Filter
Top Products
MCF51QE128 MCU Series Reference Manual, Rev. 3
Freescale Semiconductor 89
Get the latest version from freescale.com
Chapter 4 Memory
4.5.5 Security
The flash module provides the necessary security information to the MCU. During each reset sequence,
the flash module determines the security state of the MCU as defined in Section 4.2.1, “Flash Module
Reserved Memory Locations”.
The contents of the flash security byte in the flash configuration field (see Section 4.4.2.3) must be
changed directly by programming the flash security byte location when the MCU is unsecured and the
sector containing the flash security byte is unprotected. If the flash security byte is left in a secured state,
any reset causes the MCU to initialize into a secure operating mode.
4.5.5.1 Unsecuring the MCU using Backdoor Key Access
The MCU may be unsecured by using the backdoor key access feature that requires knowledge of the
contents of the backdoor keys (see Section 4.2.1). If the KEYEN[1:0] bits are in the enabled state (see
Section 4.4.2.2) and the KEYACC bit is set, a write to a backdoor key address in the flash memory triggers
a comparison between the written data and the backdoor key data stored in the flash memory. If all
backdoor keys are written to the correct addresses in the correct order and the data matches the backdoor
keys stored in the flash memory, the MCU is unsecured. The data must be written to the backdoor keys
sequentially. Values 0x0000_0000 and 0xFFFF_FFFF are not permitted as backdoor keys. While the
KEYACC bit is set, reads of the flash memory return valid data.
The user code stored in the flash memory must have a method of receiving the backdoor keys from an
external stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If the KEYEN[1:0] bits are in the enabled state (see Section 4.4.2.2), the MCU can be unsecured by the
backdoor key access sequence described below:
1. Set FCNFG[KEYACC].
2. Execute three NOP instructions to provide time for the backdoor state machine to load the starting
address and number of keys required into the flash state machine.
3. Sequentially write the correct longwords to the flash address(es) containing the backdoor keys.
4. Clear the KEYACC bit. Depending on the user code used to write the backdoor keys, a wait cycle
(NOP) may be required before clearing the KEYACC bit.
5. If all data written match the backdoor keys, the MCU is unsecured and the SEC[1:0] bits in the
NVOPT register are forced to an unsecured state.
The backdoor key access sequence is monitored by an internal security state machine. An illegal operation
during the backdoor key access sequence causes the security state machine to lock, leaving the MCU in
the secured state. A reset of the MCU causes the security state machine to exit the lock state and allows a
new backdoor key access sequence to be attempted. The following operations during the backdoor key
access sequence lock the security state machine:
1. If any of the keys written does not match the backdoor keys programmed in the flash array.
2. If the keys are written in the wrong sequence.
3. If any of the keys written are all 0’s or all 1’s.
4. If the KEYACC bit does not remain set while the keys are written.