During a flashprocedure of a new development with a MC9S12DG256 I obviously cleared the Security Byte ($FF0F) by accident, i.e. including the backdoor access..
I do not get a connection with my BDM (a part offered by Kevin Ross) to FLASH, EEPROM and RAM.
But I can read and write to the registers. (See Dump of the RegPage in the attachment).
The contents of the REGS page can be found mod $400 of the complete adress range.
The control of the output pins works fine.
Reading through the Specification and the application note AN2206 I still am not clear how to escape from the Security Mode. (btw. I have doubts the sequence given there on page 9 really works, as Command $20 is a PROG and not a MASSERASE.)
here is my sequence ("ew" edits words, "eb" edits bytes):
reset //with MODA = MODB = MODC = 0
eb 100 4a //write $4a to $100; FCLK set for 16MHz crystal
eb 102 10 //write all
ew 104 FFFF //FPROT set to FF; FSTAT clear all bits
ew f000 0000 // write something to page
eb 106 41 //FCMD: MASS ERASE
eb 105 80 //GO
reset //Reset to Special Mode to enable background check for erased FLASH according spec.
eb 100 4a //FCLK init again
ew 104 FFFF //open Prot and clear FSTAT bits again
ew ff0e fffe //SECURITY set to FE
eb 106 20 //FCMD: prog
eb 105 80 //go
One very strange behavior of FSTAT is the result of $C1 instead of $C0 after the command is started. Accordung the Secification the LSB should always read zero.
I tried several similar sequences also delays before and after "reset". Unfortunately w/o effect.
Do you have an idea what my problem could be?
The accidential erasure is not very unlikely. ist there a standard escape sequence available, when no ext ROM ist available?
Thank you very much for reply in advance
If you have not yet done so, you should read Freescale application note AN2400/D "HCS12 NVM Guidelines".
This is the best single document that covers flash and EEPROM programming and securing.
In particular, at the end it describes the 27 step procedure for unsecuring a HCS12 part.
You should also check the mask set of your particular part and look at the latest errata for that mask set. Some early parts had a number of errata in the operation of the security features.
You should also be aware that some very early HCS-12 parts exhibited security behaviour that is not clearly documented in the errata/
I have sent the sequence according the spec. (See Attachment: steve1.txt is input file; seq1.txt the output log.) The 2nd part of the sequence ist not in the log.
The interesting result is in Line 24.
"Verify failure: address 0x115 expected 0x80, verified as 0xd1"
Looks like an Access error as I expect the result 0xc1.
there might also be a problem with the BDM. Maybe I corrupt the internal state machine with the edit command (Write/Read) .
what is your opinion?
From the Freescale 256 K flash documentation:
"The ACCERR flag will not be set if any Flash register is read during the command sequence."
I'm not familiar with the details of the software that you are using to maniplulate the registers, but you should try to use commands that do NOT attempt to verify the writes to the flash control registers.
It may be a good idea to check BDM communication by reading PARTID or some other readable register BEFORE attempting the unsecure sequence.
As you are demonstrating, it would be a help to include unsecuring instructions with any BDM software.
I am using Kevin Ross' BDM. I translated your code but unfortunately without success.
THere are no Write Commands but Edit Commands available. I guess they destroy internal states.