About s12g96 using backdoor secret key decryption problem

suaihome · ‎07-16-2018

My processor is s12g96. I set the backdoor key to be four 1, and then use the following code to decrypt, but the decryption did not succeed.

static const unsigned char NVFSEC_INIT @0x0000FF0FU = 0xBDU;

/* BAKEY0: KEY=1 */
static const unsigned int BAKEY0_INIT @0x0000FF00U = 0x01U;

/* BAKEY1: KEY=2 */
static const unsigned int BAKEY1_INIT @0x0000FF02U = 0x01U;
//
/* BAKEY2: KEY=3 */
static const unsigned int BAKEY2_INIT @0x0000FF04U = 0x01U;
//
/* BAKEY3: KEY=4 */
static const unsigned int BAKEY3_INIT @0x0000FF06U = 0x01U;

The following is the decryption code

#pragma push
#pragma CODE_SEG RAM_CODE
void PFlash_Verify_Backdoor_Access_Key()
{
//验证秘钥
U8 i;
enter_cirtical(); //禁止中断
while((FSTAT & FSTAT_CCIF_MASK) == 0); //wait if command in progress
FSTAT = 0x30; //clear ACCERR and PVIOL

FCCOBIX = 0x00;
FCCOB = 0x0C00;
for(i=0;i<4;i++)
{
FCCOBIX++; /* Shift index register */
FCCOB = 0x01U; /*fill key0~3*/
}

FSTAT = 0x80; //launch command
while((FSTAT & FSTAT_CCIF_MASK) == 0); //wait for done
exit_cirtical(); //
}
#pragma pop

RadekS · ‎07-17-2018

Hi Li Yu,

Please ensure that your BAKEY0_INIT .. BAKEY3_INIT constants are part of the compiled code and not optimized out. You may search their name in the map file.

If they are optimized out as unused, please enter their name into ENTRIES section in prm file. That will prevent against optimizing it out as unused.

Please look at G128-Security-CW51 example for your reference:

https://community.nxp.com/docs/DOC-93792

I hope it helps you.

Have a great day,
Radek

kef2 · ‎07-17-2018

Hi Li Yu,

You code looks good, perhaps I don't see something. But how do you verify whether unsecure succeeds or not? With Code Warrior? Didn't you forget to use "hotplug" debugging instead of default "reset into special single chip mode"? Default debugging settings lead to MCU reset, which reengages security.

Edward