Escape from Security Mode in 9S12DG256

During a flashprocedure of a new development with a MC9S12DG256 I obviously cleared the Security Byte ($FF0F) by accident, i.e. including the backdoor access..

I do not get a connection with my BDM (a part offered by Kevin Ross) to FLASH, EEPROM and RAM.

But I can read and write to the registers. (See Dump of the RegPage in the attachment).

The contents of the REGS page can be found mod $400 of the complete adress range.

The control of the output pins works fine.

Reading through the Specification and the application note AN2206 I still am not clear how to escape from the Security Mode. (btw. I have doubts the sequence given there on page 9 really works, as Command $20 is a PROG and not a MASSERASE.)

here is my sequence ("ew" edits words, "eb" edits bytes):

---->

reset //with MODA = MODB = MODC = 0

eb 100 4a //write $4a to $100; FCLK set for 16MHz crystal

eb 102 10 //write all

ew 104 FFFF //FPROT set to FF; FSTAT clear all bits

ew f000 0000 // write something to page

eb 106 41 //FCMD: MASS ERASE

eb 105 80 //GO

reset //Reset to Special Mode to enable background check for erased FLASH according spec.

eb 100 4a //FCLK init again

ew 104 FFFF //open Prot and clear FSTAT bits again

ew ff0e fffe //SECURITY set to FE

eb 106 20 //FCMD: prog

eb 105 80 //go

<----

One very strange behavior of FSTAT is the result of $C1 instead of $C0 after the command is started. Accordung the Secification the LSB should always read zero.

I tried several similar sequences also delays before and after "reset". Unfortunately w/o effect.

Do you have an idea what my problem could be?

The accidential erasure is not very unlikely. ist there a standard escape sequence available, when no ext ROM ist available?

Thank you very much for reply in advance