No security feature is absolutely secure. However, Motorola's strategy is to make reading or copying the FLASH difficult for unauthorized users. The Motorola 8/16 bit microcontrollers are becoming more flexible and powerful. At the same time attention to the hardware security against unautorised access stay insufficient. As a result microcontrollers facility based on some of MC68Hc05, MC68HC08, MC68HC12 family have been already broken.
MC68HC05B family microcontrollers:
register OPTR (Options register) located at address $0100,
contains the secure and protect functions for EEPROM and
allows user to select this options. Bit 0 Security bit (SEC)
is high security bit allows the user to secure the EEPROM
data from external accesses. When the SEC bit is at "0",
the EEPROM contents are secured by preventing any entry
to test mode. The only way to erase the SEC bit to "1"
externally is to enter self-check mode* (see document hc05b6.pdf),
at which time the entire EEPROM contents will be erased.
When the SEC bit is changed, its new value will have no
effect until the next external or power-on reset.
MC68HC11 family microcontrollers:
CONFIG register actually consist of an EEPROM byte (separate
from the N-byte* EEPROM array), a static register that holds
the configuration information during operation, and the
associated logic, which controls the transfer of information
from EEPROM byte to the working static register. Programming
and erasure of this register use the same logic used for
programming and erasure of the N-Byte* EEPROM array. Reads
of this register return the contents of the static working
register, not the EEPROM byte. During any reset, the contents
of the EEPROM byte are transferred to the working static
register over the data bus. Due to this mechanism, changes
to the EEPROM CONFIG location are not visible and do not
alter the operation of the MCU until after a subsequent
reset. Some versions of the MC68HC11 family allow the CONFIG
working register to be written directly as a normal control
register while operating in the special mode variations.
Bit 3 No Security bit (NOSEC). A special security feature
is available on the mask based versions of MC68HC11 family.
Once this feature is enabled at the mask-programming level,
the user activates it by programming the NOSEC bit to "0".
While NOCES is "0" the MCU can only be reset in
single chip modes (normal single chip or special bootstrap).
This restriction is accomplished by forcing the MDA control
bit to zero rather than allowing it to follow the MODA pin
level at the rising edge of RESET. By disallowing expanded
modes, a software pirate is prevented from seeing the data
in EEPROM or RAM because there is no external address/data
bus in single chip mode. The software pirate can see what
in the on-chip ROM by disabling the security option, which
can only accomplished after the contents of EEPROM and RAM
have been erased. Therefore for the avoidance of very difficult
disassemble work use complete decision embodied on MC68HC11E9/A8
EEPROM programming tool or MC68HC11KA1/KA4/PA8/P2
EEPROM programming tool.
MC68HC9(08) family microcontrollers
custom-masked ROM microcontrollers (MC68HC08 family) and
FLASH based microcontrollers (MC68HC908 family) has some
differences in protection program data.
MC68HC912 family microcontrollers
No security features. Single-wire background debug mode (BDM) realized on all models in this family. BDM is implemented in on-chip hardware and provides a full set of debug operations. More information about Shadow word see 912_9S12_mqt.pdf. For unlocking BDM feature use MC68HC912/9S12 FLASH/EEPROM programmer.
HCS12 family microcontrollers
MCUs will make available a security feature preventing the
unauthorized read and write of the memory contents. This
feature allows protection of the contents of FLASH, protection
of the contents of EEPROM, operation in single-chip mode,
operation from external memory with internal FLASH and EEPROM
disabled. The user must be reminded that part of the security
must lie with the user's code. An extreme example would
be user's code that dumps the contents of the internal program.
This code would defeat the purpose of security. At the same
time the user may also wish to put a back door in the user's
program. An example of this is the user downloads a key
through the SCI which allows access to a programming routine
that updates parameters stored in EEPROM. Once the user
has programmed the FLASH and EEPROM (if desired), the part
can be secured by programming the security bits located
in the FLASH module For more information see 912_9S12_mqt.pdf.
These non-volatile bits will keep the part secured through
resetting the part and through powering down the part. The
security byte resides in a portion of the Flash array. Check
the Flash Block User Guide for more details on the security
configuration. The Normal Single Chip mode is most common
usage of the secured part. Everything will appear the same
as if the part was not secured with the exception of BDM
operation. The BDM operation will be blocked. Executing
from external memory: the user may wish to execute from
external space with a secured microcontroller. This is accomplished
by resetting directly into expanded mode. The internal FLASH
and EEPROM will be disabled. BDM operations will be blocked.
For un secure of the microcontroller internal FLASH and
EEPROM must be erased. This can be done through an external
program in expanded mode. Once the user has erased the FLASH
and EEPROM, the part can be reset into special single chip
mode .This invokes a program that verifies the erasure of
the internal FLASH and EEPROM. Once this program completes,
the user can erase and program the FLASH security bits to
the unsecured state. This is generally done through the
BDM, but the user could also change to expanded mode (by
writing the mode bits through the BDM) and jumping to an
external program (again through BDM commands). Note that
if the part goes through a reset before the security bits
are reprogrammed to the un secure state, the part will be
secured again. The MC68HC912/9S12
FLASH/EEPROM programmer by pass Memory security bits