ColdFire Flash Module (CFM)
MCF52110 ColdFire® Integrated Microcontroller Reference Manual, Rev. 1
17-30
Freescale Semiconductor
Preliminary
If a command is not active (CCIF=1) when the MCU enters stop mode, the ACCERR flag does not set.
17.4.3
Flash Security Operation
The CFM provides security information to the integration module and the rest of the MCU. This security
information is stored within a word in the flash configuration field. This security word is read
automatically after each reset and stored in the CFMSEC register.
In flash normal mode, it is possible to bypass the security via a backdoor access sequence using an 8-byte
long key. Upon successful completion of the backdoor access sequence, the SECSTAT bit in the CFMSEC
register is cleared indicating that the MCU is unsecured.
The CFM may be unsecured by:
•
Executing a backdoor access sequence.
•
Passing a blank check operation on the flash memory.
•
Executing the JTAG lockout recovery sequence.
17.4.3.1
Backdoor Access Sequence
If the KEYEN bits in the CFMSEC register are set to the enabled state, it is possible to bypass security by:
1. Setting the KEYACC bit in the CFMMCR register.
2. Writing the correct 8-byte backdoor comparison key to the flash memory at offset 0x0400 -
0x0407. This operation must be composed of two 32-bit writes to address 0x0400 and 0x0404 in
that order. The two backdoor write cycles can be separated by any number of internal flash bus
cycles.
NOTE
Any attempt to use a key of all zeros or all ones locks the backdoor access
sequence until the CFM is reset.
3. Clearing the KEYACC bit.
4. If all eight bytes written match the flash memory content at offset 0x0400 - 0x0407, security is
bypassed until the next reset.
In the unsecured state, the software has full control of the contents of the 8-byte backdoor comparison key
by programming the bytes at offset 0x0400 - 0x0407 of the flash configuration field. If at any time a key
of all zeroes or all ones is received, the backdoor access sequence is terminated and cannot be successfully
restarted until after the CFM is reset.
The security of the CFM as defined in the flash security word at address offset 0x0414 is not changed by
the executing the backdoor access sequence to unsecure the device. After the next reset sequence, the CFM
is secured again and the same backdoor key is in effect unless the flash configuration field was changed
by program or erase prior to reset. The backdoor access sequence to unsecure the device has no effect on
the program and erase protections defined in the CFM protection register.
The contents of the flash security word at address offset 0x0414 must be changed by programming that
address when the device is unsecured and the sector containing the flash configuration field is unprotected.