MCU break is no strange technology to attackers in the hardware security business. The emergence of FLASH online programming technology has brought great innovation to the mechanisms of MCU break and encryption. From an analysis of the encryption and break process of the HCS12 series MCUs, we can conclude that it is a reliable encryption method for MCU break, with sufficient flexibility.
Besides, using a password to break an MCU is highly reliable, but how it is realized depends on the user program; the user can minimize this kind of risk as long as the interface program is designed carefully.
To preserve the possibility of reading the ROM code directly from the MCU, the user can apply encryption with a password: when breaking the MCU, the ROM and its embedded content can be extracted and read as long as the correct password (the so-called back-door code) is given. With this method, the user needs to set up a 4 bits password and store it in the FLASH. Taking the MC9S12DP256 as an example, the FLASH addresses where the password is placed run from $FF00 to $FF07. The password can be downloaded into the MCU together with the program.
When breaking an MCU of this type, only a user interface is allowed to complete the work, including password input and validation; a BDM programmer is not allowed to be used for the break. There is no limitation on the interface type (SCI, SPI, IIC, MSCAN, etc.): as long as the correct password can be input, any kind of interface is available for MCU break, and the most commonly used is the serial interface.
Assuming there is some variation among KEY0 to KEY7, the password validation procedure is as follows: if the password that is input matches the original value, the system automatically modifies the last two bits of SEC to the unencrypted status when saving it into FLASH, and the MCU can then be broken automatically. If the validation fails, the system keeps the encryption status to prevent MCU break.
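
The validation procedure described above, modelled in C as an added example (not code from the original page or from the chip vendor) to show what a carefully designed interface program looks like: it compares all of KEY0 to KEY7 in constant time and stops accepting input after repeated failures. The `mcu_model` struct, the function names, the attempt limit and the `0x02` encoding for the unencrypted status are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define KEY_LEN        8      /* KEY0..KEY7, stored at $FF00-$FF07 */
#define SEC_MASK       0x03u  /* last two bits of SEC */
#define SEC_UNSECURED  0x02u  /* assumed encoding of the unencrypted status */
#define MAX_FAILURES   3      /* hypothetical policy of the interface program */

/* Constructed model of the device state; not real register definitions. */
typedef struct {
    uint8_t key[KEY_LEN];   /* password stored in FLASH */
    uint8_t sec;            /* SEC byte; low two bits hold the status */
    uint8_t failures;       /* failed attempts seen by the interface */
} mcu_model;

/* Returns 1 if KEY0..KEY7 are not all identical (there is variation). */
static int key_has_variation(const uint8_t *k) {
    uint8_t diff = 0;
    for (size_t i = 1; i < KEY_LEN; i++) diff |= (uint8_t)(k[i] ^ k[0]);
    return diff != 0;
}

/* Compare without an early exit, so response timing does not reveal
   how many leading bytes of the candidate were correct. */
static int ct_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Handle one candidate received over the user interface (SCI, SPI, ...).
   Returns 1 if the device was switched to the unencrypted status. */
int validate_password(mcu_model *m, const uint8_t *candidate, size_t len) {
    if (m->failures >= MAX_FAILURES) return 0;        /* locked out */
    if (len != KEY_LEN || !key_has_variation(m->key) ||
        !ct_equal(m->key, candidate)) {
        m->failures++;                                /* stay encrypted */
        return 0;
    }
    m->sec = (uint8_t)((m->sec & ~SEC_MASK) | SEC_UNSECURED);
    m->failures = 0;
    return 1;
}
```

On real hardware the failure counter would have to be kept in non-volatile storage, otherwise a reset clears the lockout.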