Chapter 18 32 Kbyte Flash Module (S12FTS32KV1)
Freescale Semiconductor
MC9S12C-Family / MC9S12GC-Family
Rev 01.24
addresses sequentially starting with 0xFF00–0xFF01 and ending with 0xFF06–0xFF07. The values 0x0000
and 0xFFFF are not permitted as keys. When the KEYACC bit is set, reads of the Flash array will return
invalid data.
The user code stored in the Flash array must have a method of receiving the backdoor key from an external
stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If KEYEN[1:0] = 1:0 in the FSEC register, the MCU can be unsecured by the backdoor key access
sequence described below:
1. Set the KEYACC bit in the FCNFG register
2. Write the correct four 16-bit words to Flash addresses 0xFF00–0xFF07 sequentially starting with
0xFF00
3. Clear the KEYACC bit in the FCNFG register
4. If all four 16-bit words match the backdoor key stored in Flash addresses 0xFF00–0xFF07, the
MCU is unsecured and bits SEC[1:0] in the FSEC register are forced to the unsecure state of 1:0
The backdoor key access sequence is monitored by the internal security state machine. An illegal operation
during the backdoor key access sequence will cause the security state machine to lock, leaving the MCU
in the secured state. A reset of the MCU will cause the security state machine to exit the lock state and
allow a new backdoor key access sequence to be attempted. The following illegal operations will lock the
security state machine:
1. If any of the four 16-bit words does not match the backdoor key programmed in the Flash array
2. If the four 16-bit words are written in the wrong sequence
3. If more than four 16-bit words are written
4. If any of the four 16-bit words written are 0x0000 or 0xFFFF
5. If the KEYACC bit does not remain set while the four 16-bit words are written
After the backdoor key access sequence has been correctly matched, the MCU will be unsecured. The
Flash security byte can be programmed to the unsecure state, if desired.
In the unsecure state, the user has full control of the contents of the four-word backdoor key by
programming bytes 0xFF00–0xFF07 of the Flash configuration field.
The security as defined in the Flash security/options byte at address 0xFF0F is not changed by using the
backdoor key access sequence to unsecure. The backdoor key stored in addresses 0xFF00–0xFF07 is
unaffected by the backdoor key access sequence. After the next reset sequence, the security state of the
Flash module is determined by the Flash security/options byte at address 0xFF0F. The backdoor key access
sequence has no effect on the program and erase protection defined in the FPROT register.
It is not possible to unsecure the MCU in special single chip mode by executing the backdoor key access
sequence in background debug mode.
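The four-step sequence and the five lock conditions above can be exercised on a host with a small model of the security state machine, for unit-testing firmware that receives a key over a serial port. This is an added example, not Freescale code: every type and function name is hypothetical and the key value is constructed. It assumes the machine locks as soon as an illegal operation occurs, that the sequence is ignored when KEYEN[1:0] is not 1:0, and that reset always returns to the secured state.

```c
#include <stdbool.h>
#include <stdint.h>
/* Host-side model only; all type and function names are hypothetical. */
enum sec_state { SECURED, UNSECURED, LOCKED };
struct sec_model {
    uint16_t key[4];   /* backdoor key as stored at 0xFF00-0xFF07 */
    bool key_enabled;  /* true when KEYEN[1:0] = 1:0 in FSEC */
    bool keyacc;       /* KEYACC bit in FCNFG */
    unsigned written;  /* key words accepted so far */
    enum sec_state state;
};

/* MCU reset leaves the lock state; this model always comes back secured. */
void sec_reset(struct sec_model *m) { m->keyacc = false; m->written = 0; m->state = SECURED; }

/* Write the KEYACC bit (steps 1 and 3 of the sequence). */
void sec_set_keyacc(struct sec_model *m, bool on) {
    if (m->state == SECURED && m->key_enabled && m->keyacc && !on)
        m->state = (m->written == 4) ? UNSECURED : LOCKED; /* early clear: op 5 */
    if (on && !m->keyacc) m->written = 0;                  /* new sequence */
    m->keyacc = on;
}

/* 16-bit write to a Flash address (step 2). */
void sec_write_word(struct sec_model *m, uint16_t addr, uint16_t value) {
    if (m->state != SECURED || !m->key_enabled || !m->keyacc)
        return;                                  /* not part of a key sequence */
    if (m->written >= 4                          /* illegal op 3 */
        || addr != 0xFF00u + 2u * m->written     /* illegal op 2 */
        || value == 0x0000u || value == 0xFFFFu  /* illegal op 4 */
        || value != m->key[m->written])          /* illegal op 1 */
        m->state = LOCKED;
    else
        m->written++;
}

/* Run steps 1-4 with a candidate key and return the resulting state. */
enum sec_state sec_try_key(struct sec_model *m, const uint16_t k[4]) {
    sec_set_keyacc(m, true);
    for (unsigned i = 0; i < 4; i++)
        sec_write_word(m, (uint16_t)(0xFF00u + 2u * i), k[i]);
    sec_set_keyacc(m, false);
    return m->state;
}

int main(void) {
    struct sec_model m = { {0x1234, 0x5678, 0x9ABC, 0xDEF0}, true, false, 0, SECURED };
    return sec_try_key(&m, m.key) == UNSECURED ? 0 : 1; /* constructed key matches */
}
```

In this model a locked machine stays locked for every later attempt, including one with the correct key, until `sec_reset` is called.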