
Problems unsecuring S08PA4

Question asked by Omar Ayala on Oct 27, 2015
Latest reply on Dec 11, 2015 by Omar Ayala

Hi everyone,

 

I am experiencing problems while trying to unsecure an S08PA4. I need to unsecure the microcontroller (mC) without erasing flash and EEPROM (no mass erase option) to verify after production that the correct software version was flashed on it.

 

I am doing the following:

 

1. Define Backdoor Keys for NV_BACKKEY0, ... NV_BACKKEY7 using a pragma section.

2. Secure mC using a pragma section. I am also enabling the backdoor mechanism by setting KEYEN to 0x2, like this:

 

#pragma section {NVFSEC}

char NV_FSEC_INIT = 0xBC;

#pragma section {}

 

By the way, I am using a COSMIC compiler.

 

The pragma sections are defined in the linker file and are correct (from 0xFF70 to 0xFF77 for the Backkeys and at 0xFF7F for NV_FSEC). I can see that the information is correctly generated in the *.S19 file.

 

3. Define unsecuring sequence to run from EEPROM. Since I ran out of Flash I cannot run the sequence from RAM. I did this again using a pragma section (from 0x3100 to 0x317f). The sequence looks like this:

 

  _asm("sei");                          /* Deactivate interrupts */

  NVM_FSTAT  = Sys_D_BIT7;              /* Launch a new Command */

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_0;

  NVM_FCCOBHI = 0x0C;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_1;

  NVM_FCCOB = Sys_D_KEY_0;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_2;

  NVM_FCCOB = Sys_D_KEY_1;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_3;

  NVM_FCCOB = Sys_D_KEY_2;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_4;

  NVM_FCCOB = Sys_D_KEY_3;

 

After seeing that this was not working, I modified the sequence a little bit. So this is how it looks now.

 

 

 

  NVM_FSTAT  = (Sys_D_BIT5|Sys_D_BIT4);  /* Clear Flash Access Error Flag and Flash Protection Violation Flag*/
  NVM_FSTAT  = Sys_D_BIT7;              /* Launch a new Command */

  while((NVM_FSTAT & Sys_D_BIT7) == Sys_D_BIT7)

  { /* Stay here until CCIF is cleared by HW */

  }

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_0;

  NVM_FCCOBHI = 0x0C;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_1;

  NVM_FCCOB = Sys_D_KEY_0;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_2;

  NVM_FCCOB = Sys_D_KEY_1;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_3;

  NVM_FCCOB = Sys_D_KEY_2;

  NVM_FCCOBIX = Sys_D_FCCOBIX_WORD_4;

  NVM_FCCOB = Sys_D_KEY_3;

  while((NVM_FSTAT & Sys_D_BIT7) == 0x00)

  { /* Stay here until command has finished */

  }

 

4. Download the *.S19 file to target system.

5. Disconnect programming tool.

5. Restart mC. -> The mC would then run its startup routine, which checks the flash and EEPROM checksum before validating the stimulus for activation of the backdoor key procedure.

6. Generate stimulus (at the correct time) to activate the backdoor key procedure.

7. Try to do a hot attach with an iSystem 3000 debugger. (It fails)

8. Try to read the flash. (No information can be read)

 

Am I missing something? Or is something wrong in this procedure?

 

When I run a test without securing the mC, I can hot attach to the mC using the iSystem tool. So I think nothing is wrong with that tool.

 

Thank you in advance for your help.

 

Omar
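
A host-side check of the image described in steps 1 and 2, added here as an example and not part of the original post: it parses the S19 file, verifies each record checksum, and decodes NV_FSEC and the backdoor key at the addresses given above. The NV_FSEC bit layout (KEYEN in bits 7:6, SEC in bits 1:0, only SEC = 0b10 meaning unsecured) is an assumption to confirm against the S08PA4 reference manual, and the sample records and key bytes are constructed.

```python
BACKKEY = range(0xFF70, 0xFF78)   # NV_BACKKEY0..7, addresses from the post
FSEC_ADDR = 0xFF7F                # NV_FSEC, address from the post

# Constructed sample: an 8-byte key record, NV_FSEC = 0xBC, and a terminator.
SAMPLE = "S10BFF700123456789ABCDEFC5\nS104FF7FBCC1\nS9030000FC\n"

def parse_s19(text):
    """Return {address: byte} from S1 records, verifying each checksum."""
    mem = {}
    for n, line in enumerate(text.split(), 1):
        if not line.startswith("S1"):
            continue                          # S0 header, S9 terminator, etc.
        raw = bytes.fromhex(line[2:])         # count, addr(2), data..., checksum
        if len(raw) < 4 or raw[0] != len(raw) - 1:
            raise ValueError(f"record {n}: bad byte count")
        if (~sum(raw[:-1])) & 0xFF != raw[-1]:
            raise ValueError(f"record {n}: bad checksum")
        addr = int.from_bytes(raw[1:3], "big")
        for i, b in enumerate(raw[3:-1]):
            mem[addr + i] = b
    return mem

def check_security(mem):
    """Decode NV_FSEC and the backdoor key (bit layout is an assumption)."""
    missing = [a for a in [*BACKKEY, FSEC_ADDR] if a not in mem]
    if missing:
        raise ValueError("image lacks " + ", ".join(f"0x{a:04X}" for a in missing))
    fsec = mem[FSEC_ADDR]
    key = bytes(mem[a] for a in BACKKEY)
    return {
        "fsec": fsec,
        "key": key,
        "backdoor_enabled": (fsec >> 6) == 0b10,   # KEYEN = 0x2, as in the post
        "secured": (fsec & 0x3) != 0b10,           # assumed SEC encoding
        # An erased (all 0xFF) or all-zero key is worth flagging before release.
        "key_is_blank": key in (b"\xff" * 8, b"\x00" * 8),
    }

if __name__ == "__main__":
    print(check_security(parse_s19(SAMPLE)))
```
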
