Forums

secure bootloader

Started by Michael Huslig August 29, 2003
Gentlemen:

I have implemented a version of Gordon's serial bootloader (AN2153). It
uses encryption so that the S19 file is not readable by the end user.
However when I set the security bits to '00' in the loader code and use the
BDM to put the loader into flash, the loader program doesn't seem to be able
to program the rest of the flash. I tried having the loader program write
to the backdoor first, but then the loader locked. Anyone have any
insights?

Mike Huslig



Michael,

You have run into errata MUCts00603 (Program & Erase of Flash blocked in
Normal Single Chip Mode when secure) as shown below. As the workaround
states, you can temporarily disable security using the backdoor key
operation. Make sure you are following the proper sequence as described
in the Flash user's Guide. Also note that this errata was fixed in the
2K79X mask set of the MC9S12DP256.

Regards,
Gordon

In normal single chip mode, when security is enabled, it is not possible
to launch the Program ($20), Sector-Erase ($40) and Erase- Verify ($05)
commands in the flash. The Mass-Erase ($41) command can be launched.

Workaround
To enable the Program ($20), Sector-Erase ($40)and Erase-Verify ($05)
commands in the flash, security must bedisabled via the backdoor key
sequence. See Flash User Guide for details of the backdoor key operation.

Michael Huslig wrote:

>Gentlemen:
>
>I have implemented a version of Gordon's serial bootloader (AN2153). It
>uses encryption so that the S19 file is not readable by the end user.
>However when I set the security bits to '00' in the loader code and use the
>BDM to put the loader into flash, the loader program doesn't seem to be able
>to program the rest of the flash. I tried having the loader program write
>to the backdoor first, but then the loader locked. Anyone have any
>insights?
>
>Mike Huslig >
>
>-------------------- >
>">http://docs.yahoo.com/info/terms/ >

--
===============================================================
Gordon Doughman Ph: 937-438-6811
Motorola Semiconductor Fax: 937-434-7457
Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
Suite 175
3131 Newmark Drive
Miamisburg, OH 45342

Check out my HC12 book at:
http://www.rtcbooks.com/programming.php



Gordon,

I have included the code I am trying to use with the security feature in
my/your bootloader program. If the SECURED switch is off when I assemble,
the BDM loaded bootloader works fine. If I just clear the security bits at
FF0F, reassemble and BDM load, the bootloader operates but will not program
the flash as per the errata. If the SECURED switch is on so that the code
tries to use the backdoor, the BDM loaded bootloader just hangs when started
and does nothing whatsoever. Am I missing something

if SECURED
BSET FCNFG,#FCNFG.KEYACC
LDD #KEYFF00 ;do backdoor before RAM overlays Flash
STD $FF00
LDD #KEYFF02
STD $FF02
LDD #KEYFF04
STD $FF04
LDD #KEYFF06
STD $FF06
BCLR FCNFG,#FCNFG.KEYACC
endif

LDX #$F000 ; point to the start of the Flash bootloader in
Flash.
LDY #$3000 ; point to the start of on-chip RAM.
COPYLP
MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
TBNE X,COPYLP ; dec byte count, move till done.

; write to the INITRM register to overlay the Flash bootblock at $F000 with
RAM from $3000.
LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
if *&1
NOP
endif
STAB >INITRM ; this instruction MUST use extended addressing ORG $FF00
DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
DC.W $FFFF
DC.B $FF ; no protection for Flash block 3
DC.B $FF ; no protection for Flash block 2
DC.B $FF ; no protection for Flash block 1
DC.B $CF ; setup a 4K bootblock in Flash block 0.
DC.B $FF
if SECURED
DC.B $FC ; security byte (secured, backdoor enabled)
else
DC.B $FE ; security byte (unsecured, backdoor enabled)
endif

Mike ----- Original Message -----
From: "Gordon Doughman" <>
To: <>
Sent: Friday, August 29, 2003 9:56 AM
Subject: Re: [68HC12] secure bootloader > Michael,
>
> You have run into errata MUCts00603 (Program & Erase of Flash blocked in
> Normal Single Chip Mode when secure) as shown below. As the workaround
> states, you can temporarily disable security using the backdoor key
> operation. Make sure you are following the proper sequence as described
> in the Flash user's Guide. Also note that this errata was fixed in the
> 2K79X mask set of the MC9S12DP256.
>
> Regards,
> Gordon
>
> In normal single chip mode, when security is enabled, it is not possible
> to launch the Program ($20), Sector-Erase ($40) and Erase- Verify ($05)
> commands in the flash. The Mass-Erase ($41) command can be launched.
>
> Workaround
> To enable the Program ($20), Sector-Erase ($40)and Erase-Verify ($05)
> commands in the flash, security must bedisabled via the backdoor key
> sequence. See Flash User Guide for details of the backdoor key operation.
>
> Michael Huslig wrote:
>
> >Gentlemen:
> >
> >I have implemented a version of Gordon's serial bootloader (AN2153). It
> >uses encryption so that the S19 file is not readable by the end user.
> >However when I set the security bits to '00' in the loader code and use
the
> >BDM to put the loader into flash, the loader program doesn't seem to be
able
> >to program the rest of the flash. I tried having the loader program
write
> >to the backdoor first, but then the loader locked. Anyone have any
> >insights?
> >
> >Mike Huslig
> >
> >
> >
> >
> >--------------------
> >
> >
> >
> >">http://docs.yahoo.com/info/terms/
> >
> >
> >
>
> --
> ===============================================================
> Gordon Doughman Ph: 937-438-6811
> Motorola Semiconductor Fax: 937-434-7457
> Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> Suite 175
> 3131 Newmark Drive
> Miamisburg, OH 45342
>
> Check out my HC12 book at:
> http://www.rtcbooks.com/programming.php > -------------------- >
> ">http://docs.yahoo.com/info/terms/ >
>


Mike,

As the description below indicates, when the KEYACC bit is set, reads of
the flash array return invalid data. Hence, why the bootloader just
hangs. Unfortunately, you will first have to copy the unlock sequence
into RAM, execute the unlock sequence from RAM, return to Flash, copy
the bootloader into RAM and finally overlay the Flash with the RAM.

Regards,
Gordon

KEYACC Enable Security Key Writing.
1 = Writes to Flash array are interpreted as keys to open the backdoor.
Reads of the Flash array
return invalid data.
0 = Flash writes are interpreted as the start of a program or erase
sequence.

Michael Huslig wrote:

>Gordon,
>
>I have included the code I am trying to use with the security feature in
>my/your bootloader program. If the SECURED switch is off when I assemble,
>the BDM loaded bootloader works fine. If I just clear the security bits at
>FF0F, reassemble and BDM load, the bootloader operates but will not program
>the flash as per the errata. If the SECURED switch is on so that the code
>tries to use the backdoor, the BDM loaded bootloader just hangs when started
>and does nothing whatsoever. Am I missing something
>
> if SECURED
> BSET FCNFG,#FCNFG.KEYACC
> LDD #KEYFF00 ;do backdoor before RAM overlays Flash
> STD $FF00
> LDD #KEYFF02
> STD $FF02
> LDD #KEYFF04
> STD $FF04
> LDD #KEYFF06
> STD $FF06
> BCLR FCNFG,#FCNFG.KEYACC
> endif
>
> LDX #$F000 ; point to the start of the Flash bootloader in
>Flash.
> LDY #$3000 ; point to the start of on-chip RAM.
>COPYLP
> MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
> TBNE X,COPYLP ; dec byte count, move till done.
>
>; write to the INITRM register to overlay the Flash bootblock at $F000 with
>RAM from $3000.
> LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
> if *&1
> NOP
> endif
> STAB >INITRM ; this instruction MUST use extended addressing > ORG $FF00
> DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
> DC.W $FFFF
> DC.B $FF ; no protection for Flash block 3
> DC.B $FF ; no protection for Flash block 2
> DC.B $FF ; no protection for Flash block 1
> DC.B $CF ; setup a 4K bootblock in Flash block 0.
> DC.B $FF
> if SECURED
> DC.B $FC ; security byte (secured, backdoor enabled)
> else
> DC.B $FE ; security byte (unsecured, backdoor enabled)
> endif
>
>Mike >----- Original Message -----
>From: "Gordon Doughman" <>
>To: <>
>Sent: Friday, August 29, 2003 9:56 AM
>Subject: Re: [68HC12] secure bootloader >
>>Michael,
>>
>>You have run into errata MUCts00603 (Program & Erase of Flash blocked in
>>Normal Single Chip Mode when secure) as shown below. As the workaround
>>states, you can temporarily disable security using the backdoor key
>>operation. Make sure you are following the proper sequence as described
>>in the Flash user's Guide. Also note that this errata was fixed in the
>>2K79X mask set of the MC9S12DP256.
>>
>>Regards,
>>Gordon
>>
>>In normal single chip mode, when security is enabled, it is not possible
>>to launch the Program ($20), Sector-Erase ($40) and Erase- Verify ($05)
>>commands in the flash. The Mass-Erase ($41) command can be launched.
>>
>>Workaround
>>To enable the Program ($20), Sector-Erase ($40)and Erase-Verify ($05)
>>commands in the flash, security must bedisabled via the backdoor key
>>sequence. See Flash User Guide for details of the backdoor key operation.
>>
>>Michael Huslig wrote:
>>
>>
>>>Gentlemen:
>>>
>>>I have implemented a version of Gordon's serial bootloader (AN2153). It
>>>uses encryption so that the S19 file is not readable by the end user.
>>>However when I set the security bits to '00' in the loader code and use
>>>
>the
>
>>>BDM to put the loader into flash, the loader program doesn't seem to be
>>>
>able
>
>>>to program the rest of the flash. I tried having the loader program
>>>
>write
>
>>>to the backdoor first, but then the loader locked. Anyone have any
>>>insights?
>>>
>>>Mike Huslig
>>>
>>>
>>>
>>>
>>>--------------------
>>>
>>>
>>>
>>>">http://docs.yahoo.com/info/terms/
>>>
>>>
>>>
>>>
>>--
>>===============================================================
>>Gordon Doughman Ph: 937-438-6811
>>Motorola Semiconductor Fax: 937-434-7457
>>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
>>Suite 175
>>3131 Newmark Drive
>>Miamisburg, OH 45342
>>
>>Check out my HC12 book at:
>>http://www.rtcbooks.com/programming.php
>>
>>
>>
>>
>>
>>--------------------
>>
>>
>>
>>">http://docs.yahoo.com/info/terms/
>>
>>
>>
>>
> >
>
>-------------------- >
>">http://docs.yahoo.com/info/terms/ >

--
===============================================================
Gordon Doughman Ph: 937-438-6811
Motorola Semiconductor Fax: 937-434-7457
Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
Suite 175
3131 Newmark Drive
Miamisburg, OH 45342

Check out my HC12 book at:
http://www.rtcbooks.com/programming.php



Thanks Gordon,

My mistake. I understood it to mean that reads of the key code bytes
FF00-FF07 would return invalid data.

Mike

----- Original Message -----
From: "Gordon Doughman" <>
To: <>
Sent: Friday, August 29, 2003 1:03 PM
Subject: Re: [68HC12] secure bootloader > Mike,
>
> As the description below indicates, when the KEYACC bit is set, reads of
> the flash array return invalid data. Hence, why the bootloader just
> hangs. Unfortunately, you will first have to copy the unlock sequence
> into RAM, execute the unlock sequence from RAM, return to Flash, copy
> the bootloader into RAM and finally overlay the Flash with the RAM.
>
> Regards,
> Gordon
>
> KEYACC Enable Security Key Writing.
> 1 = Writes to Flash array are interpreted as keys to open the backdoor.
> Reads of the Flash array
> return invalid data.
> 0 = Flash writes are interpreted as the start of a program or erase
> sequence.
>
> Michael Huslig wrote:
>
> >Gordon,
> >
> >I have included the code I am trying to use with the security feature in
> >my/your bootloader program. If the SECURED switch is off when I
assemble,
> >the BDM loaded bootloader works fine. If I just clear the security bits
at
> >FF0F, reassemble and BDM load, the bootloader operates but will not
program
> >the flash as per the errata. If the SECURED switch is on so that the
code
> >tries to use the backdoor, the BDM loaded bootloader just hangs when
started
> >and does nothing whatsoever. Am I missing something
> >
> > if SECURED
> > BSET FCNFG,#FCNFG.KEYACC
> > LDD #KEYFF00 ;do backdoor before RAM overlays Flash
> > STD $FF00
> > LDD #KEYFF02
> > STD $FF02
> > LDD #KEYFF04
> > STD $FF04
> > LDD #KEYFF06
> > STD $FF06
> > BCLR FCNFG,#FCNFG.KEYACC
> > endif
> >
> > LDX #$F000 ; point to the start of the Flash bootloader in
> >Flash.
> > LDY #$3000 ; point to the start of on-chip RAM.
> >COPYLP
> > MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
> > TBNE X,COPYLP ; dec byte count, move till done.
> >
> >; write to the INITRM register to overlay the Flash bootblock at $F000
with
> >RAM from $3000.
> > LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
> > if *&1
> > NOP
> > endif
> > STAB >INITRM ; this instruction MUST use extended addressing
> >
> >
> > ORG $FF00
> > DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
> > DC.W $FFFF
> > DC.B $FF ; no protection for Flash block 3
> > DC.B $FF ; no protection for Flash block 2
> > DC.B $FF ; no protection for Flash block 1
> > DC.B $CF ; setup a 4K bootblock in Flash block 0.
> > DC.B $FF
> > if SECURED
> > DC.B $FC ; security byte (secured, backdoor enabled)
> > else
> > DC.B $FE ; security byte (unsecured, backdoor enabled)
> > endif
> >
> >Mike
> >
> >
> >----- Original Message -----
> >From: "Gordon Doughman" <>
> >To: <>
> >Sent: Friday, August 29, 2003 9:56 AM
> >Subject: Re: [68HC12] secure bootloader
> >
> >
> >
> >>Michael,
> >>
> >>You have run into errata MUCts00603 (Program & Erase of Flash blocked in
> >>Normal Single Chip Mode when secure) as shown below. As the workaround
> >>states, you can temporarily disable security using the backdoor key
> >>operation. Make sure you are following the proper sequence as described
> >>in the Flash user's Guide. Also note that this errata was fixed in the
> >>2K79X mask set of the MC9S12DP256.
> >>
> >>Regards,
> >>Gordon
> >>
> >>In normal single chip mode, when security is enabled, it is not possible
> >>to launch the Program ($20), Sector-Erase ($40) and Erase- Verify ($05)
> >>commands in the flash. The Mass-Erase ($41) command can be launched.
> >>
> >>Workaround
> >>To enable the Program ($20), Sector-Erase ($40)and Erase-Verify ($05)
> >>commands in the flash, security must bedisabled via the backdoor key
> >>sequence. See Flash User Guide for details of the backdoor key
operation.
> >>
> >>Michael Huslig wrote:
> >>
> >>
> >>>Gentlemen:
> >>>
> >>>I have implemented a version of Gordon's serial bootloader (AN2153).
It
> >>>uses encryption so that the S19 file is not readable by the end user.
> >>>However when I set the security bits to '00' in the loader code and use
> >>>
> >the
> >
> >>>BDM to put the loader into flash, the loader program doesn't seem to be
> >>>
> >able
> >
> >>>to program the rest of the flash. I tried having the loader program
> >>>
> >write
> >
> >>>to the backdoor first, but then the loader locked. Anyone have any
> >>>insights?
> >>>
> >>>Mike Huslig
> >>>
> >>>
> >>>
> >>>
> >>>--------------------
> >>>
> >>>
> >>>
> >>>">http://docs.yahoo.com/info/terms/
> >>>
> >>>
> >>>
> >>>
> >>--
> >>===============================================================
> >>Gordon Doughman Ph: 937-438-6811
> >>Motorola Semiconductor Fax: 937-434-7457
> >>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> >>Suite 175
> >>3131 Newmark Drive
> >>Miamisburg, OH 45342
> >>
> >>Check out my HC12 book at:
> >>http://www.rtcbooks.com/programming.php
> >>
> >>
> >>
> >>
> >>
> >>--------------------
> >>
> >>
> >>
> >>">http://docs.yahoo.com/info/terms/
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >--------------------
> >
> >
> >
> >">http://docs.yahoo.com/info/terms/
> >
> >
> >
>
> --
> ===============================================================
> Gordon Doughman Ph: 937-438-6811
> Motorola Semiconductor Fax: 937-434-7457
> Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> Suite 175
> 3131 Newmark Drive
> Miamisburg, OH 45342
>
> Check out my HC12 book at:
> http://www.rtcbooks.com/programming.php > -------------------- >
> ">http://docs.yahoo.com/info/terms/ >


Gordon,

It looks like I have to do this too if I want to write to EEPROM. After
using the backdoor, is there anyway of shutting it again without a reset?
Or does it matter because the BDM interface will not be active because the
BDM will reset the uP when it tries to talk to it?

Mike ----- Original Message -----
From: "Michael Huslig" <>
To: <>
Sent: Friday, August 29, 2003 1:25 PM
Subject: Re: [68HC12] secure bootloader > Thanks Gordon,
>
> My mistake. I understood it to mean that reads of the key code bytes
> FF00-FF07 would return invalid data.
>
> Mike
>
> ----- Original Message -----
> From: "Gordon Doughman" <>
> To: <>
> Sent: Friday, August 29, 2003 1:03 PM
> Subject: Re: [68HC12] secure bootloader > > Mike,
> >
> > As the description below indicates, when the KEYACC bit is set, reads of
> > the flash array return invalid data. Hence, why the bootloader just
> > hangs. Unfortunately, you will first have to copy the unlock sequence
> > into RAM, execute the unlock sequence from RAM, return to Flash, copy
> > the bootloader into RAM and finally overlay the Flash with the RAM.
> >
> > Regards,
> > Gordon
> >
> > KEYACC Enable Security Key Writing.
> > 1 = Writes to Flash array are interpreted as keys to open the backdoor.
> > Reads of the Flash array
> > return invalid data.
> > 0 = Flash writes are interpreted as the start of a program or erase
> > sequence.
> >
> > Michael Huslig wrote:
> >
> > >Gordon,
> > >
> > >I have included the code I am trying to use with the security feature
in
> > >my/your bootloader program. If the SECURED switch is off when I
> assemble,
> > >the BDM loaded bootloader works fine. If I just clear the security
bits
> at
> > >FF0F, reassemble and BDM load, the bootloader operates but will not
> program
> > >the flash as per the errata. If the SECURED switch is on so that the
> code
> > >tries to use the backdoor, the BDM loaded bootloader just hangs when
> started
> > >and does nothing whatsoever. Am I missing something
> > >
> > > if SECURED
> > > BSET FCNFG,#FCNFG.KEYACC
> > > LDD #KEYFF00 ;do backdoor before RAM overlays Flash
> > > STD $FF00
> > > LDD #KEYFF02
> > > STD $FF02
> > > LDD #KEYFF04
> > > STD $FF04
> > > LDD #KEYFF06
> > > STD $FF06
> > > BCLR FCNFG,#FCNFG.KEYACC
> > > endif
> > >
> > > LDX #$F000 ; point to the start of the Flash bootloader in
> > >Flash.
> > > LDY #$3000 ; point to the start of on-chip RAM.
> > >COPYLP
> > > MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
> > > TBNE X,COPYLP ; dec byte count, move till done.
> > >
> > >; write to the INITRM register to overlay the Flash bootblock at $F000
> with
> > >RAM from $3000.
> > > LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
> > > if *&1
> > > NOP
> > > endif
> > > STAB >INITRM ; this instruction MUST use extended addressing
> > >
> > >
> > > ORG $FF00
> > > DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
> > > DC.W $FFFF
> > > DC.B $FF ; no protection for Flash block 3
> > > DC.B $FF ; no protection for Flash block 2
> > > DC.B $FF ; no protection for Flash block 1
> > > DC.B $CF ; setup a 4K bootblock in Flash block 0.
> > > DC.B $FF
> > > if SECURED
> > > DC.B $FC ; security byte (secured, backdoor enabled)
> > > else
> > > DC.B $FE ; security byte (unsecured, backdoor enabled)
> > > endif
> > >
> > >Mike
> > >
> > >
> > >----- Original Message -----
> > >From: "Gordon Doughman" <>
> > >To: <>
> > >Sent: Friday, August 29, 2003 9:56 AM
> > >Subject: Re: [68HC12] secure bootloader
> > >
> > >
> > >
> > >>Michael,
> > >>
> > >>You have run into errata MUCts00603 (Program & Erase of Flash blocked
in
> > >>Normal Single Chip Mode when secure) as shown below. As the workaround
> > >>states, you can temporarily disable security using the backdoor key
> > >>operation. Make sure you are following the proper sequence as
described
> > >>in the Flash user's Guide. Also note that this errata was fixed in the
> > >>2K79X mask set of the MC9S12DP256.
> > >>
> > >>Regards,
> > >>Gordon
> > >>
> > >>In normal single chip mode, when security is enabled, it is not
possible
> > >>to launch the Program ($20), Sector-Erase ($40) and Erase- Verify
($05)
> > >>commands in the flash. The Mass-Erase ($41) command can be launched.
> > >>
> > >>Workaround
> > >>To enable the Program ($20), Sector-Erase ($40)and Erase-Verify ($05)
> > >>commands in the flash, security must bedisabled via the backdoor key
> > >>sequence. See Flash User Guide for details of the backdoor key
> operation.
> > >>
> > >>Michael Huslig wrote:
> > >>
> > >>
> > >>>Gentlemen:
> > >>>
> > >>>I have implemented a version of Gordon's serial bootloader (AN2153).
> It
> > >>>uses encryption so that the S19 file is not readable by the end user.
> > >>>However when I set the security bits to '00' in the loader code and
use
> > >>>
> > >the
> > >
> > >>>BDM to put the loader into flash, the loader program doesn't seem to
be
> > >>>
> > >able
> > >
> > >>>to program the rest of the flash. I tried having the loader program
> > >>>
> > >write
> > >
> > >>>to the backdoor first, but then the loader locked. Anyone have any
> > >>>insights?
> > >>>
> > >>>Mike Huslig
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>--------------------
> > >>>
> > >>>
> > >>>
> > >>>">http://docs.yahoo.com/info/terms/
> > >>>
> > >>>
> > >>>
> > >>>
> > >>--
> > >>===============================================================
> > >>Gordon Doughman Ph: 937-438-6811
> > >>Motorola Semiconductor Fax: 937-434-7457
> > >>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> > >>Suite 175
> > >>3131 Newmark Drive
> > >>Miamisburg, OH 45342
> > >>
> > >>Check out my HC12 book at:
> > >>http://www.rtcbooks.com/programming.php
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>--------------------
> > >>
> > >>
> > >>
> > >>">http://docs.yahoo.com/info/terms/
> > >>
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > >
> > >--------------------
> > >
> > >
> > >
> > >">http://docs.yahoo.com/info/terms/
> > >
> > >
> > >
> >
> > --
> > ===============================================================
> > Gordon Doughman Ph: 937-438-6811
> > Motorola Semiconductor Fax: 937-434-7457
> > Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> > Suite 175
> > 3131 Newmark Drive
> > Miamisburg, OH 45342
> >
> > Check out my HC12 book at:
> > http://www.rtcbooks.com/programming.php
> >
> >
> >
> >
> >
> > --------------------
> >
> >
> >
> > ">http://docs.yahoo.com/info/terms/
> >
> >
> >
>
> -------------------- >
> ">http://docs.yahoo.com/info/terms/ >


Gordon,

Well I answered one question. If I power up my board with a BDM attached
and the loader in my board opens the backdoor, the BDM has access to my
code, at least until the BDM issues a reset.

Mike

----- Original Message -----
From: "Michael Huslig" <>
To: <>
Sent: Friday, August 29, 2003 1:43 PM
Subject: Re: [68HC12] secure bootloader > Gordon,
>
> It looks like I have to do this too if I want to write to EEPROM. After
> using the backdoor, is there anyway of shutting it again without a reset?
> Or does it matter because the BDM interface will not be active because the
> BDM will reset the uP when it tries to talk to it?
>
> Mike > ----- Original Message -----
> From: "Michael Huslig" <>
> To: <>
> Sent: Friday, August 29, 2003 1:25 PM
> Subject: Re: [68HC12] secure bootloader > > Thanks Gordon,
> >
> > My mistake. I understood it to mean that reads of the key code bytes
> > FF00-FF07 would return invalid data.
> >
> > Mike
> >
> > ----- Original Message -----
> > From: "Gordon Doughman" <>
> > To: <>
> > Sent: Friday, August 29, 2003 1:03 PM
> > Subject: Re: [68HC12] secure bootloader
> >
> >
> > > Mike,
> > >
> > > As the description below indicates, when the KEYACC bit is set, reads
of
> > > the flash array return invalid data. Hence, why the bootloader just
> > > hangs. Unfortunately, you will first have to copy the unlock sequence
> > > into RAM, execute the unlock sequence from RAM, return to Flash, copy
> > > the bootloader into RAM and finally overlay the Flash with the RAM.
> > >
> > > Regards,
> > > Gordon
> > >
> > > KEYACC Enable Security Key Writing.
> > > 1 = Writes to Flash array are interpreted as keys to open the
backdoor.
> > > Reads of the Flash array
> > > return invalid data.
> > > 0 = Flash writes are interpreted as the start of a program or erase
> > > sequence.
> > >
> > > Michael Huslig wrote:
> > >
> > > >Gordon,
> > > >
> > > >I have included the code I am trying to use with the security feature
> in
> > > >my/your bootloader program. If the SECURED switch is off when I
> > assemble,
> > > >the BDM loaded bootloader works fine. If I just clear the security
> bits
> > at
> > > >FF0F, reassemble and BDM load, the bootloader operates but will not
> > program
> > > >the flash as per the errata. If the SECURED switch is on so that the
> > code
> > > >tries to use the backdoor, the BDM loaded bootloader just hangs when
> > started
> > > >and does nothing whatsoever. Am I missing something
> > > >
> > > > if SECURED
> > > > BSET FCNFG,#FCNFG.KEYACC
> > > > LDD #KEYFF00 ;do backdoor before RAM overlays Flash
> > > > STD $FF00
> > > > LDD #KEYFF02
> > > > STD $FF02
> > > > LDD #KEYFF04
> > > > STD $FF04
> > > > LDD #KEYFF06
> > > > STD $FF06
> > > > BCLR FCNFG,#FCNFG.KEYACC
> > > > endif
> > > >
> > > > LDX #$F000 ; point to the start of the Flash bootloader
in
> > > >Flash.
> > > > LDY #$3000 ; point to the start of on-chip RAM.
> > > >COPYLP
> > > > MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
> > > > TBNE X,COPYLP ; dec byte count, move till done.
> > > >
> > > >; write to the INITRM register to overlay the Flash bootblock at
$F000
> > with
> > > >RAM from $3000.
> > > > LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
> > > > if *&1
> > > > NOP
> > > > endif
> > > > STAB >INITRM ; this instruction MUST use extended addressing
> > > >
> > > >
> > > > ORG $FF00
> > > > DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
> > > > DC.W $FFFF
> > > > DC.B $FF ; no protection for Flash block 3
> > > > DC.B $FF ; no protection for Flash block 2
> > > > DC.B $FF ; no protection for Flash block 1
> > > > DC.B $CF ; setup a 4K bootblock in Flash block 0.
> > > > DC.B $FF
> > > > if SECURED
> > > > DC.B $FC ; security byte (secured, backdoor enabled)
> > > > else
> > > > DC.B $FE ; security byte (unsecured, backdoor enabled)
> > > > endif
> > > >
> > > >Mike
> > > >
> > > >
> > > >----- Original Message -----
> > > >From: "Gordon Doughman" <>
> > > >To: <>
> > > >Sent: Friday, August 29, 2003 9:56 AM
> > > >Subject: Re: [68HC12] secure bootloader
> > > >
> > > >
> > > >
> > > >>Michael,
> > > >>
> > > >>You have run into errata MUCts00603 (Program & Erase of Flash
blocked
> in
> > > >>Normal Single Chip Mode when secure) as shown below. As the
workaround
> > > >>states, you can temporarily disable security using the backdoor key
> > > >>operation. Make sure you are following the proper sequence as
> described
> > > >>in the Flash user's Guide. Also note that this errata was fixed in
the
> > > >>2K79X mask set of the MC9S12DP256.
> > > >>
> > > >>Regards,
> > > >>Gordon
> > > >>
> > > >>In normal single chip mode, when security is enabled, it is not
> possible
> > > >>to launch the Program ($20), Sector-Erase ($40) and Erase- Verify
> ($05)
> > > >>commands in the flash. The Mass-Erase ($41) command can be launched.
> > > >>
> > > >>Workaround
> > > >>To enable the Program ($20), Sector-Erase ($40)and Erase-Verify
($05)
> > > >>commands in the flash, security must bedisabled via the backdoor key
> > > >>sequence. See Flash User Guide for details of the backdoor key
> > operation.
> > > >>
> > > >>Michael Huslig wrote:
> > > >>
> > > >>
> > > >>>Gentlemen:
> > > >>>
> > > >>>I have implemented a version of Gordon's serial bootloader
(AN2153).
> > It
> > > >>>uses encryption so that the S19 file is not readable by the end
user.
> > > >>>However when I set the security bits to '00' in the loader code and
> use
> > > >>>
> > > >the
> > > >
> > > >>>BDM to put the loader into flash, the loader program doesn't seem
to
> be
> > > >>>
> > > >able
> > > >
> > > >>>to program the rest of the flash. I tried having the loader
program
> > > >>>
> > > >write
> > > >
> > > >>>to the backdoor first, but then the loader locked. Anyone have any
> > > >>>insights?
> > > >>>
> > > >>>Mike Huslig
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>--------------------
> > > >>>
> > > >>>
> > > >>>
> > > >>>">http://docs.yahoo.com/info/terms/
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>--
> > > >>===============================================================
> > > >>Gordon Doughman Ph: 937-438-6811
> > > >>Motorola Semiconductor Fax: 937-434-7457
> > > >>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> > > >>Suite 175
> > > >>3131 Newmark Drive
> > > >>Miamisburg, OH 45342
> > > >>
> > > >>Check out my HC12 book at:
> > > >>http://www.rtcbooks.com/programming.php
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>--------------------
> > > >>
> > > >>
> > > >>
> > > >>">http://docs.yahoo.com/info/terms/
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >
> > > >
> > > >
> > > >
> > > >--------------------
> > > >
> > > >
> > > >
> > > >">http://docs.yahoo.com/info/terms/
> > > >
> > > >
> > > >
> > >
> > > --
> > > ===============================================================
> > > Gordon Doughman Ph: 937-438-6811
> > > Motorola Semiconductor Fax: 937-434-7457
> > > Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
> > > Suite 175
> > > 3131 Newmark Drive
> > > Miamisburg, OH 45342
> > >
> > > Check out my HC12 book at:
> > > http://www.rtcbooks.com/programming.php
> > >
> > >
> > >
> > >
> > >
> > > --------------------
> > >
> > >
> > >
> > > ">http://docs.yahoo.com/info/terms/
> > >
> > >
> > >
> >
> >
> >
> >
> > --------------------
> >
> >
> >
> > ">http://docs.yahoo.com/info/terms/
> >
> >
> >
>
> -------------------- >
> ">http://docs.yahoo.com/info/terms/ >


Mike,

>It looks like I have to do this too if I want to write to EEPROM.

Unfortunately, you are correct. The same errata is listed for the EEPROM.

>After using the backdoor, is there anyway of shutting it again without
a reset?

No. To disable security, the device must go through a hardware induced
reset.

As I mentioned in one of my previous e-mails, this errata has been fixed
in the 2K79X mask set. These devices can ordered by specifying the 'C'
suffix devices (MC9S12DP256Cxxx).

Regards,
Gordon

Michael Huslig wrote:

>Gordon,
>
>Well I answered one question. If I power up my board with a BDM attached
>and the loader in my board opens the backdoor, the BDM has access to my
>code, at least until the BDM issues a reset.
>
>Mike
>
>----- Original Message -----
>From: "Michael Huslig" <>
>To: <>
>Sent: Friday, August 29, 2003 1:43 PM
>Subject: Re: [68HC12] secure bootloader >
>>Gordon,
>>
>>It looks like I have to do this too if I want to write to EEPROM. After
>>using the backdoor, is there anyway of shutting it again without a reset?
>>Or does it matter because the BDM interface will not be active because the
>>BDM will reset the uP when it tries to talk to it?
>>
>>Mike
>>
>>
>>----- Original Message -----
>>From: "Michael Huslig" <>
>>To: <>
>>Sent: Friday, August 29, 2003 1:25 PM
>>Subject: Re: [68HC12] secure bootloader
>>
>>
>>
>>>Thanks Gordon,
>>>
>>>My mistake. I understood it to mean that reads of the key code bytes
>>>FF00-FF07 would return invalid data.
>>>
>>>Mike
>>>
>>>----- Original Message -----
>>>From: "Gordon Doughman" <>
>>>To: <>
>>>Sent: Friday, August 29, 2003 1:03 PM
>>>Subject: Re: [68HC12] secure bootloader
>>>
>>>
>>>
>>>>Mike,
>>>>
>>>>As the description below indicates, when the KEYACC bit is set, reads
>>>>
>of
>
>>>>the flash array return invalid data. Hence, why the bootloader just
>>>>hangs. Unfortunately, you will first have to copy the unlock sequence
>>>>into RAM, execute the unlock sequence from RAM, return to Flash, copy
>>>>the bootloader into RAM and finally overlay the Flash with the RAM.
>>>>
>>>>Regards,
>>>>Gordon
>>>>
>>>>KEYACC Enable Security Key Writing.
>>>>1 = Writes to Flash array are interpreted as keys to open the
>>>>
>backdoor.
>
>>>>Reads of the Flash array
>>>>return invalid data.
>>>>0 = Flash writes are interpreted as the start of a program or erase
>>>>sequence.
>>>>
>>>>Michael Huslig wrote:
>>>>
>>>>
>>>>>Gordon,
>>>>>
>>>>>I have included the code I am trying to use with the security feature
>>>>>
>>in
>>
>>>>>my/your bootloader program. If the SECURED switch is off when I
>>>>>
>>>assemble,
>>>
>>>>>the BDM loaded bootloader works fine. If I just clear the security
>>>>>
>>bits
>>
>>>at
>>>
>>>>>FF0F, reassemble and BDM load, the bootloader operates but will not
>>>>>
>>>program
>>>
>>>>>the flash as per the errata. If the SECURED switch is on so that the
>>>>>
>>>code
>>>
>>>>>tries to use the backdoor, the BDM loaded bootloader just hangs when
>>>>>
>>>started
>>>
>>>>>and does nothing whatsoever. Am I missing something
>>>>>
>>>>> if SECURED
>>>>> BSET FCNFG,#FCNFG.KEYACC
>>>>> LDD #KEYFF00 ;do backdoor before RAM overlays Flash
>>>>> STD $FF00
>>>>> LDD #KEYFF02
>>>>> STD $FF02
>>>>> LDD #KEYFF04
>>>>> STD $FF04
>>>>> LDD #KEYFF06
>>>>> STD $FF06
>>>>> BCLR FCNFG,#FCNFG.KEYACC
>>>>> endif
>>>>>
>>>>> LDX #$F000 ; point to the start of the Flash bootloader
>>>>>
>in
>
>>>>>Flash.
>>>>> LDY #$3000 ; point to the start of on-chip RAM.
>>>>>COPYLP
>>>>> MOVW 2,X+,2,Y+ ; move a byte of the bootloader into RAM.
>>>>> TBNE X,COPYLP ; dec byte count, move till done.
>>>>>
>>>>>; write to the INITRM register to overlay the Flash bootblock at
>>>>>
>$F000
>
>>>with
>>>
>>>>>RAM from $3000.
>>>>> LDAB #$C0+INITRM.RAMHAL ;RAM now at $D000-$FFFF
>>>>> if *&1
>>>>> NOP
>>>>> endif
>>>>> STAB >INITRM ; this instruction MUST use extended addressing
>>>>>
>>>>>
>>>>> ORG $FF00
>>>>> DC.W KEYFF00,KEYFF02,KEYFF04,KEYFF06 ; backdoor key
>>>>> DC.W $FFFF
>>>>> DC.B $FF ; no protection for Flash block 3
>>>>> DC.B $FF ; no protection for Flash block 2
>>>>> DC.B $FF ; no protection for Flash block 1
>>>>> DC.B $CF ; setup a 4K bootblock in Flash block 0.
>>>>> DC.B $FF
>>>>> if SECURED
>>>>> DC.B $FC ; security byte (secured, backdoor enabled)
>>>>> else
>>>>> DC.B $FE ; security byte (unsecured, backdoor enabled)
>>>>> endif
>>>>>
>>>>>Mike
>>>>>
>>>>>
>>>>>----- Original Message -----
>>>>>From: "Gordon Doughman" <>
>>>>>To: <>
>>>>>Sent: Friday, August 29, 2003 9:56 AM
>>>>>Subject: Re: [68HC12] secure bootloader
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Michael,
>>>>>>
>>>>>>You have run into errata MUCts00603 (Program & Erase of Flash
>>>>>>
>blocked
>
>>in
>>
>>>>>>Normal Single Chip Mode when secure) as shown below. As the
>>>>>>
>workaround
>
>>>>>>states, you can temporarily disable security using the backdoor key
>>>>>>operation. Make sure you are following the proper sequence as
>>>>>>
>>described
>>
>>>>>>in the Flash user's Guide. Also note that this errata was fixed in
>>>>>>
>the
>
>>>>>>2K79X mask set of the MC9S12DP256.
>>>>>>
>>>>>>Regards,
>>>>>>Gordon
>>>>>>
>>>>>>In normal single chip mode, when security is enabled, it is not
>>>>>>
>>possible
>>
>>>>>>to launch the Program ($20), Sector-Erase ($40) and Erase- Verify
>>>>>>
>>($05)
>>
>>>>>>commands in the flash. The Mass-Erase ($41) command can be launched.
>>>>>>
>>>>>>Workaround
>>>>>>To enable the Program ($20), Sector-Erase ($40)and Erase-Verify
>>>>>>
>($05)
>
>>>>>>commands in the flash, security must bedisabled via the backdoor key
>>>>>>sequence. See Flash User Guide for details of the backdoor key
>>>>>>
>>>operation.
>>>
>>>>>>Michael Huslig wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>Gentlemen:
>>>>>>>
>>>>>>>I have implemented a version of Gordon's serial bootloader
>>>>>>>
>(AN2153).
>
>>>It
>>>
>>>>>>>uses encryption so that the S19 file is not readable by the end
>>>>>>>
>user.
>
>>>>>>>However when I set the security bits to '00' in the loader code and
>>>>>>>
>>use
>>
>>>>>the
>>>>>
>>>>>
>>>>>>>BDM to put the loader into flash, the loader program doesn't seem
>>>>>>>
>to
>
>>be
>>
>>>>>able
>>>>>
>>>>>
>>>>>>>to program the rest of the flash. I tried having the loader
>>>>>>>
>program
>
>>>>>write
>>>>>
>>>>>
>>>>>>>to the backdoor first, but then the loader locked. Anyone have any
>>>>>>>insights?
>>>>>>>
>>>>>>>Mike Huslig
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>--------------------
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>">http://docs.yahoo.com/info/terms/
>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>--
>>>>>>===============================================================
>>>>>>Gordon Doughman Ph: 937-438-6811
>>>>>>Motorola Semiconductor Fax: 937-434-7457
>>>>>>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
>>>>>>Suite 175
>>>>>>3131 Newmark Drive
>>>>>>Miamisburg, OH 45342
>>>>>>
>>>>>>Check out my HC12 book at:
>>>>>>http://www.rtcbooks.com/programming.php
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>--------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>>">http://docs.yahoo.com/info/terms/
>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>--------------------
>>>>>
>>>>>
>>>>>
>>>>>">http://docs.yahoo.com/info/terms/
>>
>>>>>
>>>>>
>>>>--
>>>>===============================================================
>>>>Gordon Doughman Ph: 937-438-6811
>>>>Motorola Semiconductor Fax: 937-434-7457
>>>>Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
>>>>Suite 175
>>>>3131 Newmark Drive
>>>>Miamisburg, OH 45342
>>>>
>>>>Check out my HC12 book at:
>>>>http://www.rtcbooks.com/programming.php
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>--------------------
>>>>
>>>>
>>>>
>>>>">http://docs.yahoo.com/info/terms/
>>
>>>>
>>>>
>>>
>>>
>>>
>>>--------------------
>>>
>>>
>>>
>>>">http://docs.yahoo.com/info/terms/
>
>>>
>>>
>>
>>
>>
>>--------------------
>>
>>
>>
>>">http://docs.yahoo.com/info/terms/
>>
>>
>>
> >
>
>-------------------- >
>">http://docs.yahoo.com/info/terms/ >

--
===============================================================
Gordon Doughman Ph: 937-438-6811
Motorola Semiconductor Fax: 937-434-7457
Field Applications Engineer Pager: 800-759-8352 Pin: 1304089
Suite 175
3131 Newmark Drive
Miamisburg, OH 45342

Check out my HC12 book at:
http://www.rtcbooks.com/programming.php