ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Implementing Backdoor Key sequence on MC9S08PA16

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 
解決済み
ソリューションへジャンプ

Implementing Backdoor Key sequence on MC9S08PA16

ソリューションへジャンプ
‎04-25-2014 12:31 AM
905件の閲覧回数
jonascalifornia
Contributor II

Hi All,

 

Has anybody used the backdoor key to unlock a secure MCU in the HCS08 family?

I've read all the documentation in the reference manual, but am having trouble getting the unlock sequence right.

 

I've configured the memory so that KEYEN is enabled and SEC is secured, and to write a custom backdoor key.

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xffb0 = "My BDKey";

 

Anybody have an example of how they would write the unlock sequence? I tried clearing CCIF and then incrementing through the FCCOB index and writing each key value to the FCCOB register, but there only six locations in the index, and there a total of eight key locations, so I must be misunderstanding something.

 

Thank you! Your help is appreciated :-)

 

Jonas

ラベル(1)
ラベル
タグ(3)
0 件の賞賛
返信
1 解決策

ソリューションへジャンプ
‎04-29-2014 11:04 PM
621件の閲覧回数
kef2
Senior Contributor IV

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

元の投稿で解決策を見る

0 件の賞賛
返信
3 返答(返信)

ソリューションへジャンプ
‎04-25-2014 12:31 PM
621件の閲覧回数
kef2
Senior Contributor IV

Hi,

S08PA RM rev1  Table 4-39 Verify backdoor access key command FCCOB requirements.

CCOBIX indexes 1 to 4 allow specifying 4 16 bit words or 8 bytes...

返信

ソリューションへジャンプ
‎04-29-2014 08:05 PM
621件の閲覧回数
jonascalifornia
Contributor II

Thanks! That makes sense. So as far as I understand it, the code below should work, but I am still unable to unsecure the MCU. Any tips?

const unsigned char NVOPT_F @ 0xff7f = 0xbd;

const unsigned char BackdoorKey[8] @ 0xff70 = "My BDKey";

  NVM_FSTAT_CCIF = 0;

  NVM_FCCOBIX = 0x00;

  NVM_FCCOBHI = 0x0C;

  NVM_FCCOBIX = 0x01;

  NVM_FCCOBLO = 'M';

  NVM_FCCOBHI = 'y';

  NVM_FCCOBIX = 0x02;

  NVM_FCCOBLO = ' ';

  NVM_FCCOBHI = 'B';

  NVM_FCCOBIX = 0x03;

  NVM_FCCOBLO = 'D';

  NVM_FCCOBHI = 'K';

  NVM_FCCOBIX = 0x04;

  NVM_FCCOBLO = 'e';

  NVM_FCCOBHI = 'y';

0 件の賞賛
返信

ソリューションへジャンプ
‎04-29-2014 11:04 PM
622件の閲覧回数
kef2
Senior Contributor IV

1. Looks like you swapped HI with LO.. 'M' should be written to HI, 'y' to LO etc. Don't have PT manual at hand, I guess 0x0C is written correctly to HI.

2. NVM_FSTAT_CCIF = 0; makes no sense. This should clear flash error bits, but it is confusing and if your intension was really to clear them, then you should write comment about this.

CCIF should be cleared (by writing one to it) after all keys are specified through FCCOBxxx registers. Don't use C bitfield NVM_FSTAT_CCIF here! Instead you should clear CCIF like this

NVM_FSTAT = NVM_FSTAT_CCIF_MASK;

3. Don't forget that flash is not readable while flash commands are in progress, even if this command is backdoor unsecure. Before clearing CCIF you need to jump to RAM and stay there while CCIF==1. Interrupts, since their vectors table is located in flash, should be disabled prior to clearing CCIF.

0 件の賞賛
返信