帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Implementing Backdoor Key sequence on MC9S08PA16

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Implementing Backdoor Key sequence on MC9S08PA16

跳至解决方案
‎04-25-2014 12:31 AM
2,077 次查看
jonascalifornia
Contributor II

Hi All,

 

Has anybody used the backdoor key to unlock a secure MCU in the HCS08 family?

I've read all the documentation in the reference manual, but am having trouble getting the unlock sequence right.

 

I've configured the memory so that KEYEN is enabled and SEC is secured, and to write a custom backdoor key.

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xffb0 = "My BDKey";

 

Anybody have an example of how they would write the unlock sequence? I tried clearing CCIF and then incrementing through the FCCOB index and writing each key value to the FCCOB register, but there only six locations in the index, and there a total of eight key locations, so I must be misunderstanding something.

 

Thank you! Your help is appreciated :-)

 

Jonas

标签 (1)
标签
标记 (3)
0 项奖励
回复
1 解答

跳至解决方案
‎04-29-2014 11:04 PM
1,793 次查看
kef2
Senior Contributor V

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

在原帖中查看解决方案

0 项奖励
回复
3 回复数

跳至解决方案
‎04-25-2014 12:31 PM
1,793 次查看
kef2
Senior Contributor V

Hi,

S08PA RM rev1  Table 4-39 Verify backdoor access key command FCCOB requirements.

CCOBIX indexes 1 to 4 allow specifying 4 16 bit words or 8 bytes...

回复

跳至解决方案
‎04-29-2014 08:05 PM
1,793 次查看
jonascalifornia
Contributor II

Thanks! That makes sense. So as far as I understand it, the code below should work, but I am still unable to unsecure the MCU. Any tips?

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xff70 = "My BDKey";

  NVM_FSTAT_CCIF = 0;

  NVM_FCCOBIX = 0x00;

  NVM_FCCOBHI = 0x0C;

  NVM_FCCOBIX = 0x01;

  NVM_FCCOBLO = 'M';

  NVM_FCCOBHI = 'y';

  NVM_FCCOBIX = 0x02;

  NVM_FCCOBLO = ' ';

  NVM_FCCOBHI = 'B';

  NVM_FCCOBIX = 0x03;

  NVM_FCCOBLO = 'D';

  NVM_FCCOBHI = 'K';

  NVM_FCCOBIX = 0x04;

  NVM_FCCOBLO = 'e';

  NVM_FCCOBHI = 'y';

0 项奖励
回复

跳至解决方案
‎04-29-2014 11:04 PM
1,794 次查看
kef2
Senior Contributor V

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

0 项奖励
回复