PXS20RM Datasheet, PDF(136/1368 Page) Freescale Semiconductor, Inc – PXS20 Microcontroller

English

English German Russian Spanish Italian Polish Chinese Japanese Korean French Portuguese	Language :

PXS20RM Datasheet, PDF (136/1368 Pages) Freescale Semiconductor, Inc – PXS20 Microcontroller

◁

Device Security

0

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

R

Serial Boot Control

W

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

R

Censorship Control

W

Figure 6-2. Nonvolatile System Censorship Information Register (NVSCI) for cut2/3

A value of 0x55AA in the censhorship control word of the NVSCI register determines that the device is

unsecured, any other value determines that the device is secured. The factory default of the NVSCI holds

the value 0x55AA55AA. (For the function of the Serial Boot Control word see Section 6.2, Serial access.)

The device supports a backdoor to unsecure the device via the 64 bit password register (NVPWD) in the

flash memory block. The flash memory password can be programmed or modified as long as the device is

unsecured.

In order to modify an already programmed password the shadow block needs to be erased first, and all

other configuration bits re-programmed as well.

To protect against voltage manipulations, each 16-bit halfword needs to contain both 1âs and 0âs. Below

are examples for legal and illegal passwords:

Illegal passwords

0x0000_0000_0000_0000

0xFFFF_FFFF_FFFF_FFFF

0xFFFF_0000_FFFF_FFFF

0x0000_0000_0000_FFFF

0xAAAA_AAAA_AAAA_0000

Legal passwords

0x0001_0010_0100_1000

0xFFFE_FFFE_FFFE_FFFE

0xFFF0_000F_0FFF_0FFF

0x1000_1000_1000_FFFE

0xAAAA_AAAA_AAAA_0001

To deactivate the flash memory password (âswallowing the keyâ) the register can be programmed with the

value 0x0000_0000_0000_0000. However once this is done neither the manufacturer nor the user can

unlock device security again. Of course, application code can still implement a different backdoor scheme

if there are special requirements which are not covered by the available mechanism.

6.1.2 Unsecuring the microcontroller

To unsecure a secured device, the flash memory password needs to be provided. This can be done by

booting in SBL mode and providing the flash memory password via the serial bootloader protocol (see

refer to the BAM chapter) or via JTAG command.

If SBL mode was used in conjunction with the flash memory password, the password comparison result

will only be known after a delay - this is in order to avoid brute-force attacks. The data can be downloaded

into SRAM during this delay.

PXS20 Microcontroller Reference Manual, Rev. 1

6-2

Freescale Semiconductor

▷