Chapter 4 Memory
MC9S08AC16 Series Data Sheet, Rev. 9
56
Freescale Semiconductor
disengages security and the other three combinations engage security. Notice the erased state (1:1) makes
the MCU secure. During development, whenever the FLASH is erased, it is good practice to immediately
program the SEC00 bit to 0 in NVOPT so SEC01:SEC00 = 1:0. This would allow the MCU to remain
unsecured after a subsequent reset.
The on-chip debug module cannot be enabled while the MCU is secure. The separate background debug
controller can still be used for background memory access commands, but the MCU cannot enter active
background mode except by holding BKGD/MS low at the rising edge of reset.
A user can choose to allow or disallow a security unlocking mechanism through an 8-byte backdoor
security key. If the nonvolatile KEYEN bit in NVOPT/FOPT is 0, the backdoor key is disabled and there
is no way to disengage security without completely erasing all FLASH locations. If KEYEN is 1, a secure
user program can temporarily disengage security by:
1. Writing 1 to KEYACC in the FCNFG register. This makes the FLASH module interpret writes to
the backdoor comparison key locations (NVBACKKEY through NVBACKKEY+7) as values to
be compared against the key rather than as the first step in a FLASH program or erase command.
2. Writing the user-entered key values to the NVBACKKEY through NVBACKKEY+7 locations.
These writes must be done in order starting with the value for NVBACKKEY and ending with
NVBACKKEY+7. STHX should not be used for these writes because these writes cannot be done
on adjacent bus cycles. User software normally would get the key codes from outside the MCU
system through a communication interface such as a serial I/O.
3. Writing 0 to KEYACC in the FCNFG register. If the 8-byte key that was just written matches the
key stored in the FLASH locations, SEC01:SEC00 are automatically changed to 1:0 and security
will be disengaged until the next reset.
The security key can be written only from secure memory (either RAM or FLASH), so it cannot be entered
through background commands without the cooperation of a secure user program.
The backdoor comparison key (NVBACKKEY through NVBACKKEY+7) is located in FLASH memory
locations in the nonvolatile register space so users can program these locations exactly as they would
program any other FLASH memory location. The nonvolatile registers are in the same 512-byte block of
FLASH as the reset and interrupt vectors, so block protecting that space also block protects the backdoor
comparison key. Block protects cannot be changed from user application programs, so if the vector space
is block protected, the backdoor security key mechanism cannot permanently change the block protect,
security settings, or the backdoor key.
Security can always be disengaged through the background debug interface by taking these steps:
1. Disable any block protections by writing FPROT. FPROT can be written only with background
debug commands, not from application software.
2. Mass erase FLASH if necessary.
3. Blank check FLASH. Provided FLASH is completely erased, security is disengaged until the next
reset.
To avoid returning to secure mode after the next reset, program NVOPT so SEC01:SEC00 = 1:0.