const volatile unsigned char NVPROT_INIT @0X0000FFBD=0XC0;
const volatile unsigned char NVPT_INIT @0X0000FFBF=0XFC;
const byte NVBACK_KEY0 @0x0000FFB0 = 0xC0;
const byte NVBACK_KEY1 @0x0000FFB1 = 0xC1;
const byte NVBACK_KEY2 @0x0000FFB2 = 0xC2;
const byte NVBACK_KEY3 @0x0000FFB3 = 0xC3;
const byte NVBACK_KEY4 @0x0000FFB4 = 0xC4;
const byte NVBACK_KEY5 @0x0000FFB5 = 0xC5;
const byte NVBACK_KEY6 @0x0000FFB6 = 0xC6;
const byte NVBACK_KEY7 @0x0000FFB7 = 0xC7;
#define Program_Byte PGM[21]=0X20;temp=((unsigned char(*)(unsigned int,unsigned char))(PGM))
volatile unsigned char PGM[59]=
{
0X87,0XC6,0X18,0X25,0XA5,0X10,0X27,0X08,0XC6,0X18,0X25,0XAA,0X10,0XC7,0X18,
0X25,0X9E,0XE6,0X01,0XF7,0XA6,0X20,0XC7,0X18,0X26,0X45,0X18,0X25,0XF6,0XAA,
0X80,0XF7,0X9D,0X9D,0X9D,0X9D,0X45,0X18,0X25,0XF6,0XF7,0XF6,0XA5,0X30,0X27,
0X04,0XA6,0XFF,0X20,0X07,0XC6,0X18,0X25,0XA5,0X40,0X27,0XF9,0X8A,0X81
};
Decryption process:
DisableInterrupts
FCNFG_KEYACC=1;
temp=Program_Byte(0XFFB0,0XC0);
temp=Program_Byte(0XFFB1,0XC1);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB2,0XC2);
temp=Program_Byte(0XFFB3,0XC3);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB4,0XC4);
temp=Program_Byte(0XFFB5,0XC5);
__RESET_WATCHDOG();
temp=Program_Byte(0XFFB6,0XC6);
temp=Program_Byte(0XFFB6,0XC6);
__RESET_WATCHDOG();
FCNFG_KEYACC=0;
EnableInterrupts
I find that is not useful to unsecure the chip.According to the database sheet,I have no idea to unsecure,Looking forward to your help,thank you!
Solved! Go to Solution.
I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.
Execute this from RAM or data EEPROM:
DisableInterrupts
FCNFG_KEYACC=1;
*(byte*)0xFFB0 = 0xC0;
*(byte*)0xFFB1 = 0xC1;
*(byte*)0xFFB2 = 0xC2;
*(byte*)0xFFB3 = 0xC3;
*(byte*)0xFFB4 = 0xC4;
*(byte*)0xFFB5 = 0xC5;
*(byte*)0xFFB6 = 0xC6;
*(byte*)0xFFB7 = 0xC7;
FCNFG_KEYACC=0;
EnableInterrupts
After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.
Regards
Edward
I guess that your program_byte() routine is flash programming byte in flash. You shouldn't use it for backdoor unsecure.You need to write directly to backdoor key locations in flash as if they were RAM. But since flash is not readable while KEYACC is set, you need to manipulate KEYACC and write backdoor locations while executing from RAM or data EEPROM.
Execute this from RAM or data EEPROM:
DisableInterrupts
FCNFG_KEYACC=1;
*(byte*)0xFFB0 = 0xC0;
*(byte*)0xFFB1 = 0xC1;
*(byte*)0xFFB2 = 0xC2;
*(byte*)0xFFB3 = 0xC3;
*(byte*)0xFFB4 = 0xC4;
*(byte*)0xFFB5 = 0xC5;
*(byte*)0xFFB6 = 0xC6;
*(byte*)0xFFB7 = 0xC7;
FCNFG_KEYACC=0;
EnableInterrupts
After executing it, don't forget to start debug session in "Hotplug" mode. Backdoor key unsecure is effective until reset (or power cycle), which is performed by default by most of debuggers.
Regards
Edward