NXP Semiconductors
UM11227
NTM88 family of tire pressure monitor sensors
UM11227 All information provided in this document is subject to legal disclaimers. © NXP B.V. 2020. All rights reserved.
User manual Rev. 6 — 24 April 2020
176 / 205
A user can choose to allow or disallow a security unlocking mechanism through an 8-byte
backdoor security key. If the nonvolatile KEYEN bit in NVOPT/FOPT is 0, the backdoor
key is disabled and there is no way to disengage security without completely erasing
all FLASH locations. If KEYEN is 1, a secure user program can temporarily disengage
security by:
1. Writing 1 to KEYACC in the FCNFG register. This makes the FLASH module interpret
writes to the backdoor comparison key locations (NVBACKKEY through NVBACKKEY
+7) as values to be compared against the key rather than as the first step in a FLASH
program or erase command.
2. Writing the user-entered key values to the NVBACKKEY through NVBACKKEY+7
locations. These writes must be done in order starting with the value for NVBACKKEY
and ending with NVBACKKEY+7. STHX must not be used for these writes because
these writes cannot be done on adjacent bus cycles. User software normally would
get the key codes from outside the MCU system through a communication interface
such as a serial I/O.
3. Writing 0 to KEYACC in the FCNFG register. If the 8-byte key that was just written
matches the key stored in the FLASH locations, SEC[1:0] are automatically changed
to 1:0 and security will be disengaged until the next reset.
The security key can be written only from secure memory (either RAM or FLASH), so
it cannot be entered through BACKGROUND commands without the cooperation of a
secure user program.
The backdoor comparison key (NVBACKKEY through NVBACKKEY+7) is located
in FLASH memory locations in the nonvolatile register space so users can program
these locations exactly as they would program any other FLASH memory location. The
nonvolatile registers are in the same 512-byte block of FLASH as the reset and interrupt
vectors, so block protecting that space also block protects the backdoor comparison key.
Block protects cannot be changed from user application programs, so if the vector space
is block protected, the backdoor security key mechanism cannot permanently change the
block protect, security settings, or the backdoor key.
Security can always be disengaged through the BACKGROUND DEBUG interface by
taking these steps:
1. Disable any block protections by writing FPROT. FPROT can be written only with
BACKGROUND DEBUG commands, not from application software.
2. Mass erase FLASH if necessary.
3. Blank check FLASH. Provided FLASH is completely erased, security is disengaged
until the next reset.
To avoid returning to secure mode after the next reset, program NVOPT so SEC[1:0] =
1:0.
Enabling the security feature disables NXP ability to perform failure analysis without first
completely erasing all flash memory contents. If the security feature is implemented, the
customer is responsible for providing NXP with unsecured parts for any failure analysis
to begin or supplying the entire contents of the device flash memory data as part of the
return process, to allow NXP to erase and subsequently restore the device to its original
condition.
To Next Page
Loading...