Memory
MC9S08RC/RD/RE/RG Data Sheet, Rev. 1.11
48
Freescale Semiconductor
4.4.7
Vector Redirection
Whenever any block protection is enabled, the reset and interrupt vectors will be protected. For this reason,
a mechanism for redirecting vector reads is provided. Vector redirection allows users to modify interrupt
vector information without unprotecting bootloader and reset vector space. For redirection to occur, at least
some portion but not all of the FLASH memory must be block protected by programming the NVPROT
register located at address $FFBD. All of the interrupt vectors (memory locations $FFC0–$FFFD) are
redirected, while the reset vector ($FFFE:FFFF) is not.
For example, if 512 bytes of FLASH are protected, the protected address region is from $FE00 through
$FFFF. The interrupt vectors ($FFC0–$FFFD) are redirected to the locations $FDC0–$FDFD. Now, if an
SPI interrupt is taken for instance, the values in the locations $FDE0:FDE1 are used for the vector instead
of the values in the locations $FFE0:FFE1. This allows the user to reprogram the unprotected portion of
the FLASH with new program code including new interrupt vector values while leaving the protected area,
which includes the default vector locations, unchanged.
4.5
Security
The MC9S08RC/RD/RE/RG includes circuitry to prevent unauthorized access to the contents of FLASH
and RAM memory. When security is engaged, FLASH and RAM are considered secure resources.
Direct-page registers, high-page registers, and the background debug controller are considered unsecured
resources. Programs executing within secure memory have normal access to any MCU memory locations
and resources. Attempts to access a secure memory location with a program executing from an unsecured
memory space or through the background debug interface are blocked (writes are ignored and reads return
all 0s).
Security is engaged or disengaged based on the state of two nonvolatile register bits (SEC01:SEC00) in
the FOPT register. During reset, the contents of the nonvolatile location NVOPT are copied from FLASH
into the working FOPT register in high-page register space. A user engages security by programming the
NVOPT location, which can be done at the same time the FLASH memory is programmed. The 1:0 state
disengages security while the other three combinations engage security. Notice the erased state (1:1)
makes the MCU secure. During development, whenever the FLASH is erased, it is good practice to
immediately program the SEC00 bit to 0 in NVOPT so SEC01:SEC00 = 1:0. This would allow the MCU
to remain unsecured after a subsequent reset.
The on-chip debug module cannot be enabled while the MCU is secure. The separate background debug
controller can still be used for background memory access commands, but the MCU cannot enter active
background mode except by holding BKGD/MS low at the rising edge of reset.
A user can choose to allow or disallow a security unlocking mechanism through an 8-byte backdoor
security key. If the nonvolatile KEYEN bit in NVOPT/FOPT is 0, the backdoor key is disabled and there
is no way to disengage security without completely erasing all FLASH locations. If KEYEN is 1, a secure
user program can temporarily disengage security by:
1. Writing 1 to KEYACC in the FCNFG register. This makes the FLASH module interpret writes to
the backdoor comparison key locations (NVBACKKEY through NVBACKKEY+7) as values to
be compared against the key rather than as the rst step in a FLASH program or erase command.