Chapter 9 Security (S12XE9SECV2)
MC9S12XE-Family Reference Manual , Rev. 1.21
348
Freescale Semiconductor
Because of an order from the United States International Trade Commission, BGA-packaged product lines and partnumbers
indicated here currently are not available from Freescale for import or sale in the United States prior to September 2010
9.1.4.2
Special Single Chip Mode (SS)
BDM rmware commands are disabled.
BDM hardware commands are restricted to the register space.
Execution of Flash and EEPROM commands is restricted. Please refer to the NVM block guide for
details.
Tracing code execution using the DBG module is disabled.
Debugging XGATE code (breakpoints, single-stepping) is disabled.
Special single chip mode means BDM is active after reset. The availability of BDM rmware commands
depends on the security state of the device. The BDM secure rmware rst performs a blank check of both
the Flash memory and the EEPROM. If the blank check succeeds, security will be temporarily turned off
and the state of the security bits in the appropriate Flash memory location can be changed If the blank
check fails, security will remain active, only the BDM hardware commands will be enabled, and the
accessible memory space is restricted to the peripheral register area. This will allow the BDM to be used
to erase the EEPROM and Flash memory without giving access to their contents. After erasing both Flash
memory and EEPROM, another reset into special single chip mode will cause the blank check to succeed
and the options/security byte can be programmed to “unsecured” state via BDM.
While the BDM is executing the blank check, the BDM interface is completely blocked, which means that
all BDM commands are temporarily blocked.
9.1.4.3
Expanded Modes (NX, ES, EX, and ST)
BDM operation is completely disabled.
Internal Flash memory and EEPROM are disabled.
Execution of Flash and EEPROM commands is restricted. Please refer to the FTM block guide for
details.
Tracing code execution using the DBG module is disabled.
Debugging XGATE code (breakpoints, single-stepping) is disabled
9.1.5
Unsecuring the Microcontroller
Unsecuring the microcontroller can be done by three different methods:
1. Backdoor key access
2. Reprogramming the security bits
3. Complete memory erase (special modes)
9.1.5.1
Unsecuring the MCU Using the Backdoor Key Access
In normal modes (single chip and expanded), security can be temporarily disabled using the backdoor key
access method. This method requires that:
The backdoor key at 0xFF00–0xFF07 (= global addresses 0x7F_FF00–0x7F_FF07) has been
programmed to a valid value.