HC08 locking from prying eyes...

Bloodhound
Contributor I
Hi All,
 
Just wondering on the locking system employed in the HC08. Is it that by default the device is locked simply because the values at FFF6+ define the lock codes and therefore will probably be different for every application depending on the addresses in those locations?
 
If that is true, it would be possible to define your own lock code by doing something like below?
 
 org $F000
IntError1:
        jmp   Init   ; Init could be anything....
 org $F010
IntError2:
        jmp   Init
 org $FF10
IntError3:
        jmp   Init
 org $FF20
IntError4:
        jmp   Init
;=======================================
; Interrupt Vectors
;---------------------------------------
 org $FFF6
        fdb   IntError1                 ; $FFF6 = TIM1 Channel 0
        fdb   IntError2                 ; $FFF8 = PLL
        fdb   IntError3                 ; $FFFA = IRQ
        fdb   IntError4                 ; $FFFC = SWI
 
So in this situation the lock code for that program would be
F000F010FF10FF20
 
Thanks,
Ross
4 Replies

Bloodhound
Contributor I
Peg, it makes more sense what you say to have one of the vectors pointing to a section in the code that will move as versions might change.
Thanks for the replies.
 
Cheers,
Ross

Ake
Contributor II
Hi,
The secure table lies at $fff6 - $fffd, which can contain real interrupt addresses at 2 words (or 4 bytes) which leaves half the secure code unknown.
 
Suppose that you do not fill in some random number at the missing 4 bytes, that is, they will read $ff as default there; this leaves 8^4 = 4096 combinations.
 
If further the reset vectors point into a table, with jump instructions to the addresses, and the vector is at the first byte in the Flash EPROM code, then you are making it very easy for the code burglar.
 
But if the jump instructions are placed somewhere else in the Flash EPROM, or if the table does not include jump instructions only, then it is quite a bit more difficult to find out the real secure code.
 
Regards,
Ake

Nabla69
Contributor V
Hello Ross,

You are exactly right!!!

Cheers,
Alban.

peg
Senior Contributor IV
Hi Bloodhound,

Yes, you seem to have sniffed it out.

I like the way it just happens and you don't have to remember to explicitly lock it like you now have to do on the S08s. When rushing a fix or mod out the door it is too easy to forget, especially when you deliberately left it open for debugging. With the HC08 it's always secured.

But, why do you want to force it to a certain code? Far better to have the ISRs (real or dummy) in the middle of your code and at the top. That way the code changes as versions change (even more secure).

The tools can extract the code from your source so there is no need to remember (or even know) what the code is.

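Added example, not part of the thread and not any vendor tool's code: a Python sketch of pulling the eight security bytes at $FFF6-$FFFD out of your own build's Motorola S19 image, and flagging locations the image leaves erased (the case Ake describes). The two S-record images are constructed samples; FULL uses the vector values from the listing in the first post, and the function names are hypothetical.

```python
SEC_START, SEC_END = 0xFFF6, 0xFFFD  # security byte range quoted in the thread

# Constructed sample images (not real firmware). FULL carries the four vectors
# from the listing in the first post; HALF programs only $FFF6-$FFF9.
FULL = "S10BFFF6F000F010FF10FF20E1\nS9030000FC\n"
HALF = "S107FFF6F000F01013\nS9030000FC\n"

def load_s19(text):
    """Parse S1 records (16-bit address) into {address: byte}, checking each checksum."""
    mem = {}
    for n, line in enumerate(text.split(), 1):
        if not line.startswith("S1"):
            continue  # S0 header and S9 terminator carry no image data
        raw = bytes.fromhex(line[2:])  # count, addr hi, addr lo, data..., checksum
        if raw[0] != len(raw) - 1 or (sum(raw) & 0xFF) != 0xFF:
            raise ValueError(f"record {n}: bad byte count or checksum")
        addr = int.from_bytes(raw[1:3], "big")
        for offset, value in enumerate(raw[3:-1]):
            mem[addr + offset] = value
    return mem

def security_code(mem):
    """The 8 security bytes; locations the image never programs read as erased $FF."""
    return bytes(mem.get(a, 0xFF) for a in range(SEC_START, SEC_END + 1))

def review(mem):
    """Warn about security bytes that add nothing to the code."""
    warnings = []
    missing = [a for a in range(SEC_START, SEC_END + 1) if a not in mem]
    if missing:
        warnings.append(f"{len(missing)} security byte(s) left erased ($FF): "
                        + " ".join(f"${a:04X}" for a in missing))
    if len(set(security_code(mem))) == 1:
        warnings.append("all 8 security bytes are identical")
    return warnings

if __name__ == "__main__":
    for name, image in (("FULL", FULL), ("HALF", HALF)):
        mem = load_s19(image)
        print(name, security_code(mem).hex().upper(), review(mem) or "ok")
```

Running a check like this as a build step keeps the code on record for each released version without anyone having to work it out by hand.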