Chapter 4 Memory
MC9S08AC60 Series Data Sheet, Rev. 3
58
Freescale Semiconductor
4.4.7
Vector Redirection
Whenever any block protection is enabled, the reset and interrupt vectors will be protected. Vector
redirection allows users to modify interrupt vector information without unprotecting bootloader and reset
vector space. Vector redirection is enabled by programming the FNORED bit in the NVOPT register
located at address $FFBF to zero. For redirection to occur, at least some portion but not all of the FLASH
memory must be block protected by programming the NVPROT register located at address $FFBD. All of
the interrupt vectors (memory locations $FFC0–$FFFD) are redirected, while the reset vector
($FFFE:FFFF) is not. When more than 32K is protected, vector redirection must not be enabled.
For example, if 512 bytes of FLASH are protected, the protected address region is from $FE00 through
$FFFF. The interrupt vectors ($FFC0–$FFFD) are redirected to the locations $FDC0–$FDFD. Now, if an
SPI interrupt is taken for instance, the values in the locations $FDE0:FDE1 are used for the vector instead
of the values in the locations $FFE0:FFE1. This allows the user to reprogram the unprotected portion of
the FLASH with new program code including new interrupt vector values while leaving the protected area,
which includes the default vector locations, unchanged.
4.5
Security
The MC9S08AC60 Series includes circuitry to prevent unauthorized access to the contents of FLASH and
RAM memory. When security is engaged, FLASH and RAM are considered secure resources. Direct-page
registers, high-page registers, and the background debug controller are considered unsecured resources.
Programs executing within secure memory have normal access to any MCU memory locations and
resources. Attempts to access a secure memory location with a program executing from an unsecured
memory space or through the background debug interface are blocked (writes are ignored and reads return
all 0s).
Security is engaged or disengaged based on the state of two nonvolatile register bits (SEC01:SEC00) in
the FOPT register. During reset, the contents of the nonvolatile location NVOPT are copied from FLASH
into the working FOPT register in high-page register space. A user engages security by programming the
NVOPT location which can be done at the same time the FLASH memory is programmed. The 1:0 state
disengages security while the other three combinations engage security. Notice the erased state (1:1) makes
the MCU secure. During development, whenever the FLASH is erased, it is good practice to immediately
program the SEC00 bit to 0 in NVOPT so SEC01:SEC00 = 1:0. This would allow the MCU to remain
unsecured after a subsequent reset.
The on-chip debug module cannot be enabled while the MCU is secure. The separate background debug
controller can still be used for background memory access commands, but the MCU cannot enter active
background mode except by holding BKGD/MS low at the rising edge of reset.
A user can choose to allow or disallow a security unlocking mechanism through an 8-byte backdoor
security key. If the nonvolatile KEYEN bit in NVOPT/FOPT is 0, the backdoor key is disabled and there
is no way to disengage security without completely erasing all FLASH locations. If KEYEN is 1, a secure
user program can temporarily disengage security by:
1. Writing 1 to KEYACC in the FCNFG register. This makes the FLASH module interpret writes to
the backdoor comparison key locations (NVBACKKEY through NVBACKKEY+7) as values to
be compared against the key rather than as the first step in a FLASH program or erase command.