Implementing Backdoor Key sequence on MC9S08PA16

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Implementing Backdoor Key sequence on MC9S08PA16

Jump to solution
928 Views
jonascalifornia
Contributor II

Hi All,

 

Has anybody used the backdoor key to unlock a secure MCU in the HCS08 family?

I've read all the documentation in the reference manual, but am having trouble getting the unlock sequence right.

 

I've configured the memory so that KEYEN is enabled and SEC is secured, and to write a custom backdoor key.

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xffb0 = "My BDKey";

 

Anybody have an example of how they would write the unlock sequence? I tried clearing CCIF and then incrementing through the FCCOB index and writing each key value to the FCCOB register, but there only six locations in the index, and there a total of eight key locations, so I must be misunderstanding something.

 

Thank you! Your help is appreciated :-)

 

Jonas

Labels (1)
Tags (3)
0 Kudos
1 Solution
644 Views
kef2
Senior Contributor V

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

View solution in original post

0 Kudos
3 Replies
644 Views
kef2
Senior Contributor V

Hi,

S08PA RM rev1  Table 4-39 Verify backdoor access key command FCCOB requirements.

CCOBIX indexes 1 to 4 allow specifying 4 16 bit words or 8 bytes...

644 Views
jonascalifornia
Contributor II

Thanks! That makes sense. So as far as I understand it, the code below should work, but I am still unable to unsecure the MCU. Any tips?

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xff70 = "My BDKey";

  NVM_FSTAT_CCIF = 0;

  NVM_FCCOBIX = 0x00;

  NVM_FCCOBHI = 0x0C;

  NVM_FCCOBIX = 0x01;

  NVM_FCCOBLO = 'M';

  NVM_FCCOBHI = 'y';

  NVM_FCCOBIX = 0x02;

  NVM_FCCOBLO = ' ';

  NVM_FCCOBHI = 'B';

  NVM_FCCOBIX = 0x03;

  NVM_FCCOBLO = 'D';

  NVM_FCCOBHI = 'K';

  NVM_FCCOBIX = 0x04;

  NVM_FCCOBLO = 'e';

  NVM_FCCOBHI = 'y';

0 Kudos
645 Views
kef2
Senior Contributor V

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

0 Kudos