3 flash security operation, 3 flash security operation -30, Section 18.4.3, “flash security operation – Freescale Semiconductor ColdFire MCF52210 User Manual
Page 320

ColdFire Flash Module (CFM)
MCF52211 ColdFire® Integrated Microcontroller Reference Manual, Rev. 2
18-30
Freescale Semiconductor
If a command is not active (CCIF=1) when the MCU enters stop mode, the ACCERR flag does not set.
18.4.3
Flash Security Operation
The CFM provides security information to the integration module and the rest of the MCU. This security 
information is stored within a word in the flash configuration field. This security word is read 
automatically after each reset and stored in the CFMSEC register. 
In flash normal mode, it is possible to bypass the security via a backdoor access sequence using an 8-byte 
long key. Upon successful completion of the backdoor access sequence, the SECSTAT bit in the CFMSEC 
register is cleared indicating that the MCU is unsecured. 
The CFM may be unsecured by:
•
Executing a backdoor access sequence.
•
Passing a blank check operation on the flash memory.
•
Executing the JTAG lockout recovery sequence.
18.4.3.1
Backdoor Access Sequence
If the KEYEN bits in the CFMSEC register are set to the enabled state, it is possible to bypass security by:
1. Setting the KEYACC bit in the CFMMCR register.
2. Writing the correct 8-byte backdoor comparison key to the flash memory at offset 0x0400 -
0x0407. This operation must be composed of two 32-bit writes to address 0x0400 and 0x0404 in 
that order. The two backdoor write cycles can be separated by any number of internal flash bus 
cycles. 
NOTE
Any attempt to use a key of all zeros or all ones locks the backdoor access 
sequence until the CFM is reset.
3. Clearing the KEYACC bit.
4. If all eight bytes written match the flash memory content at offset 0x0400 - 0x0407, security is
bypassed until the next reset.
In the unsecured state, the software has full control of the contents of the 8-byte backdoor comparison key 
by programming the bytes at offset 0x0400 - 0x0407 of the flash configuration field. If at any time a key 
of all zeroes or all ones is received, the backdoor access sequence is terminated and cannot be successfully 
restarted until after the CFM is reset.
The security of the CFM as defined in the flash security word at address offset 0x0414 is not changed by 
the executing the backdoor access sequence to unsecure the device. After the next reset sequence, the CFM 
is secured again and the same backdoor key is in effect unless the flash configuration field was changed 
by program or erase prior to reset. The backdoor access sequence to unsecure the device has no effect on 
the program and erase protections defined in the CFM protection register.
The contents of the flash security word at address offset 0x0414 must be changed by programming that 
address when the device is unsecured and the sector containing the flash configuration field is unprotected.
