Michael Christie

Problem Securing HCS12 flash

Discussion created by Michael Christie on Feb 19, 2007
Latest reply on Aug 5, 2015 by Miroslav Vaclavek
I'm working on a project involving the HCS12 (specifically the MC9S12DP512) and I'm having problems securing/unsecuring the flash memory.
 
My intention was to secure and unsecure the flash through firmware routines that could be called through one of the SCI ports.
So far, I have been able to write routines that allow me to secure the flash and also unsecure the flash but there's a few issues.  The main one is that, despite setting a backdoor key when securing the device, the flash can be unsecured just by changing the value of $FF0F (ie. without doing any writing to $FF00 - $FF07.)  Note that consecutive lock-unlock operations are done with a reset inbetween.
 
Another problem is that, if I do try to unsecure the device through the backdoor key method, the MCU seems to hang as soon as I try to set KEYACC in FCNFG.  Note that this only occurs once the device is locked.
 
Finally, when the device is unlocked, I've noticed that I cannot use bset to set KEYACC and instead have to do a full write to FCNFG.  A bset simply doesn't set KEYACC.
 
I suspect that the first two issues may be due to me not securing the device correctly.  While the Freescale documentation explains how to unsecure the device there doesn't seem to be any explicit explanation on how to secure it in the first place.  This is the design of the current routine:-
  1. FCNFG = 0x20 (KEYACC)
  2. Write backdoor keys to $FF00 - $FF07 (written directly, not through flash writing routine)
  3. FCNFG = 0
  4. Copy vector table into ram
  5. Erase Sector starting at $FC00
  6. Rewrite vector table into flash (through flash writing routine)
  7. Set $FF0F to 0xBC (written as word (0xFFBC) starting at $FF0E through flash writing routine.)

This is the unsecure routine that I'm trying to get to work (but hangs at step 1)

  1. FCNFG = 0x20 (KEYACC)
  2. Write backdoor keys to $FF00 - $FF07 (written directly, not through flash writing routine)
  3. FCNFG = 0
  4. Copy vector table into ram
  5. Erase Sector starting at $FC00
  6. Rewrite vector table into flash (through flash writing routine)
  7. Set $FF0F to 0xFE (written as word (0xFFFE) starting at $FF0E through flash writing routine.)

Doing steps 4 to 7 of the unsecure routine currently unsecures the device.

Any idea what could be causing the problems?

Outcomes