Hi,I am Using Freescale MC9S08DZ60 in my project,I want to allow backdoor key access memory.The example Code is as follows :

少峰孙 · ‎05-18-2016

const volatile unsigned char NVPROT_INIT @0X0000FFBD=0XC0;

const volatile unsigned char NVPT_INIT @0X0000FFBF=0XFC;

const byte NVBACK_KEY0 @0x0000FFB0 = 0xC0;

const byte NVBACK_KEY1 @0x0000FFB1 = 0xC1;

const byte NVBACK_KEY2 @0x0000FFB2 = 0xC2;

const byte NVBACK_KEY3 @0x0000FFB3 = 0xC3;

const byte NVBACK_KEY4 @0x0000FFB4 = 0xC4;

const byte NVBACK_KEY5 @0x0000FFB5 = 0xC5;

const byte NVBACK_KEY6 @0x0000FFB6 = 0xC6;

const byte NVBACK_KEY7 @0x0000FFB7 = 0xC7;

#define Program_Byte PGM[21]=0X20;temp=((unsigned char(*)(unsigned int,unsigned char))(PGM))

volatile unsigned char PGM[59]=

{

0X87,0XC6,0X18,0X25,0XA5,0X10,0X27,0X08,0XC6,0X18,0X25,0XAA,0X10,0XC7,0X18,

0X25,0X9E,0XE6,0X01,0XF7,0XA6,0X20,0XC7,0X18,0X26,0X45,0X18,0X25,0XF6,0XAA,

0X80,0XF7,0X9D,0X9D,0X9D,0X9D,0X45,0X18,0X25,0XF6,0XF7,0XF6,0XA5,0X30,0X27,

0X04,0XA6,0XFF,0X20,0X07,0XC6,0X18,0X25,0XA5,0X40,0X27,0XF9,0X8A,0X81

};

Decryption process：

DisableInterrupts

FCNFG_KEYACC=1;

temp=Program_Byte(0XFFB0,0XC0);

temp=Program_Byte(0XFFB1,0XC1);

__RESET_WATCHDOG();

temp=Program_Byte(0XFFB2,0XC2);

temp=Program_Byte(0XFFB3,0XC3);

__RESET_WATCHDOG();

temp=Program_Byte(0XFFB4,0XC4);

temp=Program_Byte(0XFFB5,0XC5);

__RESET_WATCHDOG();

temp=Program_Byte(0XFFB6,0XC6);

__RESET_WATCHDOG();

FCNFG_KEYACC=0;

EnableInterrupts

I find that is not useful to unsecure the chip.According to the database sheet,I have no idea to unsecure,Looking forward to your help，thank you!

kef2 · ‎05-23-2016

I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.

Execute this from RAM or data EEPROM:

DisableInterrupts

FCNFG_KEYACC=1;

*(byte*)0xFFB0 = 0xC0;

*(byte*)0xFFB1 = 0xC1;

*(byte*)0xFFB2 = 0xC2;

*(byte*)0xFFB3 = 0xC3;

*(byte*)0xFFB4 = 0xC4;

*(byte*)0xFFB5 = 0xC5;

*(byte*)0xFFB6 = 0xC6;

*(byte*)0xFFB7 = 0xC7;

FCNFG_KEYACC=0;

EnableInterrupts

After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.

Regards

Edward

View solution in original post

kef2 · ‎05-23-2016

I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.

Execute this from RAM or data EEPROM:

DisableInterrupts

FCNFG_KEYACC=1;

*(byte*)0xFFB0 = 0xC0;

*(byte*)0xFFB1 = 0xC1;

*(byte*)0xFFB2 = 0xC2;

*(byte*)0xFFB3 = 0xC3;

*(byte*)0xFFB4 = 0xC4;

*(byte*)0xFFB5 = 0xC5;

*(byte*)0xFFB6 = 0xC6;

*(byte*)0xFFB7 = 0xC7;

FCNFG_KEYACC=0;

EnableInterrupts

After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.

Regards

Edward

Hi,I am Using Freescale MC9S08DZ60 in my project,I want to allow backdoor key access memory.The example Code is as follows :

Hi,I am Using Freescale MC9S08DZ60 in my project,I want to allow backdoor key access memory.The example Code is as follows :

General