FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Unsecure 9S12T with backdoor key and BDM.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unsecure 9S12T with backdoor key and BDM.

‎03-05-2014 06:13 PM
3,324 Views
PadelisGR
Contributor III

Hi,

 

I am trying to unsecure a 9S12 using BDM and backdoor key.

I have previously set the KEYEN bit and the backdoor key locations in the flash.

So i am trying to unlock it using BDM and following the suggestion in the datasheet:

 

  1. Set the KEYACC bit in the Flash Configuration register FCNFG.
  2. Write the first 16-bit word of the backdoor key to $FF00.
  3. Write the second 16-bit word of the backdoor key to $FF02.
  4. Write the third 16-bit word of the backdoor key to $FF04.
  5. Write the fourth 16-bit word of the backdoor key to $FF06.
  6. Clear the KEYACC bit in the Flash Configuration register FCNFG.

 

A couple lines before that it mentions :

 

  • It is not possible to download the backdoor keys using Background Debug Mode.

 

By "download" does it mean that you cant read the keys?

Anyway i am using this to send the keys :

 

uint16_t pass[4] = { 0xAAAA, 0xAAAA, 0xAAAA, 0xAAAA };

error = USBDM_WriteMemory(MS_Word, 4, 0xFF00, (uint8_t*)pass);

 

Any suggestions on how to make it happen? I have no luck till now.

 

Thank you

 

P.S.: I am reseting in normal single chip mode.

Labels (1)
Labels
Reply
4 Replies

‎09-28-2016 01:12 AM
2,540 Views
gaoweizheng
Contributor I

Can you give me some code about this issue? 

Thank You

0 Kudos
Reply

‎04-11-2014 02:41 AM
2,540 Views
lama
NXP TechSupport
NXP TechSupport

Hi,

I have found this question unanswered and I am not sure the issue is solved. if you have already solved it then I only add some info for other users who run in the same issue.

The way of unsecuring is made via BDM interface by series of commands. In the case when the device is secured the only HW BDM commands are available so you have to create communication interface with the device via BDM, start the device in the special mode and then you have to send command which mass erase entire flash. Finally you have to reprogram security byte in the flash. This is a little bit complex process if you want to create it by yourself.

So, ways to unsecure device are:

1) By application SW, the unsecuring feature or backdoor key must by implemented in user’s application.

2) Another way how to unsecure the device is to use unsecure command from CodeWarrior debugger or unsecure program from www.pemicro.com pages.

If you use USB multilink you have to use unsecure Option MultilinkCyclonePro->Unsecure in the CodeWarrior Hiwave Debugger.

or you can use external usecure program which can be downloaded from pemicro pages.

Unsecure_12 (8060 KB): Utility which unsecures HCS12 devices via P&E's BDM Interfaces such as Cyclone-PRO, USB-ML-12, and BDM-Multilink. This version supports the new Rev B Multilink.

http://www.pemicro.com/downloads/download_file.cfm?download_id=16

Unsecure_12 Help Files (20 KB)  This .hlp file describes the use and operationg of the Unsecure_12 program which is used with P&E's interface devices to unsecure proeviously secured HCS12 microcontrollers.

http://www.pemicro.com/downloads/download_file.cfm?download_id=14

Best regards,

Ladislav

0 Kudos
Reply

‎03-05-2014 07:23 PM
2,540 Views
ZhangJennie
NXP TechSupport
NXP TechSupport

I suggest you check an2880.pdf and an2280sw for reference.


http://www.freescale.com/webapp/sps/download/license.jsp?colCode=AN2880SW


http://cache.freescale.com/files/microcontrollers/doc/app_note/AN2880.pdf




it is well documented how to use the Backdoor Access Capability to Unsecure HCS12 MCUs. it could be helpful.

Reply

‎03-06-2014 02:50 AM
2,540 Views
PadelisGR
Contributor III

Yes i am using the procedure that is in those documents, BUT i am trying to do it with BDM, not SCI or CAN.

Any other thoughts?

0 Kudos
Reply