David Kelly

S12 Flash Protection, Security, and the Backdoor

Discussion created by David Kelly on Nov 5, 2008
Latest reply on Nov 6, 2008 by David Kelly
Going around in circles trying to retrofit a fielded product. Believe I have finally demonstrated and found documentation confirming our situation is hopeless but want a second opinion. Briefly:

CPU is an S12NE64. The FPROT initial value stored in 0xff0d is 0xc7, protecting 0xf800 through 0xffff from being written or erased. Is there any way from inside the S12NE64 to modify this memory region without physical access to the chip and/or product?

Have no problems updating the contents outside of 0xf800 to 0xffff.

The FSEC initial value stored in 0xff0f is 0xfe which is the "unsecured" value, and apparently not relevant to my problem.

The Backdoor key apparently has nothing to do with protection (against accidental write), only security (locked against copying using a BDM). The backdoor will do nothing to allow me to change 0xf800 through 0xffff from within, even if SEC[1:0] in FSEC was not already 0b10 unsecured.

The FPROT register is essentially moot when running on the BDM. Firmware has no problem updating 0xf800 through 0xffff when running with the BDM attached but fails when BDM is not attached. Is there anything I can do in firmware to make the S12 think a BDM is attached when it is not?

Related problem: There is apparently no way to RESET the CPU from inside if COP is disabled. Someone disabled COP from within our _Startup() which is located in the protected region. This is the primary thing I'm trying to fix with a remote firmware update. If COP was enabled "ARMCOP = 0" promptly trips the COP and produces a RESET. Nobody thought to route an output pin to the RESET pin for software initiated hardware resets.