- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Hi,I am Using Freescale MC9S08DZ60 in my project,I want to allow backdoor key access memory.The example Code is as follows :
const volatile unsigned char NVPROT_INIT @0X0000FFBD=0XC0;
const volatile unsigned char NVPT_INIT @0X0000FFBF=0XFC;
const byte NVBACK_KEY0 @0x0000FFB0 = 0xC0;
const byte NVBACK_KEY1 @0x0000FFB1 = 0xC1;
const byte NVBACK_KEY2 @0x0000FFB2 = 0xC2;
const byte NVBACK_KEY3 @0x0000FFB3 = 0xC3;
const byte NVBACK_KEY4 @0x0000FFB4 = 0xC4;
const byte NVBACK_KEY5 @0x0000FFB5 = 0xC5;
const byte NVBACK_KEY6 @0x0000FFB6 = 0xC6;
const byte NVBACK_KEY7 @0x0000FFB7 = 0xC7;
#define Program_Byte PGM[21]=0X20;temp=((unsigned char(*)(unsigned int,unsigned char))(PGM))
volatile unsigned char PGM[59]=
{
0X87,0XC6,0X18,0X25,0XA5,0X10,0X27,0X08,0XC6,0X18,0X25,0XAA,0X10,0XC7,0X18,
0X25,0X9E,0XE6,0X01,0XF7,0XA6,0X20,0XC7,0X18,0X26,0X45,0X18,0X25,0XF6,0XAA,
0X80,0XF7,0X9D,0X9D,0X9D,0X9D,0X45,0X18,0X25,0XF6,0XF7,0XF6,0XA5,0X30,0X27,
0X04,0XA6,0XFF,0X20,0X07,0XC6,0X18,0X25,0XA5,0X40,0X27,0XF9,0X8A,0X81
};
Decryption process:
DisableInterrupts
FCNFG_KEYACC=1;
temp=Program_Byte(0XFFB0,0XC0);
temp=Program_Byte(0XFFB1,0XC1);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB2,0XC2);
temp=Program_Byte(0XFFB3,0XC3);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB4,0XC4);
temp=Program_Byte(0XFFB5,0XC5);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB6,0XC6);
temp=Program_Byte(0XFFB6,0XC6);
__RESET_WATCHDOG();
FCNFG_KEYACC=0;
EnableInterrupts
I find that is not useful to unsecure the chip.According to the database sheet,I have no idea to unsecure,Looking forward to your help,thank you!
已解决! 转到解答。
I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.
Execute this from RAM or data EEPROM:
DisableInterrupts
FCNFG_KEYACC=1;
*(byte*)0xFFB0 = 0xC0;
*(byte*)0xFFB1 = 0xC1;
*(byte*)0xFFB2 = 0xC2;
*(byte*)0xFFB3 = 0xC3;
*(byte*)0xFFB4 = 0xC4;
*(byte*)0xFFB5 = 0xC5;
*(byte*)0xFFB6 = 0xC6;
*(byte*)0xFFB7 = 0xC7;
FCNFG_KEYACC=0;
EnableInterrupts
After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.
Regards
Edward
I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.
Execute this from RAM or data EEPROM:
DisableInterrupts
FCNFG_KEYACC=1;
*(byte*)0xFFB0 = 0xC0;
*(byte*)0xFFB1 = 0xC1;
*(byte*)0xFFB2 = 0xC2;
*(byte*)0xFFB3 = 0xC3;
*(byte*)0xFFB4 = 0xC4;
*(byte*)0xFFB5 = 0xC5;
*(byte*)0xFFB6 = 0xC6;
*(byte*)0xFFB7 = 0xC7;
FCNFG_KEYACC=0;
EnableInterrupts
After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.
Regards
Edward
