Escape from Security Mode in 9S12DG256

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Escape from Security Mode in 9S12DG256

7,320 Views
BHock
Contributor I

During a flashprocedure of a new development with a MC9S12DG256 I obviously cleared the Security Byte ($FF0F) by accident, i.e. including the backdoor access..

I do not get a connection with my BDM (a part offered by Kevin Ross) to FLASH, EEPROM and RAM.

But I can read and write to the registers. (See Dump of the RegPage in the attachment).

The contents of the REGS page can be found mod $400 of the complete adress range.

The control of the output pins works fine.

Reading through the Specification and the application note AN2206 I still am not clear how to escape from the Security Mode. (btw. I have doubts the sequence given there on page 9 really works, as Command $20 is a PROG and not a MASSERASE.)

here is my sequence ("ew" edits words, "eb" edits bytes):

---->

reset //with MODA = MODB = MODC = 0

eb 100 4a //write $4a to $100; FCLK set for 16MHz crystal

eb 102 10 //write all

ew 104 FFFF //FPROT set to FF; FSTAT clear all bits

ew f000 0000 // write something to page

eb 106 41 //FCMD: MASS ERASE

eb 105 80 //GO

reset //Reset to Special Mode to enable background check for erased FLASH according spec.

eb 100 4a //FCLK init again

ew 104 FFFF //open Prot and clear FSTAT bits again

ew ff0e fffe //SECURITY set to FE

eb 106 20 //FCMD: prog

eb 105 80 //go

<----

One very strange behavior of FSTAT is the result of $C1 instead of $C0 after the command is started. Accordung the Secification the LSB should always read zero.

I tried several similar sequences also delays before and after "reset". Unfortunately w/o effect.

Do you have an idea what my problem could be?

The accidential erasure is not very unlikely. ist there a standard escape sequence available, when no ext ROM ist available?

Thank you very much for reply in advance

Labels (1)
0 Kudos
Reply
5 Replies

1,300 Views
SteveRussell
Contributor III

If you have not yet done so, you should read Freescale application note AN2400/D "HCS12 NVM Guidelines".

This is the best single document that covers flash and EEPROM programming and securing.

In particular, at the end it describes the 27 step procedure for unsecuring a HCS12 part.

You should also check the mask set of your particular part and look at the latest errata for that mask set.  Some early parts had a number of errata in the operation of the security features. 

You should also be aware that some very early HCS-12 parts exhibited security behaviour that is not clearly documented in the errata/


 

NVM Guidelines
0 Kudos
Reply

1,300 Views
BHock
Contributor I

I have sent the sequence according the spec. (See Attachment: steve1.txt is input file; seq1.txt the output log.) The 2nd part of the sequence ist not in the log. 

The interesting result is in Line 24.

"Verify failure: address 0x115 expected 0x80, verified as 0xd1"

Looks like an Access error as I expect the result 0xc1.

there might also be a problem with the BDM. Maybe I corrupt  the internal state machine with the edit command (Write/Read) .

what is your opinion?

Bertram.

0 Kudos
Reply

1,300 Views
SteveRussell
Contributor III

From the Freescale 256 K flash documentation:

"The ACCERR flag will not be set if any Flash register is read during the command sequence."

I'm not familiar with the details of the software that you are using to maniplulate the registers, but you should try to use commands that do NOT attempt to verify the writes to the flash control registers.

It may be a good idea to check BDM communication by reading PARTID or some other readable register BEFORE attempting the unsecure sequence.

As you are demonstrating, it would be a help to include unsecuring instructions with any BDM software.

0 Kudos
Reply

1,300 Views
Nabla69
Contributor V
Hi BH,
 
To unsecure your part, you may try the attached command file.
As I couldn't post a .cmd, you can rename the file to a .cmd and adapt the speed of the oscillator by reading internal comments.
 
This is a standard file I took within CodeWarrior. I didn't check your procedure as I used this file and it worked a few times already.
 
Of course, unsecuring a MCU erases it fully.
 
Cheers,
Alvin.
0 Kudos
Reply

1,300 Views
BHock
Contributor I

Dear Alvin,

I am using Kevin Ross' BDM. I translated your code but unfortunately without success.

THere are no Write Commands but Edit Commands available. I guess they destroy internal states.

rgds

Bertram.

0 Kudos
Reply