
Flash Security Enabling
56F8013/56F8011 Data Sheet, Rev. 11
Freescale Semiconductor
85
7.1 Flash Security Enabling
After the user has programmed the Flash with the application code, the 56F8013/56F8011 can be secured
by programming the security words located in the FM configuration field, which are located at the last nine
words of Program Flash. These non-volatile words will keep the part secured through reset and through
power-down of the device. To enable the flash security, program $E70A into program memory location
$1FF7. No other data programs in this location can secure the flash. Refer to the Flash Memory chapter in
the 56F801X Peripheral User Manual for more detail. When Flash security mode is enabled, the
56F8013/56F8011 will disable the core EOnCE debug capabilities. Normal program execution is
otherwise unaffected.
7.2 Flash Access Lock and Unlock Mechanisms
The 56F8013/56F8011 have several operating functional and debug modes. Effective Flash security must
address operating mode selection and anticipate modes in which the on-chip Flash can be read without
explicit user permission.
7.2.1
Disabling EOnCE Access
On-chip Flash can be read by issuing commands across the EOnCE port, which is the debug interface for
the 56800E CPU. The TCLK, TMS, TDO, and TDI pins comprise a JTAG interface onto which the
EOnCE port functionality is mapped. When the 56F8013/56F8011 boot, the chip-level JTAG TAP (Test
Access Port) is active and provides the chip’s boundary scan capability and access to the ID register, but
proper implementation of Flash security will block any attempt to access the internal Flash memory via
the EOnCE port when security is enabled.
7.2.2
Flash Lockout Recovery Using JTAG
If a user inadvertently enables security on the 56F8013/56F8011, the only lockout recovery mechanism is
the complete erasure of the internal Flash contents, including the configuration field, and thus disables
security (the protection register is cleared). This does not compromise security, as the entire contents of
the user’s secured code stored in Flash are erased before security is disabled on the 56F8013/56F8011 on
the next reset or power-up sequence.
To start the lockout recovery sequence, the JTAG public instruction (LOCKOUT_RECOVERY) must
first
be
shifted
into
the
chip-level
TAP
controller’s
instruction
register.
Once
the
LOCKOUT_RECOVERY instruction has been shifted into the instruction register, the clock divider value
must be shifted into the corresponding 7-bit data register. After the data register has been updated, the user
must transition the TAP controller into the RUN-TEST/IDLE state for the lockout sequence to commence.
The controller must remain in this state until the erase sequence has completed. Refer to the 56F801X
Peripheral User Manual for more details, or contact Freescale.
Note:
Once the lockout recovery sequence has completed, the user must reset both the JTAG TAP controller
(by advancing the TAP state machine to the reset state) and the 56F8013/56F8011 (by asserting
external chip reset) to return to normal unsecured operation.