- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- 产品论坛
- :
- S12 / MagniV微控制器
- :
- I have a question about using MM9Z1I638 to open the safe mode
I have a question about using MM9Z1I638 to open the safe mode
I have a question about using MM9Z1I638 to open the safe mode. I read the manual and learned that the FSEC register is used to open the safe mode, but this register does not seem to support direct writing, and needs to be written through FLASH programming. The address segment written is 0xFF_FE0F bytes of P_FLASH block, The minimum sector size supported by
P_FLASH is 512byte. I wrote bytes in accordance with the process of erasing sectors, verifying sectors and writing sectors, but found that every time after erasing sectors, the software would run to an illegal place. After checking, I found that all the information stored in this sector is the add
已解决! 转到解答。
Hi,
The security is described in detail:
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12-X-MCU-Security/ta-p/1111118
Yes different family but principle is the same.
Some more info can be get from solution of https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12Z-Security/td-p/1646747
Also good article for backdoor key implementation (the implementation of sending the backdoor key to the MCU is really up to you. It can be also stored in the application sw and entire temporary unsecuring can be initialized by different action):
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/SW-example-of-Security-feature-with-Backdoo...
The security can be set only by programming a byte in the special field (Table 22-3. Flash Configuration Field) in the flash memory as it was described in the above mentioned link. Then the security is automatically set during reset. Such secured device is not debuggable and the only BDM mass erase command followed by programming a flash memory byte to unsecure state followed by reset can unsecure the device.
Of course you can use Backdoor key access if necessary as described in the second link.
So, for debugging purposes do nothing with the flash field where the source data for FSEC and FPROT is stored. For production simply use following, for example.
main.c
#include <hidef.h> /* for EnableInterrupts macro */
#include "derivative.h" /* include peripheral declarations */
//set DFPROT and FSEC bytes in the flash ()
const unsigned char flash_array[] @0xFFFE08 = {0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0xFF,0x7D};
//since DFPROT = 0x80 (DPOPEN=1, DPS[1:0]=00),
//EEPROM protection will be disabled
//since FSEC = 0x7D (KEYEN[1:0]=01, SEC[1:0]=01),
//MCU will be secured and access trough backdoor key disabled.
I also attached an example I found in the drawer of a colleague of mine.
The code (Flash Configuration field setup) will be part of the S19 record and loaded into flash during production loading of the code. After first and all reset the device will be secured.
Backdoor key is the only write to specific address the security key code which is compared with a code saved in a flash security field. There are more options how to do it.
- the routine can be inside the application code and you initialize process by special defined process, for example, keybord, interrupt, ....
- safer is to use some communication peripheral and send the code to the MCU together with internal recognition it is a backdoor code and then it is used for temporary unsecuring of the device. (for example, via can I'll send a command code "unsecure temporary" followed with "backdoor key data set" which will be processed and device unsecure till next reset)
The flash write it is another story. The flash memory block which is currently E/W is not allowed to be read so the waiting for end of the command processing must be do in another memory.
This in an example
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12Z-Flash-example-code/ta-p/1108954
Best regards,
Ladislav
Hi,
The security is described in detail:
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12-X-MCU-Security/ta-p/1111118
Yes different family but principle is the same.
Some more info can be get from solution of https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12Z-Security/td-p/1646747
Also good article for backdoor key implementation (the implementation of sending the backdoor key to the MCU is really up to you. It can be also stored in the application sw and entire temporary unsecuring can be initialized by different action):
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/SW-example-of-Security-feature-with-Backdoo...
The security can be set only by programming a byte in the special field (Table 22-3. Flash Configuration Field) in the flash memory as it was described in the above mentioned link. Then the security is automatically set during reset. Such secured device is not debuggable and the only BDM mass erase command followed by programming a flash memory byte to unsecure state followed by reset can unsecure the device.
Of course you can use Backdoor key access if necessary as described in the second link.
So, for debugging purposes do nothing with the flash field where the source data for FSEC and FPROT is stored. For production simply use following, for example.
main.c
#include <hidef.h> /* for EnableInterrupts macro */
#include "derivative.h" /* include peripheral declarations */
//set DFPROT and FSEC bytes in the flash ()
const unsigned char flash_array[] @0xFFFE08 = {0xFF,0xFF,0xFF,0xFF,0xFF,0x80,0xFF,0x7D};
//since DFPROT = 0x80 (DPOPEN=1, DPS[1:0]=00),
//EEPROM protection will be disabled
//since FSEC = 0x7D (KEYEN[1:0]=01, SEC[1:0]=01),
//MCU will be secured and access trough backdoor key disabled.
I also attached an example I found in the drawer of a colleague of mine.
The code (Flash Configuration field setup) will be part of the S19 record and loaded into flash during production loading of the code. After first and all reset the device will be secured.
Backdoor key is the only write to specific address the security key code which is compared with a code saved in a flash security field. There are more options how to do it.
- the routine can be inside the application code and you initialize process by special defined process, for example, keybord, interrupt, ....
- safer is to use some communication peripheral and send the code to the MCU together with internal recognition it is a backdoor code and then it is used for temporary unsecuring of the device. (for example, via can I'll send a command code "unsecure temporary" followed with "backdoor key data set" which will be processed and device unsecure till next reset)
The flash write it is another story. The flash memory block which is currently E/W is not allowed to be read so the waiting for end of the command processing must be do in another memory.
This in an example
https://community.nxp.com/t5/S12-MagniV-Microcontrollers/S12Z-Flash-example-code/ta-p/1108954
Best regards,
Ladislav
