Erasing a secured S12XD device via BDM

2,071 Views
jmk
Contributor I

I am developing a programming solution for S12XD devices via the BDM interface. Everything is working properly (erase, write verify of both flash and eeprom) as long as I program the FSEC bits of flash location 0x7F_FF0F with 0b10 (UNSECURED).

 

It should be possible to mass erase the flash contents when the device is in a secured state, so I have programmed the FSEC bit to 0b11 (secured).

Since I did this, I am not able to program/erase the device anymore, because of the security.

I have tried the "Complete Mass Erase (Special Modes)" as written in the security chapter of the manual, but nothing changes to the contents of the flash.

The program is still executing, and so the security is still present.

 

Can somebody give me a good hint, or something to try out?

 

Many thanks

0 Kudos
1 Solution
1,517 Views
RadekS
NXP Employee

Hi jmk,

Please use the unsecure command file (something like P&E_Multilink_CyclonePro_Erase_unsecure_hcs12.cmd) in your project as inspiration for unsecuring with your probe.

This command file was tested and works correctly. It simply uses commands like reset, write byte (wb), write word (ww) and wait.

Of course, you should use the command file which was generated for your MCU family. There are two or three versions of this file for different S12 families.


I hope it helps you.

Have a great day,
RadekS


0 Kudos
6 Replies
1,517 Views
RadekS
NXP Employee

Hi Johan,

For a complete mass erase by BDM probe (in special mode), please go to the CodeWarrior debugger menu -> MultilinkCyclonePro (according to your BDM probe) -> Unsecure…

If that doesn't work, you can use unsecure12 from P&E (for PEmicro probes):

http://www.pemicro.com/downloads/download_file.cfm?download_id=16

Unsecure_12 Help Files:

http://www.pemicro.com/downloads/download_file.cfm?download_id=14

Note: Registration is necessary for downloading.

Please also check your BDM connection. A typical issue is the ribbon cable orientation.

If you use some external watchdog circuit, please disconnect the reset pin between the watchdog device and the MCU during the unsecure and programming phase. The same is also valid for other sources which could drive the RESET pin.

What is your oscillator clock and what is the FCLKDIV value which you used during the CW unsecure procedure?

Please check the MODA, MODB, TEST pin voltages. They should be low to enter special single chip mode (MODC/BKGD is driven by the BDM probe). Please also check the XCLKS pin value and compare it with your oscillator type connection.

If you have more than one BDM probe connected to your PC, please disconnect all others except the one which you use to interface your MCU.


I hope it helps you.

Have a great day,
RadekS


0 Kudos
1,517 Views
jmk
Contributor I

Many thanks for the answers!

I do believe that the device can be erased and unsecured with the already existing BDM probes (PE or any other probe), but I want to erase the device with my own made probe.

MODA = 0V, MODB = 0V, TEST = 0V, all the time and MODC/BKGD = 0V during reset and when I release the nRST pin. So the device should enter Special Single Chip mode.

I use a crystal oscillator of 16MHz, XCLKS = 0V and I use the value 0x49 for FCLKDIV (PRDIV8=1, FDIV=9 to get 200KHz). As I said before, this all worked fine as long as I do not set the security bits. Even the mass erase was working properly before I set the security...

What I am looking for is a list of Read and Write Memory to the flash or bdm registers to erase a secured device. This list is mentioned in the datasheet of the part, but unfortunately it isn't working...

For clarity, here is the list from the datasheet:

pastedImage_0.png

0 Kudos
1,517 Views
jmk
Contributor I

Many Thanks RadekS!

0 Kudos
1,517 Views
kef2
Senior Contributor IV

jmk,

Here's a piece of code from my BDM programmer. The mass erase routine for S12A/C/D and S12XA/XD devices looks as follows. HWWrBt12() writes a byte using the WRITE_BYTE (C0) BDM command. HWWrWd12() writes a word using the WRITE_WORD (C8) BDM command.

I'm mass erasing Flash first, and then EEPROM; it shouldn't matter.

    // mass erase flash
    HWWrBt12(0x104, 0xFF);   // FPROT: all protection disabled
    HWWrBt12(0x105, 0x30);   // clear PVIOL and ACCERR in FSTAT register
    HWWrBt12(0x103, 0);      // FCNFG, not for S12X
    HWWrBt12(0x102, 0x00);   // clear the WRALL bit in FTSTMOD
    HWWrBt12(0x105, 0x02);   // clear the FAIL bit
    HWWrBt12(0x102, 0x10);   // FTSTMOD: set WRALL (write all)
    HWWrWd12(0x108, 0);      // FADDR
    HWWrWd12(0x10A, 0);      // FDATA
    HWWrBt12(0x106, 0x41);   // FCMD = mass erase
    HWWrBt12(0x105, 0x80);   // start

    do {
        Delay();             // 150 us delay
    } while (!(HWRdBt12(0x105) & 0x40));   // wait for completion

    HWWrBt12(0x102, 0x00);   // FTSTMOD: clear WRALL again

    // mass erase EEPROM
    HWWrBt12(0x114, 0xFF);   // EPROT: all protection disabled
    HWWrBt12(0x115, 0x30);   // clear PVIOL and ACCERR in ESTAT register
    HWWrBt12(0x112, 0x00);   // same write as to FTSTMOD above, in the EEPROM register block
    HWWrBt12(0x115, 0x02);   // clear S12X FAIL bit
    HWWrWd12(0x118, 0);      // EADDR
    HWWrWd12(0x11A, 0);      // EDATA
    HWWrBt12(0x116, 0x41);   // ECMD = mass erase
    HWWrBt12(0x115, 0x80);   // start

    delay65ms();   // Don't rely on the command complete flag, which is not available on S12C; just wait long enough.

0 Kudos
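Added example (not part of kef2's post and not code from NXP or P&E): a bounded replacement for the completion poll in the routine above that also reads the PVIOL/ACCERR bits, so an erase that never started is reported instead of looking finished, plus a decoder for the FCLKDIV value quoted earlier in the thread. The names `bdm_read_fn`, `wait_erase_done`, `run_trace`, `sim_read` and `fclk_hz` are hypothetical, the FSTAT traces are constructed, and the code assumes the HCS12 behaviour that a rejected command leaves the completion flag (0x40) set.

```c
#include <stdint.h>
#include <stdio.h>

/* FSTAT offset and masks as used in the routine above; bit names assumed. */
#define FSTAT       0x105u
#define FSTAT_CCIF  0x40u  /* command complete, polled in the routine above */
#define FSTAT_ERRS  0x30u  /* PVIOL | ACCERR, the bits cleared with 0x30 */

typedef uint8_t (*bdm_read_fn)(uint16_t addr); /* hypothetical probe read hook */
enum erase_result { ERASE_OK, ERASE_REJECTED, ERASE_TIMEOUT };

/* Flash clock in Hz for an FCLKDIV value: PRDIV8 is bit 6, FDIV bits 5..0. */
uint32_t fclk_hz(uint32_t osc_hz, uint8_t fclkdiv) {
    uint32_t pre = (fclkdiv & 0x40u) ? osc_hz / 8u : osc_hz;
    return pre / ((fclkdiv & 0x3Fu) + 1u);
}

/* Poll FSTAT after the command launch; error flags win over CCIF because a
   rejected command leaves CCIF set and would otherwise look finished. */
enum erase_result wait_erase_done(bdm_read_fn rd, unsigned max_polls) {
    for (unsigned i = 0; i < max_polls; i++) {
        uint8_t st = rd(FSTAT);   /* a real probe waits ~150 us per poll */
        if (st & FSTAT_ERRS) return ERASE_REJECTED;
        if (st & FSTAT_CCIF) return ERASE_OK;
    }
    return ERASE_TIMEOUT;
}

/* Constructed FSTAT traces stand in for the target; the last value repeats. */
static const uint8_t *trace;
static unsigned trace_len, trace_pos;
static uint8_t sim_read(uint16_t addr) {
    (void)addr;
    uint8_t v = trace[trace_pos];
    if (trace_pos + 1 < trace_len) trace_pos++;
    return v;
}

enum erase_result run_trace(const uint8_t *t, unsigned n, unsigned max_polls) {
    trace = t; trace_len = n; trace_pos = 0;
    return wait_erase_done(sim_read, max_polls);
}

int main(void) {
    const uint8_t rejected[] = { 0xD0 };  /* CCIF still set, ACCERR raised */
    printf("FCLK %lu Hz, result %d\n", (unsigned long)fclk_hz(16000000u, 0x49),
           (int)run_trace(rejected, 1, 10));
    return 0;
}
```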
1,517 Views
lama
NXP TechSupport

Hi,

Possible ways to unsecure the device are to use the unsecure command from the CodeWarrior debugger or the unsecure program from the www.pemicro.com pages.

If you use a USB Multilink, you have to use the unsecure option MultilinkCyclonePro->Unsecure in the CodeWarrior Hiwave Debugger. (Also check that you have the correct device selected for the connection.)

Or you can use the external unsecure program, which can be downloaded from the pemicro pages.

Unsecure_12 (8060 KB): Utility which unsecures HCS12 devices via P&E's BDM Interfaces such as Cyclone-PRO, USB-ML-12, and BDM-Multilink. This version supports the new Rev B Multilink.

http://www.pemicro.com/downloads/download_file.cfm?download_id=16

Unsecure_12 Help Files (20 KB): This .hlp file describes the use and operation of the Unsecure_12 program which is used with P&E's interface devices to unsecure previously secured HCS12 microcontrollers.

http://www.pemicro.com/downloads/download_file.cfm?download_id=14

Could you please also try to use Unsecure12? I have sometimes found that I was not able to unsecure some device or connect to the device. In this case it has helped to ask a colleague to use his PC and connections, or Unsecure12. Please do not ask me why.

Best Regards, Ladislav

0 Kudos