Unsecure 9S12T with backdoor key and BDM.

Showing results for 
Search instead for 
Did you mean: 

Unsecure 9S12T with backdoor key and BDM.

Contributor III



I am trying to unsecure a 9S12 using BDM and backdoor key.

I have previously set the KEYEN bit and the backdoor key locations in the flash.

So i am trying to unlock it using BDM and following the suggestion in the datasheet:


  1. Set the KEYACC bit in the Flash Configuration register FCNFG.
  2. Write the first 16-bit word of the backdoor key to $FF00.
  3. Write the second 16-bit word of the backdoor key to $FF02.
  4. Write the third 16-bit word of the backdoor key to $FF04.
  5. Write the fourth 16-bit word of the backdoor key to $FF06.
  6. Clear the KEYACC bit in the Flash Configuration register FCNFG.


A couple lines before that it mentions :


  • It is not possible to download the backdoor keys using Background Debug Mode.


By "download" does it mean that you cant read the keys?

Anyway i am using this to send the keys :


uint16_t pass[4] = { 0xAAAA, 0xAAAA, 0xAAAA, 0xAAAA };

error = USBDM_WriteMemory(MS_Word, 4, 0xFF00, (uint8_t*)pass);


Any suggestions on how to make it happen? I have no luck till now.


Thank you


P.S.: I am reseting in normal single chip mode.

Labels (1)
4 Replies

Contributor I

Can you give me some code about this issue? 

Thank You

0 Kudos

NXP TechSupport
NXP TechSupport


I have found this question unanswered and I am not sure the issue is solved. if you have already solved it then I only add some info for other users who run in the same issue.

The way of unsecuring is made via BDM interface by series of commands. In the case when the device is secured the only HW BDM commands are available so you have to create communication interface with the device via BDM, start the device in the special mode and then you have to send command which mass erase entire flash. Finally you have to reprogram security byte in the flash. This is a little bit complex process if you want to create it by yourself.

So, ways to unsecure device are:

1) By application SW, the unsecuring feature or backdoor key must by implemented in user’s application.

2) Another way how to unsecure the device is to use unsecure command from CodeWarrior debugger or unsecure program from www.pemicro.com pages.

If you use USB multilink you have to use unsecure Option MultilinkCyclonePro->Unsecure in the CodeWarrior Hiwave Debugger.

or you can use external usecure program which can be downloaded from pemicro pages.

Unsecure_12 (8060 KB): Utility which unsecures HCS12 devices via P&E's BDM Interfaces such as Cyclone-PRO, USB-ML-12, and BDM-Multilink. This version supports the new Rev B Multilink.


Unsecure_12 Help Files (20 KB)  This .hlp file describes the use and operationg of the Unsecure_12 program which is used with P&E's interface devices to unsecure proeviously secured HCS12 microcontrollers.


Best regards,


0 Kudos

NXP TechSupport
NXP TechSupport

I suggest you check an2880.pdf and an2280sw for reference.



it is well documented how to use the Backdoor Access Capability to Unsecure HCS12 MCUs. it could be helpful.

Contributor III

Yes i am using the procedure that is in those documents, BUT i am trying to do it with BDM, not SCI or CAN.

Any other thoughts?

0 Kudos