLASH.

They're different things with similar names that can be told apart by context.

If I've answered your question, please mark it "Answered".

Tom