- NXP Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- Vigiles
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
-
- Home
- :
- Product Forums
- :
- 8-bit Microcontrollers
- :
- Implementing Backdoor Key sequence on MC9S08PA16
Implementing Backdoor Key sequence on MC9S08PA16
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
Has anybody used the backdoor key to unlock a secure MCU in the HCS08 family?
I've read all the documentation in the reference manual, but am having trouble getting the unlock sequence right.
I've configured the memory so that KEYEN is enabled and SEC is secured, and to write a custom backdoor key.
const unsigned char NVOPT_F @ 0xff7f = 0xbd;
const unsigned char BackdoorKey[8] @ 0xffb0 = "My BDKey";
Anybody have an example of how they would write the unlock sequence? I tried clearing CCIF and then incrementing through the FCCOB index and writing each key value to the FCCOB register, but there only six locations in the index, and there a total of eight key locations, so I must be misunderstanding something.
Thank you! Your help is appreciated :-)
Jonas
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.
2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.
CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this
NVM_FSTAT = NVM_FSTAT_CCIF_MASK;
3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
S08PA RM rev1 Table 4-39 Verify backdoor access key command FCCOB requirements.
CCOBIX indexes 1 to 4 allow specifying 4 16 bit words or 8 bytes...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That makes sense. So as far as I understand it, the code below should work, but I am still unable to unsecure the MCU. Any tips?
const unsigned char NVOPT_F @ 0xff7f = 0xbd;
const unsigned char BackdoorKey[8] @ 0xff70 = "My BDKey";
NVM_FSTAT_CCIF = 0;
NVM_FCCOBIX = 0x00;
NVM_FCCOBHI = 0x0C;
NVM_FCCOBIX = 0x01;
NVM_FCCOBLO = 'M';
NVM_FCCOBHI = 'y';
NVM_FCCOBIX = 0x02;
NVM_FCCOBLO = ' ';
NVM_FCCOBHI = 'B';
NVM_FCCOBIX = 0x03;
NVM_FCCOBLO = 'D';
NVM_FCCOBHI = 'K';
NVM_FCCOBIX = 0x04;
NVM_FCCOBLO = 'e';
NVM_FCCOBHI = 'y';
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.
2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.
CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this
NVM_FSTAT = NVM_FSTAT_CCIF_MASK;
3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.
