128 KByte Flash Module (S12FTMRC128K1V1)
register (see Table 13-10) will be changed to unsecure the MCU. Key values of 0x0000 and 0xFFFF are
not permitted as backdoor keys. While the Verify Backdoor Access Key command is active, P-Flash
memory and D-Flash memory will not be available for read access and will return invalid data.
The user code stored in the P-Flash memory must have a method of receiving the backdoor keys from an
external stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If the KEYEN[1:0] bits are in the enabled state (see Section 13.3.2.2), the MCU can be unsecured by the
backdoor key access sequence described below:
1. Follow the command sequence for the Verify Backdoor Access Key command as explained in
Section 13.4.5.11
2. If the Verify Backdoor Access Key command is successful, the MCU is unsecured and the
SEC[1:0] bits in the FSEC register are forced to the unsecure state of 10
The Verify Backdoor Access Key command is monitored by the Memory Controller and an illegal key will
prohibit future use of the Verify Backdoor Access Key command. A reset of the MCU is the only method
to re-enable the Verify Backdoor Access Key command. The security as defined in the Flash security byte
(0x3_FF0F) is not changed by using the Verify Backdoor Access Key command sequence. The backdoor
keys stored in addresses 0x3_FF00-0x3_FF07 are unaffected by the Verify Backdoor Access Key
command sequence. The Verify Backdoor Access Key command sequence has no effect on the program
and erase protections defined in the Flash protection register, FPROT.
After the backdoor keys have been correctly matched, the MCU will be unsecured. After the MCU is
unsecured, the sector containing the Flash security byte can be erased and the Flash security byte can be
reprogrammed to the unsecure state, if desired. In the unsecure state, the user has full control of the
contents of the backdoor keys by programming addresses 0x3_FF00-0x3_FF07 in the Flash configuration
field.
13.5.2 Unsecuring the MCU in Special Single Chip Mode using BDM
A secured MCU can be unsecured in special single chip mode by using the following method to erase the
P-Flash and D-Flash memory:
1. Reset the MCU into special single chip mode
2. Delay while the BDM executes the Erase Verify All Blocks command write sequence to check if
the P-Flash and D-Flash memories are erased
3. Send BDM commands to disable protection in the P-Flash and D-Flash memory
4. Execute the Erase All Blocks command write sequence to erase the P-Flash and D-Flash memory
5. After the CCIF flag sets to indicate that the Erase All Blocks operation has completed, reset the
MCU into special single chip mode
6. Delay while the BDM executes the Erase Verify All Blocks command write sequence to verify that
the P-Flash and D-Flash memory are erased
If the P-Flash and D-Flash memory are verified as erased, the MCU will be unsecured. All BDM
commands will now be enabled and the Flash security byte may be programmed to the unsecure state by
continuing with the following steps:
S12P-Family Reference Manual, Rev. 1.13
Freescale Semiconductor
471
FREESCALE [ Freescale ]
