512 Kbyte Flash Module (S12XFTX512K4V2)
BookTitle, Rev. 2.4
142 Freescale Semiconductor
2.6.1 Unsecuring the MCU using Backdoor Key Access
The MCU may be unsecured by using the backdoor key access feature which requires knowledge of the
contents of the backdoor keys (four 16-bit words programmed at addresses 0x7F_FF00–0x7F_FF07). If
the KEYEN[1:0] bits are in the enabled state (see Section 2.3.2.2, “Flash Security Register (FSEC)”) and
the KEYACC bit is set, a write to a backdoor key address in the Flash memory triggers a comparison
between the written data and the backdoor key data stored in the Flash memory. If all four words of data
are written to the correct addresses in the correct order and the data matches the backdoor keys stored in
the Flash memory, the MCU will be unsecured. The data must be written to the backdoor keys sequentially
starting with 0x7F_FF00–1 and ending with 0x7F_FF06–7. 0x0000 and 0xFFFF are not permitted as
backdoor keys. While the KEYACC bit is set, reads of the Flash memory will return invalid data.
The user code stored in the Flash memory must have a method of receiving the backdoor keys from an
external stimulus. This external stimulus would typically be through one of the on-chip serial ports.
If the KEYEN[1:0] bits are in the enabled state (see Section 2.3.2.2, “Flash Security Register (FSEC)”),
the MCU can be unsecured by the backdoor key access sequence described below:
1. Set the KEYACC bit in the Flash Configuration Register (FCNFG).
2. Write the correct four 16-bit words to Flash addresses 0xFF00–0xFF07 sequentially starting with
0x7F_FF00.
3. Clear the KEYACC bit. Depending on the user code used to write the backdoor keys, a wait cycle
(NOP) may be required before clearing the KEYACC bit.
4. If all four 16-bit words match the backdoor keys stored in Flash addresses
0x7F_FF00–0x7F_FF07, the MCU is unsecured and the SEC[1:0] bits in the FSEC register are
forced to the unsecure state of 1:0.
The backdoor key access sequence is monitored by an internal security state machine. An illegal operation
during the backdoor key access sequence will cause the security state machine to lock, leaving the MCU
in the secured state. A reset of the MCU will cause the security state machine to exit the lock state and
allow a new backdoor key access sequence to be attempted. The following operations during the backdoor
key access sequence will lock the security state machine:
1. If any of the four 16-bit words does not match the backdoor keys programmed in the Flash array.
2. If the four 16-bit words are written in the wrong sequence.
3. If more than four 16-bit words are written.
4. If any of the four 16-bit words written are 0x0000 or 0xFFFF.
5. If the KEYACC bit does not remain set while the four 16-bit words are written.
6. If any two of the four 16-bit words are written on successive MCU clock cycles.
After the backdoor keys have been correctly matched, the MCU will be unsecured. Once the MCU is
unsecured, the Flash security byte can be programmed to the unsecure state, if desired.
In the unsecure state, the user has full control of the contents of the backdoor keys by programming
addresses 0x7F_FF00–0x7F_FF07 in the Flash Configuration Field.
The security as defined in the Flash security byte (0x7F_FF0F) is not changed by using the backdoor key
access sequence to unsecure. The backdoor keys stored in addresses 0x7F_FF00–0x7F_FF07 are