- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
Hi All,
Has anybody used the backdoor key to unlock a secure MCU in the HCS08 family?
I've read all the documentation in the reference manual, but am having trouble getting the unlock sequence right.
I've configured the memory so that KEYEN is enabled and SEC is secured, and to write a custom backdoor key.
const unsigned char NVOPT_F @ 0xff7f = 0xbd;
const unsigned char BackdoorKey[8] @ 0xffb0 = "My BDKey";
Anybody have an example of how they would write the unlock sequence? I tried clearing CCIF and then incrementing through the FCCOB index and writing each key value to the FCCOB register, but there only six locations in the index, and there a total of eight key locations, so I must be misunderstanding something.
Thank you! Your help is appreciated :-)
Jonas
已解决! 转到解答。
1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.
2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.
CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this
NVM_FSTAT = NVM_FSTAT_CCIF_MASK;
3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.
Thanks! That makes sense. So as far as I understand it, the code below should work, but I am still unable to unsecure the MCU. Any tips?
const unsigned char NVOPT_F @ 0xff7f = 0xbd;
const unsigned char BackdoorKey[8] @ 0xff70 = "My BDKey";
NVM_FSTAT_CCIF = 0;
NVM_FCCOBIX = 0x00;
NVM_FCCOBHI = 0x0C;
NVM_FCCOBIX = 0x01;
NVM_FCCOBLO = 'M';
NVM_FCCOBHI = 'y';
NVM_FCCOBIX = 0x02;
NVM_FCCOBLO = ' ';
NVM_FCCOBHI = 'B';
NVM_FCCOBIX = 0x03;
NVM_FCCOBLO = 'D';
NVM_FCCOBHI = 'K';
NVM_FCCOBIX = 0x04;
NVM_FCCOBLO = 'e';
NVM_FCCOBHI = 'y';
1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.
2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.
CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this
NVM_FSTAT = NVM_FSTAT_CCIF_MASK;
3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.
