NXP Semiconductors
FXTH87E
FXTH87E, Family of Tire Pressure Monitor Sensors
6.7.7 Vector redirection
Note: Not recommended for TPMS applications where NXP firmware has been included
in the final image.
Whenever any block protection is enabled, the reset and interrupt vectors will be
protected. Vector redirection allows users to modify interrupt vector information without
unprotecting boot loader and reset vector space. Vector redirection is enabled by
programming the FNORED bit in the NVOPT register located at address 0xFFBF to zero.
For redirection to occur, at least some portion but not all of the FLASH memory must be
block protected by programming the NVPROT register located at address 0xFFBD. All
of the interrupt vectors (memory locations 0xFFC0–0xFFFD) are redirected, though the
reset vector (0xFFFE:FFFF) is not.
For example, if 512 bytes of FLASH are protected, the protected address region is from
0xFE00 through 0xFFFF. The interrupt vectors (0xFFC0–0xFFFD) are redirected to the
locations 0xFDC0–0xFDFD. Now, if an SPI interrupt is taken for instance, the values in
the locations 0xFDE0:FDE1 are used for the vector instead of the values in the locations
0xFFE0:FFE1. This allows the user to reprogram the unprotected portion of the FLASH
with new program code including new interrupt vector values while leaving the protected
area, which includes the default vector locations, unchanged.
6.8 Security
The FXTH87E includes circuitry to prevent unauthorized access to the contents of
FLASH and RAM memory. When security is engaged, FLASH and RAM are considered
secure resources. Direct-page registers, high-page registers, and the BACKGROUND
DEBUG controller are considered unsecured resources. Programs executing within
secure memory have normal access to any MCU memory locations and resources.
Attempts to access a secure memory location with a program executing from an
unsecured memory space or through the BACKGROUND DEBUG interface are blocked
(writes are ignored and reads return all 0s).
Security is engaged or disengaged based on the state of nonvolatile register bits
SEC[1:0] in the FOPT register. During reset, the contents of the nonvolatile location
NVOPT are copied from FLASH into the working FOPT register in high-page register
space. A user engages security by programming the NVOPT location, which can be
done at the same time the FLASH memory is programmed. The SEC[1:0] = 1 0 state
disengages security and the 0 0, 0 1 and 1 1 states engage security. At production, NXP
programs the NVOPT SEC[1:0] = 1 0, which keeps the device unsecured. In this case,
note that SEC[0] is programmed to 0 and it is not possible to reprogram it to 1 without
first erasing the entire memory page. Notice the erased state of SEC[1:0] = 1 1 secures
the device. During development, whenever the FLASH is erased, it is good practice to
immediately program the NVOPT SEC[0] = 0, such that SEC[1:0] = 1 0. This would allow
the MCU to remain unsecured after a subsequent reset.
The on-chip debug module cannot be enabled while the MCU is secure. The separate
BACKGROUND DEBUG controller can still be used for background memory access
commands, but the MCU cannot enter ACTIVE BACKGROUND mode except by holding
BKGD/MS low at the rising edge of reset.
A user can choose to allow or disallow a security unlocking mechanism through an 8-byte
backdoor security key. If the nonvolatile KEYEN bit in NVOPT/FOPT is 0, the backdoor
key is disabled and there is no way to disengage security without completely erasing
all FLASH locations. If KEYEN is 1, a secure user program can temporarily disengage
security by:
FXTH87ERM
All information provided in this document is subject to legal disclaimers.
© NXP B.V. 2019. All rights reserved.
Reference manual
Rev. 5.0 — 4 February 2019
29 / 183
NXP [ NXP ]
